
Enable modern authentication for the Mail service in BEMS

You must allow BEMS to authenticate with Microsoft Office 365 to access users’ mailboxes and send notifications to users’ devices when new email is received on the device.
  1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Mail.
  2. Click Microsoft Exchange.
  3. In the Select Authentication type section, select an authentication type based on your environment and complete the associated tasks to allow BEMS to communicate with Microsoft Office 365:
    Authentication type: Credential
    Description: This option uses the BEMS username and password to authenticate to Microsoft Office 365.
    Task:
      1. In the Username field, enter the service account's User Principal Name (UPN).
      2. In the Password field, enter the password for the service account.
    When using modern authentication, BEMS leverages the WS-Trust protocol. For BEMS to authenticate with Azure AD, the MetadataExchangeUri value must be set within Azure in your organization's Federation settings. If the MetadataExchangeUri value is not set, BEMS cannot authenticate using the modern authentication settings. For more information, visit set-msoldomainauthentication?view=azureadps-1.0.
    Some third-party identity providers (IDPs) may not require this value to be set during the initial configuration. If the MetadataExchangeUri for your organization is not currently set, consult with your IDP vendor or with Microsoft before you make any changes to your Federation settings.

    Authentication type: Client Certificate
    Description: This option uses a client certificate to allow the BEMS service account to authenticate to Microsoft Office 365.
    Task:
      1. For the Upload PFX file, click Choose File and select the client certificate file. For instructions on obtaining the .pfx file, see associate a certificate to the Azure app ID for BEMS.
      2. In the Enter PFX file Password field, enter the password for the client certificate.
  4. Select the Enable Modern Authentication checkbox.
  5. In the Authentication Authority field, enter the Authentication Server URL that BEMS accesses to retrieve the OAuth token for authentication with Office 365 (for example, https://login.microsoftonline.com/<tenantname>). By default, the field is prepopulated with https://login.microsoftonline.com/common.
  6. In the Client Application ID field, enter one of the following Azure app IDs:
  7. In the Server Name field, enter the FQDN of the Microsoft Office 365 server. By default, the field is prepopulated with https://outlook.office365.com.
    When you configure modern authentication, all nodes use the specified configuration.
  8. Under the Autodiscover and Exchange Options section, complete one of the following actions. Most environments only require the default settings. Before modifying the settings, test the change in your environment.

    Task: Override Autodiscover URL
    If you choose to override the autodiscover process, BEMS uses the override URL to obtain user information from Microsoft Office 365.
    Steps:
      1. Select the Override Autodiscover URL checkbox.
      2. In the Autodiscover URL field, type the autodiscover endpoint (for example, https://example.com/autodiscover/autodiscover.svc).

    Task: Autodiscover and Microsoft Exchange Server options
    Steps:
      1. Select the Swap ordering of <domain.com>/autodiscover and autodiscover.<domain.com>/autodiscover checkbox to assist in resolving the autodiscover URL. Consider selecting this option if the order results in timeouts or other failures.
      2. Modify the TCP Connect timeout for Autodiscover url(milliseconds) field as required to prevent failures when autodiscovery takes too long. By default, the timeout is set to 120000. The recommended timeout is between 5000 milliseconds (5 seconds) and 120000 milliseconds (120 seconds).
      3. By default, the Enable SCP record lookup checkbox is selected. If you clear the checkbox, BEMS does not perform a Microsoft Active Directory lookup of Autodiscover URLs. This option is not available when Override Autodiscover URL is selected.
      4. Select the Use SSL connection when doing SCP lookup checkbox to allow BEMS to communicate with the Microsoft Active Directory using SSL. If you enable this feature, you must import the Microsoft Active Directory certificate to each computer that hosts an instance of BEMS. This option is not available when Override Autodiscover URL is selected.
      5. By default, the Enforce SSL Certificate validation when communicating with Microsoft Exchange and LDAP server checkbox is selected.
      6. By default, the Allow HTTP redirection and DNS SRV record checkbox is selected. If you clear the checkbox, you disable HTTP Redirection and DNS SRV record lookups for retrieving the Autodiscover URL when discovering users for BlackBerry Work Push Notifications.
      7. Select the Force re-autodiscover of user on all Microsoft Exchange errors checkbox to force BEMS to perform the autodiscover again for the user when Microsoft Office 365 returns an error message.
  9. In the End User Email Address field, type an email address to test connectivity to Microsoft Office 365 using the service account. You can delete the email address after you complete the test.
  10. Click Save.
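
The Credential option in step 3 depends on MetadataExchangeUri being set in the organization's federation settings. The following read-only check is an added example, not BlackBerry or Microsoft code; it uses the Microsoft Graph PowerShell module rather than the MSOnline cmdlet this page links to, and assumes the Microsoft.Graph.Identity.DirectoryManagement module is installed and the signed-in account can be granted Domain.Read.All.

```powershell
# Added example. Read-only: nothing in the tenant is changed.
# Assumes the Microsoft.Graph.Identity.DirectoryManagement module is installed.
Connect-MgGraph -Scopes 'Domain.Read.All'

function Get-FederatedMexReport {
    # Only federated domains carry federation settings (and therefore a MEX endpoint).
    $federated = Get-MgDomain -All | Where-Object { $_.AuthenticationType -eq 'Federated' }
    foreach ($domain in $federated) {
        $configs = @(Get-MgDomainFederationConfiguration -DomainId $domain.Id)
        # Still emit a row when a federated domain returns no configuration object.
        if ($configs.Count -eq 0) { $configs = @($null) }
        foreach ($fed in $configs) {
            $mex = if ($fed) { $fed.MetadataExchangeUri } else { $null }
            [pscustomobject]@{
                Domain              = $domain.Id
                IssuerUri           = if ($fed) { $fed.IssuerUri } else { $null }
                MetadataExchangeUri = $mex
                MexIsSet            = -not [string]::IsNullOrWhiteSpace($mex)
                MexIsHttps          = "$mex" -like 'https://*'
            }
        }
    }
}

$report = @(Get-FederatedMexReport)
$report | Format-Table -AutoSize -Wrap

$unset = @($report | Where-Object { -not $_.MexIsSet })
if ($unset.Count -gt 0) {
    # Reported only; any change to federation settings goes through the IDP vendor or Microsoft first.
    Write-Warning ('MetadataExchangeUri is not set for: ' + ($unset.Domain -join ', '))
} elseif ($report.Count -eq 0) {
    Write-Output 'No federated domains found in this tenant.'
} else {
    Write-Output 'All federated domains have a MetadataExchangeUri set.'
}
```
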
If you selected Client Certificate authentication, you can view the certificate information. Click Mail. The following certificate information is displayed:
  • Subject
  • Issuer
  • Validation period
  • Serial number
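
To compare these fields against the file before it is uploaded, the .pfx can be inspected locally. This is an added example, not BlackBerry code; the file name bems-client.pfx and the 30-day renewal threshold are assumptions, and when the file holds several certificates only the one .NET selects is reported.

```powershell
# Added example. Reads the file only; nothing is imported into a certificate store.
function Get-PfxSummary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password,
        [int] $WarnDays = 30   # assumed renewal threshold, adjust to your policy
    )
    $file  = (Resolve-Path -LiteralPath $Path).ProviderPath
    # EphemeralKeySet keeps the private key in memory instead of persisting it to the key store.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file, $Password, $flags)
    try {
        $now      = Get-Date
        $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotBefore     = $cert.NotBefore
            NotAfter      = $cert.NotAfter
            SerialNumber  = $cert.SerialNumber
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            DaysRemaining = $daysLeft
            # Client certificate authentication needs the private key and a currently valid certificate.
            Usable        = $cert.HasPrivateKey -and $now -ge $cert.NotBefore -and $daysLeft -ge 0
            RenewSoon     = $daysLeft -lt $WarnDays
        }
    } finally {
        $cert.Dispose()
    }
}

# Hypothetical file name; the password is prompted for so it never lands in shell history.
$summary = Get-PfxSummary -Path '.\bems-client.pfx' -Password (Read-Host 'PFX password' -AsSecureString)
$summary | Format-List

if (-not $summary.Usable) {
    Write-Warning 'No private key, not yet valid, or expired: do not upload this file.'
} elseif ($summary.RenewSoon) {
    Write-Warning "Certificate expires in $($summary.DaysRemaining) days."
}
```

The Subject, Issuer, validity dates and serial number printed here should match what the Mail page displays after the upload.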