Skip Navigation
  1. BlackBerry Docs
  2. BlackBerry Work 3.2
  3. Configuring Office 365 Modern Authentication for BlackBerry Dynamics Apps
  4. Enable modern authentication for the Mail service in BEMS

Enable modern authentication for the Mail service in 
BEMS

You must allow 
BEMS
 to authenticate with 
Microsoft Office 365
 to access users’ mailboxes and send notifications to users’ devices when new email is received on the device.
  1. In the 
    BlackBerry Enterprise Mobility Server Dashboard
    , under 
    BlackBerry Services Configuration
    , click 
    Mail
    .
  2. Click 
    Microsoft Exchange
  3. In the 
    Select Authentication type
     section, select an authentication type based on your environment and complete the associated tasks to allow 
    BEMS
     to communicate with 
    Microsoft Office 365
    :
    Authentication type
    Description
    Task
    Credential
    This option uses the 
    BEMS
     username and password to authenticate to 
    Microsoft Office 365
    .
    1. In the 
      Username
       field, enter the service account's User Principal Name (UPN)
    2. In the 
      Password
       field, enter the password for the service account.
    When using modern authentication, 
    BEMS
     leverages the WS-Trust protocol. For 
    BEMS
     to authenticate with 
    Azure
    AD, the MetadataExchangeUri value must be set within 
    Azure
     in your organization's Federation settings. If the MetadataExchangeUri value is not set, 
    BEMS
     cannot authenticate using the modern authentication settings. For more information, visit set-msoldomainauthentication?view=azureadps-1.0.
    Some third-party identity providers (IDPs) may not require this value to be set during the initial configuration. If the MetadataExchangeUri for your organization is not currently set, consult with your IDP vendor or with 
    Microsoft
     before you make any changes to your Federation settings. 
    Client Certificate
    This option uses a client certificate to allow the 
    BEMS
     service account to authenticate to 
    Microsoft Office 365
    .
    1. For the 
      Upload PFX file
      , click 
      Choose File
       and select the client certificate file. For instructions on obtaining the .pfx file, see associate a certificate to the 
      Azure
       app ID for 
      BEMS
      .
    2. In the 
      Enter PFX file Password
       field, enter the password for the client certificate. 
    Passive Authentication
     This option uses an identity provider (IDP) to authenticate the user and provide 
    BEMS
     with OAuth tokens to authenticate to 
    Microsoft Office 365
    .
    Proceed to step 5.
  4. Select the 
    Enable Modern Authentication
     checkbox.
  5. In the 
    Authentication Authority
     field, enter the Authentication Server URL that 
    BEMS
     accesses and retrieve the OAuth token for authentication with 
    Office 365
     (for example, https://login.microsoftonline.com/<
    tenantname
    >). By default, the field is prepopulated with https://login.microsoftonline.com/common.
  6. In the 
    Client Application ID
     field, enter one of the following 
    Azure
     app IDs: 
  7. In the 
    Server Name
     field, enter the FQDN of the 
    Microsoft Office 365
     server. By default, the field is prepopulated with https://outlook.office365.com.
    When you configure modern authentication, all nodes use the specified configuration.
  8. If you use Credential or Client certificate authentication and the metadata endpoint is protected by mutual TLS authentication, select the 
    Use Mutual TLS Authentication
     check box to allow 
    BEMS
     to respond to mutual TLS authentication requests. This step requires that the mutual TLS certificate is imported into 
    BEMS
    . For instructions, see Import the mutual TLS certificates into the BEMS keystore.
    When you configure modern authentication, all nodes use the specified configuration. 
  9. If you use Passive Authentication, complete the following steps:   
    1. In the 
      Redirect URI
       field, enter the URL that the IDP redirects the administrator to when the client app ID is authorized and the authentication tokens are provided. If you remotely log in to the computer that hosts the 
      BEMS
       and perform the configuration from the computer's browser, enter 
      https://localhost:8443/dashboard/views/dashboard.jsp
      ), otherwise enter 
      https://<FQDN of the computer that hosts the BEMS instance>/views/dashboard.jsp
      .  (for example, https://localhost:8443/dashboard/views/dashboard.jsp). 
      The URI must be the same as the 
      BEMS
       URI and whitelisted in the portal for 
      Azure
       application ID.
    2. Click 
      login
    3. Enter the credentials for the service account. 
    4. Click 
      OK
       to acknowledge that the authentication tokens were obtained
    5. Important: 
      BEMS
       doesn't automatically refresh the OAuth tokens. Repeat steps b to d to refresh the OAuth tokens. The tokens expiration time depends on your tenant policy. When the OAuth tokens expire, email notifications  on the users' devices stop. The OAuth token expiration is displayed after you login to the IDP. 
  10. Under the 
    Autodiscover and Exchange Options
     section, complete one of the following actions. Most environments only require the default settings. Before modifying the settings, test the change in your environment. 
    Task
    Steps
    Override Autodiscover URL
    If you select to override the autodiscover process, 
    BEMS
     uses the override URL to obtain user information from 
    Microsoft Office 365
    1. Select the 
      Override Autodiscover URL
       checkbox. 
    2. In the 
      Autodiscover URL
       field, type the autodiscover endpoint (for example, https://example.com/autodiscover/autodiscover.svc).
    Autodiscover and 
    Microsoft Exchange Server
     options 
    1. Select the 
      Swap ordering of <
      domain.com
      >/autodiscover and autodiscover. <
      domain.com
      >/autodiscover
       check box to assist in resolving the autodiscover URL. Consider selecting this option if the order results in timeouts or other failures. 
    2. Modify the 
      TCP Connect timeout for Autodiscover url(milliseconds)
       field as required to prevent failures when autodiscovery takes too long. By default, the timeout is set to 120000. The recommended timeout is between 5000 milliseconds (5 seconds) and 120000 milliseconds (120 seconds). 
    3. By default, the 
      Enable SCP record lookup
       checkbox is selected. If you clear the checkbox, 
      BEMS
       does not perform a 
      Microsoft Active Directory
       lookup of Autodiscover URLs. This option is not available when Override Autodiscover URL is selected. 
    4. Select the 
      Use SSL connection when doing SCP lookup
       checkbox to allow 
      BEMS
       to communicate with the 
      Microsoft Active Directory
       using SSL. If you enable this feature, you must import the 
      Microsoft Active Directory
       certificate to each computer that hosts an instance of 
      BEMS
      . This option is not available when Override Autodiscover URL is selected.
    5. By default, the 
      Enforce SSL Certificate validation when communicating with Microsoft Exchange and LDAP server
       check box is selected.  
    6. By default, the 
      Allow HTTP redirection and DNS SRV record
       checkbox is selected. If you clear the checkbox, you disable HTTP Redirection and DNS SRV record lookups for retrieving the Autodiscover URL when discovering users for 
      BlackBerry Work
      Push Notifications
    7. Select the 
      Force re-autodiscover of user on all Microsoft Exchange errors
       checkbox to force 
      BEMS
       to perform the autodiscover again for the user when 
      Microsoft Office 365
       returns an error message.
  11. In the 
    End User Email Address
     field, type an email address to test connectivity to 
    Microsoft Office 365
     using the service account. You can delete the email address after you complete the test.
  12. Click 
    Save
If you selected 
Client Certificate
 authentication, you can view the certificate information. Click 
Mail
. The following certificate information is displayed:
  • Subject
  • Issuer
  • Validation period
  • Serial number