Skip Navigation
  1. BlackBerry Docs
  2. BlackBerry Enterprise Mobility Server 3.7
  3. Configuring the BlackBerry Docs service
  4. Steps to configure the Docs service
  5. Configure the Docs network and security settings
  6. Obtain an Entra app ID for the BEMS-Docs component service

Obtain an
Entra
 app ID for the
BEMS-Docs
 component service

When your environment is configured for
Microsoft SharePoint Online
,
Microsoft OneDrive for Business
, or
Microsoft Entra ID
-IP you must register the
BEMS
 component services in
Entra
. You can register one or more of the services in
Entra
. In this task, the
Docs
 services and
Microsoft Entra ID
-IP are registered in
Entra
.
  • To grant permissions, you must use an account with tenant administrator permissions.
  • Verify that you have recorded the Application ID for
    BlackBerry Work
    . For more information, see obtained an
    Entra
     app ID for
    BlackBerry Work
    .
  1. Sign in to portal.azure.com.
  2. In the left column, click
    Microsoft Entra ID
    .
  3. Click
    App registrations
    .
  4. Click
    New registration
    .
  5. In the
    Name
     field, enter a name for the app. For example, AzureAppIDforBEMS.
  6. Select a supported account type. 
  7. In the
    Redirect URI
     drop-down list, select
    Web
     and enter
    https://localhost:8443
    .
  8. Click
    Register
    .
  9. Record the
    Application (client) ID
    .
    This is used as the
    BEMS Service Azure Application ID
     value for the Docs > Settings service in the
    BEMS
     dashboard.
  10. In the
    Manage
     section, click
    API permissions
    .
  11. Click
    Add a permission
    .
  12. Complete one or more of the following tasks:
    Service
    Permissions
    If you configure
    BEMS-Docs
     to use
    Microsoft SharePoint Online
     or
    Microsoft OneDrive for Business
    1. Search for and click
      SharePoint
      .
    2. Set the following permissions:
      • In application permissions, clear all of the permissions.
        1. Click
          Application permissions
          .
        2. Click expand all. Make sure that all options are cleared.
      • In
        Delegated permissions
        , click
        AllSites
         and select the
        AllSites.Manage
         checkbox to grant
        Read and write items and lists in all site collections
        . Make sure that all other options are cleared.
    3. Click
      Add permissions
      .
    If you use
    Microsoft Entra ID
    -IP
    1. Click
      Microsoft Graph
      . If
      Microsoft Graph
       is not listed, add
      Microsoft Graph
      .
    2. Set the following permissions:
      • In application permissions, select the
        Read directory data
         checkbox (
        Directory > Directory.Read.All
        ).
      • In delegated permissions, select the
        Read directory data
         checkbox (
        Directory > Directory.Read.All
        ).
    3. Click
      Update permissions
      .
    4. Add a permission
      .
    5. In the
      Select an API
       section, click
      Azure Rights Management Services
      . Set the following permissions:
      • In application permissions, select all of the permissions.
        1. Click
          Application permissions
          .
        2. Make sure that all Content options are selected.
      • In delegated permissions, select the
        user_impersonation
         checkbox.
    6. Click
      Add permissions
      .
    7. Click
      Add a permission
      .
    8. In the
      Select an API
       section, click
      APIs my organization uses
      .
    9. Search for and click
      Microsoft Information Protection Sync Service
      . Set the following permission:
      • In delegated permissions, select the
        Read all unified policies a user has access to
         checkbox (
        UnifiedPolicy > UnifiedPolicy.User.Read
        ).
    10. Click
      Add permissions
      .
  13. Wait a few minutes, then click
    Grant admin consent
    . Click
    Yes
    .
    This step requires tenant administrator privileges.
  14. To allow autodiscovery to function as expected, set the authentication permissions. Complete the following steps:
    1. In the
      Manage
       section, click
      Authentication
      .
    2. Under the
      Allow public client flows
       section, select
      Yes
       to
      Enable the following mobile and desktop flows
      .
    3. Click
      Save
      .
  15. Define the scope and trust for this API. In the
    Manage
     section, click
    Expose an API
    . Complete the following tasks.
    Task
    Steps
    Add a scope
    The scope restricts access to data and functionality protected by the API.
    1. Click
      Add a scope
      .
    2. Click
      Save and continue
      .
    3. Complete the following fields and settings:
      • Scope name: Provide a unique name for the scope.
      • Who can consent: Click
        Admins and user
        .
      • Admin consent display name: Enter a descriptive name.
      • Admin consent description: Enter a description for the scope.
      • State: Click
        Enabled
        . By default, the state is enabled.  
    4. Click
      Add Scope
      .
    Add a client application
    Authorizing a client application indicates that the API trusts the application and users shouldn't be prompted for consent.
    1. Click
      Add a client application
      .
    2. In the
      Client ID
       field, enter the
      BlackBerry Work
       Application ID that you recorded when you obtained an
      Entra
       app ID for
      BlackBerry Work
      .
    3. Select the
      Authorized scopes
       checkbox to specify the token type that is returned by the service.
    4. Click
      Add application
  16. In the
    Manage
     section, click
    Certificates & secrets
     and add a client secret. Complete the following steps:
    1. Click
      New client secret
      .
    2. In the
      Description
       field, enter a key description up to a maximum of 16 characters including spaces.
    3. Set an expiration date (for example, In 1 year, In 2 years, Never expires). 
    4. Click
      Add
      .
    5. Copy the key
      Value
      .
      The Value is available only when you create it. You cannot access it after you leave the page.
      This is used as the
      BEMS Service Application Key
       in the
      BEMS-Docs
       service in the
      BEMS
       Dashboard.