Create an enterprise endpoint in Entra

To give BlackBerry UEM access to Microsoft Entra ID, you must create an enterprise endpoint within Entra. The enterprise endpoint allows BlackBerry UEM to authenticate with Microsoft Entra ID. For more information, see https://docs.microsoft.com/en-us/azure/active-directory/active-directory-app-registration.

If you are connecting BlackBerry UEM to both Microsoft Intune and the Windows Store for Business, use a different enterprise application for each purpose to avoid issues with different permissions and potential future changes.

When you create the application to use Microsoft Intune (step 11), you must use the Entra account with Global administrator permissions.

  1. Log in to the Azure portal.
  2. Go to Microsoft Azure > Azure Active Directory > App registrations.
  3. Click Endpoints.
  4. Copy the OAuth 2.0 token endpoint (v1) value and paste it to a text file.
    This is the OAuth 2.0 token endpoint required in BlackBerry UEM.
  5. Close the Endpoints list and click New registration.
  6. In the Name field, enter a name for the app.
  7. Select a supported account type.
  8. In the Redirect URI section, in the drop-down list, select Web and enter a valid URL. The URL format is https://<FQDN_of_the_BlackBerry_UEM_server>:<port>/admin/intuneauth
  9. Click Register. The new registered app appears.
  10. Copy the Application ID of your app and paste it to a text file.
    This is the Client ID required in BlackBerry UEM.
  11. If you are creating the application to use Microsoft Intune, click API permissions in the Manage section. Perform the following steps:
    1. Click Add a permission.
    2. Select Microsoft Graph.
    3. Select Delegated permissions.
    4. Scroll down in the permissions list and under Delegated Permissions, set the following permissions for Microsoft Intune:
      • Read and write Microsoft Intune apps (DeviceManagementApps > DeviceManagementApps.ReadWrite.All)
      • Read all users' basic profiles (User > User.ReadBasic.All)
      • Read all groups (Group > Group.Read.All)
    5. Click Add permissions.
    6. Under Grant consent, click Grant admin consent.
      You must be a global administrator to grant permissions.
    7. When you are prompted, click Yes to grant permissions for all accounts in the current directory.
  12. Select Certificates and secrets in the Manage section. Perform the following actions:
    1. Under Client secrets, click New client secret.
    2. Type a description for the client secret.
    3. Select a duration for the client secret.
    4. Click Add.
    5. Copy the value of the new client secret.
      This is the Client Key that is required in BlackBerry UEM.
      If you do not copy the value of your key now, you will have to create a new key because the value is not displayed after you leave this screen.
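
The values collected in steps 4, 8, 10, and 12 can be checked before they are entered in BlackBerry UEM. The following Python sketch is an added example, not BlackBerry or Microsoft code; the function name check_uem_entra_values and the sample values are hypothetical, and it assumes that a Client Key shaped like a GUID is the secret's identifier copied in place of its value.

```python
import re
from urllib.parse import urlsplit

GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def check_uem_entra_values(token_endpoint, client_id, client_key, redirect_uri):
    """Return a list of problems found in the values collected for BlackBerry UEM."""
    problems = []
    # Step 4: the v1 token endpoint ends in /oauth2/token; the v2.0 endpoint
    # ends in /oauth2/v2.0/token and is not the value the procedure asks for.
    ep = urlsplit(token_endpoint)
    if ep.scheme != "https" or not ep.hostname:
        problems.append("token endpoint must be an https URL")
    elif not ep.path.rstrip("/").endswith("/oauth2/token"):
        problems.append("token endpoint is not the OAuth 2.0 (v1) endpoint")
    # Step 10: the Application ID (Client ID) is a GUID.
    if not GUID.fullmatch(client_id.strip()):
        problems.append("client ID is not a GUID")
    # Step 12: the Client Key is the secret's value. Assumption: a key that is
    # itself a GUID is the secret's identifier, copied by mistake.
    key = client_key.strip()
    if not key:
        problems.append("client key is empty")
    elif GUID.fullmatch(key):
        problems.append("client key looks like a secret ID, not the secret value")
    # Step 8: https://<FQDN_of_the_BlackBerry_UEM_server>:<port>/admin/intuneauth
    try:
        uri = urlsplit(redirect_uri)
        port = uri.port          # raises ValueError on a malformed port
    except ValueError:
        uri, port = None, None
    if uri is None or uri.scheme != "https" or not uri.hostname:
        problems.append("redirect URI is not a valid https URL")
    else:
        if port is None:
            problems.append("redirect URI has no explicit port")
        if "." not in uri.hostname:  # heuristic for "fully qualified"
            problems.append("redirect URI host is not fully qualified")
        if uri.path != "/admin/intuneauth" or uri.query or uri.fragment:
            problems.append("redirect URI path must be exactly /admin/intuneauth")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not real tenant data.
    print(check_uem_entra_values(
        "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/v2.0/token",
        "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        "99999999-8888-7777-6666-555555555555",
        "https://uem:443/admin/intuneauth/"))
```

An empty list means the four values have the expected shape; it does not confirm that Entra accepts them.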