Create an enterprise endpoint in Entra

To give BlackBerry UEM access to Microsoft Entra ID, you must create an enterprise endpoint within Entra. The enterprise endpoint allows BlackBerry UEM to authenticate with Microsoft Entra ID. For more information, see the Microsoft resource Quickstart: Register an application in Microsoft Entra ID.

If you are connecting BlackBerry UEM to both Microsoft Intune and the Windows Store for Business, use a different enterprise application for each purpose to avoid issues with different permissions and potential future changes. When you create the application to use with Microsoft Intune (step 11), you must use the Entra account with Global administrator permissions.

- If you use modern authentication, make sure that you have the Reply URL. For instructions on obtaining the Reply URL for modern authentication, see Configure BlackBerry UEM to synchronize with Microsoft Intune in BlackBerry UEM.
1. Log in to the Entra portal.
2. In the left column, click Applications > App registrations.
3. Click Endpoints.
4. Copy the OAuth 2.0 token endpoint (v1) value and paste it to a text file. This is the OAuth 2.0 token endpoint required in BlackBerry UEM.
5. Close the Endpoints list and click New registration.
6. In the Name field, enter a name for the app.
7. Select a supported account type.
8. In the Redirect URI section, in the drop-down list, select Web and enter a valid URL. The URL format is https://<FQDN_of_the_BlackBerry_UEM_server>:<port>/admin/intuneauth
   - If you use client credentials authentication or don't have a registered domain, you can use: http://localhost/
   - If you use modern authentication, enter the Reply URL from BlackBerry UEM. For instructions, see Configure BlackBerry UEM to synchronize with Microsoft Intune in BlackBerry UEM.
9. Click Register. The new registered app appears.
10. Copy the Application ID of your app and paste it to a text file. This is the Client ID required in BlackBerry UEM.
11. Optionally, to maintain a successful connection to Intune based on the client key, add the following additional application permissions under Microsoft Graph > Application permissions:
    - Read and write Microsoft Intune apps (DeviceManagementApps > DeviceManagementApps.ReadWrite.All)
    - Read all groups (Group > Group.Read.All)
    - Read all users' basic profile (User > User.ReadBasic.All)
    Grant administrator consent for all accounts in the current directory. You must be a global administrator to grant permissions.
    It is a best practice to add Application permissions instead of Delegated permissions. If you grant Delegated permissions, the connection to Intune requires an update when the Intune administrator's refresh token expires (the token expires on a regular schedule and when the administrator password changes). Application permissions use the client key for authentication, so the connection does not depend on the administrator's refresh token.
12. Select Certificates and secrets in the Manage section. Perform the following actions:
    - Under Client secrets, click New client secret.
    - Type a description for the client secret.
    - Select a duration for the client secret.
    - Click Add.
    - Copy the value of the new client secret. This is the Client Key that is required in BlackBerry UEM. If you do not copy the value of your key now, you will have to create a new key because the value is not displayed after you leave this screen.
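The three values this procedure has you copy (the OAuth 2.0 token endpoint (v1), the Application ID used as the Client ID, and the client secret used as the Client Key) are exactly what an OAuth 2.0 client credentials grant needs, and the Application permissions note in step 11 is the reason that grant keeps working after an administrator's refresh token expires. The example below is added here and is not BlackBerry or Microsoft code: it builds the v1 client credentials request and then runs a local sanity check on an access token's claims, confirming that the token was issued to the registered Application ID, that it carries the three application permissions as `roles`, and that it does not carry a delegated `scp` claim (which would mean the token was issued on behalf of a signed-in administrator). The endpoint, client ID and secret are placeholders, and the token checked at the bottom is constructed inline so the check runs offline; the claims check does not verify the signature, which is Microsoft Graph's job as the resource.

```python
"""Client credentials grant against the OAuth 2.0 token endpoint (v1) plus a
claims sanity check on the resulting access token.

Added example, not BlackBerry UEM or Microsoft code. The endpoint, client ID
and client secret below are placeholders for the values copied from the Entra
portal; the token checked in __main__ is constructed, not issued by Entra.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

# Placeholders (assumed, not real values) for what the procedure has you copy.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/<TENANT_ID>/oauth2/token"
CLIENT_ID = "<APPLICATION_ID>"
CLIENT_SECRET = "<CLIENT_KEY>"
GRAPH_RESOURCE = "https://graph.microsoft.com"

# Application permissions from step 11. When the app authenticates with its
# client key they appear in the token's "roles" claim, not in "scp".
EXPECTED_ROLES = {
    "DeviceManagementApps.ReadWrite.All",
    "Group.Read.All",
    "User.ReadBasic.All",
}


def build_token_request(endpoint, client_id, client_secret, resource):
    """Form-encoded POST for the v1 client credentials grant."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }).encode()
    return urllib.request.Request(
        endpoint, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def request_token(endpoint, client_id, client_secret, resource):
    """Send the grant request and return the access token (needs network access)."""
    req = build_token_request(endpoint, client_id, client_secret, resource)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(jwt):
    """Return the payload claims of a JWT WITHOUT verifying the signature.

    This is only a local sanity check on what the registration issued; the
    resource (Microsoft Graph) is what validates the signature.
    """
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def check_app_token(claims, client_id, expected_roles, now=None):
    """Return a list of problems with an access token's claims (empty = OK).

    - "appid" (v1 tokens) must be the registered Application ID.
    - "roles" must cover the application permissions granted in step 11.
    - "scp" must be absent: delegated permissions tie the token to a signed-in
      administrator and their refresh token, the dependency the note warns about.
    - the token must not be expired.
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("appid") != client_id:
        problems.append("appid does not match the registered Application ID")
    missing = set(expected_roles) - set(claims.get("roles", []))
    if missing:
        problems.append("missing application permissions: " + ", ".join(sorted(missing)))
    if "scp" in claims:
        problems.append("token carries delegated permissions (scp), not application permissions")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def make_sample_token(claims):
    """Build an unsigned JWT-shaped string from claims (constructed test data only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    # Constructed token shaped like a v1 application token for this registration.
    sample = make_sample_token({
        "appid": CLIENT_ID,
        "roles": sorted(EXPECTED_ROLES),
        "exp": int(time.time()) + 3600,
    })
    print(check_app_token(decode_claims(sample), CLIENT_ID, EXPECTED_ROLES))  # -> []
```

To use it against a live tenant, replace the placeholders with the copied values and call `request_token(...)`, then pass `decode_claims(token)` to `check_app_token`. A non-empty result after administrator consent was granted usually means consent is missing for one of the listed permissions, or that the secret is being used with a delegated flow instead of client credentials.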