Enable modern authentication for the Mail service in BEMS
You must allow
BEMSto authenticate with
Microsoft Office 365to access users’ mailboxes and send notifications to users’ devices when new email is received on the device.
When using modern authentication,
BEMSleverages the WS-Trust protocol. For
BEMSto authenticate with
AzureAD, the MetadataExchangeUri value must be set within Azure in your organization's Federation settings. If the MetadataExchangeUri value is not set,
BEMScannot authenticate using the modern authentication settings. For more information, visit set-msoldomainauthentication?view=azureadps-1.0.
Some third-party identity providers (IDPs) may not require this value to be set during the initial configuration. If the MetadataExchangeUri for your organization is not currently set, consult with your IDP vendor or with
Microsoftbefore you make any changes to your Federation settings.
- Verify that you have the following information and completed the following task:
- If you enable modern authentication using Credential, theClient Application ID. For instructions, see Obtain an Azure app ID for BEMS with credential authentication.
- If you enable Modern Authentication using a Client Certificate:
- TheClient Application ID with certificate based authentication. For instructions, see Obtain an Azure app ID for BEMS with certificate-based.
- In theBlackBerry Enterprise Mobility Server Dashboard, underBlackBerry Services Configuration, click
- ClickMicrosoft Exchange.
- In theSelect Authentication typesection, select an authentication type based on your environment and complete the associated tasks to allowBEMSto communicate withMicrosoft Office 365:Authentication typeDescriptionTaskCredentialThis option uses theBEMSusername and password to authenticate toMicrosoft Office 365.
Client CertificateThis option uses a client certificate to allow theBEMSservice account to authenticate toMicrosoft Office 365.
- In theUsernamefield, enter the service account's User Principal Name (UPN)
- In thePasswordfield, enter the password for the service account.
- For theUpload PFX file, clickChoose Fileand select the client certificate file. For instructions on obtaining the .pfx file, see mhc1516685256437.html.
- In theEnter PFX file Passwordfield, enter the password for the client certificate.
- Select theEnable Modern Authenticationcheckbox.
- In theAuthentication Authorityfield, enter the Authentication Server URL thatBEMSaccesses and retrieve the OAuth token for authentication withOffice 365(for example, https://login.microsoftonline.com/<tenantname>). By default, the field is prepopulated with https://login.microsoftonline.com/common.
- In theServer Namefield, enter the FQDN of theMicrosoft Office 365server. By default, the field is prepopulated with https://outlook.office365.com.When you configure modern authentication, all nodes use the specified configuration.
- Under theAutodiscover and Exchange Optionssection, complete one of the following actions. Most environments only require the default settings. Before modifying the settings, test the change in your environment.TaskStepsOverride Autodiscover URLIf you select to override the autodiscover process,BEMSuses the override URL to obtain user information fromMicrosoft Office 365.
Autodiscover andMicrosoft Exchange Serveroptions
- Select theOverride Autodiscover URLcheckbox.
- In theAutodiscover URLfield, type the autodiscover endpoint (for example, https://example.com/autodiscover/autodiscover.svc).
- Select theSwap ordering of <check box to assist in resolving the autodiscover URL. Consider selecting this option if the order results in timeouts or other failures.domain.com>/autodiscover and autodiscover. <domain.com>/autodiscover
- Modify theTCP Connect timeout for Autodiscover url(milliseconds)field as required to prevent failures when autodiscovery takes too long. By default, the timeout is set to 120000. The recommended timeout is between 5000 milliseconds (5 seconds) and 120000 milliseconds (120 seconds).
- By default, theEnable SCP record lookupcheckbox is selected. If you clear the checkbox,BEMSdoes not perform aMicrosoft Active Directorylookup of Autodiscover URLs. This option is not available when Override Autodiscover URL is selected.
- Select theUse SSL connection when doing SCP lookupcheckbox to allowBEMSto communicate with theMicrosoft Active Directoryusing SSL. If you enable this feature, you must import theMicrosoft Active Directorycertificate to each computer that hosts an instance ofBEMS. This option is not available when Override Autodiscover URL is selected.
- By default, theEnforce SSL Certificate validation when communicating with Microsoft Exchange and LDAP servercheck box is selected.
- By default, theAllow HTTP redirection and DNS SRV recordcheckbox is selected. If you clear the checkbox, you disable HTTP Redirection and DNS SRV record lookups for retrieving the Autodiscover URL when discovering users forBlackBerry WorkPush Notifications.
- Select theForce re-autodiscover of user on all Microsoft Exchange errorscheckbox to forceBEMSto perform the autodiscover again for the user whenMicrosoft Office 365returns an error message.
- In theEnd User Email Addressfield, type an email address to test connectivity toMicrosoft Office 365using the service account. You can delete the email address after you complete the test.
If you selectedMail. The following certificate information is displayed:
Client Certificateauthentication, you can view the certificate information. Click
- Validation period
- Serial number