Skip Navigation
  1. BlackBerry Docs
  2. BlackBerry Enterprise Mobility Server 3.5
  3. Configuring the BlackBerry Docs service
  4. Steps to configure the Docs service
  5. Configure the Docs security settings
  6. Obtain an Azure app ID for the BEMS-Docs component service

Obtain an
Azure
 app ID for the
BEMS-Docs
 component service

When your environment is configured for
Microsoft SharePoint Online
,
Microsoft OneDrive for Business
, or
Microsoft Azure
-IP you must register the
BEMS
 component services in
Azure
. You can register one or more of the services in Azure. In this task, the
Docs
 services and
Microsoft Azure
-IP are registered in Azure.
To grant permissions, you must use an account with tenant administrator permissions.
  1. Sign in to portal.azure.com.
  2. In the left column, click
    Azure Active Directory
    .
  3. Click
    App registrations
    .
  4. Click
    New registration
    .
  5. In the
    Name
     field, enter a name for the app. For example, AzureAppIDforBEMS.
  6. Select a supported account type. 
  7. In the
    Redirect URI
     drop-down list, select
    Web
     and enter
    https://localhost:8443
    .
  8. Click
    Register
    .
  9. Record the
    Application (client) ID
    .
    This is used as the
    BEMS Service Azure Application ID
     value for the Docs > Settings service in the
    BEMS
     dashboard.
  10. In the
    Manage
     section, click
    API permissions
    .
  11. Click
    Add a permission
    .
  12. Complete one or more of the following tasks:
    Service
    Permissions
    If you configure
    BEMS-Docs
     to use
    Microsoft SharePoint Online
     or
    Microsoft OneDrive for Business
    1. Search for and click
      SharePoint
      .
    2. Set the following permissions:
      • In application permissions, clear all of the permissions.
        1. Click
          Application permissions
          .
        2. Click expand all. Make sure that all options are cleared.
      • In delegated permissions, select the
        Read and write items and item lists in all site collections
         checkbox.  None. Clear the check boxes for all options.
      • Delegated permissions
         Select the
        Read and write items and lists in all site collections
         checkbox. (
        AllSite > AllSites.Manage
        )
    3. Click
      Add permissions
      .
    If you use
    Microsoft Azure
    -IP
    1. Click
      Microsoft Graph
      . If
      Microsoft Graph
       is not listed, add
      Microsoft Graph
      .
    2. Set the following permissions:
      • In application permissions, select the
        Read directory data
         checkbox (
        Directory > Directory.Read.All
        ).
      • In delegated permissions, select the
        Read directory data
         checkbox (
        Directory > Directory.Read.All
        ).
    3. Click
      Update permissions
      .
    4. Add a permission
      .
    5. In the
      Select an API
       section, click
      Azure Rights Management Services
      . Set the following permissions:
      • In application permissions, select all of the permissions.
        1. Click
          Application permissions
          .
        2. Make sure that all Content options are selected.
      • In delegated permissions, select the
        user_impersonation
         checkbox.
    6. Click
      Add permissions
      .
    7. Click
      Add a permission
      .
    8. In the
      Select an API
       section, click
      APIs my organization uses
      .
    9. Search for and click
      Microsoft Information Protection Sync Service
      . Set the following permission:
      • In delegated permissions, select the
        Read all unified policies a user has access to
         checkbox (
        UnifiedPolicy > UnifiedPolicy.User.Read
        ).
    10. Click
      Add permissions
      .
  13. Wait a few minutes, then click
    Grant admin consent
    . Click
    Yes
    .
    This step requires tenant administrator privileges.
  14. To allow autodiscovery to function as expected, set the authentication permissions. Complete the following steps:
    1. In the
      Manage
       section, click
      Authentication
      .
    2. Under the
      Allow public client flows
       section, select
      Yes
       to
      Enable the following mobile and desktop flows
      .
    3. Click
      Save
      .
  15. Define the scope and trust for this API. In the
    Manage
     section, click
    Expose an API
    . Complete the following tasks.
    Task
    Steps
    Add a scope
    The scope restricts access to data and functionality protected by the API.
    1. Click
      Add a scope
      .
    2. Click
      Save and continue
      .
    3. Complete the following fields and settings:
      • Scope name: Provide a unique name for the scope.
      • Who can consent: Click
        Admins and user
        .
      • Admin consent display name: Enter a descriptive name.
      • Admin consent description: Enter a description for the scope.
      • State: Click
        Enabled
        . By default, the state is enabled.  
    4. Click
      Add Scope
      .
    Add a client application
    Authorizing a client application indicates that the API trusts the application and users shouldn't be prompted for consent.
    1. Click
      Add a client application
      .
    2. In the
      Client ID
       field, enter the client ID that you recorded in step 9 above.
    3. Select the
      Authorized scopes
       checkbox to specify the token type that is returned by the service.
    4. Click
      Add application
  16. In the
    Manage
     section, click
    Certificates & secrets
     and add a client secret. Complete the following steps:
    1. Click
      New client secret
      .
    2. In the
      Description
       field, enter a key description up to a maximum of 16 characters including spaces.
    3. Set an expiration date (for example, In 1 year, In 2 years, Never expires). 
    4. Click
      Add
      .
    5. Copy the key
      Value
      .
      The Value is available only when you create it. You cannot access it after you leave the page.
      This is used as the
      BEMS Service Application Key
       in the
      BEMS-Docs
       service in the
      BEMS
       Dashboard.