Configure BEMS to communicate with a Microsoft Office 365 environment using Microsoft Graph API
Complete this task only if your environment requires new client app registrations.
You must allow Microsoft Office 365 to access users’ mailboxes and send notifications to users’ devices when new email is received in the user's mailbox using Microsoft Graph. When you configure BEMS to use the Microsoft Graph API, your environment is using modern authentication. After you configure the Microsoft Graph API, you must configure the autodiscover.
Microsoft started to deprecate the Microsoft Exchange Web Services (EWS) for Microsoft Exchange Online APIs, replacing the EWS with Microsoft Graph. For more information, visit techcommunity.microsoft.com and read 'Upcoming API Deprecations in Exchange Web Services for Exchange Online'.
For information on configuring email notifications for BEMS Cloud, see the BlackBerry UEM Cloud content.
Verify that you have the following information and have completed the appropriate tasks.
- Verify that you completed the following:
- If you enable Microsoft Graph using a Client Certificate:
- In environments where the metadata endpoint is protected by mutual TLS authentication, make sure that you imported the mutual TLS certificate into the BEMS keystore. For instructions, see Import the trusted mutual TLS certificates into the BEMS keystore.
- In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click
- Click Microsoft Graph.
- Select the Use Microsoft Graph check box.
- In the Select Authentication type section, select an authentication type based on your environment and complete the associated tasks to allow BEMS to communicate with Microsoft Office 365:
  - Client Certificate: This option uses a client certificate to allow the BEMS service account to authenticate to Microsoft Office 365.
  - Client Secret: This option uses a client secret to allow the BEMS service account to authenticate to Microsoft Office 365. The client secret is created during the application registration process.
- For the Upload PFX file, click Choose File and select the client certificate file. For instructions on obtaining the .PFX file, see Associate a certificate with the Azure app ID for BEMS.
- In the Enter PFX file Password field, enter the password for the client certificate.
- In the Authentication Authority field, enter the Authentication Server URL that BEMS accesses to retrieve the OAuth token for authentication with Microsoft Office 365. By default, the field is prepopulated with https://login.microsoftonline.com/common. The authentication server URL must be in the format of https://login.microsoftonline.com/tenantname or https://login.microsoftonline.com/tenantid.
- In the Client Application ID field, enter the Azure app ID for the credential authentication. For instructions, see the App ID for BEMS using credential authentication.
- In the Server Name field, enter the FQDN of the Microsoft Office 365 server. By default, the field is prepopulated with https://graph.microsoft.com.
- In the External Notification URL field, enter the URL that your IT department provided when they registered with Microsoft for callbacks on port 443 to send and receive notifications. Optionally, to restrict the traffic that the firewall accepts to only the external notification URL, enter https://<your_ExternalNotificationURL>/notificationClient/ (for example, bems.example.com:443/notificationClient). For more information, see the BlackBerry Push Notifications (Mail) prerequisites in the BEMS Installation content.
- In the End User Email Address field, type an email address to test connectivity to Microsoft Office 365 using the service account. Click Test. You can delete the email address after you complete the test.
- Configure the Autodiscover and Exchange Options in Configure BEMS to communicate with the Microsoft Exchange Server, Microsoft Office 365, or hybrid environment (step 5). You can configure the Autodiscovery and Exchange Options settings (Mail > Microsoft Exchange) using one of the following authentication types: Credential, Credential + Modern Authentication, Client Certificate + Modern Authentication, or Passive Authentication.
- If you selected Client Certificate authentication, you can view the certificate information. Click
- Validation period
- Serial number
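
The URL rules in the steps above (tenant-specific Authentication Authority, HTTPS Server Name, External Notification URL on port 443 under /notificationClient) can be checked before the values are typed into the dashboard. The following is an added example, not BlackBerry or Microsoft code; the function names and dictionary keys are hypothetical, and treating the prepopulated /common value as a finding is this example's reading of the format requirement.

```python
import re
from urllib.parse import urlsplit

TENANT_ID = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)  # GUID
TENANT_NAME = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)  # assumption: DNS-style name

def check_authority(url):
    """Authentication Authority: https://login.microsoftonline.com/<tenantname|tenantid>."""
    u = urlsplit(url.strip())
    if u.scheme != "https" or u.hostname != "login.microsoftonline.com":
        return ["authority must be an https://login.microsoftonline.com URL"]
    tenant = u.path.strip("/")
    if tenant.lower() == "common":
        return ["authority is still the prepopulated /common default"]
    if not (TENANT_ID.match(tenant) or TENANT_NAME.match(tenant)):
        return ["authority path is not a tenant name or tenant ID: %r" % tenant]
    return []

def check_notification_url(url):
    """External Notification URL: HTTPS on port 443, path /notificationClient."""
    u = urlsplit((url if "://" in url else "https://" + url).strip())
    problems = []
    if u.scheme != "https" or not u.hostname:
        problems.append("notification URL must be https with a host name")
    try:
        port = u.port or 443
    except ValueError:  # non-numeric or out-of-range port
        port = None
    if port != 443:
        problems.append("notification callbacks are expected on port 443")
    if u.path.rstrip("/") != "/notificationClient":
        problems.append("path must be /notificationClient")
    return problems

def preflight(settings):
    """Collect findings for the URL fields on the Microsoft Graph page."""
    findings = check_authority(settings["authentication_authority"])
    if urlsplit(settings["server_name"]).scheme != "https":
        findings.append("server name must be an https URL")
    return findings + check_notification_url(settings["external_notification_url"])

# Constructed sample: the prepopulated defaults plus the page's example host.
SAMPLE = {
    "authentication_authority": "https://login.microsoftonline.com/common",
    "server_name": "https://graph.microsoft.com",
    "external_notification_url": "bems.example.com:443/notificationClient",
}
if __name__ == "__main__":
    print("\n".join(preflight(SAMPLE)) or "no findings")
```

An empty result means the three fields match the formats the steps describe; it does not replace the dashboard's Test button, which checks real connectivity.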