Obtain an Entra app ID for the BEMS-Docs component service

When your environment is configured for Microsoft SharePoint Online, Microsoft OneDrive for Business, or Microsoft Entra ID-IP, you must register the BEMS component services in Entra. You can register one or more of the services in Entra. In this task, the Docs services and Microsoft Entra ID-IP are registered in Entra.
- To grant permissions, you must use an account with tenant administrator permissions.
- Verify that you have recorded the Application ID for BlackBerry Work. For more information, see Obtained an Entra app ID for BlackBerry Work.
- Sign in to entra.microsoft.com.
- In the left column, click Applications > App registrations.
- Click New registration.
- In the Name field, enter a name for the app. For example, AzureAppIDforBEMS.
- Select a supported account type.
- In the Redirect URI drop-down list, select Web and enter https://localhost:8443.
- Click Register.
- Record the Application (client) ID. This is used as the BEMS Service Azure Application ID value in the BlackBerry UEM management console. This is used as the BEMS Service Azure Application ID value for the Docs > Settings service in the BEMS dashboard.
- In the Manage section, click API permissions.
- Click Add a permission.
- Complete one or more of the following tasks:
Service: If you configure BEMS-Docs to use Microsoft SharePoint Online or Microsoft OneDrive for Business
Permissions:
- Search for and click SharePoint.
- Set the following permissions:
- In application permissions, clear all of the permissions.
- Click Application permissions.
- Click expand all. Make sure that all options are cleared.
- In Delegated permissions, click AllSites and select the AllSites.Manage checkbox to grant Read and write items and lists in all site collections. Verify that all other options are cleared.
- Click Add permissions.
Service: If you use Microsoft Entra ID-IP
Permissions:
- Click Microsoft Graph. If Microsoft Graph is not listed, add Microsoft Graph.
- Set the following permissions:
- In application permissions, select the Read directory data checkbox (Directory > Directory.Read.All).
- In delegated permissions, select the Read directory data checkbox (Directory > Directory.Read.All).
- Click Update permissions.
- Add a permission.
- In the Select an API section, click Azure Rights Management Services. Set the following permissions:
- In application permissions, select all of the permissions.
- Click Application permissions.
- Make sure that all Content options are selected.
- In delegated permissions, select the user_impersonation checkbox.
- Click Add permissions.
- Click Add a permission.
- In the Select an API section, click APIs my organization uses.
- Search for and click Microsoft Information Protection Sync Service. In delegated permissions, select the Read all unified policies a user has access to checkbox (UnifiedPolicy > UnifiedPolicy.User.Read).
- Click Add permissions.
- Wait a few minutes, then click Grant admin consent. Click Yes. This step requires tenant administrator privileges.
- To allow autodiscovery to function as expected, set the authentication permissions. Complete the following steps:
- In the Manage section, click Authentication.
- Under the Allow public client flows section, select Yes to Enable the following mobile and desktop flows.
- Click Save.
- Define the scope and trust for this API. In the Manage section, click Expose an API. Complete the following tasks.
Task: Add a scope
Steps: The scope restricts access to data and functionality protected by the API.
- Click Add a scope.
- Click Save and continue.
- Complete the following fields and settings:
- Scope name: Provide a unique name for the scope.
- Who can consent: Click Admins and user.
- Admin consent display name: Enter a descriptive name.
- Admin consent description: Enter a description for the scope.
- State: Click Enabled. By default, the state is enabled.
- Click Add Scope.
Task: Add a client application
Steps: Authorizing a client application indicates that the API trusts the application and users shouldn't be prompted for consent.
- Click Add a client application.
- In the Client ID field, enter the BlackBerry Work Application ID that you recorded when you obtained an Entra app ID for BlackBerry Work.
- Select the Authorized scopes checkbox to specify the token type that is returned by the service.
- Click Add application.
- In the Manage section, click Certificates & secrets and do the following:
- Click New client secret.
- In the Description field, enter a key description up to a maximum of 16 characters including spaces.
- Set an expiration date.
- Click Add.
- Copy the key Value. The Value is available only when you create it. You cannot access it after you leave the page. If you do not record the value, you must create a new one. This is used as the BEMS Service Azure Application Key in the dashboard and BlackBerry UEM management console.
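
After the registration is complete, it is worth checking that the app holds only the permissions this procedure names. The following Python audit is an added example, not BlackBerry or Microsoft code: it compares a registration against the permission set above and reports extra or missing grants, a wrong redirect URI, disabled public client flows, and expired secrets. The input format (a dictionary with permission names already resolved) is a hypothetical export, and `audit`, `EXPECTED`, `UNCHECKED` and `SAMPLE` are names introduced here.

```python
from datetime import date

# Permissions named in the procedure, keyed by (API, permission type).
EXPECTED = {
    ("SharePoint", "Delegated"): {"AllSites.Manage"},
    ("SharePoint", "Application"): set(),  # the procedure clears all of these
    ("Microsoft Graph", "Application"): {"Directory.Read.All"},
    ("Microsoft Graph", "Delegated"): {"Directory.Read.All"},
    ("Azure Rights Management Services", "Delegated"): {"user_impersonation"},
    ("Microsoft Information Protection Sync Service", "Delegated"): {"UnifiedPolicy.User.Read"},
}
# The page says "select all" here without naming them, so this pair is skipped.
UNCHECKED = {("Azure Rights Management Services", "Application")}

def audit(app, today):
    """Return sorted findings for a name-resolved export (hypothetical format)."""
    findings, granted = [], {}
    for p in app["permissions"]:
        granted.setdefault((p["api"], p["type"]), set()).add(p["name"])
    for key, names in granted.items():
        if key not in UNCHECKED:
            for extra in names - EXPECTED.get(key, set()):
                findings.append(f"unexpected {key[1]} permission {key[0]}/{extra}")
    apis_in_use = {api for api, _ in granted}
    for (api, kind), names in EXPECTED.items():
        if api in apis_in_use:  # only services this deployment registered
            for miss in names - granted.get((api, kind), set()):
                findings.append(f"missing {kind} permission {api}/{miss}")
    if app["redirect_uris"] != ["https://localhost:8443"]:
        findings.append("redirect URIs differ from https://localhost:8443")
    if not app["public_client_flows"]:
        findings.append("public client flows disabled; autodiscovery needs them")
    for s in app["secrets"]:
        if date.fromisoformat(s["expires"]) <= today:
            findings.append(f"client secret '{s['description']}' has expired")
    return sorted(findings)

# Constructed sample: over-privileged on SharePoint, Graph half-configured.
SAMPLE = {
    "redirect_uris": ["https://localhost:8443"],
    "public_client_flows": True,
    "permissions": [
        {"api": "SharePoint", "type": "Delegated", "name": "AllSites.Manage"},
        {"api": "SharePoint", "type": "Application", "name": "Sites.FullControl.All"},
        {"api": "Microsoft Graph", "type": "Delegated", "name": "Directory.Read.All"},
    ],
    "secrets": [{"description": "BEMS Docs key", "expires": "2024-01-31"}],
}
```

Calling `audit(SAMPLE, date(2024, 6, 1))` returns one finding per deviation; an empty list means the registration matches the procedure for the services it uses.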