Configure BEMS to communicate with the Microsoft Exchange
Server, Microsoft 365, or hybrid environment
BEMS
to communicate with the Microsoft Exchange
Server
, Microsoft 365
, or hybrid environmentIf your
BEMS
environment uses Microsoft Graph
to communicate with Microsoft 365
, see Configure BEMS to communicate with a Microsoft 365 environment using Microsoft Graph API. You must allow BEMS
to authenticate to Microsoft Exchange
Server
or Microsoft 365
to access users’ mailboxes and send notifications to users’ devices when new email is received on the device. A hybrid modern authentication environment (for example, on-premises Microsoft Exchange
Server
and Microsoft 365
), allows the on-premises Microsoft Exchange
Server
to use a more secure user authentication and authorization by consuming OAuth access tokens obtained from the cloud. For more information, see the Microsoft
resource How to configure Exchange Server on-premises to use Hybrid Modern Authentication.
For information on configuring email notifications for
BlackBerry Work
using BEMS
Cloud, see the BlackBerry UEM Cloud
content. Verify that you have the following information and completed the appropriate tasks.
- Verify that the service account has impersonation rights on theMicrosoft Exchange Server.
- In aMicrosoft 365environment, if you plan to enable Modern Authentication, verify that you completed the following:
- If you enable Modern Authentication using a Client Certificate:
- In environments where the metadata endpoint is protected by mutual TLS authentication, make sure that you imported the mutual TLS certificate in to theBEMSkeystore. For instructions, see Import the trusted mutual TLS certificates into the BEMS keystore. This feature requires that you enable modern authentication using Credential or Client Certificate.
- In a hybridMicrosoft 365and on-premisesMicrosoft Exchange Serverenvironment, if you enable Modern Authentication, make sure that the on-premisesMicrosoft Exchange Serveris configured to use hybrid modern authentication. For more information, see theMicrosoftresource How to configure Exchange Server on-premises to use Hybrid Modern Authentication. If theMicrosoft Exchange Serveris not configured appropriately, users won't receive email notifications.
- In aMicrosoft 365environment, if you use Passive Authentication, verify that you have the App ID for BEMS using credential authentication.
- In theBlackBerry Enterprise Mobility Server Dashboard, underBlackBerry Services Configuration, clickMail.
- ClickMicrosoft Exchange.
- In theSelect Authentication typesection, select an authentication type based on your environment and complete the associated tasks to allowBEMSto communicate with theMicrosoft Exchange ServerorMicrosoft 365:Authentication typeEnvironmentDescriptionTaskIntegratedMicrosoft Exchange Serveron-premisesThis option uses theWindowsauthentication credentialsGood Technology Common Servicesservice to authenticate to theMicrosoft Exchange Serverusing Basic Authentication.No additional actions are required.Credential
- On-premisesMicrosoft Exchange Server
- Microsoft 365
This option uses a definedBEMSusername and password to authenticate to- Microsoft Exchange Serverusing Basic Authentication
- Microsoft 365requires Modern Authentication*
- In theUsernamefield, enter the username of theBEMSservice account.
- ForMicrosoft 365, enter the service account's User Principal Name (UPN
- For on-premisesMicrosoft Exchange Server, use the format <domain>\<username>.
- In thePasswordfield, enter the password for the service account.
Client Certificate- On-premisesMicrosoft Exchange Server
- Microsoft 365
This option uses a client certificate to allow theBEMSservice account to authenticate to theMicrosoft Exchange ServerorMicrosoft 365.- For theUpload PFX file, clickChoose Fileand select the client certificate file. For instructions on obtaining the .PFX file, see Associate a certificate with the Entra app ID for BEMS
- In theEnter PFX file Passwordfield, enter the password for the client certificate.
Passive Authentication- Microsoft 365
- In a hybrid environment, on-premisesMicrosoft Exchange Server**
This option uses an identity provider (IDP) to authenticate the user and provideBEMSwith OAuth tokens to authenticate toMicrosoft 365. In a hybrid environment, authenticates to on-premisesMicrosoft Exchange Server**.- In theAuthentication Authorityfield, enter the Authentication Server URL thatBEMSaccesses and retrieve the OAuth token for authentication withMicrosoft 365(for example, https://login.microsoftonline.com/<tenantname>). By default, the field is prepopulated with https://login.microsoftonline.com/common.
- In theClient Application IDfield, enter theEntraapp ID for the credential authentication. For instructions, see the App ID for BEMS using credential authentication.
- In theServer Namefield, enter the FQDN of theMicrosoft 365server. By default, the field is prepopulated with https://outlook.office365.com .
- In theRedirect URIfield, enter the URL that the IDP redirects the administrator to when the client app ID is authorized and the authentication tokens are provided. If you remotely log in to the computer that hosts theBEMSand perform the configuration from the computer's browser, enterhttps://localhost:8443/PassiveAuth), otherwise enterhttps://<FQDN of the computer that hosts the BEMS instance in lower case>:8443/PassiveAuthThe URI must be the same URI as theBEMSURI and whitelisted in theEntraportal for the application ID.
- ClickLogin.
- Enter the credentials for the service account.
- ClickOKto acknowledge that the authentication tokens were obtained.
- Important:BEMSdoesn't automatically refresh the OAuth tokens. Repeat steps e to g to refresh the OAuth tokens. The tokens expiration time depends on your tenant policy (by default, the token expiration is 90 days). When the OAuth tokens expire, email notifications on the users' devices stop. The OAuth token expiration is displayed after you log in to the IDP.
*IfBEMSuses Credential Authentication to authenticate to aMicrosoft 365environment, you must enable Modern Authentication. For more information, see theMicrosoftresource Deprecation of Basic authentication in Exchange Online.**TheMicrosoft Exchange Serveron-premises must be configured to use hybrid modern authentication. For more information, see theMicrosoftresource How to configure Exchange Server on-premises to use Hybrid Modern Authentication. - In aMicrosoft 365environment that uses Credential or Client certificate authentication, enable Modern Authentication and use mutual TLS authentication. Complete the following steps:
- Select theEnable Modern Authenticationcheckbox.
- If your environment uses Client certificate authentication, in theAuthentication Authorityfield, enter the Authentication Server URL thatBEMSaccesses and retrieve the OAuth token for authentication withMicrosoft 365(for example, https://login.microsoftonline.com/<tenantname> or https://login.microsoftonline.com/<tenantid>). By default, the field is prepopulated with https://login.microsoftonline.com/common.
- In theClient Application IDfield, enter one of the followingEntraapp IDs depending on the authentication type you selected:
- In theServer Namefield, enter the FQDN of theMicrosoft 365server. By default, the field is prepopulated with https://outlook.office365.com.
- Optionally, select theUse Credentials if Modern Authentication failscheck box to allowBEMSto communicate withMicrosoft 365in the event thatBEMScan't access the modern authentication source. When you select this check box, you must provide theBEMSservice account credentials.
- Optionally, select theUse Mutual TLS Authenticationcheck box to allowBEMSto respond to mutual TLS authentication requests. This step requires that the mutual TLS certificate is imported intoBEMS. For instructions, see Import the trusted mutual TLS certificates into the BEMS keystore.
When you configure Modern Authentication, all nodes use the specified configuration. - Under theAutodiscover and Exchange Optionssection, complete one of the following actions:TaskStepsOverride Autodiscover URLIf you select to override the autodiscover process,BEMSuses the override URL to obtain user information from theMicrosoft Exchange ServerorMicrosoft 365. For more information about best practices when enabling autodiscover, see Best practice: Enabling autodiscovery.
- Select theOverride Autodiscover URLcheckbox.
- In theAutodiscover URLOverride Autodiscover field, type the autodiscover endpoint (for example, https://autodiscover<domain>.com/autodiscover/autodiscover.svc).
Autodiscover andMicrosoft Exchange Serveroptions- Select theSwap ordering of <check box to assist in resolving the autodiscover URL. Consider selecting this option if the order results in timeouts or other failures.domain.com>/autodiscover and autodiscover. <domain.com>/autodiscover
- Optionally, modify theTCP Connect timeout for Autodiscover url (milliseconds)field as required to prevent failures when autodiscovery takes too long. By default, the timeout is set to 120000. The recommended timeout for the Autodiscover url is between 5000 milliseconds (5 seconds) and 120000 milliseconds (120 seconds).
- By default, theEnable SCP record lookupcheckbox is selected. If you clear the checkbox,BEMSdoes not perform aMicrosoft Active Directorylookup of Autodiscover URLs. This option is not available when Override Autodiscover URL is selected.
- Optionally, select theUse SSL connection when doing SCP lookupcheck box to allowBEMSto communicate with theMicrosoft Active Directoryusing SSL. If you enable this feature, you must import theMicrosoft Active Directorycertificate to each computer that hosts an instance ofBEMS. This option is not available when Override Autodiscover URL is selected.
- By default, theEnforce SSL Certificate validation when communicating with Microsoft Exchange and LDAP servercheck box is selected. If you clear this setting and use an un-trusted certificate, then the connection to the on-premisesMicrosoft Exchange Serverfails.
- By default, theAllow HTTP redirection and DNS SRV recordcheck box is selected. If you clear the checkbox, you disable HTTP Redirection and DNS SRV record lookups for retrieving the Autodiscover URL when discovering users forBlackBerry WorkPush Notifications.
- Optionally, select theForce re-autodiscover of user on all Microsoft Exchange errorscheckbox to forceBEMSto perform the autodiscover again for the user when theMicrosoft Exchange ServerorMicrosoft 365returns an error message.
- In theEnd User Email Addressfield, type an email address to test connectivity to theMicrosoft Exchange ServerorMicrosoft 365using the service account. ClickTest. You can delete the email address after you complete the test.If the service account is correctly configured and the test fails,BEMSis attempting to communicate with aMicrosoft Exchange Serverthat is not using a trusted SSL Certificate. If yourMicrosoft Exchange Serveris not set up to use a trusted SSL certificate, see "Importing CA certificates for BEMS" in the BEM-Core content.
- ClickSave.