Skip Navigation
  1. BlackBerry Docs
  2. BlackBerry Enterprise Mobility Server 3.8
  3. Configuring BlackBerry Mail
  4. BlackBerry Mail (BEMS Push Notifications service)
  5. Steps to configure Push Notifications
  6. Configure BEMS to communicate with the Microsoft Exchange Server, Microsoft Exchange Online, or hybrid environment

Configure
BEMS
 to communicate with the
Microsoft Exchange Server
,
Microsoft Exchange Online
, or hybrid environment

If your
BEMS
 environment uses
Microsoft Graph
 to communicate with
Microsoft Exchange Online
, see Configure BEMS to communicate with a Microsoft Exchange Online environment using Microsoft Graph API. You must allow
BEMS
 to authenticate to
Microsoft Exchange Server
 or
Microsoft Exchange Online
 to access users’ mailboxes and send notifications to users’ devices when new email is received on the device. A hybrid modern authentication environment (for example, both on-premises
Microsoft Exchange Server
 and
Microsoft Exchange Online
), allows the on-premises
Microsoft Exchange Server
 to use a more secure user authentication and authorization by consuming OAuth access tokens obtained from the cloud. For more information, see the
Microsoft
 resource How to configure Exchange Server on-premises to use Hybrid Modern Authentication.
For information on configuring email notifications for
BlackBerry Work
 using
BEMS
 Cloud, see the
BlackBerry Work
 administration content.
Verify that you have the following information and completed the appropriate tasks.
  1. In the
    BlackBerry Enterprise Mobility Server Dashboard
    , under
    BlackBerry Services Configuration
    , click
    Mail
    .
  2. Click
    Microsoft Exchange
    .
  3. In the
    Select Authentication type
     section, select an authentication type based on your environment and complete the associated tasks to allow
    BEMS
     to communicate with the
    Microsoft Exchange Server
     or
    Microsoft Exchange Online
    :
    The Passive authentication type has been deprecated due to
    Microsoft
    's deprecation of the Application Impersonation permission in
    Microsoft Exchange Online
     environments. To avoid email notifications for users in the environment, you must configure
    BEMS
     to use certificate-based authentication for modern authentication, or
    Microsoft Graph
     to communicate to user's mailboxes. The passive authentication type will be removed in a future release. For more information, see BEMS: Customers using Office 365 and EWS with Credential or Passive Authentication will stop receiving notifications.
    Authentication type
    Environment
    Description
    Task
    Integrated
    On-premises
    Microsoft Exchange Server
    This option uses the Windows authentication credentials
    Good Technology Common Services
     service to authenticate to the
    Microsoft Exchange Server
     using Basic Authentication.
    No additional actions are required.
    Credential
    On-premises
    Microsoft Exchange Server
    This option uses a defined
    BEMS
     username and password to authenticate to the
    Microsoft Exchange Server
     using Basic Authentication.
    1. In the
      Username
       field, enter the username of the
      BEMS
       service account. Use the format <
      domain
      >/<
      username
      >.
    2. In the
      Password
       field, enter the password for the service account.
    Client Certificate
    This option uses a client certificate to allow the
    BEMS
     service account to authenticate to the
    Microsoft Exchange Server
     or
    Microsoft Exchange Online
    .
    1. For the
      Upload PFX
       file, click
      Choose File
       and select the client certificate file. For instructions on obtaining the .PFX file, see Associate a certificate with the Entra app ID for BEMS.
    2. In the
      Enter PFX file Password
       field, enter the password for the client certificate.
  4. In a
    Microsoft Exchange Online
     environment that uses Client certificate authentication, enable Modern Authentication and use mutual TLS authentication. When you configure Modern Authentication, all nodes use the specified configuration. Note that the "use Credentials if Modern authentication fails" option has been deprecated due to
    Microsoft
    's deprecation of the Application Impersonation permission for users' mailboxes that are on
    Microsoft Exchange Online
    , enabled for modern authentication, and configured to use credential or passive authentication methods. The option will be removed in a future release. For more information, see BEMS: Customers using Office 365 and EWS with Credential or Passive Authentication will stop receiving notifications. Complete the following steps:
    1. Select the
      Enable Modern Authentication
       checkbox.
    2. In the
      Authentication Authority
       field, enter the Authentication Server URL that BEMS accesses and retrieve the OAuth token for authentication with
      Microsoft Exchange Online
       (for example, https://login.microsoftonline.com/<tenantname> or https://login.microsoftonline.com/<
      tenantid
      >). By default, the field is prepopulated with https:// login.microsoftonline.com/common.
    3. In the
      Client Application ID
       field, enter the Entra app ID. For instructions, see Obtain an Entra app ID for BEMS with certificate-based authentication.
    4. In the
      Server Name
       field, enter the FQDN of the
      Microsoft Exchange Online
      . By default, the field is prepopulated with https://outlook.office365.com.
    5. Optionally, select the
      Use Mutual TLS Authentication
       check box to allow
      BEMS
       to respond to mutual TLS authentication requests. This step requires that the mutual TLS certificate is imported into
      BEMS
      . For instructions, see Import the trusted mutual TLS certificates into the BEMS keystore.
  5. Under the
    Autodiscover and Exchange Options
     section, complete one of the following actions:
    Task
    Steps
    Override Autodiscover URL
    If you select to override the autodiscover process,
    BEMS
     uses the override URL to obtain user information from the
    Microsoft Exchange Server
     or
    Microsoft Exchange Online
    . For more information about best practices when enabling autodiscover, see Best practice: Enabling autodiscovery.
    1. Select the
      Override Autodiscover URL
       checkbox.
    2. In the
      Autodiscover URL
       field, type the autodiscover endpoint (for example, https:// autodiscover<
      domain
      >.com/autodiscover/autodiscover.svc).
    Autodiscover and
    Microsoft Exchange Server
     options
    1. Select the
      Swap ordering of <
      domain.com
      >/autodiscover and autodiscover. <
      domain.com
      >/autodiscover
       check box to assist in resolving the autodiscover URL. Consider selecting this option if the order results in timeouts or other failures.
    2. Optionally, modify the
      TCP Connect timeout for Autodiscover url (milliseconds)
       field as required to prevent failures when autodiscovery takes too long. By default, the timeout is set to 120000. The recommended timeout for the Autodiscover url is between 5000 milliseconds (5 seconds) and 120000 milliseconds (120 seconds).
    3. By default, the
      Enable SCP record lookup
       checkbox is selected. If you clear the checkbox,
      BEMS
       does not perform a
      Microsoft Active Directory
       lookup of Autodiscover URLs. This option is not available when Override Autodiscover URL is selected.
    4. Optionally, select the
      Use SSL connection when doing SCP lookup
       check box to allow
      BEMS
       to communicate with the Microsoft Active Directory using SSL. If you enable this feature, you must import the
      Microsoft Active Directory
       certificate to each computer that hosts an instance of
      BEMS
      . This option is not available when Override Autodiscover URL is selected.
    5. By default, the
      Enforce SSL Certificate validation when communicating with Microsoft Exchange and LDAP server
       check box is selected. If you clear this setting and use an un-trusted certificate, then the connection to the on-premises
      Microsoft Exchange Server
       fails.
    6. By default, the
      Allow HTTP redirection and DNS SRV record
       check box is selected. If you clear the checkbox, you disable HTTP Redirection and DNS SRV record lookups for retrieving the Autodiscover URL when discovering users for
      BlackBerry Work
       Push Notifications.
    7. Optionally, select the
      Force re-autodiscover of user on all Microsoft Exchange errors
       checkbox to force
      BEMS
       to perform the autodiscover again for the user when the
      Microsoft Exchange Server
       or
      Microsoft Exchange Online
       returns an error message.
  6. In the
    End User Email Address
     field, type an email address to test connectivity to the
    Microsoft Exchange Server
     or
    Microsoft Exchange Online
     using the service account. Click
    Test
    . You can delete the email address after you complete the test.
    If the service account is correctly configured and the test fails,
    BEMS
     is attempting to communicate with a
    Microsoft Exchange Server
     that is not using a trusted SSL Certificate. If your
    Microsoft Exchange Server
     is not set up to use a trusted SSL certificate, see "Importing CA certificates for BEMS" in the BEM-Core content.
  7. Click
    Save
    .