Skip Navigation

Configure
BEMS
to communicate with the
Microsoft Exchange Server
,
Microsoft 365
, or hybrid environment

If your
BEMS
environment uses
Microsoft Graph
to communicate with
Microsoft 365
, see Configure BEMS to communicate with a Microsoft 365 environment using Microsoft Graph API. You must allow
BEMS
to authenticate to
Microsoft Exchange Server
or
Microsoft 365
to access users’ mailboxes and send notifications to users’ devices when new email is received on the device. A hybrid modern authentication environment (for example, on-premises
Microsoft Exchange Server
and
Microsoft 365
), allows the on-premises
Microsoft Exchange Server
to use a more secure user authentication and authorization by consuming OAuth access tokens obtained from the cloud. For more information, see the
Microsoft
resource How to configure Exchange Server on-premises to use Hybrid Modern Authentication.
For information on configuring email notifications for
BlackBerry Work
using
BEMS
Cloud, see the
BlackBerry UEM Cloud
content
.
Verify that you have the following information and completed the appropriate tasks.
  1. In the
    BlackBerry Enterprise Mobility Server Dashboard
    , under
    BlackBerry Services Configuration
    , click
    Mail
    .
  2. Click
    Microsoft Exchange
    .
  3. In the
    Select Authentication type
    section, select an authentication type based on your environment and complete the associated tasks to allow
    BEMS
    to communicate with the
    Microsoft Exchange Server
    or
    Microsoft 365
    :
    Authentication type
    Environment
    Description
    Task
    Integrated
    Microsoft Exchange Server
    on-premises
    This option uses the
    Windows
    authentication credentials
    Good Technology Common Services
    service to authenticate to the
    Microsoft Exchange Server
    using Basic Authentication.
    No additional actions are required.
    Credential
    • On-premises
      Microsoft Exchange Server
    • Microsoft 365
    This option uses a defined
    BEMS
    username and password to authenticate to
    • Microsoft Exchange Server
      using Basic Authentication
    • Microsoft 365
      requires Modern Authentication
      *
    1. In the
      Username
      field, enter the username of the
      BEMS
      service account.
      • For
        Microsoft 365
        , enter the service account's User Principal Name (UPN
      • For on-premises
        Microsoft Exchange Server
        , use the format <
        domain
        >\<
        username
        >.
    2. In the
      Password
      field, enter the password for the service account.
    Client Certificate
    • On-premises
      Microsoft Exchange Server
    • Microsoft 365
    This option uses a client certificate to allow the
    BEMS
    service account to authenticate to the
    Microsoft Exchange Server
    or
    Microsoft 365
    .
    1. For the
      Upload PFX file
      , click
      Choose File
      and select the client certificate file. For instructions on obtaining the .PFX file, see Associate a certificate with the Entra app ID for BEMS
    2. In the
      Enter PFX file Password
      field, enter the password for the client certificate.
    Passive Authentication
    • Microsoft 365
    • In a hybrid environment, on-premises
      Microsoft Exchange Server
      **
    This option uses an identity provider (IDP) to authenticate the user and provide
    BEMS
    with OAuth tokens to authenticate to
    Microsoft 365
    . In a hybrid environment, authenticates to on-premises
    Microsoft Exchange Server
    **
    .
    1. In the
      Authentication Authority
      field, enter the Authentication Server URL that
      BEMS
      accesses and retrieve the OAuth token for authentication with
      Microsoft 365
      (for example, https://login.microsoftonline.com/<
      tenantname
      >). By default, the field is prepopulated with https://login.microsoftonline.com/common.
    2. In the
      Client Application ID
      field, enter the
      Entra
      app ID for the credential authentication. For instructions, see the App ID for BEMS using credential authentication.
    3. In the
      Server Name
      field, enter the FQDN of the
      Microsoft 365
      server. By default, the field is prepopulated with https://outlook.office365.com .
    4. In the
      Redirect URI
      field, enter the URL that the IDP redirects the administrator to when the client app ID is authorized and the authentication tokens are provided. If you remotely log in to the computer that hosts the
      BEMS
      and perform the configuration from the computer's browser, enter
      https://localhost:8443/PassiveAuth
      ), otherwise enter
      https://<FQDN of the computer that hosts the BEMS instance in lower case
      >:8443/PassiveAuth
      The URI must be the same URI as the
      BEMS
      URI and whitelisted in the
      Entra
      portal for the application ID.
    5. Click
      Login
      .
    6. Enter the credentials for the service account.
    7. Click
      OK
      to acknowledge that the authentication tokens were obtained.
    8. Important:
      BEMS
      doesn't automatically refresh the OAuth tokens. Repeat steps e to g to refresh the OAuth tokens. The tokens expiration time depends on your tenant policy (by default, the token expiration is 90 days). When the OAuth tokens expire, email notifications on the users' devices stop. The OAuth token expiration is displayed after you log in to the IDP.
    *
    If
    BEMS
    uses Credential Authentication to authenticate to a
    Microsoft 365
    environment, you must enable Modern Authentication. For more information, see the
    Microsoft
    resource Deprecation of Basic authentication in Exchange Online
    **
    The
    Microsoft Exchange Server
    on-premises must be configured to use hybrid modern authentication. For more information, see the
    Microsoft
    resource How to configure Exchange Server on-premises to use Hybrid Modern Authentication
  4. In a
    Microsoft 365
    environment that uses Credential or Client certificate authentication, enable Modern Authentication and use mutual TLS authentication. Complete the following steps:
    1. Select the
      Enable Modern Authentication
      checkbox.
    2. If your environment uses Client certificate authentication, in the
      Authentication Authority
      field, enter the Authentication Server URL that
      BEMS
      accesses and retrieve the OAuth token for authentication with
      Microsoft 365
      (for example, https://login.microsoftonline.com/<
      tenantname
      > or https://login.microsoftonline.com/<
      tenantid
      >). By default, the field is prepopulated with https://login.microsoftonline.com/common.
    3. In the
      Client Application ID
      field, enter one of the following
      Entra
      app IDs depending on the authentication type you selected:
    4. In the
      Server Name
      field, enter the FQDN of the
      Microsoft 365
      server. By default, the field is prepopulated with https://outlook.office365.com.
    5. Optionally, select the
      Use Credentials if Modern Authentication fails
      check box to allow
      BEMS
      to communicate with
      Microsoft 365
      in the event that
      BEMS
      can't access the modern authentication source. When you select this check box, you must provide the
      BEMS
      service account credentials.
    6. Optionally, select the
      Use Mutual TLS Authentication
      check box to allow
      BEMS
      to respond to mutual TLS authentication requests. This step requires that the mutual TLS certificate is imported into
      BEMS
      . For instructions, see Import the trusted mutual TLS certificates into the BEMS keystore.
    When you configure Modern Authentication, all nodes use the specified configuration.
  5. Under the
    Autodiscover and Exchange Options
    section, complete one of the following actions:
    Task
    Steps
    Override Autodiscover URL
    If you select to override the autodiscover process,
    BEMS
    uses the override URL to obtain user information from the
    Microsoft Exchange Server
    or
    Microsoft 365
    . For more information about best practices when enabling autodiscover, see Best practice: Enabling autodiscovery.
    1. Select the
      Override Autodiscover URL
      checkbox.
    2. In the
      Autodiscover URL
      Override Autodiscover field, type the autodiscover endpoint (for example, https://autodiscover<
      domain
      >.com/autodiscover/autodiscover.svc).
    Autodiscover and
    Microsoft Exchange Server
    options
    1. Select the
      Swap ordering of <
      domain.com
      >/autodiscover and autodiscover. <
      domain.com
      >/autodiscover
      check box to assist in resolving the autodiscover URL. Consider selecting this option if the order results in timeouts or other failures.
    2. Optionally, modify the
      TCP Connect timeout for Autodiscover url (milliseconds)
      field as required to prevent failures when autodiscovery takes too long. By default, the timeout is set to 120000. The recommended timeout for the Autodiscover url is between 5000 milliseconds (5 seconds) and 120000 milliseconds (120 seconds).
    3. By default, the
      Enable SCP record lookup
      checkbox is selected. If you clear the checkbox,
      BEMS
      does not perform a
      Microsoft Active Directory
      lookup of Autodiscover URLs. This option is not available when Override Autodiscover URL is selected.
    4. Optionally, select the
      Use SSL connection when doing SCP lookup
      check box to allow
      BEMS
      to communicate with the
      Microsoft Active Directory
      using SSL. If you enable this feature, you must import the
      Microsoft Active Directory
      certificate to each computer that hosts an instance of
      BEMS
      . This option is not available when Override Autodiscover URL is selected.
    5. By default, the
      Enforce SSL Certificate validation when communicating with Microsoft Exchange and LDAP server
      check box is selected. If you clear this setting and use an un-trusted certificate, then the connection to the on-premises
      Microsoft Exchange Server
      fails.
    6. By default, the
      Allow HTTP redirection and DNS SRV record
      check box is selected. If you clear the checkbox, you disable HTTP Redirection and DNS SRV record lookups for retrieving the Autodiscover URL when discovering users for
      BlackBerry Work
      Push Notifications
      .
    7. Optionally, select the
      Force re-autodiscover of user on all Microsoft Exchange errors
      checkbox to force
      BEMS
      to perform the autodiscover again for the user when the
      Microsoft Exchange Server
      or
      Microsoft 365
      returns an error message.
  6. In the
    End User Email Address
    field, type an email address to test connectivity to the
    Microsoft Exchange Server
    or
    Microsoft 365
    using the service account. Click
    Test
    . You can delete the email address after you complete the test.
    If the service account is correctly configured and the test fails,
    BEMS
    is attempting to communicate with a
    Microsoft Exchange Server
    that is not using a trusted SSL Certificate. If your
    Microsoft Exchange Server
    is not set up to use a trusted SSL certificate, see "Importing CA certificates for BEMS" in the BEM-Core content.
  7. Click
    Save
    .