Configure BEMS to communicate with a Microsoft Exchange Online environment using Microsoft Graph API

Before BEMS can send email notifications to users' devices, it must subscribe to changes on a user's mailbox. You can configure BEMS to subscribe to mailboxes using Microsoft Graph API. Microsoft Graph push notifications are sent (or pushed) from Microsoft 365 to the reverse proxy server to the BEMS instance. BEMS then accesses the user's mailbox and sends email notifications to the user's device. For more information, see Architecture: BEMS notification flow using the Microsoft Graph API.

BEMS subscribes to the Microsoft Graph API change notifications using webhooks. You can configure BEMS to use the Microsoft Graph API in the following scenarios:
- Your BEMS is configured to use modern authentication.
- Your BEMS connects with Microsoft Exchange Online mailboxes.
If you have an existing BEMS instance that is configured to use Microsoft Exchange Web Services (EWS) for Exchange Online to access Microsoft 365 mailboxes, when you enable "Use Microsoft Graph", BEMS will automatically migrate all Microsoft 365 users from using EWS to Microsoft Graph at a rate of 50 users every 5 minutes. For information on configuring email notifications for BlackBerry Work using BEMS Cloud, see the BlackBerry Work Administration content.

Verify that you obtained the following:
- If you use Client secret authentication: Obtain a copy of the key Value. This is used as the Client Secret. For instructions, see Obtain an Entra app ID for BEMS with client secret authentication.
- If you use Client certificate authentication:
- Obtain a copy of the Application (client) ID. This is used as the Client Application ID.
- In environments where the metadata endpoint is protected by mutual TLS authentication, make sure that you imported the mutual TLS certificate into the BEMS keystore. For instructions, see Import the trusted mutual TLS certificates into the BEMS keystore.
- In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Mail.
- Click Microsoft Graph.
- Select the Use Microsoft Graph check box.
- In the Select Authentication type section, select an authentication type based on your environment and complete the associated tasks to allow BEMS to communicate with Microsoft Exchange Online:

  | Authentication type | Description | Task |
  | --- | --- | --- |
  | Client Certificate | This option uses a client certificate to allow the BEMS service account to authenticate to Microsoft Exchange Online. | For the Upload PFX file, click Choose File and select the client certificate file. For instructions on obtaining the .PFX file, see Associate a certificate with the Entra app ID for BEMS. In the Enter PFX file Password field, enter the password for the client certificate. |
  | Client Secret | This option uses a client secret to allow the BEMS service account to authenticate to Microsoft Exchange Online. The client secret is created during the application registration process. | In the Client Secret field, enter the Client secret Value. |

- In the Authentication Authority field, enter the Authentication Server URL that BEMS accesses to retrieve the OAuth token for authentication with Microsoft Exchange Online. The authentication server URL must be in the format of https://login.microsoftonline.com/<tenantname> or https://login.microsoftonline.com/<tenantid>.
- In the Client Application ID field, enter the Entra app.
- In the Server Name field, enter the FQDN of the Microsoft Graph server. By default, the field is prepopulated with https://graph.microsoft.com.
- In the External Notification URL field, enter the URL that your IT provided. Enter https://<BEMS_server_name:port>/notificationClient (for example, bems.example.com:443/notificationClient). The External Notification URL is an externally routable address, such as a reverse proxy, where Graph will send the notifications. For more information, see the Port requirements in the BEMS Installation content.
- In the End User Email Address field, type an email address to test connectivity to Microsoft Exchange Online using the service account. Click Test. You can delete the email address after you complete the test.
- Click Save.
- Configure the Autodiscover and Exchange Options. For instructions, see one of the following:
  - In an on-premises BEMS environment: see Configure BEMS to communicate with the Microsoft Exchange Server, Microsoft Exchange Online, or hybrid environment. This environment supports Credential, Credentials + Modern Authentication, and Client Certificate + Modern authentication types.
  - In Microsoft Exchange Online and hybrid Microsoft Exchange Online environments: see Configure BEMS to communicate with a Microsoft 365 environment using Microsoft Graph API. This environment supports Client and Client Certificate + Modern authentication types.

If you selected Client Certificate authentication, you can view the certificate information. Click Mail. The following certificate information is displayed:
- Subject
- Issuer
- Validation period
- Serial number
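
A pre-flight check for the Authentication Authority and External Notification URL values entered in the steps above, written as an added example (it is not BlackBerry's code). The function names and sample URLs are constructed for illustration, and the rules encode only the URL formats stated on this page plus its requirement that the notification address be externally routable.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Tenant name (e.g. contoso.onmicrosoft.com) or tenant ID (a GUID): one path segment.
TENANT = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")
AUTHORITY_HOSTS = ("login.microsoftonline.com", "login.microsoftonline.com:443")


def check_authority(url):
    """Authentication Authority: https://login.microsoftonline.com/<tenantname or tenantid>."""
    u = urlsplit(url)
    problems = []
    if u.scheme != "https":
        problems.append("authority must use https")
    # Comparing the whole netloc also rejects userinfo and look-alike hosts.
    if u.netloc.lower() not in AUTHORITY_HOSTS:
        problems.append("authority host must be login.microsoftonline.com")
    if not TENANT.fullmatch(u.path.strip("/")):
        problems.append("path must be a single tenant name or tenant ID")
    if u.query or u.fragment:
        problems.append("no query or fragment expected")
    return problems


def check_notification_url(url):
    """External Notification URL: https://<BEMS_server_name:port>/notificationClient."""
    u = urlsplit(url)
    host = u.hostname or ""
    problems = []
    if u.scheme != "https":
        problems.append("notification URL must use https")
    if u.path != "/notificationClient":
        problems.append("path must be /notificationClient")
    try:
        # An IP literal must be globally routable for Microsoft 365 to reach it.
        if not ipaddress.ip_address(host).is_global:
            problems.append("address is not externally routable")
    except ValueError:
        # Not an IP literal: require a dotted name, not localhost or a short name.
        if host == "localhost" or "." not in host:
            problems.append("host must be an externally resolvable FQDN")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    print(check_authority("https://login.microsoftonline.com/contoso.onmicrosoft.com"))
    print(check_notification_url("https://10.0.0.5:8443/notificationClient"))
```

An empty list means the value matches the documented format; it does not prove that the reverse proxy actually forwards Microsoft Graph notifications to BEMS, which the Test button in the dashboard exercises separately.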