
Obtain an Entra app ID for the BEMS-Docs component service

When your environment is configured for Microsoft SharePoint Online, Microsoft OneDrive for Business, or Microsoft Entra ID-IP, you must register the BEMS component services in Entra. You can register one or more of the services in Entra. In this task, the Docs services and Microsoft Entra ID-IP are registered in Entra.
  • To grant permissions, you must use an account with tenant administrator permissions.
  • Verify that you have recorded the Application ID for BlackBerry Work. For more information, see Obtain an Entra app ID for BlackBerry Work.
  1. Sign in to entra.microsoft.com.
  2. In the left column, click Applications > App registrations.
  3. Click New registration.
  4. In the Name field, enter a name for the app. For example, AzureAppIDforBEMS.
  5. Select a supported account type.
  6. In the Redirect URI drop-down list, select Web and enter https://localhost:8443.
  7. Click Register.
  8. Record the Application (client) ID.
    This is used as the BEMS Service Azure Application ID value in the BlackBerry UEM management console. This is used as the BEMS Service Azure Application ID value for the Docs > Settings service in the BEMS dashboard.
  9. In the Manage section, click API permissions.
  10. Click Add a permission.
  11. Complete one or more of the following tasks:
    Service: If you configure BEMS-Docs to use Microsoft SharePoint Online or Microsoft OneDrive for Business
    Permissions:
    1. Search for and click SharePoint.
    2. Set the following permissions:
      • In application permissions, clear all of the permissions.
        1. Click Application permissions.
        2. Click expand all. Make sure that all options are cleared.
      • In Delegated permissions, click AllSites and select the AllSites.Manage checkbox to grant Read and write items and lists in all site collections. Verify that all other options are cleared.
    3. Click Add permissions.
    Service: If you use Microsoft Entra ID-IP
    Permissions:
    1. Click Microsoft Graph. If Microsoft Graph is not listed, add Microsoft Graph.
    2. Set the following permissions:
      • In application permissions, select the Read directory data checkbox (Directory > Directory.Read.All).
      • In delegated permissions, select the Read directory data checkbox (Directory > Directory.Read.All).
    3. Click Update permissions.
    4. Click Add a permission.
    5. In the Select an API section, click Azure Rights Management Services. Set the following permissions:
      • In application permissions, select all of the permissions.
        1. Click Application permissions.
        2. Make sure that all Content options are selected.
      • In delegated permissions, select the user_impersonation checkbox.
    6. Click Add permissions.
    7. Click Add a permission.
    8. In the Select an API section, click APIs my organization uses.
    9. Search for and click Microsoft Information Protection Sync Service. In delegated permissions, select the Read all unified policies a user has access to checkbox (UnifiedPolicy > UnifiedPolicy.User.Read).
    10. Click Add permissions.
  12. Wait a few minutes, then click Grant admin consent. Click Yes.
    This step requires tenant administrator privileges.
  13. To allow autodiscovery to function as expected, set the authentication permissions. Complete the following steps:
    1. In the Manage section, click Authentication.
    2. Under the Allow public client flows section, select Yes to Enable the following mobile and desktop flows.
    3. Click Save.
  14. Define the scope and trust for this API. In the Manage section, click Expose an API. Complete the following tasks.
    Task: Add a scope
    The scope restricts access to data and functionality protected by the API.
    Steps:
    1. Click Add a scope.
    2. Click Save and continue.
    3. Complete the following fields and settings:
      • Scope name: Provide a unique name for the scope.
      • Who can consent: Click Admins and users.
      • Admin consent display name: Enter a descriptive name.
      • Admin consent description: Enter a description for the scope.
      • State: Click Enabled. By default, the state is enabled.
    4. Click Add Scope.
    Task: Add a client application
    Authorizing a client application indicates that the API trusts the application and users shouldn't be prompted for consent.
    Steps:
    1. Click Add a client application.
    2. In the Client ID field, enter the BlackBerry Work Application ID that you recorded when you obtained an Entra app ID for BlackBerry Work.
    3. Select the Authorized scopes checkbox to specify the token type that is returned by the service.
    4. Click Add application.
  15. In the Manage section, click Certificates & secrets and do the following:
    1. Click New client secret.
    2. In the Description field, enter a key description up to a maximum of 16 characters including spaces.
    3. Set an expiration date.
    4. Click Add.
    5. Copy the key Value.
      The Value is available only when you create it. You cannot access it after you leave the page. If you do not record the value, you must create a new one. This is used as the BEMS Service Azure Application Key in the dashboard and BlackBerry UEM management console.
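
The settings from steps 6, 11, 13 and 15 can be checked after registration, and again later to catch drift, with a short audit script. This is an added example, not part of the BlackBerry documentation: it assumes the registration has been exported as a Microsoft Graph application object (JSON), and the sample data, the placeholder permission IDs and the 30-day expiry warning threshold are constructed for illustration.

```python
from datetime import datetime, timezone
# Resource app ID of Office 365 SharePoint Online in requiredResourceAccess.
SHAREPOINT = "00000003-0000-0ff1-ce00-000000000000"
REDIRECT = "https://localhost:8443"  # step 6

def audit_registration(app, now, warn_days=30):
    """Return findings for a Microsoft Graph `application` object (dict)."""
    findings = []
    if REDIRECT not in app.get("web", {}).get("redirectUris", []):
        findings.append("step 6: redirect URI %s missing" % REDIRECT)
    if not app.get("isFallbackPublicClient"):
        findings.append("step 13: public client flows not enabled")
    for res in app.get("requiredResourceAccess", []):
        if res["resourceAppId"] != SHAREPOINT:
            continue
        # type "Role" = application permission, "Scope" = delegated permission
        roles = [p for p in res["resourceAccess"] if p["type"] == "Role"]
        scopes = [p for p in res["resourceAccess"] if p["type"] == "Scope"]
        if roles:
            findings.append("step 11: SharePoint has %d application permission(s), expected 0" % len(roles))
        if len(scopes) != 1:
            findings.append("step 11: SharePoint has %d delegated permission(s), expected 1 (AllSites.Manage)" % len(scopes))
    secrets = app.get("passwordCredentials", [])
    if not secrets:
        findings.append("step 15: no client secret")
    for cred in secrets:
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        if end <= now:
            findings.append("step 15: client secret expired")
        elif (end - now).days < warn_days:
            findings.append("step 15: client secret expires in %d days" % (end - now).days)
    return findings

# Constructed sample data; the permission IDs are placeholders, not real GUIDs.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
GOOD = {
    "web": {"redirectUris": [REDIRECT]},
    "isFallbackPublicClient": True,
    "requiredResourceAccess": [{"resourceAppId": SHAREPOINT, "resourceAccess": [
        {"id": "<AllSites.Manage-id>", "type": "Scope"}]}],
    "passwordCredentials": [{"displayName": "BEMS key", "endDateTime": "2025-06-30T00:00:00Z"}],
}
DRIFTED = dict(GOOD, isFallbackPublicClient=False,
    requiredResourceAccess=[{"resourceAppId": SHAREPOINT, "resourceAccess": [
        {"id": "<AllSites.Manage-id>", "type": "Scope"},
        {"id": "<some-app-role-id>", "type": "Role"}]}],
    passwordCredentials=[{"displayName": "BEMS key", "endDateTime": "2025-01-10T00:00:00Z"}])
if __name__ == "__main__":
    print(audit_registration(GOOD, NOW), audit_registration(DRIFTED, NOW))
```

An empty list means the exported registration matches the checked steps; a SharePoint application permission or an expiring secret shows up as a finding tagged with the step it violates.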