Authentication fails when email address and UPN do not match

By default, users authenticate using their email address when they use modern authentication. In most environments, the user’s email address and username in Microsoft Entra ID are the same and authentication is successful. In hybrid environments, the username attribute in Entra is synchronized from the UPN value from Active Directory. This requires the users' email address and UPN values to match for authentication to be successful.
In some environments, users' email addresses and UPN values do not match. In this scenario, authentication will fail because the authentication token returned to the client from Entra is identified as being for the wrong user and is rejected.
The following client versions provide support for administrators to allow users to authenticate using the UPN instead of their email addresses:
  • BlackBerry Work for iOS
  • BlackBerry Work for Android
  • BlackBerry Notes for Android
  • BlackBerry Notes for iOS
  • BlackBerry Tasks for Android
  • BlackBerry Tasks for iOS
For instructions about how to enable users to use UPN to authenticate, see Allow users to use the UPN to authenticate to Microsoft Exchange Online.
For instructions about how to configure BEMS to use an alternate email address to authenticate to BEMS-Docs, see Enable the use of an alternate email address to authenticate to BEMS-Docs.
If users are running earlier versions of the client in your environment, make sure that the user email addresses and UPN values match. If these values do not match, modern authentication will fail because the token being returned from Entra does not match the email address of the BlackBerry Dynamics app.
Microsoft recommends that the email address and UPN match. For more information, visit https://support.blackberry.com/community/s/article/50721 to read article 000050721.
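
To find the accounts where the two values differ, the following script lists enabled Active Directory users whose UPN does not equal their primary email address. It is an added example, not taken from BlackBerry or Microsoft documentation. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the primary address is the upper-case `SMTP:` entry in `proxyAddresses`, falling back to `mail`; the function name and the output file name are hypothetical.

```powershell
# Added example: report enabled AD users whose UPN differs from their primary email.
# Assumptions: ActiveDirectory module available; output path is a placeholder.
Import-Module ActiveDirectory

function Get-PrimaryEmail {
    param($User)
    # The primary SMTP address carries an upper-case "SMTP:" prefix;
    # secondary aliases use lower-case "smtp:", so match case-sensitively.
    $primary = $User.proxyAddresses |
        Where-Object { $_ -clike 'SMTP:*' } |
        Select-Object -First 1
    if ($primary) { return $primary.Substring(5) }
    return $User.mail   # fall back to the mail attribute
}

$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties mail, proxyAddresses

$report = foreach ($u in $users) {
    $email = Get-PrimaryEmail -User $u
    if (-not $email) { continue }   # no email address, nothing to compare

    # -ne is case-insensitive, which is how these values should be compared.
    if ($u.UserPrincipalName -ne $email) {
        $upnDomain   = ([string]$u.UserPrincipalName).Split('@')[-1]
        $emailDomain = ([string]$email).Split('@')[-1]
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            UserPrincipalName = $u.UserPrincipalName
            PrimaryEmail      = $email
            # True when only the suffix differs, e.g. a non-routable UPN suffix.
            DomainDiffers     = ($upnDomain -ne $emailDomain)
        }
    }
}

$report | Sort-Object DomainDiffers, SamAccountName |
    Export-Csv -Path .\upn-email-mismatch.csv -NoTypeInformation
"{0} mismatched account(s) found" -f @($report).Count
```

Accounts in the report either need the UPN-based authentication setting described above or need their UPN and email address aligned.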