Enable modern authentication for the Mail service in BEMS

If your BEMS environment uses Microsoft Graph to communicate with Microsoft Exchange Online, see Configure BEMS to communicate with a Microsoft Exchange Online environment using Microsoft Graph API.

You must allow BEMS to authenticate with Microsoft Exchange Online so that it can access users' mailboxes and send notifications to users' devices when new email is received. If you have a hybrid environment (for example, on-premises Microsoft Exchange Server and Microsoft Exchange Online), you can configure the environment for hybrid modern authentication. Hybrid modern authentication allows the on-premises Microsoft Exchange Server to use more secure user authentication and authorization by consuming OAuth access tokens obtained from the cloud. For more information on how to configure an on-premises Microsoft Exchange Server to use hybrid modern authentication, see the Microsoft resource How to configure Exchange Server on-premises to use Hybrid Modern Authentication. For information on configuring modern authentication for the Mail service using BEMS Cloud, see the BlackBerry Work Administration content.

Before you begin, verify that you have the following information and completed the appropriate tasks.
- If you have a hybrid environment and you enable modern authentication, make sure that the on-premises Microsoft Exchange Server is configured to use hybrid modern authentication. For more information, see the Microsoft resource How to configure Exchange Server on-premises to use Hybrid Modern Authentication. If the Microsoft Exchange Server is not configured appropriately, users won't receive email notifications.
- Verify that you have obtained the Client Application ID with certificate-based authentication. For instructions, see Obtain an Entra app ID for BEMS with certificate-based.
- In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Mail.
- Click Microsoft Exchange.
- In the Select Authentication type section, select an authentication type based on your environment and complete the associated tasks to allow BEMS to communicate with Microsoft Exchange Online.

  The Passive authentication type has been deprecated because Microsoft has deprecated the Application Impersonation permission in Microsoft Exchange Online environments. To avoid interruptions to email notifications for users in the environment, you must configure BEMS to use certificate-based authentication for modern authentication, or Microsoft Graph to communicate with users' mailboxes. The passive authentication type will be removed in a future release. For more information, see BEMS: Customers using Office 365 and EWS with Credential or Passive Authentication will stop receiving notifications.

  Authentication type: Client Certificate
  Description: This option uses a client certificate to allow the BEMS service account to authenticate to Microsoft Exchange Online using Basic Authentication.
  Task:
  - For the Upload PFX file, click Choose File and select the client certificate file. For instructions on obtaining the .pfx file, see Associate a certificate to the Entra app ID for BEMS.
  - In the Enter PFX file Password field, enter the password for the client certificate.
  - Select the Enable Modern Authentication checkbox.
  - In the Authentication Authority field, enter the Authentication Server URL that BEMS accesses to retrieve the OAuth token for authentication with Microsoft Exchange Online (for example, https://login.microsoftonline.com/<tenantname> or https://login.microsoftonline.com/<tenantid>). By default, the field is prepopulated with https://login.microsoftonline.com/common.
  - In the Client Application ID field, enter the Entra app ID.
  - In the Server Name field, enter the FQDN of the Microsoft Graph server. By default, the field is prepopulated with https://graph.microsoft.com. When you configure modern authentication, all nodes use the specified configuration.
  - If the metadata endpoint is protected by mutual TLS authentication, select the Use Mutual TLS Authentication check box to allow BEMS to respond to mutual TLS authentication requests. This step requires that the mutual TLS certificate is imported into BEMS. For instructions, see Import the mutual TLS certificates into the BEMS keystore. When you configure modern authentication, all nodes use the specified configuration.
- Under the Autodiscover and Exchange Options section, complete one of the following actions. Most environments only require the default settings. Before modifying the settings, test the change in your environment.

  Task: Override Autodiscover URL
  If you select to override the autodiscover process, BEMS uses the override URL to obtain user information from the Microsoft Exchange Server or Microsoft Exchange Online.
  Steps:
  - Select the Override Autodiscover URL checkbox.
  - In the Autodiscover URL field, type the autodiscover endpoint (for example, https://autodiscover<domain>.com/autodiscover/autodiscover.svc).

  Task: Autodiscover and Microsoft Exchange Server options
  Steps:
  - Select the Swap ordering of <domain.com>/autodiscover and autodiscover.<domain.com>/autodiscover check box to assist in resolving the autodiscover URL. Consider selecting this option if the order results in timeouts or other failures.
  - Optionally, modify the TCP Connect timeout for Autodiscover url (milliseconds) field as required to prevent failures when autodiscovery takes too long. By default, the timeout is set to 120000. The recommended timeout for the Autodiscover url is between 5000 milliseconds (5 seconds) and 120000 milliseconds (120 seconds).
  - By default, the Enable SCP record lookup checkbox is selected. If you clear the checkbox, BEMS does not perform a Microsoft Active Directory lookup of Autodiscover URLs. This option is not supported when Override Autodiscover URL is selected. This option is not available if modern authentication is enabled.
  - Optionally, select the Use SSL connection when doing SCP lookup check box to allow BEMS to communicate with Microsoft Active Directory using SSL. If you enable this feature, you must import the Microsoft Active Directory certificate to each computer that hosts an instance of BEMS. This option is not supported when Override Autodiscover URL is selected. This option is not available if modern authentication is enabled.
  - By default, the Enforce SSL Certificate validation when communicating with Microsoft Exchange and LDAP server check box is selected. If you clear this setting and use an untrusted certificate, the connection to the on-premises Microsoft Exchange Server fails.
  - By default, the Allow HTTP redirection and DNS SRV record check box is selected. If you clear the checkbox, you disable HTTP redirection and DNS SRV record lookups for retrieving the Autodiscover URL when discovering users for BlackBerry Work push notifications.
  - Optionally, select the Force re-autodiscover of user on all Microsoft Exchange errors checkbox to force BEMS to perform the autodiscover again for the user when the Microsoft Exchange Server or Microsoft Exchange Online returns an error message.
- In the End User Email Address field, type an email address to test connectivity to Microsoft Exchange Online using the service account. Click Test. You can delete the email address after you complete the test.
- Click Save.
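To show what the Authentication Authority, Client Application ID and PFX settings above are used for, here is an added example (not BEMS code) that builds the certificate-credential JWT and the client_credentials token request that a Microsoft identity platform client presents at <authority>/oauth2/v2.0/token for a Graph application token. The tenant, client ID and certificate bytes are constructed placeholders, and the RS256 signer is injected as a callable so the block runs offline; in a real client it would sign with the PFX private key, and the assertion must be addressed to the tenant-specific authority you enter in the steps above rather than the prepopulated /common.

```python
import base64, hashlib, json, time, uuid
from typing import Callable, Optional
from urllib.parse import urlencode

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_client_assertion(authority: str, client_id: str, cert_der: bytes,
                           sign: Callable[[bytes], bytes],
                           now: Optional[int] = None) -> str:
    """JWT presented as a certificate credential to the Authentication Authority.
    `sign` must return an RS256 signature made with the PFX private key; it is
    injected here so the example runs offline. `cert_der` is the DER certificate."""
    base = authority.rstrip("/")
    if base.endswith("/common"):
        # client_credentials needs the tenant name or tenant ID, not /common
        raise ValueError("use a tenant-specific Authentication Authority")
    token_endpoint = base + "/oauth2/v2.0/token"
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT",
              "x5t": b64url(hashlib.sha1(cert_der).digest())}  # cert thumbprint
    claims = {"aud": token_endpoint, "iss": client_id, "sub": client_id,
              "jti": str(uuid.uuid4()), "nbf": now, "exp": now + 600}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    return signing_input + "." + b64url(sign(signing_input.encode()))

def decode_assertion(jwt: str):
    """Split a JWT into (header, claims) without verifying it; for inspection only."""
    h, c, _sig = jwt.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(c))

def token_request_body(client_id: str, assertion: str,
                       graph_server: str = "https://graph.microsoft.com") -> str:
    """Form body POSTed to <authority>/oauth2/v2.0/token for a Graph app token."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": graph_server.rstrip("/") + "/.default",  # Server Name field
        "client_assertion_type":
            "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": assertion,
    })
```

Decoding the assertion with decode_assertion is a quick way to confirm the aud matches the tenant-specific token endpoint and the x5t matches the thumbprint of the certificate you uploaded.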