
Enable modern authentication for the Mail service in BEMS

If your BEMS environment uses Microsoft Graph to communicate with Microsoft Exchange Online, see Configure BEMS to communicate with a Microsoft Exchange Online environment using Microsoft Graph API.

You must allow BEMS to authenticate with Microsoft Exchange Online so that it can access users' mailboxes and send notifications to users' devices when new email is received. If you have a hybrid environment (for example, on-premises Microsoft Exchange Server and Microsoft Exchange Online), you can configure the environment for hybrid modern authentication. Hybrid modern authentication allows the on-premises Microsoft Exchange Server to use more secure user authentication and authorization by consuming OAuth access tokens obtained from the cloud. For more information on how to configure an on-premises Microsoft Exchange Server to use hybrid modern authentication, see the Microsoft resource How to configure Exchange Server on-premises to use Hybrid Modern Authentication.

For information on configuring modern authentication for the Mail service using BEMS Cloud, see the BlackBerry Work Administration content.
Verify that you have the following information and have completed the appropriate tasks.
  1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Mail.
  2. Click Microsoft Exchange.
  3. In the Select Authentication type section, select an authentication type based on your environment and complete the associated tasks to allow BEMS to communicate with Microsoft Exchange Online:
    The Passive authentication type has been deprecated because Microsoft has deprecated the Application Impersonation permission in Microsoft Exchange Online environments. To avoid interruptions to email notifications for users in the environment, you must configure BEMS to use certificate-based authentication for modern authentication, or Microsoft Graph to communicate with users' mailboxes. The Passive authentication type will be removed in a future release. For more information, see BEMS: Customers using Office 365 and EWS with Credential or Passive Authentication will stop receiving notifications.
    Authentication type: Client Certificate
    Description: This option uses a client certificate to allow the BEMS service account to authenticate to Microsoft Exchange Online using Basic Authentication.
    Task:
    1. For Upload PFX file, click Choose File and select the client certificate file. For instructions on obtaining the .pfx file, see Associate a certificate to the Entra app ID for BEMS.
    2. In the Enter PFX file Password field, enter the password for the client certificate.
  4. Select the Enable Modern Authentication checkbox.
  5. In the Authentication Authority field, enter the Authentication Server URL that BEMS accesses to retrieve the OAuth token for authentication with Microsoft Exchange Online (for example, https://login.microsoftonline.com/<tenantname> or https://login.microsoftonline.com/<tenantid>). By default, the field is prepopulated with https://login.microsoftonline.com/common.
  6. In the Client Application ID field, enter the Entra app ID.
  7. In the Server Name field, enter the FQDN of the Microsoft Graph server. By default, the field is prepopulated with https://graph.microsoft.com. When you configure modern authentication, all nodes use the specified configuration.
  8. If the metadata endpoint is protected by mutual TLS authentication, select the Use Mutual TLS Authentication check box to allow BEMS to respond to mutual TLS authentication requests. This step requires that the mutual TLS certificate is imported into BEMS. For instructions, see Import the mutual TLS certificates into the BEMS keystore. When you configure modern authentication, all nodes use the specified configuration.
  9. Under the Autodiscover and Exchange Options section, complete one of the following actions. Most environments only require the default settings. Before modifying the settings, test the change in your environment.
    Task: Override Autodiscover URL
    If you select to override the autodiscover process, BEMS uses the override URL to obtain user information from the Microsoft Exchange Server or Microsoft Exchange Online.
    Steps:
    1. Select the Override Autodiscover URL checkbox.
    2. In the Autodiscover URL field, type the autodiscover endpoint (for example, https://autodiscover.<domain>.com/autodiscover/autodiscover.svc).
    Task: Autodiscover and Microsoft Exchange Server options
    Steps:
    1. Select the Swap ordering of <domain.com>/autodiscover and autodiscover.<domain.com>/autodiscover check box to assist in resolving the autodiscover URL. Consider selecting this option if the order results in timeouts or other failures.
    2. Optionally, modify the TCP Connect timeout for Autodiscover url (milliseconds) field as required to prevent failures when autodiscovery takes too long. By default, the timeout is set to 120000. The recommended timeout for the Autodiscover url is between 5000 milliseconds (5 seconds) and 120000 milliseconds (120 seconds).
    3. By default, the Enable SCP record lookup checkbox is selected. If you clear the checkbox, BEMS does not perform a Microsoft Active Directory lookup of Autodiscover URLs. This option is not supported when Override Autodiscover URL is selected. This option is not available if modern authentication is enabled.
    4. Optionally, select the Use SSL connection when doing SCP lookup check box to allow BEMS to communicate with Microsoft Active Directory using SSL. If you enable this feature, you must import the Microsoft Active Directory certificate to each computer that hosts an instance of BEMS. This option is not supported when Override Autodiscover URL is selected. This option is not available if modern authentication is enabled.
    5. By default, the Enforce SSL Certificate validation when communicating with Microsoft Exchange and LDAP server check box is selected. If you clear this setting and use an untrusted certificate, the connection to the on-premises Microsoft Exchange Server fails.
    6. By default, the Allow HTTP redirection and DNS SRV record check box is selected. If you clear the checkbox, you disable HTTP redirection and DNS SRV record lookups for retrieving the Autodiscover URL when discovering users for BlackBerry Work Push Notifications.
    7. Optionally, select the Force re-autodiscover of user on all Microsoft Exchange errors checkbox to force BEMS to perform autodiscover again for the user when the Microsoft Exchange Server or Microsoft Exchange Online returns an error message.
  10. In the End User Email Address field, type an email address to test connectivity to Microsoft Exchange Online using the service account. Click Test. You can delete the email address after you complete the test.
  11. Click Save.
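As an added example that is not BlackBerry's code, the following Python script checks the settings from steps 5 through 9 the way a reviewer would before clicking Test: the Authentication Authority must be https and name a specific tenant rather than the default /common, the Client Application ID must be a GUID, the autodiscover timeout must fall in the recommended 5000 to 120000 ms range, and certificate validation should stay enforced. It also lists the autodiscover endpoints in the order the Override and Swap ordering options produce. The MailAuthConfig dataclass and its field names are an assumption that mirrors the dashboard labels; the defaults are the prepopulated values the page describes.

```python
import uuid
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

@dataclass
class MailAuthConfig:  # assumed layout; defaults are the page's prepopulated values
    authentication_authority: str = "https://login.microsoftonline.com/common"
    client_application_id: str = ""
    server_name: str = "https://graph.microsoft.com"
    override_autodiscover_url: str = ""  # empty string = checkbox cleared
    swap_autodiscover_order: bool = False
    autodiscover_timeout_ms: int = 120000
    enforce_ssl_validation: bool = True

def autodiscover_candidates(cfg: MailAuthConfig, email: str) -> List[str]:
    """Autodiscover endpoints in the order BEMS would try them for this user."""
    if cfg.override_autodiscover_url:  # override wins; SCP lookup is not used
        return [cfg.override_autodiscover_url]
    domain = email.rsplit("@", 1)[1].lower()
    urls = [f"https://{domain}/autodiscover/autodiscover.svc",
            f"https://autodiscover.{domain}/autodiscover/autodiscover.svc"]
    return urls[::-1] if cfg.swap_autodiscover_order else urls

def validate(cfg: MailAuthConfig) -> List[str]:
    """Return the configuration problems found (an empty list means it passes)."""
    problems = []
    authority = urlparse(cfg.authentication_authority)
    if authority.scheme != "https":
        problems.append("Authentication Authority must be an https URL")
    if authority.path.strip("/") in ("", "common"):
        problems.append("Authentication Authority is still the default; "
                        "enter your tenant name or tenant ID")
    try:
        uuid.UUID(cfg.client_application_id)  # Entra app IDs are GUIDs
    except ValueError:
        problems.append("Client Application ID is not a valid Entra app ID")
    if urlparse(cfg.server_name).scheme != "https":
        problems.append("Server Name must be an https URL")
    if (cfg.override_autodiscover_url
            and urlparse(cfg.override_autodiscover_url).scheme != "https"):
        problems.append("Override Autodiscover URL must be an https URL")
    if not 5000 <= cfg.autodiscover_timeout_ms <= 120000:
        problems.append("Autodiscover TCP connect timeout should be between "
                        "5000 and 120000 milliseconds")
    if not cfg.enforce_ssl_validation:
        problems.append("SSL certificate validation is cleared; keep it "
                        "enforced for Exchange and LDAP connections")
    return problems
```

Run validate() on the values you intend to enter and fix every reported problem before the connectivity test in step 10, since a cleared certificate-validation box or a default /common authority will otherwise only surface as a failed test.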