Skip Navigation

Configure
BEMS
to communicate with a
Microsoft Office 365
environment using
Microsoft Graph
API

Complete this task only if your environment requires new client app registrations. Optionally, you can update an existing app registration.
Before
BEMS
can send email notifications to users' devices, it must subscribe to changes on a user's mailbox. You can configure
BEMS
to subscribe to mailboxes using Microsoft Graph API.
BEMS
subscribes to the
Microsoft Graph
API change notifications using webhooks. You can configure
BEMS
to use the
Microsoft Graph
API in the following scenarios:
  • Your
    BEMS
    is configured to use modern authentication.
  • Your
    BEMS
    connects with
    Microsoft Office 365
    (Exchange Online) mailboxes.
For information on configuring email notifications for
BlackBerry Work
using
BEMS
Cloud, see the BlackBerry Work Administration content.
Verify that you obtained the following:
  1. In the
    BlackBerry Enterprise Mobility Server Dashboard
    , under
    BlackBerry Services Configuration
    , click
    Mail
    .
  2. Click
    Microsoft Graph
    .
  3. Select the
    Use Microsoft Graph
    check box.
  4. In the
    Select Authentication type
    section, select an authentication type based on your environment and complete the associated tasks to allow
    BEMS
    to communicate with
    Microsoft Office 365
    :
    Authentication type
    Description
    Task
    Client Certificate
    This option uses a client certificate to allow the
    BEMS
    service account to authenticate to
    Microsoft Office 365
    .
    1. For the
      Upload PFX file
      , click
      Choose File
      and select the client certificate file. For instructions on obtaining the .PFX file, see Associate a certificate with the Entra app ID for BEMS
    2. In the
      Enter PFX file Password
      field, enter the password for the client certificate.
    Client Secret
    This option uses a client secret to allow the
    BEMS
    service account to authenticate to
    Microsoft Office 365
    . The client secret is created during the application registration process.
    In the
    Client Secret
    field, enter the Client secret Value. For instructions on obtaining the client secret, see Obtain an Entra app ID for BEMS with client secret authentication.
  5. In the
    Authentication Authority
    field, enter the Authentication Server URL that
    BEMS
    accesses and retrieve the OAuth token for authentication with
    Microsoft Office 365
    . The authentication server URL must be in the format of https://login.microsoftonline.com/
    tenantname
    or https://login.microsoftonline.com/
    tenantid
    .
  6. In the
    Client Application ID
    field, enter the
    Entra
    app ID for the credential authentication. For instructions, see the App ID for BEMS using credential authentication.
  7. In the
    Server Name
    field, enter the FQDN of the
    Microsoft Graph
    server. By default, the field is prepopulated with https://graph.microsoft.com
  8. In the
    External Notification URL
    field, enter the URL that your IT provided. Enter https://<
    BEMS_server_name
    :
    port
    >/notificationClient (for example, bems.example.com:443/notificationClient). The External Notification URL is an externally routable address, such as a reverse proxy, where Graph will send the notifications. For more information, see the BlackBerry Push Notifications (Mail) prerequisites in the BEMS Installation content.
  9. In the
    End User Email Address
    field, type an email address to test connectivity to
    Microsoft Office 365
    using the service account. Click
    Test
    . You can delete the email address after you complete the test.
  10. Click
    Save
    .
  11. Configure the Autodiscover and Exchange Options in Enable modern authentication for the Mail service in BEMS (step 10). You can configure the Autodiscovery and Exchange Options settings (Mail > Microsoft Exchange) using one of the following authentication types: Credential, Credentials + Modern Authentication, Client Certificate +Modern Authentication, or Passive Authentication. 
If you selected
Client Certificate
authentication, you can view the certificate information. Click
Mail
. The following certificate information is displayed:
  • Subject
  • Issuer
  • Validation period
  • Serial number