Configure Entra ID conditional access

  1. In the UEM management console, on the menu bar, click Settings > External integration > Entra ID Conditional Access.
  2. Click the Add icon.
  3. Type a name for the configuration.
  4. In the Entra cloud drop-down list, click GLOBAL.
  5. In the Entra tenant ID field, type your organization's tenant name in FQDN format or its unique tenant ID in GUID format.
  6. Under Device mapping override, click UPN or Email. If you choose UPN, verify that the Entra ID tenant and all mapped directories hold the same UPN value for each user before you save the connection. After you save the connection, you cannot change the device mapping override.
  7. In the Available company directories list, select and add the appropriate company directories.
  8. Click Save.
  9. Select the administrator account that you want to use to log in to your organization's Entra tenant.
  10. Accept the Microsoft permission request. This grants administrator consent for the BlackBerry UEM Conditional Access application in your tenant.
  11. On the menu bar, click Policies and Profiles > Policy > BlackBerry Dynamics. Perform the following steps for every BlackBerry Dynamics profile that you plan to assign to device users (for example, the default profile and any custom profiles).
    1. Open and edit the profile.
    2. Select Enable UEM Client to enroll in BlackBerry Dynamics.
    3. If you want to delay the conditional access enrollment process until the Microsoft Authenticator app is installed on devices, select Start conditional access enrollment after authentication broker is installed.
    4. Click Save.
    5. Assign the profile to users and groups as necessary.
  12. On the menu bar, click Policies and Profiles > Networks and Connections > BlackBerry Dynamics connectivity. Perform the following steps for every BlackBerry Dynamics connectivity profile that you plan to assign to device users (for example, the default profile and any custom profiles).
    1. Open and edit the profile.
    2. In the App servers section, click Add.
    3. Search for and click Feature - Azure Conditional Access.
    4. Click Save.
    5. In the Azure Conditional Access table, click the Add icon.
    6. In the Server field, type gdas-<UEM_SRP_ID>.<region_code>.bbsecure.com, substituting your UEM SRP ID and region code.
    7. In the Port field, type 443.
    8. Under Route type, click Direct.
    9. Click Save.
    10. Assign the profile to users and groups as necessary.
  13. Assign the Feature - Azure Conditional Access app to users or groups. For more information, see Manage user accounts and Manage a user group.
  14. Create and configure a compliance profile and assign the profile to users and groups as necessary. The following table details how UEM compliance enforcement actions are reported to Intune:

    UEM compliance enforcement action: Monitor and log
        Behavior: Nothing is reported to Intune.

    UEM compliance enforcement action: Untrust, Delete only work data, or Delete all data
        Behavior: UEM notifies Entra ID after all user prompts have expired.

    Enforcement action for BlackBerry Dynamics apps: Monitor and log
        Behavior: Nothing is reported to Intune.

    Enforcement action for BlackBerry Dynamics apps: Do not allow BlackBerry Dynamics apps to run, or Delete BlackBerry Dynamics app data
        Behavior: UEM notifies Entra ID as soon as the compliance violation is detected.
  15. Install both the UEM Client and the Microsoft Authenticator app on users' devices. You can assign and deploy the Microsoft Authenticator app with UEM (see Adding public apps to the app list), or you can instruct users to download it themselves.
  16. Depending on the email client that your organization wants to use, you must complete additional steps to ensure that the mail client can validate and communicate with Entra:
  • When a user activates their device, the UEM Client prompts the user to register with Entra conditional access. Users with already activated devices are prompted to register with Entra conditional access the next time they open the UEM Client. Instruct users to initiate the registration with Entra from the UEM Client, not from any sign-in option within Microsoft Authenticator. The registration prompt from the UEM Client opens Microsoft Authenticator, which prompts the user for credentials and completes the registration process.
  • After a user activates a device with UEM, you can check the user's device properties in Microsoft Endpoint Manager (now the Microsoft Intune admin center) to confirm that it was registered with Entra as expected. The name of the device will be in the following format: <username>-<platform> unknown unknown -<xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx>.
  • If you change the scope of users or groups in the Entra partner compliance configuration, in the Entra portal, navigate to the security permissions for BlackBerry UEM Conditional Access and grant administrator consent for BlackBerry again.
  • When you remove a device from UEM, the device remains registered for Entra ID conditional access. Users can remove their Entra ID account from the account settings in the Microsoft Authenticator app, or you can remove the device from the Entra portal.
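The UPN check required by step 6 is easy to get wrong by eyeballing a few accounts, because the override cannot be changed once the connection is saved. The following script is an added example (it is not BlackBerry's code and is not part of this documentation) that compares every enabled user in the directories you intend to map against the matching Entra ID user and reports any account whose UPN differs. It assumes the RSAT ActiveDirectory and Microsoft.Graph.Users modules are installed, that the signed-in account holds the User.Read.All Graph scope, and that Entra Connect uses objectGUID (or an mS-DS-ConsistencyGuid seeded from it) as the source anchor, so that OnPremisesImmutableId in Entra ID is the Base64 form of that value. The domain names and tenant ID are placeholders.

```powershell
# Added example, not part of the BlackBerry documentation.
# Verifies the precondition for the "UPN" device mapping override: each synced
# user must carry the same UPN in on-premises AD and in Entra ID.
# Assumptions: ActiveDirectory (RSAT) and Microsoft.Graph.Users modules are
# installed; the account has User.Read.All; the sync anchor is objectGUID or an
# mS-DS-ConsistencyGuid derived from it. $Domains and $TenantId are placeholders.
[CmdletBinding()]
param(
    [string[]] $Domains  = @('corp.example.com', 'emea.example.com'),
    [string]   $TenantId = 'contoso.onmicrosoft.com'
)

Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users

Connect-MgGraph -TenantId $TenantId -Scopes 'User.Read.All' | Out-Null

# Index Entra ID users by sync anchor, so we compare the same identity rather
# than two accounts that merely share a display name.
$entraByAnchor = @{}
Get-MgUser -All -Property UserPrincipalName, Mail, OnPremisesImmutableId |
    Where-Object { $_.OnPremisesImmutableId } |
    ForEach-Object { $entraByAnchor[$_.OnPremisesImmutableId] = $_ }

$findings = foreach ($domain in $Domains) {
    Get-ADUser -Server $domain -Filter 'Enabled -eq $true' `
               -Properties UserPrincipalName, mail, 'mS-DS-ConsistencyGuid' |
        ForEach-Object {
            # Prefer mS-DS-ConsistencyGuid when populated; fall back to objectGUID.
            $anchorBytes = if ($_.'mS-DS-ConsistencyGuid') { [byte[]]$_.'mS-DS-ConsistencyGuid' }
                           else { $_.ObjectGUID.ToByteArray() }
            $cloud = $entraByAnchor[[Convert]::ToBase64String($anchorBytes)]

            # -ne is case-insensitive in PowerShell, which matches how UPNs are compared.
            $issue = if (-not $_.UserPrincipalName) { 'No UPN set in AD' }
                     elseif (-not $cloud) { 'Not synced to Entra ID' }
                     elseif ($cloud.UserPrincipalName -ne $_.UserPrincipalName) { 'UPN differs between AD and Entra ID' }
                     elseif ($cloud.Mail -and $cloud.Mail -ne $cloud.UserPrincipalName) { 'Mail differs from UPN (relevant only to the Email override)' }

            if ($issue) {
                [pscustomobject]@{
                    Domain   = $domain
                    Sam      = $_.SamAccountName
                    AdUpn    = $_.UserPrincipalName
                    EntraUpn = $cloud.UserPrincipalName
                    Mail     = $cloud.Mail
                    Issue    = $issue
                }
            }
        }
}

$findings | Format-Table -AutoSize
$blocking = @($findings | Where-Object { $_.Issue -notlike 'Mail differs*' })
if ($blocking.Count -gt 0) {
    Write-Warning ("{0} user(s) would not map by UPN. Fix these before saving the UEM connection; the override cannot be changed afterwards." -f $blocking.Count)
    exit 1
}
Write-Host 'Every synced user has the same UPN in AD and Entra ID; the UPN override is safe to select.'
```

Run it once per UEM configuration with the list of directories you will add in step 7. The "Mail differs from UPN" rows are informational: they do not block the UPN override, but they show which users would map differently if you chose Email instead.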
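The second and last notes above say that a registration can be confirmed by its device name in Entra ID and that removing a device from UEM leaves that registration in place. The following added example (not BlackBerry's code and not part of this documentation) finds the Entra ID device records that match the documented name shape for a given user and, only when asked, deletes them through Microsoft Graph. It assumes the Microsoft.Graph.Identity.DirectoryManagement module is installed and that the signed-in administrator holds a role allowed to delete devices (for example Cloud Device Administrator); the Graph scopes requested below (Device.Read.All for listing, Directory.AccessAsUser.All for delegated deletion) reflect my understanding of the current Graph permission reference and should be checked against it. The tenant ID is a placeholder.

```powershell
# Added example, not part of the BlackBerry documentation.
# Finds the Entra ID device record that a UEM activation creates
# ("<username>-<platform> unknown unknown -<guid>") and, with -Remove, deletes
# it. Use -WhatIf to preview. Assumptions: Microsoft.Graph.Identity.DirectoryManagement
# is installed; the admin may delete devices; scopes below are believed correct
# for delegated list/delete but should be verified. $TenantId is a placeholder.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $UserName,   # the <username> part of the device name
    [string] $TenantId = 'contoso.onmicrosoft.com',
    [switch] $Remove
)

Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -TenantId $TenantId -Scopes 'Device.Read.All', 'Directory.AccessAsUser.All' | Out-Null

# Only the documented shape is accepted, so an unrelated device whose name
# merely starts with the same user name is never reported or deleted.
$pattern = '^(?<user>.+)-(?<platform>\S+) unknown unknown -(?<id>[0-9A-Fa-f-]+)$'

# Escape single quotes for the OData filter before interpolating user input.
$safeName = $UserName -replace "'", "''"
$devices  = Get-MgDevice -All -Filter "startswith(displayName,'$safeName-')" |
    Where-Object { $_.DisplayName -match $pattern -and $Matches.user -eq $UserName }

if (-not $devices) {
    Write-Host "No UEM conditional access registration found for $UserName"
    return
}

foreach ($d in $devices) {
    $null = $d.DisplayName -match $pattern
    [pscustomobject]@{
        User       = $Matches.user
        Platform   = $Matches.platform
        NameId     = $Matches.id
        ObjectId   = $d.Id
        LastSignIn = $d.ApproximateLastSignInDateTime
    } | Format-List

    if ($Remove -and $PSCmdlet.ShouldProcess($d.DisplayName, 'Remove Entra ID device registration')) {
        Remove-MgDevice -DeviceId $d.Id
    }
}
```

Without -Remove the script only lists what it found, which is the confirmation step described above; with -Remove -WhatIf it shows what would be deleted, and with -Remove alone it performs the clean-up that the Entra portal route in the last note achieves by hand.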