This article contains information on Mimecast's Directory Synchronization security recommendations, covering Azure, LDAP Active Directory, and Domino Directory integrations, including secure connectivity, password updates, and synchronization best practices to maintain account security.
Mimecast recommends that customers periodically take specific measures to ensure the security of their non-Mimecast accounts and infrastructure. This guide has been assembled to consolidate our recommendations and applies to customers utilizing Directory Synchronization. It covers:
- Azure Directory Synchronization for Microsoft 365
- LDAP Active Directory Synchronization to on-premise Microsoft Active Directory
- Domino Directory Synchronization to Domino Directory environments
For further information, see the Configuring Google Workspace for Directory Synchronization page.
The graphic below displays the Directory Sync workflow:
Azure Directory Synchronization for Microsoft 365
To secure connectivity between your Mimecast account and your Azure tenant, Azure Directory Synchronization uses a Connector to communicate with Microsoft Azure.
- The Connector authenticates using the OAuth 2.0 standard and follows the Principle of Least Privilege (PoLP).
- With the Connector, you don't have to create and manage an Azure application within your Azure tenant. Instead, Mimecast takes you through a consent workflow, and once consent has been granted, Mimecast uses secure tokens to communicate with your Azure tenant.
- The certificate used to obtain the secure token is rotated by Mimecast on a daily basis.
LDAP Active Directory Synchronization to On-Premises Active Directory
Considerations
- Ensure your administrators' accounts can authenticate by alternative means other than LDAP Directory Integration (such as a Mimecast cloud password). This ensures they retain access while the Microsoft service account password is being refreshed. For further assistance, see the Configuring an Authentication Profile guide. Without alternate login credentials, administrators could be unable to access the Administration Console.
- While refreshing your Service Account password, ensure that your firewall and local Access Control Lists allow inbound connections to your Directory Server only from the Mimecast Data Center IP addresses and ports (and from any other third-party services that you use).
- The Microsoft account used for Directory Synchronization needs only Read permissions.
Once the service account password has been reset within your Active Directory environment, the new password will need to be applied to your Active Directory (LDAP) Directory Integration as detailed in the Enabling LDAP Directory Synchronization for Active Directory guide.
To update your On-Premises Active Directory service account password:
1. Log in to the Mimecast Administration Console.
2. Navigate to Users & Groups | Directory Synchronization.
3. Select the Directory Integration to be updated.
4. In your Active Directory environment, locate the service account shown in the User Distinguished Name field of your Mimecast Directory Integration settings.
5. Reset the password for the service account.
6. Enter the newly refreshed service account password into the Password field of your Mimecast Directory Integration settings.
7. Click on the Save and Exit button.
8. Click on Sync All to verify functionality, or open the integration to run a Test Connection.
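The password-reset and verification steps above, as an added PowerShell example that is not Mimecast tooling: it rotates the on-premises AD service account, checks that it holds no privileged group membership (it only needs Read), and proves an LDAPS bind with the new credential before you enter it in the Directory Integration. It assumes the RSAT ActiveDirectory module and the .NET LDAP client are available; the account name and server are placeholders.

```powershell
# Added example (not Mimecast tooling): rotate the on-premises AD service account
# used by the LDAP Directory Integration and verify it before updating Mimecast.
# Assumes RSAT's ActiveDirectory module and the .NET LDAP client are available.
# All names and hosts below are placeholders.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$SvcAccount      = 'svc-mimecast-ldap'        # placeholder sAMAccountName
$DirectoryServer = 'dc01.example.internal'    # placeholder domain controller
$LdapsPort       = 636                        # LDAPS port the firewall should allow

# Reset the service account password to a long random value.
$plain = -join ((33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
$newPw = ConvertTo-SecureString $plain -AsPlainText -Force
Set-ADAccountPassword -Identity $SvcAccount -Reset -NewPassword $newPw
$user = Get-ADUser -Identity $SvcAccount -Properties PasswordLastSet
Write-Host "Password reset for $($user.DistinguishedName) at $($user.PasswordLastSet)"

# The account only needs Read permissions: flag any privileged group membership.
$privileged = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators','Account Operators'
$hits = (Get-ADPrincipalGroupMembership -Identity $SvcAccount).Name |
        Where-Object { $privileged -contains $_ }
if ($hits) { Write-Warning "Service account holds privileged membership: $($hits -join ', ')" }

# Verify an LDAPS simple bind with the new credential before entering it in the
# Password field of the Mimecast Directory Integration.
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DirectoryServer, $LdapsPort)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
try {
    $conn.Bind((New-Object System.Net.NetworkCredential($user.DistinguishedName, $plain)))
    Write-Host "LDAPS bind succeeded; update the Mimecast Directory Integration now."
} catch [System.DirectoryServices.Protocols.LdapException] {
    Write-Error "LDAPS bind failed: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}

# Hand $plain to the Mimecast Password field, then clear it from the session.
Remove-Variable plain
```

Run it from an administrator's own session that does not depend on the LDAP integration for authentication, so the bind test and the Mimecast update can be completed even while the old password stops working.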
Once you have completed a successful Synchronization in step 8, this action is complete. Again, support is available for technical questions, but you do not need to notify us when you complete these changes.
Domino Directory Synchronization to Domino Directory environments
Considerations
- Ensure your administrators' accounts can authenticate by alternative means other than LDAP Directory Integration (such as a Mimecast cloud password). This ensures they retain access while the service account password is being refreshed. For further assistance, see the Configuring an Authentication Profile guide. Without alternate login credentials, administrators could be unable to access the Administration Console.
- During any interruption to the Directory Synchronization process, object changes will not be synchronized from your environment. Therefore, once this refresh is complete, a manual synchronization should be initiated via Administrator-Initiated Directory Synchronization.
- While refreshing your Service Account password, ensure that your firewall and local Access Control Lists allow inbound connections to your Directory Server only from the Mimecast Data Center IP addresses and ports (and from any other third-party services that you use).
- The Domino account used for Directory Synchronization needs only Read permissions.
Once the service account password has been reset within your Domino Directory environment, the new password will need to be applied to your Domino Directory (LDAP) Directory Integration as detailed in the Enable LDAP Directory Sync for Domino Directory guide.
To update your on-premises Domino Directory service account password:
1. Log in to the Mimecast Administration Console.
2. Navigate to Users & Groups | Directory Synchronization.
3. Select the Directory Integration to be updated.
4. In your Domino Directory environment, locate the service account shown in the User Distinguished Name field of your Mimecast Directory Integration settings.
5. Reset the password for the service account.
6. Enter the newly refreshed service account password into the Password field of your Mimecast Directory Integration settings.
7. Click on the Save and Exit button.
8. Click on Sync All to verify functionality, or open the integration to run a Test Connection.
Once you have completed a successful Synchronization in step 8, this action is complete. Again, support is available for technical questions, but you do not need to notify us when you complete these changes.