Step 1
During your Mimecast Email Security Cloud Integrated setup, you will be redirected to Microsoft to sign in to your Microsoft account and grant consent for the permissions indicated in the below image.
The Microsoft account you sign in with must have Global Administrator access privileges in your Microsoft 365 environment.
Step 2
Once you have signed in to your chosen account, you must consent to the permissions request (detailed below). Accepting these permissions is essential to ensure Mimecast Email Security Cloud Integrated functions as intended and protects your users from identified threats.
Clicking Accept will begin an automated process in which the installer creates and configures the Azure Enterprise App along with the necessary Mail Transport Rules and Send Connectors to your environment.
Trusted ARC Sealer
To preserve message authentication results, such as SPF, DKIM, and DMARC, Mimecast will be automatically added as a Trusted ARC Sealer in your Microsoft 365 environment.
If you discontinue your Mimecast Email Security Cloud Integrated trial or service, this must be manually removed from your Microsoft 365 tenant. For more details on Trusted ARC sealers, please refer to Microsoft's documentation.
| Display Name | Type | Justification |
| --- | --- | --- |
| Manage Exchange As An Application | Application | For the application object to access resources, it must have the Application permission Exchange.ManageAsApp. This allows us to run the PowerShell cmdlets to install the rules/connectors. |
| Sign-In & Read User Profile | Delegated | Required when the customer gives consent for the app with the URL link. |
| Read Domains | Delegated | Allows the app to read and write domains without a signed-in user. |
| Read & Write All Directory RBAC Settings | Application | This permission is required by the automated sign-up process. It is used to assign the "Exchange Administrator" role to the app in the customer tenant. |
| Read All User's Full Profiles | Application | To read all the users for the directory-sync feature (currently runs twice daily). |
| Read & Write All Applications | Application | Required for potential planned product improvements. |
| Read & Write Mail In All Mailboxes | Application | We allow users to "remediate" malicious emails, and this permission allows us to delete those emails from the target mailbox. |
| Read All Groups | Application | To read all the groups for the directory-sync feature (currently runs twice a day). |
| Read Directory Data | Application | To be able to read all the users and groups for the directory-sync feature (currently runs twice a day). |
| Read Domains | Application | Allows the app to read domains without a signed-in user. |
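One way to confirm, after consent, which Application-type permissions the enterprise app actually holds and how they compare with the table above. This is an added example, not Mimecast's or Microsoft's own code. It assumes the Microsoft.Graph PowerShell module is installed; the app display name is a placeholder, and the permission values other than Exchange.ManageAsApp are inferred from the display names in the table rather than stated on this page.

```powershell
# Added example: audit the app's granted application permissions.
# ASSUMPTIONS: $AppName is a placeholder for the enterprise app's display name.
# Only Exchange.ManageAsApp is named on the page; the other values are
# inferred from the table's display names.
$AppName  = '<enterprise app display name>'
$Expected = @(
    'Exchange.ManageAsApp'
    'RoleManagement.ReadWrite.Directory'
    'User.Read.All'
    'Application.ReadWrite.All'
    'Mail.ReadWrite'
    'Group.Read.All'
    'Directory.Read.All'
    'Domain.Read.All'
)

Connect-MgGraph -Scopes 'Application.Read.All'

$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$AppName'")
if ($sp.Count -ne 1) {
    throw "Expected exactly one service principal named '$AppName', found $($sp.Count)."
}

# Application permissions are stored as app role assignments. Each assignment
# references a resource service principal and the id of one of its app roles.
$resources = @{}
$granted = foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp[0].Id -All) {
    if (-not $resources.ContainsKey($a.ResourceId)) {
        $resources[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    }
    $role = $resources[$a.ResourceId].AppRoles | Where-Object Id -eq $a.AppRoleId
    [pscustomobject]@{
        Resource   = $a.ResourceDisplayName
        Permission = $role.Value
        InTable    = $role.Value -in $Expected
    }
}
$granted | Sort-Object InTable, Permission | Format-Table -AutoSize

# Report differences in both directions.
$missing = $Expected | Where-Object { $_ -notin $granted.Permission }
$extra   = $granted  | Where-Object { -not $_.InTable }
if ($missing) { Write-Warning "In the table but not granted: $($missing -join ', ')" }
if ($extra)   { Write-Warning "Granted but not in the table: $($extra.Permission -join ', ')" }
```

The two Delegated rows are not covered here; those grants are stored separately as OAuth2 permission grants.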
Step 3
Once you have consented to the necessary permissions, a connection is established. You will be forwarded to the Mimecast Email Security Cloud Integrated Home page, where you will see a banner at the top similar to the one shown below, indicating the progress made on your initial setup and scans.
This confirms that Mimecast Email Security Cloud Integrated has the correct permissions and access to the Microsoft 365 environment to complete the connection process.