Authentication Profiles - Enabling Cloud Authentication

This article contains information on preparing and managing Mimecast Cloud Passwords, including configuring password complexity, creating passwords, defining authentication profiles, setting permitted IP ranges, and applying profiles to enhance security and user access control.

Cloud Password Authentication is available for all customers and is typically used when your organization wants to manage and use specific Mimecast passwords when accessing Mimecast.

Preparing Cloud Passwords

Defining Password Complexity and Expiration

These settings affect Mimecast Cloud Passwords only and are applied to all users in the organization.

You can configure Password Complexity and Expiration settings by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Account | Account Settings.
  3. Expand the Password Complexity and Expiration section.
  4. Change the Settings as required.

Create a Mimecast Cloud Password

Setting the Cloud Password this way automatically revokes all active Registered Applications tokens, forcing that user to re-authenticate. This includes tokens created by other authentication mechanisms. See Registered Applications.

You can create a Mimecast Cloud Password by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Users & Groups | Internal Directories.
  3. Select the Primary Domain of the user you want to set a cloud password for.
  4. Select the Primary Email Address of the user you want to set a Cloud Password for.
  5. In the permissions section of the Email Address Update page, enter and confirm the new password.
  6. Optionally select whether:
      • Passwords should expire or not, using the Password Never Expires option.
      • Users should be required to change their passwords the next time they log in, using the Force Change at Logon setting.

Create an Authentication Profile

An Authentication Profile is referenced by a Mimecast Application Setting, which is in turn applied to a group of users. It is possible to edit existing Authentication Profiles or create new ones, depending on your requirements.

You can create a new Authentication Profile or edit an existing one by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Users & Groups | Applications.
  3. Select Authentication Profiles.
  4. To edit an existing Authentication Profile, select it from the list. Alternatively, to create a new profile, select the New Authentication Profile button.
  5. Add a Description. This will be used to reference the profile when it is later selected in an Application Setting.
  6. Select the option you would like to apply from the Allow Cloud Authentication drop-down list.

Unless the Enforce SAML Authentication for Administration Console setting is used, Cloud Authentication will always be available for the Mimecast Administration Console, regardless of the option selected here.

  7. Select a time period from the Authentication TTL drop-down list. When the time elapses and the binding expires, the application uses the credentials originally entered by the user to automatically request a new binding. The user is only prompted to re-enter a password if the password has changed.

The Authentication TTL applies to Mimecast for Outlook, Mimecast for Mac, and Mimecast Mobile only, and defines how long a binding issued after a successful authentication remains valid.

  8. Select Save and Exit to complete the configuration.

Defining Permitted IP Ranges

To add a layer of security, Mimecast provides optional Permitted IP Range settings for the Mimecast Administration Console, End User Applications, and Gateway Authentication attempts.

You can configure Permitted IP Ranges by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Account | Account Settings.
  3. Expand the User Access and Permissions section.
  4. In the Admin IP Ranges text box, enter the public IP address ranges you want to restrict access to, in CIDR format, one range per line.

Configuring Permitted IP Ranges for End User Applications

You can configure Permitted Application Login IP Ranges by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Users & Groups | Applications.
  3. Click Authentication Profiles.
  4. To edit an existing Authentication Profile, select it from the list. Alternatively, to create a New Profile, select the New Authentication Profile button.
  5. Select the check box to enable Permitted Application Login IP Ranges.
  6. In the Permitted Application Login IP Ranges text box, enter the public IP address ranges you want to restrict access to, in CIDR format, one range per line.
  7. Select Save and Exit to apply the new settings.

Configuring Permitted IP Ranges for Gateway authentication using SMTP or POP

You can configure Permitted Gateway Login IP Ranges by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Users & Groups | Applications.
  3. Select Authentication Profiles.
  4. To edit an existing Authentication Profile, select it from the list. Alternatively, to create a New Profile, select the New Authentication Profile button.
  5. Select the check box to enable Permitted Gateway Login IP Ranges.
  6. In the Permitted Gateway Login IP Ranges text box, enter the public IP address ranges you want to restrict access to, in CIDR format, one range per line.
  7. Select Save and Exit to apply the new settings.
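
The Admin IP Ranges, Permitted Application Login IP Ranges, and Permitted Gateway Login IP Ranges text boxes all take public ranges in CIDR format, one per line. The following is an added example, not Mimecast code, that checks such a list before it is pasted in and confirms that a given address (for example, an administrator's current egress IP) falls inside the accepted ranges. The function names and the sample list are assumptions made for illustration.

```python
import ipaddress

# Address space that is never public: RFC 1918, loopback, link-local, CGNAT.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]

def check_ranges(text):
    """Return (valid_networks, problems) for a one-range-per-line block."""
    valid, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if "/" not in line:
            problems.append((lineno, line, "no prefix length; write it as CIDR"))
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            try:  # parses only when host bits are ignored: suggest the network
                fixed = ipaddress.ip_network(line, strict=False)
                problems.append((lineno, line, f"host bits set; did you mean {fixed}?"))
            except ValueError:
                problems.append((lineno, line, "not a valid CIDR range"))
            continue
        if any(net.overlaps(block) for block in NON_PUBLIC):
            problems.append((lineno, line, "overlaps non-public address space"))
            continue
        valid.append(net)
    return valid, problems

def is_permitted(valid, ip):
    """True if ip falls inside at least one validated range."""
    return any(ipaddress.ip_address(ip) in net for net in valid)

# Constructed sample: documentation ranges stand in for real public egress ranges.
SAMPLE = """203.0.113.0/24
198.51.100.17/28
192.168.1.0/24
203.0.113.300/24
198.51.100.64
198.51.100.0/25
"""

if __name__ == "__main__":
    nets, issues = check_ranges(SAMPLE)
    print(nets, issues, is_permitted(nets, "203.0.113.25"), sep="\n")
```

A range as wide as 0.0.0.0/0 is also reported, because it overlaps the non-public blocks.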

Other Options

An Authentication Profile is applied to a group of users. Each user can only have one effective profile at a time. Consequently, it may be useful to add additional authentication options to your Authentication Profile.

Applying the Authentication Profile to an Application Setting

Once your Authentication Profile is complete, you need to reference it in an Application Setting for it to be applied, by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to the Users & Groups | Applications menu item.
  3. Select the Application Setting that you want to use.
  4. Use the Lookup button to find the Authentication Profile you want to reference and click the Select link on the lookup page.
  5. Select Save and Exit to apply the change.

Next Steps

You can test your configuration and verify that your Authentication Profile has been configured correctly by using the following steps:

  1. Open or navigate to a Mimecast application.
  2. Enter your primary email address.
  3. You should be able to select and enter a Cloud Password.
  4. Enter your Cloud Password and log in. You should be granted access to the application.