Web Security - Transparent User ID

This article is intended for Administrators. It describes how the Transparent User ID functionality removes the need for users to log into or otherwise interact with the Mimecast Security Agent, by automatically identifying the domain user's primary email address from the directory.

Prerequisites

Before using Transparent User ID, ensure the following requirements are met:

      • A directory connector is configured on your Mimecast account. See the Directory Synchronization Overview for further details.
      • The Windows or Mac device is joined to a domain.
      • The user has an email address in the User Properties in Active Directory.
      • The same email address is synchronized to Mimecast, denoted by the Extracted from Directory icon. See the Managing User Email Addresses for more information.

Transparent User ID identifies the user from the email address the operating system returns for the logged-on account. It does not authenticate or validate the user's credentials, so the Domain User status reflects whichever account is logged on to the device, not a sign-in to a Mimecast profile.

Identification Process

  1. When the user logs on to the Operating System (OS), the Mimecast Security Agent requests the user's email address (the mail attribute) from the OS.
  2. The OS passes this request to the local Active Directory (AD). If AD holds this information, it returns it to the OS, which passes it to the Mimecast Security Agent.
     If the device is joined to Azure AD and provisioned by Intune, user email discovery is automatic through the Windows API.
  3. The agent verifies the email address against what is available in the Mimecast internal directories.
  4. If the email address matches, the identification process has been successful. The user's Discovery Method is displayed as Domain User.

The email address is re-verified several times a day to ensure it is still valid. The Domain User status is preserved when the user is no longer on the network, so user-level policy application continues off the network.

To determine how a user has been identified, view the Discovery Method column available in the following Web Security screens:

The Policy Scope column in the table below shows which policy scopes can be applied to a user identified by each method. See Managing Policies.

Discovery Method | Description | Policy Scope
Authenticated | The user has logged into their Mimecast profile using an email address and password. This overrides all other discovery methods. | User, Group, Location, or Everyone
Domain User | The user has been automatically identified as a valid domain user: the email address returned by the OS/AD matched an address in the Mimecast internal directory. | User, Group, Location, or Everyone
Unknown Domain User | The user has been automatically identified as a domain user, but the Mimecast Security Agent was unable to match the email address against the internal directory. This can happen when the user is new and directory synchronization has not yet taken place. | Location or Everyone
Local User | The user is local to the device and not a domain user. | Location or Everyone
Multiple Users | The Mimecast Security Agent has determined that more than one user is logged on to the device. Policy application falls back to a location-based policy or a policy that covers everyone. | Location or Everyone
No Logged In User | No user is logged on to the device. | Location or Everyone
Network Protection Only | A device on a protected network that does not have the Mimecast Security Agent installed (for example, a device using guest Wi-Fi). | Location or Everyone
Supervised User | The username or email address on an iOS device, set by an administrator or MDM solution. | User, Group, Location, or Everyone

Enabling Transparent User ID

You can enable Transparent User ID by using the following steps:

  1. Log on to the Mimecast Administration Console.
  2. Navigate to Web Security | Agent Settings menu item.
  3. Click on the Settings tab.
  4. Enable the Transparent User ID option.

You can optionally select whether the user email address is taken from the Mail Attribute or userPrincipalName attribute in AD. This feature only applies to Mimecast Security Agent for Windows 1.10 and above. Mimecast Security Agent for Mac will continue to use the Mail Attribute.

Troubleshooting

Issue | Troubleshooting Steps
The user is not identified as a Domain User. | This can be caused by one of the following:
  • The OS is unable to connect to the local AD. Ensure that the user's device is on the network or the corporate VPN. The user can disconnect from the network once they have been correctly identified.
  • The local domain the device is joined to does not hold an email attribute for that user. Check that the device is joined to the correct local domain and that the user's AD account has an email address in its User Properties.
The user is identified as Unknown Domain User. | The Mimecast Security Agent has been given an email address by the OS/AD, but the same email address has not been found in your Mimecast internal directories (denoted by the Extracted from Directory icon). Check that directory synchronization has run and that the address is present, as described in Managing User Email Addresses.
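The following PowerShell function is an added example for administrators working through the identification process and the troubleshooting table above; it is not Mimecast code and does not talk to the Mimecast Security Agent or the Mimecast API. Run on the Windows device in question while it can reach a domain controller, it reports the same inputs the agent relies on: whether the device is domain joined, whether AD is reachable, and the logged-on user's mail and userPrincipalName attributes, so you can compare them with the address shown as Extracted from Directory in the Administration Console. It uses only the built-in ADSI searcher, CIM and dsregcmd, so RSAT is not required; the function name and the assumption that the logged-on user's sAMAccountName contains no LDAP filter metacharacters are this example's own.

```powershell
# Added example (not Mimecast code): collect the attributes Transparent User ID
# depends on, from the client device, using only built-in Windows tooling.
function Get-TransparentUserIdPrerequisites {
    [CmdletBinding()]
    param()

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    $result = [ordered]@{
        ComputerName       = $cs.Name
        DomainJoined       = [bool]$cs.PartOfDomain   # device must be joined to a domain
        Domain             = $cs.Domain
        AzureAdJoined      = $false                   # Azure AD/Intune devices discover the address via the Windows API
        SamAccountName     = $env:USERNAME
        DirectoryReachable = $false                   # false when off-network with no VPN
        MailAttribute      = $null                    # default source for the agent (and always used on Mac)
        UserPrincipalName  = $null                    # optional source for Windows agent 1.10 and above
        MailPresent        = $false
        MailMatchesUpn     = $false
    }

    # dsregcmd prints "AzureAdJoined : YES" on Azure AD joined devices; errors are
    # suppressed so the check degrades to $false on builds without dsregcmd.
    $result.AzureAdJoined = [bool](dsregcmd /status 2>$null |
        Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet)

    if ($result.DomainJoined) {
        try {
            # Same lookup the OS performs on the agent's behalf: the logged-on
            # user's mail and userPrincipalName from the local AD.
            # Assumes $env:USERNAME contains no LDAP filter metacharacters.
            $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$($env:USERNAME)))"
            $searcher.PropertiesToLoad.AddRange([string[]]@('mail', 'userPrincipalName'))
            $entry = $searcher.FindOne()
            $result.DirectoryReachable = $true

            if ($entry) {
                # Properties[...] returns an empty collection when the attribute is absent
                $result.MailAttribute     = @($entry.Properties['mail']) | Select-Object -First 1
                $result.UserPrincipalName = @($entry.Properties['userprincipalname']) | Select-Object -First 1
                $result.MailPresent       = -not [string]::IsNullOrWhiteSpace($result.MailAttribute)
                $result.MailMatchesUpn    = $result.MailPresent -and
                    ($result.MailAttribute -ieq $result.UserPrincipalName)
            }
        } catch {
            # Typical cause: the OS cannot reach the local AD (off network, no VPN)
            Write-Warning "Could not query Active Directory: $($_.Exception.Message)"
        }
    }

    [pscustomobject]$result
}

# Usage: run as the user who should be identified, then compare MailAttribute
# (or UserPrincipalName, if the Windows agent is configured to use it) with the
# address shown as Extracted from Directory in the Mimecast Administration Console.
Get-TransparentUserIdPrerequisites | Format-List
```

Reading the output against the table: DomainJoined false corresponds to Local User; DirectoryReachable false or MailPresent false explains a user who is never identified as a Domain User; MailPresent true with an address that does not appear as Extracted from Directory in Mimecast corresponds to Unknown Domain User. MailMatchesUpn false warns you that switching the Windows agent from the Mail Attribute to userPrincipalName would change which address the agent tries to match, so check that the UPN is also synchronized before changing that setting.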
