This article describes managing your administrators and the assigned administrator levels in the Mimecast Email Security Cloud Integrated product platform. It is intended for Administrators.
You can also find details on Authentication methods used for those Administrators.
Managing Administrators
You can manage your Administrators in Mimecast Email Security Cloud Integrated by using the following steps:
- Log in to Mimecast Email Security Cloud Integrated with an active Super Administrator account.
- Navigate to Configuration | Admin Management.
The User Management screen enables you to change an existing Administrator account. By selecting their respective row, you can choose from the following options:
- Edit: This will open the user details screen for that particular user.
- Reset Password: This will allow resetting a particular user's password.
- Delete: This will delete the account if you no longer wish it to be used in the future.
Mimecast accounts, and accompanying Administrator Roles, depend on Primary SMTP Address. If your User Principal Name (UPN) changes, but no change to Primary SMTP Address occurs, no effect should occur on Mimecast. If both are changed, or just Primary SMTP Address, it may automatically remove your existing Administrator roles in the Mimecast Administration Console. In such cases, you'll need to go through a formal process to reinstate your Super Administrator access, which involves getting approval from Director-level or higher authority in your organization.
Authentication Methods
Authentication options are individually set per user when creating the admin or selecting their account from the Configuration | Admin Management screen.
The options available to select from are either:
- M365
If set only to use M365 authentication: The user will log in using your existing M365 authentication configuration.
- Local Password (Enforced 2FA)
If set to use Local Password authentication, the user will receive an email containing a temporary password and a link to log into Email Security (CI). They must set a new password and scan a QR code to register 2FA with an Authenticator app as part of this process.
New Administrators will be given the choice of authenticating using their Local Password, or authenticating using Microsoft 365. For added security, Local Password authentication enforces 2FA.
The Local Password authentication option always takes priority over any other enabled method. So, if this option is enabled, the user will be forced to use this method only.
For administrative users requiring an MFA reset, you'll need to contact your organization's support team. Due to the elevated permissions of administrative accounts, direct self-service reset might not be available. Your support team can help trigger a force registration process to reset your Multi-Factor Authentication.
Adding New Administrators
- Only users within your Microsoft 365 tenant domain can be searched and added as administrators.
- Mimecast Email Security Cloud Integrated synchronization with your environment will be a live sync when adding administrators.
- When adding a new admin user, verify the user exists in your Azure AD environment and perform a manual directory sync if needed by going to Users & Groups > Directory Synchronization > Sync All button.
You can add new Administrators, by using the following steps:
- Log in to Mimecast Email Security Cloud Integrated with an active Super Administrator account.
- Navigate to Configuration | Admin Management.
- Select 'Add New Admin' from the main Admin Management screen.
- Search for the desired user in the search box.
- Select an Admin Role to assign the user. Details on Roles and Permissions can be found in the below tables.
- Select the desired Authentication Method.
- Click the 'Invite' button to send them the Invitation to complete the process.
- If set only to use Microsoft 365 authentication: The user will log in using your existing Microsoft 365 authentication configuration.
- If set to use Local Password authentication, The user will receive an email containing a temporary password and a link to log into Mimecast Email Security Cloud Integrated. They must set a new password and scan a QR code to register 2FA with an Authenticator app as part of this process.
Administrator Roles & Permissions
The following tables describe the available roles and permissions administrators can be assigned.
Super Admin
| FUNCTION | READ | CREATE | EDIT | DELETE | TAKE ACTION |
|---|---|---|---|---|---|
| Admin Management | |||||
| Policies and Detection Engine Configuration | |||||
| Allow / Block Rules | |||||
| Detections | |||||
| Reports | |||||
| Audit Logs |
Full Administrator
| FUNCTION | READ | CREATE | EDIT | DELETE | TAKE ACTION |
|---|---|---|---|---|---|
| Admin Management | |||||
| Policies and Detection Engine Configuration | |||||
| Allow / Block Rules | |||||
| Detections | |||||
| Reports | |||||
| Audit Logs |
Triggering a new QR Code for the Authenticator App
If, for any reason, a user's Authenticator App gets reset, a new QR code will be required.
To trigger a new authentication QR code, you need to reset the user's Local Password via Configuration | Admin Management. A new QR code will be presented for scanning when the user next attempts to log in and set a new password.
When performing a reset using the "Can't log in?" button on the login screen, no QR code will be presented - only an administrative reset will cause this.
Comments
This is outdated. There is no “Configuration” option. Brilliant
hi David,
Thank you for the comment. I've taken a look at the navigation steps in the article for you, and they are accurate for use within the Mimecast Email Security Cloud Integrated platform.
Please note that this article does not cover the Mimecast Administration Console, which is for Mimecast Security Cloud Gateway.
Noticed today:
Full Administrator rights is unable to view email body content (403 forbidden response per Network tab). Verified on multiple detections in quarantine.
Upgrading to Super Administrator resolved the issue immediately.
I do not see email body/view content listed as a line-item specific permission to know if this is expected behavior, or not.
Hi Jacob Durig,
Thank you for your feedback. As a Full Administrator, you should be able to see email body/view content. If you still can’t, please raise a case for assistance with this. See Mimecast Customer Care - Raising a Case for information on how to raise a case.
Hi - We need to assign Helpdesk staff a role that does NOT permit Content View (Message Body display) How we can enable non-content admin roles ( eg: Basic Admin or Help Desk Admin roles).
Hello Mohamed, many thanks for your feedback.
You can only choose from the Super or Full Administrator roles in Email Security Cloud Integrated; both have access to the email content.
There is not a view for choosing custom roles, as there is for Email Security Cloud Gateway.
Please sign in to leave a comment.