Directory Synchronization - Maximum Sync Deletions & Deleted Users

This article contains information on managing Directory Synchronization in Mimecast, focusing on Maximum Sync Deletions and Delete Users options to prevent mail flow issues and manage directory misconfigurations.

Maximum Sync Deletions can help to prevent mail flow issues and manage misconfiguration for users and groups made in your directory. Delete Users helps you automatically remove addresses from your Mimecast account that are no longer being synchronized from your environment.

Shared mailboxes are not affected, as the user is not removed from Mimecast and there is no impact on mail flow or archiving.

The Problem

When you synchronize your external Directory with your Mimecast account using a Directory Integration, the extracted addresses display with the type Extracted From Directory. If an address is no longer synchronized via your Directory integration, the address type is updated to Created by Message in Transit. This change is important for the Inbound Check of the Internal domain, as well as for policies that have been configured based on Directory Group membership.

The Inbound Check is one of the first checks that the Mimecast Message Transfer Agent (MTA) performs to ensure that we only accept items for further investigation if they adhere to the Inbound Check that has been configured. It is best practice to set the Inbound Check to Accept inbounds for valid Directory Users Only. This ensures that the Mimecast MTA only accepts items for addresses that have been retrieved from your external Directory.

However, if a misconfiguration is made within your external Directory, a large number of email addresses may no longer be presented for synchronization. The addresses that are no longer being retrieved from your directory will be updated to Created by Message in Transit and they will be removed from all the Directory Groups they were a member of. As a result, the Mimecast MTA would no longer accept items for these addresses, and policies applied to these addresses via group membership would no longer be applied.

The Solution

Maximum Sync Deletions

By default, the Directory integration will only update the address type and group membership of 10 email addresses per sync when they are no longer being presented during the Directory Synchronization.

If you regularly remove a higher number of addresses from your external Directory, you can update this setting to a higher value. The following values are supported: 0, 5, 10, 20, 50, 100, 300, 500, 1000, 2000, 5000, 10000, 50000, 100000, Unlimited.

To view and edit this option:

  1. Navigate to Users & Groups | Directory Integration.
  2. Select an existing integration to edit or create a new one.
  3. Use the wizard to navigate to the Options page.
  4. Use the Maximum Sync Deletions drop-down to select your deletion limit per synchronization.

Deleted Users

If you want to remove the addresses from your Mimecast account instead of their address type and Directory Group membership being updated, you can enable the Delete Users option. This will result in the addresses being added to the Purge List. The value configured for Maximum Sync Deletions represents the maximum number of addresses that will be added to the Purge List.

To enable this option:

  1. Navigate to Users & Groups | Directory Synchronization.
  2. Select an existing integration to edit or create a new one.
  3. Use the wizard to navigate through to the Options page.
  4. Toggle the Deleted Users switch to enable/disable.

When creating an Azure Active Directory Integration with Delete Users selected, accounts that would have been set to Created by Message in Transit will instead be deleted, subject to the limits set in Maximum Sync Deletions. Please note that addresses already marked as Created by Message in Transit will not be affected.
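To make the two safeguards concrete, the following is an added example (not Mimecast's code) that models the sync reconciliation described under Maximum Sync Deletions and Delete Users: addresses missing from a sync are flipped to Created by Message in Transit (and dropped from their groups) or added to the Purge List, never more than the configured cap per sync, and addresses already marked in transit are skipped. The Address class, the reconcile and still_accepted functions and the constructed sample users are assumptions.

```python
from dataclasses import dataclass, field

EXTRACTED = "Extracted From Directory"
IN_TRANSIT = "Created by Message in Transit"
# Values offered by the Maximum Sync Deletions drop-down; None models "Unlimited".
SUPPORTED_LIMITS = (0, 5, 10, 20, 50, 100, 300, 500, 1000, 2000,
                    5000, 10000, 50000, 100000, None)

@dataclass
class Address:
    email: str
    address_type: str = EXTRACTED
    groups: set = field(default_factory=set)   # Directory Group memberships

def reconcile(directory, synced, max_sync_deletions=10, delete_users=False):
    """Apply one sync to `directory` (email -> Address, modelling the Mimecast
    internal directory); `synced` is the set of addresses the external directory
    presented. Returns the emails added to the Purge List (Delete Users only)."""
    if max_sync_deletions not in SUPPORTED_LIMITS:
        raise ValueError(f"unsupported Maximum Sync Deletions: {max_sync_deletions}")
    # Only addresses still typed Extracted From Directory are candidates; ones
    # already marked Created by Message in Transit are not touched again.
    missing = sorted(e for e, a in directory.items()
                     if a.address_type == EXTRACTED and e not in synced)
    if max_sync_deletions is not None:
        missing = missing[:max_sync_deletions]  # cap bounds a misconfigured sync
    purge_list = []
    for email in missing:
        if delete_users:
            del directory[email]               # removed from the account
            purge_list.append(email)
        else:
            directory[email].address_type = IN_TRANSIT
            directory[email].groups.clear()    # dropped from all Directory Groups
    return purge_list

def still_accepted(directory, email):
    """Inbound Check 'Accept inbounds for valid Directory Users Only': the MTA
    accepts mail only for addresses typed Extracted From Directory."""
    addr = directory.get(email)
    return addr is not None and addr.address_type == EXTRACTED

if __name__ == "__main__":
    # Constructed sample: 25 users, and a broken filter makes the sync return nobody.
    users = {f"user{i}@example.com": Address(f"user{i}@example.com", groups={"staff"})
             for i in range(25)}
    reconcile(users, synced=set(), max_sync_deletions=10)
    lost = [e for e in users if not still_accepted(users, e)]
    print(f"{len(lost)} of {len(users)} addresses lost Inbound Check acceptance")
```

With the default cap of 10, an empty sync only affects 10 addresses per run, which is what gives you time to notice the misconfiguration in the Audit Logs before every user is rejected by the Inbound Check.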

To manually remove users, you can purge them through the Internal Directories feature in Mimecast. For detailed instructions, refer to the article titled Directories - Deleting Users from Mimecast. This resource will guide you through the necessary steps to ensure a smooth deletion process.

Audit Logs

You can view Audit Logs for Directory Synchronization by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Account | Audit Logs.
  3. In the Filter by field, select Account Logs and click on Apply.
  4. The Completed Directory Sync entries are displayed.


Comments

6 comments
  • How would this impact Exchange Shared Mailboxes that are converted from user to mailboxes? Assume they are receiving email but might not be sending.
  • Thank you for your feedback; we have reviewed the article and updated it.
  • There are a few users who have left the organization, and their Azure AD accounts are deleted from AAD. Instead of removing those accounts in Mimecast, it is marking them inactive. How do I clear those inactive accounts from Mimecast?
  • Hi North Foundation,

    Thank you for your comment.

    This can be due to the setup of the Directory Sync connector. The default is set to Disable accounts when they are removed from the AD. The setting to remove from Mimecast internal directories needs to be set to Delete: https://mimecastsupport.zendesk.com/hc/en-us/articles/34000698543123-Directory-Synchronization-Maximum-Sync-Deletions-Deleted-Users

    If you want to remove these manually, this can be done by purging via the Internal Directories on the specific address: https://mimecastsupport.zendesk.com/hc/en-us/articles/34000303232275-Directories-Deleting-Users-from-Mimecast

    I hope this answer helps.
  • Where are the LDAP sync logs? Why does searching "LDAP sync log" in your knowledge base not return an article with the location of the logs as the first result?
  • Hi saskin_adm,

    Many thanks for your feedback.
    The article has been updated with information on how to find these logs, and a link has been added to our Audit Logs article.