Mimecast Essentials for Outlook - Configuration

Updated

This article contains information on deploying, configuring, and managing Mimecast Essentials for Outlook, including supported environments, authentication, application settings, Nested Application Authentication, and integration with Microsoft 365 and Graph API.
For more details on its features, see Mimecast Essentials for Outlook Overview.

 

Prerequisites

You will need:

  • The user performing the integration must have the Exchange Administrator, Application Administrator, and Privileged Role administrator roles.
  • Global Administrator access in Microsoft 365.

Supported Environments

Currently, Mimecast Essentials for Outlook is supported in the following environments:

Exchange Server
  • Microsoft 365 (Exchange Online)
  • Exchange 2016 or 2019 (On-Premises)
Outlook Desktop Client

Windows

  • Microsoft 365 Outlook Classic Windows
  • Microsoft 365 New Outlook Windows
  • Outlook (2016, 2019, 2021, and 2024)

macOS

  • Microsoft 365 Outlook for Mac
  • Outlook (2021 or 2024 for Mac)

Mimecast Essentials for Outlook follows the Microsoft Office Lifecycle for supported clients. Please ensure you are using the latest version of Outlook.

Windows

macOS
Web Browser

Windows

  • Chrome
  • Edge
  • Firefox

macOS

  • Chrome
  • Edge
  • Firefox
  • Safari*
  • Use the most recent version of any browser listed.
  • Ensure the browser is set to allow cookies from Mimecast.
  • *Prevent Cross-site tracking must be disabled in Safari.
  • Mimecast Essentials for Outlook is not supported on mobile browsers.
Mobile

Outlook Mobile iOS*

Outlook Mobile for Android*
  • *Supported if the mailbox is hosted in Microsoft 365 / Exchange Online.
  • The latest version of Outlook Mobile is supported.

For Mimecast Essentials for Outlook to function correctly when using Safari, you must ensure that Prevent Cross-site tracking is disabled within the Privacy settings. If this setting is enabled, you cannot log in to Mimecast Essentials for Outlook.

 

Deploying the Application

Microsoft 365 Admin Center

The Mimecast Essentials for Outlook plugin can be deployed to mailboxes hosted in Microsoft Exchange Online, through Integrated Applications in the Microsoft 365 Admin Center (Recommended,) or Centralized Deployment.

Integrated Applications

You can deploy the Mimecast Essentials for Outlook Add-in by using the following steps:

  1. In the Microsoft 365 Admin Center, click Settings (click Show All to expand the menu).
  2. In the Settings menu, select Integrated Apps.
  3. Click Get apps.

Integrated Applications - Get Apps

  1. Search for the Mimecast Essentials for Outlook App.
  2. Confirm to continue by selecting Get it Now.
  3. Click on Continue to accept the licensing agreement.
  4. Select the users you wish to assign the add-in to, and how they can access it.
  5. If you are a MEIR customer deploying from a manifest supplied to you by Mimecast:
    • Select the Upload custom apps option.

        Integrated Applications - Upload Custom Apps
    • Select the Choose File option.
    • From the file browser, select the supplied manifest (.xml).
    • Click on the Upload button.
    • Select the users you wish to assign the add-in to and how they can access it.

You will receive an email notification confirming your successful deployment. The add-in will take up to 12 hours to be displayed on users' ribbons. Users might need to relaunch Microsoft Outlook.​

When deployed from the store, the add-in automatically updates with each release. There’s no need to push a new version when a new version of Mimecast Essentials for Outlook becomes available.

Centralized Deployment

For more information, visit Deploy add-ins in the admin center, the Microsoft documentation.
To avoid errors, make sure that your Microsoft Exchange server can connect to the store.

You can configure Microsoft Outlook Add-ins in the Exchange Admin Center, by using the following steps:

  1. Log on to Microsoft 365.
  1. In the Microsoft Admin Center, navigate to Integrated Apps.
  2. Click on Add-ins.
  3. If deploying from the store:
    • Click Deploy Add-in.
    • Click Next.
    • Select the Choose from the Store option.
    • On the Add-Ins for Outlook page, enter "Mimecast" in the search box and select Mimecast Essentials for Outlook from the search results.
  1. If you are a MEIR customer deploying from a manifest supplied to you by Mimecast:
    • Click Deploy Add-in.
    • Click Next.
    • Select the I have the manifest file (.xml) on this device option.
    • From the file browser, select the supplied manifest (.xml) file.
    • On the Manage Add-in page, set one of these options depending on how you want your users to access Mimecast Essentials for Outlook:
      • Optional, enabled by default.
      • Optional, disabled by default.
      • Mandatory, always enabled. Users cannot disable this add-in.
    • Click on Deploy.

You will receive an email notification confirming your successful deployment. The add-in will take up to 12 hours to be displayed on users' ribbons. Users might need to relaunch Microsoft Outlook.

Exchange 2016 and 2019 Deployment

For more information, visit the Use Exchange Admin Center to deploy add-ins.
Ensure your Microsoft Exchange Server can access the Office Store. If the Office Store is unavailable in your region, contact Mimecast Support for a copy of the Mimecast Essentials for Outlook XML manifest.

You can configure Microsoft Outlook Add-ins in the Exchange Admin Center, by using the following steps:

  1. Log in to the Exchange Admin Center (EAC) for your organization.
  2. Navigate to the Organization section and select Add-ins.
  3. Click on  New.
  4. Select Add from the Office Store*.
  5. Search for Mimecast Essentials.
  6. Select the App to add and install it.
  7. Click  on Save.

*If you are a MEIR customer, select Add from file, and upload the Mimecast Essentials for Outlook XML file you received from Support.

 

Authentication

Mimecast Essentials for Outlook is a web-based application that uses the same authentication cookie as other Mimecast web applications. This means users are subject to the authentication session time limits set for web applications. If you still need to do so, you will be prompted to authenticate for Mimecast Essentials for Outlook. Users can authenticate using the Authentication Profile applied to the user, and it supports Cloud, Domain, and SAML.

Microsoft is set to disable Legacy Exchange Tokens, which will impact JSON Web Token Authentication. We strongly encourage organizations to migrate to Nested App Authentication (NAA) as soon as possible; however you can request an extension from Microsoft until October 2025.

For further information, see Turn legacy Exchange Online tokens on or off.

 

Using Nested Application Authentication (NAA) - Microsoft 365 / Microsoft Exchange Online

Enabling JSON Web Token Authentication within the Authentication Profile and creating a Nested Application Authentication for Mimecast Essentials for Outlook integration within the Integration Hub allows us to verify user identity via Microsoft and accept tokens issued by M365 as authorization for future requests. Please see Nested app auth requirement set for Microsoft's prerequisites for Nested Application Authentication.  

Customers on Government Community Cloud (GCC) High are not supported for Nested Application Authentication for Mimecast Essentials for Outlook.

You can configure Nested Application Authentication by using the following steps:

Updating an Authentication Profile

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Services | Applications.
  3. Select an existing profile or create a New Authentication Profile.
  4. Tick the Enable JSON Web Token Authentication option.
  5. Click on  Save and Exit.

Creating the Integration

  1. Navigate to IntegrationsIntegrations Hub.
  2. Select Nested Application Authentication for Mimecast Essentials for Outlook from the available integrations.
  3. Select Configure.
  4. Click on Create New Integration.
  5. Enter a Name and Description (The Tenant ID will be added to the description).
  6. Click Authorize, you will now be presented with a Microsoft 365 login.
  7. Log in to Microsoft 365 with a user who has permission to authorize the following:
      • Enable token (NAA for Mimecast Essentials for Outlook): Allows for token to be sent.
      • Sign in and read user profile:  Allows users to sign-in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
  1. Once you click Accept, you will be returned to the list of configured Nested Application Authentication for Mimecast Essentials for Outlook integrations.

    The status of the NAA Integration will not change from Unavailable once it is configured.

We recommend that after creating the Integration for NAA, if no longer required, or causing login issues, that you disable Exchange Identity Tokens as per Turn legacy Exchange Online tokens on or off - Office Add-ins.

Removing a Nested Application Authentication for Mimecast Essentials for Outlook integration

  1. Log in to Microsoft Entra Admin Center.
  2. Search for NAA for Mimecast Essentials for Outlook.
  3. Click on the Service Principal.
  4. Click on Properties.
  5. Click Delete.
The above will remove the integration from Microsoft 365, however, it will still be visible within the Integrations Hub. You can delete it by viewing the list of Nested Application Authentication for Mimecast Essentials for Outlook integrations and selecting delete from the drop-down menu.

Nested Application Authentication - Frequently Asked Questions

Q: Which versions of Office support NAA?
A:

The latest builds of Microsoft 365 and Microsoft Office 2024 support NAA when connected to a mailbox hosted in Microsoft Exchange Online.

Microsoft Office 2021, 2019, and 2016 Volume License (Pro Plus) do not support NAA. Support for Microsoft Office 2019 and 2016 ends in October 2025. Customers should plan to move to Microsoft 365 based Microsoft Office licensing, or purchase Microsoft Office 2024.
Q: Which versions of Outlook has NAA been tested with?
A: NAA has been tested in Microsoft Outlook on the following versions of Microsoft 365: 2506, 2505, 2504. For a better user experience, we strongly recommend updating to the latest version of Microsoft Outlook before using NAA.
Q: Where can I find documentation about NAA Outlook support?
A:

Microsoft keeps a list of the minimum builds of Office to use NAA. We recommend using the latest available build of Microsoft Office.
Q: Does the status change in the NAA Integration once it is configured?
A: No. The status will remain at Unavailable. Check the sign in logs in the NAA Application in Microsoft Entra (previously Azure Active Directory) under Enterprise Applications for authentication attempts. Look under User Sign-Ins (non-interactive).
Q: What's the best way to test if NAA is active in Mimecast Essentials for Outlook?
A:

The best way to test is to have a user log into Outlook on the Web (OWA) in an InPrivate or Incognito browser window.

  • Log in to Mimecast Essentials for Outlook.
  • In the Mimecast Essentials for Outlook logs, the call for NAA looks like this:
[6/10/2025, 7:20:07 PM] executeQueryAsyncInternal() - generate CallId.

[6/10/2025, 7:20:07 PM] executeQueryAsyncInternal() - ssoGetToken.

[6/10/2025, 7:20:07 PM] executeQueryAsyncInternal() - JWT token retrieved.
  • Close Mimecast Essentials for Outlook.
  • Select another message, and re-open Mimecast Essentials for Outlook.
  • Mimecast Essentials for Outlook should authenticate silently using the NAA token. The activity should be visible in Microsoft Entra.
Q: Can Exchange Legacy Tokens (JWT) affect the Mimecast Essentials for Outlook's ability to use NAA?
A:

Yes. It's recommended that Microsoft 365 Administrators disable JWT tokens during the NAA configuration process. The token can be disabled by connecting to Microsoft Exchange Online via PowerShell and running the following command.

Set-AuthenticationPolicy -BlockLegacyExchangeTokens -Identity "LegacyExchangeTokens"

It can take up to 24 hours for JWT to be deactivated on the tenant. Existing tokens can remain active for up to 7 days. 
Q: Can Exchange Legacy Tokens be cleared from Outlook if they cause issues with Mimecast Essentials for Outlook?
A:

Yes. Clear the Microsoft Outlook add-ins cache on the machine. For Microsoft Outlook classic, delete the contents of the folder:

%LOCALAPPDATA%\Microsoft\Office\16.0\Wef\


To clear the Microsoft Outlook cache on other platforms, see this article.
Q: Can I track if Mimecast Essentials for Outlook has requested a Exchange Legacy Token (JWT) recently? How do I verify Exchange Legacy Tokens are turned off in my M365 tenant?
A:

Verify the tokens are turned off by running the following command:

Get-AuthenticationPolicy -AllowLegacyExchangeTokens


If AllowLegacyExchangeTokens: is set to False, JWT is off. Mimecast Essentials for Outlook is identified in that report as 9b4919b5-728c-49f4-8a78-2d4abcfbb7dc. If it is listed under Allowed, there are JWT tokens still active in the tenant. If it's listed under Blocked, new tokens requested by users will be blocked and Mimecast Essentials for Outlook will be forced to use NAA.
Q:

What should I do if I see “Application '{appId}'({appName}) is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier.” listed in the Entra sign in logs as the reason for a failed authentication attempt?
A:

In Microsoft Entra, navigate to the Permissions section of the NAA for Mimecast Essentials Enterprise Application. Click Grant Admin Consent (you must have Global Administrator permissions to consent for your organization). The API permission granted is “Enable token”. The claim value is “mimecast.essentials”.

 

Using Exchange Identity Tokens - Exchange On Premise

Exchange Identity Tokens have been deprecated for Microsoft Exchange Online. We recommend that customers using Microsoft Exchange Online refer to the Using Nested Application Authentication section.

Enabling JSON Web Token Authentication within the Authentication Profile allows us to verify your identity using a one-time verification and accept the token as authorization for future requests.

You can authenticate your profile using a Microsoft Exchange identity token by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Services Applications.
  3. Select an existing profile or create a New Authentication Profile.
  4. Tick the Enable JSON Web Token Authentication option.
  5. Click Save and Exit.

You will not have to re-authenticate unless:

  • You have logged out of the application.
  • An administrator revokes your authentication.
  • The cookies are cleared from the browser cache.

 

Application Settings

If a Non-administrator attempts to access the Managed Senders in Mimecast Essentials for Outlook, they are subject to the Same IP range restrictions as entered in your Account | Settings.

If you have not already done so, you will need to ensure the Outlook Add-in option is enabled within the Application Settings by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Services Applications.
  3. Select existing application settings or create new ones.
  4. Click on the Outlook heading.
  5. Tick the Enable Mimecast Essential for Outlook option.

To report messages, you will need to ensure the Block and View Managed Senders option is enabled within the Application Settings relevant to the user account, by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Services | Applications.
  3. Select existing application settings or create new ones.
  4. Click on the Gateway Settings heading.
  5. Tick the Block and View Managed Senders option.

The message seen by users after successfully reporting a message can be customized via the Application Settings by using the following steps.

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Services | Applications.
  3. Select existing application settings or create new ones.
  4. Click on the Outlook heading.
  5. Enter your messages in the Custom Report message Acknowledgement field.

If no custom message is specified, the default of “Thanks for Making Email Safer for Business” will be used.

Microsoft 365 customers who use Awareness Training or Engage Phishing Campaigns can also specify a custom message when users report a simulated phishing message via the Custom Awareness Training Report Success Message. If no custom message is specified, the default “Nice work! You correctly reported a simulated phishing message. Thanks for making email safer for your business” will be used.

 

Creating Connectors

A connector can be created for environments that support the Microsoft Graph API (Microsoft 365). This will authorize Mimecast Essentials for Outlook to carry out actions (reading message details and moving reported messages) within users' mailboxes via the Graph API. 

You can configure a Graph API Connector for Mimecast Essentials for Outlook by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Services | Connectors.
  3. Click Create New Connector.
  4. Select the Mimecast Essentials for Outlook from the list and click Next.
  5. Select the M365 tile and click Next.
  6. Click Log In to begin the OAuth 2.0 authorization process with the third-party provider.
  7. Review and grant the requested permissions.
MEO permissions
MS Entra App Permission Common Name Application /Delegate Identifier Permission Description MS KB Permissions Reference
Domain.Read.All Read domains dbb9058a-0e50-45d7-ae91-66909b5d4664 Allows the app to read all domain properties without a signed-in user. Microsoft Graph permissions reference - Microsoft Graph | Microsoft Learn
Mail.ReadBasic Read basic mail in all mailboxes 7ab1d382-f21e-4acd-a863-ba3e13f7da61 Allows the app to read basic mail properties in all mailboxes without a signed-in user. Includes all properties except body, preview body, attachments, and any extended properties. Microsoft Graph permissions reference - Microsoft Graph
Mail.ReadWrite Read and write mail in all mailboxes e2a3a72e-5f79-4c64-b1b1-878b674786c9 Allows the app to create, read, update, and delete mail in all mailboxes without a signed-in user. Does not include permission to send mail. Microsoft Graph permissions reference - Microsoft Graph
User.Read Sign in and read user profile e1fe6dd8-ba31-4d61-89e7-88639da4683d Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. Microsoft Graph permissions reference - Microsoft Graph | Microsoft Learn
  1. Once the permissions have been successfully granted, click Next.
  2. Enter a connector Name and an optional Description and click Next.
  3. Review the connector summary and click Create Connector. Admin consent must be granted to the Enterprise Application via the Azure portal.

The first Mimecast Essentials for Outlook connector handles any actions that Mimecast Essentials for Outlook may take against a message (e.g., moving a message marked as spam to junk).

You will also need to configure an Integration for Mimecast Essentials for Outlook, for NAA.

NAA Permissions required

Related to

Was this article helpful?
9 out of 19 found this helpful

Comments

15 comments
Date Votes
  • Avatar
    Gary Smith

    Need more details of exactly what this does.

    Creating a Graph API Connector 

    A connector can be created for environments that support the Microsoft Graph API (Microsoft 365). This will authorize Mimecast Essentials for Outlook to carry out actions (reading message details and moving reported messages) within users' mailboxes via the Graph API. 

    Configure a Cloud Connector for Mimecast Essentials for Outlook 

    0
  • Avatar
    Admin - LI

    Thank you for your feedback. Kindly note that the article has been updated.

    0
  • Avatar
    Subramani, Dhanasekaran (D.)

    We have enabled Mimecast for Outlook Addin on user machine. On Office network the Add-in not working properly, user sees only Blank screen after authentication. But in home network the add-in is working as expected.

    Please help us to fix this issue

    0
  • Avatar
    Admin - CL

    Thank you for the comment! In order to get you the best solution possible, would you please post it into our Community? Not only will it be addressed by Cybersecurity peers, but the Mimecast team as well. Once you receive a solution, it can be bookmarked for easy retrieval.

    If your issue is more urgent and/or you wish to open a new Support case, please do so here.

    0
  • Avatar
    ryan molter

    If we just created the connector in the Mimecast console are we having to remove that application from Exchange Online? 

    0
  • Avatar
    saskin _adm

    Which client versions are supported?  There's conflicting info about that.

    0
  • Avatar
    Terry Henkels

    Mimecast news has a "Critical Update: Mimecast Essentials for Outlook".  That news item takes us to this article for more info.  However this article seems to need significant updating… it references multiple times going to Administration | Services | Connectors or Administration | Services | Applications, however there are no such choices under Services.

    0
  • Avatar
    Admin - VM

    Thank you for your feedback; we have reviewed the article and updated it.

    0
  • Avatar
    Meier, Dennis (US)

    When I click to set up the nested application authentication, it doesn't allow me to specify the tenant location.  It defaults to M365 Commercial and we are in a GCC High.  The window that opens does not let me change the URL for login either.

    0
  • Avatar
    Admin - KP

    Hi ryan molter, thank you for your feedback. To answer your question, you do not need to remove the application. The administrator should only remove the application from their M365 tenant if they are troubleshooting or completely removing the MEO application.

    0
  • Avatar
    Dakota Hourie

    We are having issues with the NAA authentication. We are on v1.3.16 on the MEO app. 

    NAA connector has been configured integrations, JSON Web Token Authentication is enabled in the authentication profile… Is there anything I'm missing here? 

    0
  • Avatar
    Admin - CL

    hi Dakota Hourie,

    Many thanks for raising this with us.

    We've updated the article, please review and see if this answers your questions.

    0
  • Avatar
    Admin-TM

    Hi Meier Dennis 

    Thank you for your feedback. We have revised our article to better address your question.

    If you would like to discuss this topic further, please post it in our Community. Not only will your questions be addressed by your cybersecurity peers, but the Mimecast team will also respond. Once you receive a solution, you can bookmark it for easy retrieval.

    If your issue is urgent or if you need to open a new support case, please do so here.

    0
  • Avatar
    Apgear, Ben

    The last step that states "You will also need to configure a second Connector for Mimecast Essentials for Outlook, for NAA.
    This connector handles authentication."  got any more on this step?  I'm not seeing this as an option anywhere. 

     

    0
  • Avatar
    Admin - KP

    Hi Ben, 

    Thank you for your feedback. Apologies for any confusion, but the article has been updated with clearer instructions in that section.

    0

Please sign in to leave a comment.