Directories - Exchange User & Group Management

This guide describes how administrators can manage users and groups on the Mimecast Administration Console.

Overview

Mimecast offers a number of ways to manage users and groups. The steps below describe how to best leverage the available features.

Step 1: Adding Your Internal Email Domains

Before users can be created, you will need to add your organization's internal email domains to Mimecast. When your account was originally provisioned, at least 1 internal domain would have already been added. See the Managing Internal Domains guide to learn about adding and managing Mimecast Internal Domains.

Step 2: Setting Up Your Directory Synchronization

Once all of your internal email domains have been added, you can sync users and groups from Active Directory to Mimecast. This allows you to automate user and group management and optionally add user attributes to Mimecast users that can be used to apply policies or in Stationery layouts. The following options are available for Active Directory sync:

LDAP Active Directory Synchronization

Using an inbound LDAP(S) connection, Active Directory users and groups are automatically synchronized to Mimecast. This requires a firewall change to allow connectivity from Mimecast to your Domain Controllers.

See the Enabling LDAP Directory Synchronization for Active Directory guide for more information.

Active Directory Synchronization using the Mimecast Synchronization Engine

Using the Mimecast Synchronization Engine and a secure outbound connection from your internal network, Active Directory users and groups are securely and automatically synchronized to Mimecast. See the LDAP Directory Synchronization Enabling Active Directory Synchronization guide for more information.

Step 3: Setting Up Additional Sign In Options for Mimecast Applications

All Mimecast applications allow users to sign in using a Mimecast Cloud password. To allow users to sign in to Mimecast applications using their Active Directory password, there are a number of options available. See below for details:

Mimecast Application Domain SAML SSO IWA
Administration Console  
Mimecast Personal Portal  
Secure Messaging Portal (internal users)    
Mimecast for Outlook
Mimecast for Mac    
Mimecast Mobile    

Domain (Same Sign-On)

      • A user provides their primary email address and password to the application.
      • The Mimecast Administration Console, Mimecast Personal Portal, and the Secure Messaging Portal require the user to enter these details each time the user accesses the application.
      • Mimecast for Outlook, Mimecast for Mac, and Mimecast Mobile only require the user to enter these details the first time they use the application and then again each time the user's password changes.
      • Behind the scenes, Mimecast contacts Active Directory to verify the user.

Active Directory can be contacted using 3 different methods to verify a user's credentials:

| Name | Description | Help |
|---|---|---|
| Directory Connector | If you are using LDAP Directory Sync, the same connection is reused to verify users' credentials over LDAP. | Enabling Directory Connector Domain Authentication |
| ADFS | Using a secure HTTPS connection, a user's credentials are verified using the ADFS WS-Trust endpoint. | Enabling Domain Password Authentication Using AD FS |
| Exchange Web Services (EWS) | Using a secure HTTPS connection, a user's credentials are verified using Basic Authentication against the Exchange EWS endpoint. | Enabling EWS Domain Authentication |

Integrated Windows Authentication (IWA) for Mimecast for Outlook

      • Using this method, users are never prompted to enter their credentials.
      • Mimecast for Outlook automatically detects the user's primary email address and uses Integrated Windows Authentication to authenticate the user.

Learn more: Mimecast for Outlook: Integrated Windows Authentication

SAML Single Sign-On (SSO) Using a Third Party IdP

See the Single Sign-On (SSO) section for guidance on this.
