This guide describes how administrators can manage users and groups on the Mimecast Administration Console.
Overview
Mimecast offers a number of ways to manage users and groups. The steps below describe how to best leverage the available features.
Step 1: Adding Your Internal Email Domains
Before users can be created, you will need to add your organization's internal email domains to Mimecast. When your account was originally provisioned, at least 1 internal domain would have already been added. See the Managing Internal Domains guide to learn about adding and managing Mimecast Internal Domains.
Step 2: Setting Up Your Directory Synchronization
Once all of your internal email domains have been added, you can sync users and groups from Active Directory to Mimecast. This allows you to automate user and group management and optionally add user attributes to Mimecast users that can be used to apply policies or in Stationery layouts. The following options are available for Active Directory sync:
LDAP Active Directory Synchronization
Using an inbound LDAP(S) connection, Active Directory users and groups are automatically synchronized to Mimecast. This requires a firewall change to allow connectivity from Mimecast to your Domain Controllers.
See the Enabling LDAP Directory Synchronization for Active Directory guide for more information.
Active Directory Synchronization using the Mimecast Synchronization Engine
Using the Mimecast Synchronization Engine and a secure outbound connection from your internal network, Active Directory users and groups are securely and automatically synchronized to Mimecast. See the LDAP Directory Synchronization Enabling Active Directory Synchronization guide for more information.
Step 3: Setting Up Additional Sign In Options for Mimecast Applications
All Mimecast applications allow users to sign in using a Mimecast Cloud password. To allow users to sign in to Mimecast applications using their Active Directory password, there are a number of options available. See below for details:
| Mimecast Application | Domain | SAML SSO | IWA |
|---|---|---|---|
| Administration Console | ✔ | ✔ | |
| Mimecast Personal Portal | ✔ | ✔ | |
| Secure Messaging Portal (internal users) | ✔ | | |
| Mimecast for Outlook | ✔ | ✔ | ✔ |
| Mimecast for Mac | ✔ | | |
| Mimecast Mobile | ✔ | | |
Domain (Same Sign-On)
- A user provides their primary email address and password to the application.
- The Mimecast Administration Console, Mimecast Personal Portal, and the Secure Messaging Portal require the user to enter these details each time the user accesses the application.
- Mimecast for Outlook, Mimecast for Mac, and Mimecast Mobile only require the user to enter these details the first time they use the application and then again each time the user's password changes.
- Behind the scenes, Mimecast contacts Active Directory to verify the user.
Active Directory can be contacted using 3 different methods to verify a user's credentials:
| Name | Description | Help |
|---|---|---|
| Directory Connector | If you are using LDAP Directory Sync, the same connection is reused to verify users' credentials over LDAP. | Enabling Directory Connector Domain Authentication |
| ADFS | Using a secure HTTPS connection, a user’s credentials are verified using the ADFS WS-Trust endpoint. | Enabling Domain Password Authentication Using AD FS |
| Exchange Web Services (EWS) | Using a secure HTTPS connection, a user's credentials are verified using Basic Authentication against the Exchange EWS endpoint. | Enabling EWS Domain Authentication |
Integrated Windows Authentication (IWA) for Mimecast for Outlook
- Using this method, users are never prompted to enter their credentials.
- Mimecast for Outlook automatically detects the user's primary email address and uses Integrated Windows Authentication to authenticate the user.
Learn more: Mimecast for Outlook: Integrated Windows Authentication
SAML Single Sign-On (SSO) Using a Third Party IdP
See the Single Sign-On (SSO) section for guidance on this.