This article contains information on managing user attributes in Mimecast, including finding Azure Active Directory attribute names, creating and verifying extended attributes, and synchronizing them with Mimecast.
Introduction
A user attribute is a specific property linked to a Mimecast user (e.g. telephone number, address). Attributes can be used in Mimecast in a number of ways, including:
- User-centric business card information in advanced disclaimers.
- Sender or recipient values of a gateway policy.
Prerequisites
- An active Mimecast Directory Integration.
- A Mimecast Administrator with edit permissions to the Users & Groups | Attributes menu in the Mimecast Administration Console.
- The name(s) of the Active Directory attributes you want to synchronize.
Finding Azure Active Directory Attribute Names
When adding names of Azure Active Directory attributes on user accounts to your Mimecast directory, it is important that the names match exactly.
One way to find the names of user attributes stored in Azure Active Directory is to use the Graph Explorer tool provided by Microsoft.
This tool is not owned or maintained by Mimecast, and the guidance provided is correct at the time of writing.
You can find user attribute names with the Graph Explorer by using the following steps:
- Navigate to the Graph Explorer.
- Click the Sign In link.
- Sign in to Microsoft with the credentials of an administrator account. Ensure you have selected beta as the endpoint. The following is displayed where "mimecastercentral.com" is your tenant domain.
- Append /users/auser@mimecastercentral.com after the tenant domain where "auser@mimecastercentral.com" is the email address of the user whose attribute names you want to find.
- Click on the Run Query button. A query is sent to the Microsoft Graph API, and a user object in JSON format is returned.
- Open the JSON file and note the attribute names to be synchronized with Mimecast. They will be used in the next section.
Only string attributes are supported.
Creating an Attribute
You can create an attribute by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Users & Groups | Attributes.
- Click the Add Attribute button.
- Complete the Attribute Properties dialog as follows:
| Field / Option | Description |
|---|---|
| Description | Specify the name of the Active Directory attribute as it appears in Active Directory. |
| Prompt | |
| Prompt Group | Specify a name that the attribute will be grouped under. The group name is displayed on the user settings page, once the attribute has been synchronized. |
| Prompt Type | Select the "Directory Linked Attribute" option from the drop down list. |
| Prompt Order | Enter a numeric value to specify the order in which the attributes are listed in a Prompt Group. This is used purely to keep the attributes organized, and has no bearing on their use. |
| Prompt Options | Leave this field empty. |
- Click on Save and Exit.
Extended Attributes
An extended attribute is an attribute that has been synchronized from an On-Premises AD to an Azure AD, using the Azure AD Connect application. See Microsoft Entra Connect Sync: Directory extensions for more details.
Extended attributes appear in the user object via the latest Microsoft Graph API as follows:
"extension_c107e5b6b8274332accae1b03a7bb999_company": "My Company"
Where:
- extension indicates an extended attribute.
- c107e5b6b8274332accae1b03a7bb999 is an ID unique to the Azure tenant.
- company is the name of the attribute as viewed in the On-Premises AD.
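The following added example (not part of the original article, and not Mimecast or Microsoft code) reads a user object saved from Graph Explorer, keeps only the string attributes that the "Only string attributes are supported" note allows, and splits extended attribute names into the parts described above. The sample object is constructed, the function name is hypothetical, and the 32-hex-character ID pattern is an assumption based on the example name shown above.

```python
import json
import re

# Assumed shape, taken from the example above:
# extension_<32 hex character tenant-unique ID>_<on-premises attribute name>
EXT_RE = re.compile(r"^extension_([0-9a-fA-F]{32})_(.+)$")

# Constructed sample of a user object as returned by a /users/<email> query.
SAMPLE_USER_JSON = """
{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#users/$entity",
  "displayName": "A User",
  "mail": "auser@mimecastercentral.com",
  "businessPhones": ["+1 555 0100"],
  "accountEnabled": true,
  "mobilePhone": null,
  "extension_c107e5b6b8274332accae1b03a7bb999_company": "My Company"
}
"""

def syncable_attributes(user_json):
    """Return (standard, extended, skipped) for one Graph user object.

    standard: {name: value} for ordinary string attributes
    extended: list of dicts describing extension_<id>_<name> attributes
    skipped:  names whose values are not strings (lists, booleans, null)
    """
    user = json.loads(user_json)
    standard, extended, skipped = {}, [], []
    for name, value in user.items():
        if name.startswith("@odata"):      # response metadata, not an attribute
            continue
        if not isinstance(value, str):     # only string attributes are supported
            skipped.append(name)
            continue
        match = EXT_RE.match(name)
        if match:
            extended.append({"full_name": name, "tenant_id": match.group(1),
                             "ad_name": match.group(2), "value": value})
        else:
            standard[name] = value
    return standard, extended, skipped

if __name__ == "__main__":
    std, ext, skip = syncable_attributes(SAMPLE_USER_JSON)
    print("String attributes (copy names exactly):", sorted(std))
    for e in ext:
        print("Extended:", e["full_name"], "-> on-premises name:", e["ad_name"])
    print("Not supported (non-string):", skip)
```

Because attribute names must match exactly, copy the names from this output rather than retyping them.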
Verifying Extended Attributes are Synchronized
Once the Azure AD synchronization has completed, the attribute can be created using the "Directory Linked Attribute" prompt type. Read the Creating an Attribute section above for full details. You can verify that an attribute has been synchronized in Azure AD by displaying a user's attributes.
You can display a user's attributes by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Users & Groups | Internal Directories.
- Click on the required Domain. A list of users is displayed.
- Click on the required User. The attribute and its synchronized value should be displayed in the Prompt field inside the General Attributes section of the page.