This article provides information on configuring and managing the default Administrator Authentication Profile in Mimecast, including enabling, editing and securing it with Two-Step or SAML Authentication, and adding phone numbers for SMS-based authentication.
The default administrator Authentication Profile overrides every other Authentication Profile. For example, if you're an administrator whose logon has an Authentication Profile that uses a third-party application for two-factor authentication, but the default administrator Authentication Profile uses SMS, you're always challenged with SMS for two-factor authentication.
To secure administrators, the profile must implement either Two-Step or SAML Authentication.
While you can configure authentication settings to suit your organization, the administrator's Authentication Profile cannot be removed.
Enabling the Default Administrator Authentication Profile
You can enable the default Administrator Authentication Profile by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Services | Applications.
- Click on the Authentication Profiles button.
- Click on the Create Default Admin Authentication Profile option. The profile is created with a name of "Account_Administrators_Authentication_Profile".
- Creating this profile immediately activates this authentication profile for all administrators on your account. Ensure your configuration options are valid before saving this profile.
- Once it is enabled, it will override any other previously created profiles.
Editing the Default Administrator Authentication Profile
You can edit the default Administrator Authentication Profile by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Services | Applications.
- Click on the Authentication Profiles button.
- Select the Account_Administrators_Authentication_Profile profile from the list. The settings dialog displays.
- Edit the Settings as required.
- Click on the Save and Exit button.
To edit an existing Administrator Authentication Profile so that it's no longer the default Administrator Authentication Profile, you will need to raise a case with Support.
Configuring Two-Step Authentication
When configuring Two-Step Authentication, consider the following:
- To configure trusted networks from a trusted location (e.g. the corporate office), use the Trusted IP Ranges feature.
- It is not currently possible to apply settings to different groups of administrators. If the settings in the Administration Authentication Profile are causing an issue for your organization, contact our Support Team.
- If the user's SMS attribute contains the phone number, the in-line registration of that number ID is displayed.
- Using SMS as the delivery mechanism for one time passwords requires that the user's phone number be recorded in the SMS attribute on their user record. To prevent specific users or administrators from being prompted to enter a phone number, ensure the SMS attribute is repopulated only for the impacted users. This can be done:
  - Manually, one user at a time.
  - Via a spreadsheet import.
  - Via Directory Synchronization.
Adding a Phone Number Manually
You can add a phone number manually by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Services | Applications.
- Navigate to Account | Account Settings.
- Expand the System Notification Options section and make a note of the SMS Attribute value.
- Navigate to Directories | Internal Directories.
- Click on the Domain of the user you want to change.
- Click on the User you want to change.
- Find the SMS Attribute in the General Attributes section.
- Enter the user's Phone Number without spaces and including the country code (e.g., +1 for a US number or +44 for a UK number).
- Click on the Save and Exit button.
Adding a Phone Number via Spreadsheet Import
See Spreadsheet Import for full information on populating users' phone numbers via a spreadsheet.
Adding a Phone Number via Directory Synchronization
To use Directory Synchronization to populate the user's phone number in Mimecast, you must have successfully synchronized your directory. See Directory Synchronization.
You can populate a user's phone number via Directory Synchronization by using the following steps:
- Identify your Directory's SMS Attribute. The default values are:
| Exchange | Default Attribute |
| Active Directory | telephoneNumber |
| Azure Active Directory | mobilePhone |
- Create an Attribute. See the Managing Directory Attributes page for full details.
- Select the Directory Linked Attribute option as the "Prompt Type".
- Add the attribute to your account settings:
  - Navigate to Accounts | Account Settings.
  - Click on the System Notification Options tab.
  - Click on the Lookup button in the SMS Attribute field.
  - Locate the Directory Linked attribute.
  - Click on the Select Attribute button.
  - Click on the Save button. The next time your directory synchronizes, the attribute will be populated.
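Because the default administrator profile applies to every administrator as soon as it is created, it helps to check the directory values before enabling SMS. The following is an added example, not Mimecast code: it audits a constructed export of administrators for the default directory attributes listed above and flags numbers that are absent or not in the "country code, no spaces" form used for manual entry. The CSV layout, the addresses and the digit-length bound are assumptions.

```python
import csv
import io
import re

# Format from the manual-entry step: leading "+", country code, digits only, no spaces.
# The 8-15 digit bound follows E.164 and is an assumption, not a documented Mimecast limit.
PHONE_RE = re.compile(r"^\+[1-9]\d{7,14}$")

# Default SMS attribute names listed in the table above.
DIRECTORY_ATTRIBUTES = ("telephoneNumber", "mobilePhone")

# Constructed sample export; column layout and addresses are hypothetical.
SAMPLE_EXPORT = """email,telephoneNumber,mobilePhone
alice@example.com,+442071234567,
bob@example.com,,+1 202 555 0147
carol@example.com,,
dave@example.com,02071234567,
erin@example.com,,+12025550199
"""


def classify(value):
    """Return 'ok', 'missing' or 'bad_format' for one attribute value."""
    value = (value or "").strip()
    if not value:
        return "missing"
    return "ok" if PHONE_RE.match(value) else "bad_format"


def audit_admins(export_text, attribute):
    """Map each administrator to the state of the chosen SMS attribute."""
    if attribute not in DIRECTORY_ATTRIBUTES:
        raise ValueError(f"unexpected SMS attribute: {attribute}")
    reader = csv.DictReader(io.StringIO(export_text))
    return {row["email"]: classify(row.get(attribute)) for row in reader}


def needs_attention(export_text, attribute):
    """Administrators whose number is absent or not in +<country code><digits> form."""
    report = audit_admins(export_text, attribute)
    return sorted(user for user, state in report.items() if state != "ok")


if __name__ == "__main__":
    for attr in DIRECTORY_ATTRIBUTES:
        print(attr, needs_attention(SAMPLE_EXPORT, attr))
```

Run it against whichever attribute is linked as the SMS Attribute in Account Settings; the other column is ignored.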