Application Consent for Single Sign-On Authentication

This article contains information on providing Application Consent when using Single Sign-On (SSO) authentication for Email Security Cloud Integrated (CI) customers.

Mimecast will be implementing an SSO application with minimal permissions. Upon logging in to the Email Security Cloud Integrated console, users will be required to grant consent for permissions that are specific to Microsoft 365 SSO only. Completing this process helps ensure greater security and simplifies the SSO process.

Important Dates

See the table below for specific dates.

Link Available in CI Console

The link will become visible in the Cloud Integrated Home Page on May 6th, 2025.

New Application Rollout

This date also marks the end of the four-week notice period to grant consent.

The New Application will be rolled out on June 17th, 2025.

To continue logging in with SSO seamlessly, we recommend that administrators provide consent within the four-week notice period.

Considerations

  • Consent can be granted by an administrator with the appropriate role as detailed in Prerequisites.
  • Administrators can review the Granting Consent section to go through the process in detail.
  • If Administrator consent is not granted, end users will be prompted to grant individual consent when logging in.
  • New users signing up for Email Security Cloud Integrated will see an additional mandatory consent prompt during the signup process.
  • If you see Cloud Authentication when your organization uses SSO, this may indicate an issue with your SSO configuration or email validation. This can occur when your email address doesn't match the expected format, or is not found in a user list assigned to SSO Authentication. Contact your IT support to verify your account details and SSO setup.

Prerequisites

In order to grant tenant-wide administrator consent, a Microsoft Entra user account with one of the following roles is required:

  • Privileged Role Administrator: With this role, application consent can be granted for all permissions and any API.

  • Cloud Application Administrator or Application Administrator: With one of these roles, application consent can be granted for all permissions and any API except Microsoft Graph App roles (application permissions).

  • A custom directory role that has the permission to grant permissions to applications.

Granting Consent

Administrators can grant consent provided they have one of the required roles listed above. A Grant Consent Now link will be displayed in an orange banner on the Email Security Cloud Integrated Home Page. Users will then be directed to sign in to Microsoft and grant consent at this stage.

The prompt and link to provide consent will remain visible in the CI console during the four-week notice period. After this period, consent must be granted for users to log in successfully using SSO.

The steps involved in granting consent are outlined below:

  1. Once logged in to the Cloud Integrated Console, click Grant Consent Now, which appears in the orange banner. You will then be directed to sign in to Microsoft.

  2. From the Microsoft sign-in page, enter the account Email Address and select Next.

  3. Enter the Password and select Sign in.

  4. Select the tick box to Consent on behalf of your organization, and select Accept to complete the process.

  5. Once you have selected Accept, you will be redirected to the Cloud Integrated Home Page. You will see a notification confirming that SSO consent has been granted successfully, or a notification informing you that it has not been successfully granted.

The prompt to provide consent will not reappear once consent has been granted.

Permissions Requested

The new SSO Application requests only basic profile access, which it needs in order to authenticate users for Mimecast. These permissions do not impact the Cloud Integrated Email Application permissions, which will still be required for Email Protection.

The specific permissions requested are listed below:

  • View users' email address
  • View users' basic profile
  • Sign users in
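
After consent is granted, an administrator can confirm that the SSO application holds only the three permissions listed above. The following is an added example, not Mimecast or Microsoft code: it audits records shaped like Microsoft Graph oauth2PermissionGrant objects, assuming the listed permissions correspond to the standard OpenID Connect scopes email, profile and openid. The sample records and all IDs are constructed placeholders.

```python
# Added example: audit delegated permission grants held by one SSO application.
# Assumption: the three listed permissions are the scopes email, profile, openid.
EXPECTED_SCOPES = {"openid", "profile", "email"}

# Constructed sample data shaped like Microsoft Graph oauth2PermissionGrant
# records. All IDs are placeholders, not real Mimecast or tenant identifiers.
SAMPLE_GRANTS = [
    {"clientId": "SSO-APP-SP-ID", "consentType": "AllPrincipals",
     "principalId": None, "scope": "openid profile email"},
    # Constructed per-user grant carrying one scope beyond the expected set.
    {"clientId": "SSO-APP-SP-ID", "consentType": "Principal",
     "principalId": "USER-1", "scope": " openid profile email offline_access"},
    {"clientId": "OTHER-APP-SP-ID", "consentType": "AllPrincipals",
     "principalId": None, "scope": "Mail.Read"},
]


def audit_sso_grants(grants, client_id, expected=EXPECTED_SCOPES):
    """Summarise delegated grants held by one service principal (client_id)."""
    report = {"tenant_wide": False, "missing": set(expected),
              "per_user": [], "unexpected": {}}
    for g in grants:
        if g.get("clientId") != client_id:
            continue  # grant belongs to a different application
        scopes = set((g.get("scope") or "").split())
        extra = scopes - expected
        who = g.get("principalId") or "tenant"
        if extra:
            report["unexpected"][who] = sorted(extra)
        if g.get("consentType") == "AllPrincipals":
            # Admin consent granted on behalf of the organization.
            report["tenant_wide"] = True
            report["missing"] -= scopes
        else:
            # Individual consent: the fallback when admin consent is absent.
            report["per_user"].append(who)
    # "missing" lists expected scopes not covered by tenant-wide consent.
    report["missing"] = sorted(report["missing"])
    report["ok"] = (report["tenant_wide"] and not report["missing"]
                    and not report["unexpected"])
    return report


if __name__ == "__main__":
    for key, value in audit_sso_grants(SAMPLE_GRANTS, "SSO-APP-SP-ID").items():
        print(f"{key}: {value}")
```

A report with per_user entries shows that some users consented individually, and any entry under unexpected is a scope outside the three listed permissions that should be reviewed.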


If you require any further assistance with this process, please contact support by visiting the Mimecast Community Portal and selecting Raise a Support Case.
