Roles - Backup Administrator Account

Updated
This article contains information on why Backup Administrator Accounts are essential, how to create them, and recommendations for secure access management.

Why You Need a Backup Administrator Accounts

When organizations create a single Super Administrator account tied to a specific employee, they risk losing specific administrative access if that employee leaves. This forces customers through a complex approval process to regain control.

Backup Admin Accounts Prevents This By:

  • Eliminating lockout when administrators leave.
  • Avoiding complex approval processes.
  • Providing emergency recovery access.
  • Ensuring business continuity.

Creating a Backup Administrator Account

Prerequisites

  • Super Administration access to the Mimecast Administration Console.
  • The email address must exist in Users&Groups | Internal Directories.

Setup Instructions

You can set up a Backup Administrator by using the following instructions.

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Account | Admin Roles.
  3. Right-click on Super Administrator (or Full Administrator).
  4. Select Add User to Role.
  5. Search for and select your backup admin email address.
  6. Click Add Selected Users.

Choosing the Right Role

Role Use For Key Capabilities
Super Administrator Primary Backup Full access, including protected content and role management. Can create new Super/Full Admins and can reset the passwords of these accounts.
Full Administrator Secondary Backup High-level privileges without Super Admin management rights.

These are protected roles (indicated by 🔒) and can only be managed by Mimecast Support for security.

Please read Roles - Administrator Role Permissions for more information on the roles and permissions.

Recommended Setup

Confirm Authentication Security

By default, the Account_Administrators_Authentication_Profile controls authentication for all administrator accounts and overrides any other Authentication Profiles. Ensure Two-Step Authentication has been configured.

If the default Account_Administrators_Authentication_Profile does not exist or has been disabled, and you’re using custom profiles, check the Users & Groups | Internal Directories to find the Backup Administrator Account. Click into the account to confirm which Application Settings are applying. Navigate to Users & Groups | Applications to determine which Authentication Profile is applying and ensure Two-Step Authentication is configured.

Alongside Two-Step Authentication, it is recommended you use a Mimecast Cloud Password in case of Account Directory (AD) failure and you’re unable to use SSO. Make sure you change your passwords periodically, and they should be set to not expire.

Configuration instructions:

Store Credentials Securely

  • Store credentials in the enterprise password management system.
  • Document who has access to these credentials.
  • Record the credentials location in the IT emergency procedure.
  • Never store in an unsecured location.

Access Management

Access Control:

  • Limit to senior IT staff and security administrators.
  • Review access quarterly.
  • Update documentation when staff changes.
  • Use only for emergency access—not day-to-day administration.

Recommended Setup:

Minimum:

  • 2 primary Super Administrators (person-specific) [preferred]

OR

  • 1 primary Super Administrator (person-specific)
  • 1 backup Super Administrator (system account)

Enhanced (larger organizations): 

  • 1 primary Super Administrator
  • 2 backup Super Administrators
  • 2-3 Full Administrators for daily operations

System admin accounts provide full administrative access to your Mimecast environment. Any actions performed using these accounts will be logged under the system account name, not the individual who accessed the credentials. 

We strongly encourage you to store system admin credentials in an enterprise password management system that provides: 

  • Audit trails showing who accessed the credentials.
  • Access controls limiting who can retrieve the credentials.
  • Secure, encrypted credential storage.
  •  Activity logging for compliance and security review

Testing and Maintenance

After setup, you should check the following:

  1. Verify login with backup credentials.
  2. Confirm Multi-Factor Authentication (MFA) functions correctly.
  3. Test appropriate permissions.
  4. Document test results.

You should check the following on a regular basis:

  • Test access quarterly.
  • Update passwords as needed.
  • Review and update the access list.

If You Lose Access

Contact Mimecast Support immediately. Be prepared to verify identity and organization ownership. Recovery can be time-consuming, which is why backup accounts are critical.

Common Mistakes

❌ Avoid:

  • Using employee email as only admin.
  • Skipping MFA setup.
  • Never testing backup access.
  • Storing credentials insecurely.

✅ Recommendations:

  • Create backups during initial deployment.
  • Store in an enterprise password manager.
  • Test quarterly.

See Also...

Related to

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.