Enabling Azure Active Directory Synchronization for Office 365

Document created by user.oxriBaJeN4 Employee on Sep 3, 2015Last modified by user.Yo2IBgvWqr on Dec 20, 2017
Version 33Show Document
  • View in full screen mode

If you are using Office 365, or already synchronizing your On Premises Active Directory with Windows Azure Active Directory, we can automatically synchronize with Windows Azure to add and manage all your user, group, group membership, and user attributes. This removes the administrative overhead of performing these tasks manually.

Passwords are not synchronized using this feature. To allow users to log on to Mimecast applications using their Office 365 / Windows Azure credentials, you need additionally to configure your Office 365 Domain Authentication or SAML Authentication using Windows Azure Active Directory as an Identity Provider.

What You'll Need


  • Access to your Windows Azure Management Portal for the Active Directory you want to synchronize with us.
  • Access to the Mimecast Administration Console with edit permissions to the Administration | Services | Directory Synchronization functionality.

Creating a Windows Azure Active Directory Application

For detailed, but non-Mimecast specific, instructions on creating a Windows Azure Active Directory application, read the "How to Configure Your App Service Application to use Azure Active Directory Login" page on the Windows Azure website.

To create a Windows Azure Active Directory application:

  1. Log on to the Office 365 Admin Center.
  2. Click on the Admin / Azure AD menu item.
  3. Click the Active Directory menu item.
  4. Click on the App Registration tab at the top of the page.
  5. Click on the Add button at the top of the screen to start a guided wizard.
  6. Specify the options as follows:

    Field / OptionComments
    NameSpecify a name for the application (e.g. Mimecast Directory Synchronization).
    Application TypeWeb Application and / or Web API
    Sign-on URLSpecify an arbitrary URL in both these fields, making sure the same URL is used in both fields. As this application will not be used for authentication, the values entered are not important.
    Do not specify portal.office.com as this will cause problems accessing Office 365.
  7. Click on the Create button at the bottom of the section.
  8. Select the newly created App from the list.
  9. Make a note of the Application ID value. It will be needed when you are creating your Directory Synchronization Connection.
  10. Create an Application Key. See the "Get Application ID and Authentication Key" section of the Create Identity for Azure App in Portal page in the Microsoft Azure documentation for further details.
  11. Make a note of the application key. It will be needed when you are creating your Directory Synchronization Connection.
    The key is only valid for the duration specified in step 10. If you do not create a directory synchronization connection before it expires, another key must be created.
  12. Click on the Required Permission button.
  13. Ensure Windows Azure Active Directory has the following permissions granted:
    • Read directory data
    • Read all users full profiles
  14. Click the Save menu item at the foot of the page.
  15. Click on the Grant Permissions button.
  16. Click on the Yes button. All users in the tenant are delegated the required permissions.


Adding a Directory Synchronization Connection


To add a directory synchronization connection:

  1. Log on to the Mimecast Administration Console.
  2. Click on the Administration toolbar button. A menu drop down is displayed.
  3. Click on the Services | Directory Synchronization menu item.
  4. Select the New Directory Connector button.
  5. Configure the following settings:

    DescriptionType a description to identify the connector.
    TypeSelect Office 365. This will reveal Windows Azure Active Directory specific settings.
    Client IDThis value needs to be the Client ID from the Windows Azure configuration. Enter the value collected in step 8 of the previous section.
    KeyThis value needs to be the Key from Windows Azure configuration. Enter the value collected in step 11 of the previous section.
    Tenant DomainAdd your Tenant Domain.
    • In the new Admin Center has a different URL that doesn't display the domain. To find this information navigate to the Setup | Domains menu item. The primary domain has (default) in parenthesis after the domain name.
    • In the old Admin Center, this information is found in the URL in the address bar of the Windows Azure Management Portal and is the domain name printed after this part of the URL - https://manage.windowsazure.com/.
    Acknowledge Disabled Accounts in Active DirectoryOptionally specify whether user accounts disabled Azure Active Active Directory should be disabled in the Mimecast platform.
    Optional Email Domains FilterOptionally list the domains the Directory Connector will synchronize with. These can be specified where:
    • There are multiple Directory Connectors, and where each Connector is dedicated to certain domains.
    • The account is part of an Advanced Account Administration setup.
    Entries must be comma separated. No spaces should be used.
  6. Select Save and Exit to create the connector.


Finalizing the Integration


To complete the directory integration, activate the automatic synchronization, and enable users to log on using Active Directory passwords:

  1. Click on the Administration toolbar menu item.
  2. Click on the Services | Applications menu item.
  3. Click on the Authentication Profiles button.
  4. Click on the Default Authentication Profile to enable you to change it.
  5. Select the Office 365 option in the Domain Authentication Mechanisms drop down.
  6. Click on the Save and Exit button.


Validating Your Directory Synchronizations


Once these steps are complete, we will synchronize with your Active Directory automatically three times per day, at 8am, 1pm, and 11pm. The synchronization timing is taken from the region your account is in (e.g. Europe, North America, South Africa, Australia). For the Europe region, timing is in GMT. For the North America region, timing is in EST.


To validate that your scheduled synchronizations are completing successfully, you can view the status of a directory connection:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar button. A menu drop down is displayed.
  3. Click on the Services | Directory Synchronization menu item.
  4. Click the Sync Directory Data button to test the connection immediately.

5 people found this helpful