Enabling Azure Active Directory Synchronization for Office 365

Document created by user.oxriBaJeN4 Employee on Sep 3, 2015. Last modified by user.oxriBaJeN4 Employee on Aug 11, 2017. Version 25.

If you are using Office 365, or already synchronize your on-premises Active Directory with Windows Azure Active Directory, Mimecast can synchronize automatically with Windows Azure to add and manage your users, groups, group memberships, and user attributes, removing the administrative overhead of performing these tasks manually.

Passwords are not synchronized by this feature. To allow users to log in to Mimecast applications with their Office 365 / Windows Azure credentials, you must also configure Office 365 Domain Authentication, or SAML Authentication with Windows Azure Active Directory as the Identity Provider.

What You'll Need

 

  • Access to your Windows Azure management portal for the Active Directory you would like to sync with Mimecast.
  • A Mimecast Administrator account with edit permissions to the Administration | Services | Directory Synchronization toolbar button.

 

Creating a Windows Azure Active Directory Application

 

This step is performed in the Office 365 Admin Center. 

For detailed, but non-Mimecast specific, instructions on creating a Windows Azure Active Directory application, read the "How to Configure Your App Service Application to use Azure Active Directory Login" page on the Windows Azure website. 

To create a Windows Azure Active Directory application:

  1. Log on to the Office 365 Admin Center.
  2. Click on the Admin / Azure AD menu item.
  3. Click the Active Directory menu item.
  4. Click on the App Registration tab at the top of the page.
  5. Click on the Add button at the top of the screen to start a guided wizard.
  6. Specify the options as follows:

    Name
      Specify a name for the application (e.g. Mimecast Directory Synchronization).
    Application Type
      Web Application and / or Web API.
    Sign-on URL
      Specify an arbitrary URL, using the same URL in both URL fields. As this application is not used for authentication, the values entered are not important.
      Do not specify portal.office.com, as this will cause problems accessing Office 365.
  7. Click on the Create button at the bottom of the section.
  8. Select the newly created App from the list.
  9. Make a note of the Application ID value (this is the value the Mimecast connector asks for as the Client ID). It will be needed when you are creating your Directory Synchronization Connection.
  10. Create an Application Key. See the "Get Application ID and Authentication Key" section of the Create Identity for Azure App in Portal page in the Microsoft Azure documentation for further details. Choose the shortest key duration that fits your key rotation process.
  11. Make a note of the application key. It is displayed only once, and it will be needed when you are creating your Directory Synchronization Connection. Treat it as a password: together with the Application ID it lets anything holding it read your entire directory, so store it only in the Mimecast connector.
    The key is only valid for the duration specified in step 10. If you do not create a directory synchronization connection before it expires, another key must be created. Synchronization also stops working once the key expires, so create and enter a new key before that date.
  12. Click on Required Permissions and ensure that Windows Azure Active Directory has the Read Directory Data application permission. No other permission is needed; in particular, do not grant Read and Write Directory Data, as the connector only reads from the directory.
  13. Click the Save menu item at the foot of the page.
  14. Click on the Grant Permissions button.
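The same registration, performed end to end with the AzureAD PowerShell module, as an added example that is not part of the Mimecast article. The application name, the arbitrary sign-on URL and the one-year key lifetime are assumptions; the "Read directory data" role is looked up by name on the Windows Azure Active Directory (Azure AD Graph) service principal rather than hard-coded, and the final role assignment is what the portal's Grant Permissions button does.

```powershell
# Added example (not from the Mimecast article): the registration above, performed with the
# AzureAD PowerShell module. The application name, sign-on URL and one-year key lifetime
# are assumptions; change them to suit your tenant.
Import-Module AzureAD
Connect-AzureAD | Out-Null   # sign in as a Global Administrator (needed for "Grant Permissions")

$appName   = 'Mimecast Directory Synchronization'
$signOnUrl = 'https://mimecast-dirsync.example.invalid'   # arbitrary; never portal.office.com

# Resolve the "Windows Azure Active Directory" (Azure AD Graph) service principal and its
# "Read directory data" application role by name rather than hard-coding the role GUID.
$aadGraph = Get-AzureADServicePrincipal -Filter "AppId eq '00000002-0000-0000-c000-000000000000'"
$readRole = $aadGraph.AppRoles |
    Where-Object { $_.Value -eq 'Directory.Read.All' -and $_.AllowedMemberTypes -contains 'Application' }

# Steps 12-13: request only that one application permission (least privilege: read, not write).
$access   = New-Object -TypeName Microsoft.Open.AzureAD.Model.ResourceAccess -ArgumentList $readRole.Id, 'Role'
$required = New-Object -TypeName Microsoft.Open.AzureAD.Model.RequiredResourceAccess
$required.ResourceAppId  = $aadGraph.AppId
$required.ResourceAccess = $access

# Steps 1-8: create the Web Application / Web API registration and its service principal.
$app = New-AzureADApplication -DisplayName $appName -Homepage $signOnUrl `
        -ReplyUrls @($signOnUrl) -IdentifierUris @($signOnUrl) -RequiredResourceAccess $required
$sp  = New-AzureADServicePrincipal -AppId $app.AppId

# Steps 10-11: create the application key. Its Value is returned once and cannot be
# retrieved later, so capture it now and store it only where the connector needs it.
$keyEnd = (Get-Date).AddYears(1)
$cred   = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId `
            -CustomKeyIdentifier 'mimecast-dirsync' -StartDate (Get-Date) -EndDate $keyEnd

# Step 14 ("Grant Permissions"): assign the app role to the service principal, which is the
# tenant-wide admin consent for Directory.Read.All on behalf of this application only.
New-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -PrincipalId $sp.ObjectId `
    -ResourceId $aadGraph.ObjectId -Id $readRole.Id | Out-Null

[pscustomobject]@{
    ApplicationId = $app.AppId      # "Client ID" in the Mimecast connector
    KeyExpires    = $keyEnd
    Key           = $cred.Value     # "Key" in the Mimecast connector; treat as a secret
}
```

Run it in a session where the key value is not written to transcript or history, and record the expiry date somewhere your rotation process will see it; the object printed at the end is everything the next section asks for.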

 

Adding a Directory Synchronization Connection

 

This step is performed in Mimecast.

 

To add a directory synchronization connection:

  1. Log in to the Administration Console.
  2. Click on the Administration toolbar button. A menu drop down is displayed.
  3. Click on the Services | Directory Synchronization menu item.
  4. Select the New Directory Connector button.
  5. Configure the following settings:

    Description
      Type a description to identify the connector.
    Type
      Select Office 365. This reveals the Windows Azure Active Directory specific settings.
    Client ID
      The Application ID from the Windows Azure configuration. Enter the value collected in step 9 of the previous section.
    Key
      The application key from the Windows Azure configuration. Enter the value collected in step 11 of the previous section.
    Tenant Domain
      Add your Tenant Domain.
      • The new Admin Center has a different URL that does not display the domain. To find it, navigate to the Setup | Domains menu item; the primary domain has (default) in parentheses after the domain name.
      • In the old Admin Center, this information is found in the URL in the address bar of the Windows Azure Management Portal, as the domain name printed after https://manage.windowsazure.com/.
    Acknowledge Disabled Accounts in Active Directory
      Optionally specify whether user accounts disabled in Azure Active Directory should also be disabled in the Mimecast platform.
    Optional Email Domains Filter
      Optionally list the domains the Directory Connector will synchronize with. These can be specified where:
      • There are multiple Directory Connectors, and each Connector is dedicated to certain domains.
      • The account is part of an Advanced Account Administration setup.
      Entries must be comma separated, with no spaces.
  6. Select Save and Exit to create the connector.

 

Finalizing the Integration

 

To complete the Directory Integration, activate the automatic synchronization, and enable users to log in using their Active Directory passwords:

  1. Select the Administration | Services | Applications menu item.
  2. Click on the Authentication Profiles button.
  3. Click on the Default Authentication Profile to enable you to change it.
  4. Select the Office 365 option in the Domain Authentication Mechanisms drop down.
  5. Click the Save and Exit button.

 

Validating Your Directory Synchronizations

 

Once these steps are complete, Mimecast synchronizes with your Active Directory automatically three times per day, at 8am, 1pm, and 11pm. The synchronization times are taken from the Mimecast region your account is in (e.g. Europe, North America, South Africa, Australia). For the Europe region, timings are in GMT; for the North America region, timings are in EST.

 

To validate that your scheduled synchronizations are completing successfully, you can view the status of a Directory Connection:

  1. Log in to the Administration Console.
  2. Click on the Administration toolbar button. A menu drop down is displayed.
  3. Click on the Services | Directory Synchronization menu item.
  4. Click the Sync Directory Data button to run a synchronization immediately and confirm that the connection works.
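Before relying on the scheduled runs, it is worth confirming outside Mimecast that the Application ID, key and Tenant Domain actually work, and that the key is not about to expire. The following PowerShell check is an added example and not part of the Mimecast article; it assumes a tenant domain and Application ID (placeholders below), acquires a client-credentials token for the Azure AD Graph resource that the Read Directory Data permission covers, reads a page of users with it, and then reports the key's expiry date using the AzureAD module.

```powershell
# Added example (not from the Mimecast article): proves the Application ID, key and tenant
# domain can read the directory before they are relied on, and flags keys that expire soon.
# The tenant domain and Application ID below are placeholders.
$tenantDomain = 'contoso.onmicrosoft.com'
$clientId     = '00000000-0000-0000-0000-000000000000'
$secure       = Read-Host -Prompt 'Application key' -AsSecureString
$bstr         = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$clientKey    = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

try {
    # Client-credentials grant for the resource the "Read directory data" permission applies to.
    $token = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$tenantDomain/oauth2/token" `
        -Body @{
            grant_type    = 'client_credentials'
            client_id     = $clientId
            client_secret = $clientKey
            resource      = 'https://graph.windows.net'
        }

    # Read one page of users with that token: the same kind of call the connector makes.
    $users = Invoke-RestMethod -Headers @{ Authorization = "Bearer $($token.access_token)" } `
        -Uri "https://graph.windows.net/$tenantDomain/users?api-version=1.6&`$top=5"
    'OK: read {0} user(s), e.g. {1}' -f $users.value.Count, $users.value[0].userPrincipalName
}
catch {
    $status = [int]$_.Exception.Response.StatusCode
    if ($status -eq 400 -or $status -eq 401) {
        'Token request rejected: check the Application ID, the key (expired or mistyped) and the tenant domain'
    }
    elseif ($status -eq 403) {
        'Token issued but the directory read was refused: Required Permissions have not been granted (step 14)'
    }
    else {
        "Request failed with HTTP $status : $($_.Exception.Message)"
    }
    return
}

# Key lifetime: once the key expires the connector can no longer authenticate, so warn early.
Import-Module AzureAD
Connect-AzureAD | Out-Null
$appObj = Get-AzureADApplication -Filter "AppId eq '$clientId'"
Get-AzureADApplicationPasswordCredential -ObjectId $appObj.ObjectId | ForEach-Object {
    $days = ($_.EndDate - (Get-Date)).Days
    if ($days -lt 30) {
        "WARNING: key expires in $days day(s) ($($_.EndDate)); create a new key and update the connector"
    }
    else {
        "Key valid until $($_.EndDate)"
    }
}
```

A 403 from the users call is the most common failure after a fresh registration: the permission was added under Required Permissions but Grant Permissions was never clicked, so the token carries no roles. A rejected token request points at the credentials or tenant domain entered in the connector instead.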
