Enabling Azure Active Directory Synchronization for Office 365

Document created by user.oxriBaJeN4 Employee on Sep 3, 2015. Last modified by user.oxriBaJeN4 Employee on Aug 22, 2019.
Version 44

If you are using Office 365, or already synchronizing your On-Premises Active Directory with Azure Active Directory, we can automatically synchronize with Azure to add and manage all your users, groups, group memberships, and user attributes. Once the service is activated, synchronization between Mimecast and Azure Active Directory occurs automatically at 8am, 1pm, and 11pm daily. This removes the administrative overhead of performing these tasks manually.


The Mimecast platform uses the Office 365 / Azure tenant name and a predefined Azure Active Directory application to query the Windows Azure Graph API. The workflow is:

  1. User, user attribute, group, and group membership data is requested from the Azure Active Directory.
  2. Azure Active Directory returns the requested data, which is processed and committed to the Mimecast platform.




  • We don't support replicating members of Office 365 Dynamic Distribution groups, due to limitations in the Windows Azure Graph API.
  • Passwords aren't synchronized. To allow users to log on to Mimecast applications using their Office 365 / Windows Azure credentials, you must also configure your Office 365 Domain Authentication or SAML Authentication using Windows Azure Active Directory as an Identity Provider.
  • You won't be able to pull in mail-enabled public folder email addresses through Azure Directory Sync, as this isn't supported by the Microsoft platform. You can manually import these as needed; if you don't, mail flow to them is interrupted because the addresses will not pass our default recipient validation checks.


What You'll Need


You'll need access to:

  • Your Azure Management Portal for the Active Directory you want to synchronize with us.
  • The Mimecast Administration Console with edit permissions to the Services | Directory Synchronization functionality.

Creating an Azure Active Directory Application


To create an Azure Active Directory application, follow the Configuring an Azure Active Directory Application guide.


Adding a Directory Synchronization Connection


To add a directory synchronization connection:

  1. Log on to the Mimecast Administration Console.
  2. Click on the Administration toolbar button. A menu drop down is displayed.
  3. Click on the Services | Directory Synchronization menu item.
  4. Select the New Directory Connector button.
  5. Configure the dialog as follows:
    Field / Option | Description
    Description | Type a description to identify the connector.
    Type | Select Office 365. This will reveal Windows Azure Active Directory specific settings.
    Application ID | Enter the Application ID value noted in step 8 of the Configuring an Azure Active Directory Application guide.
    Key | This value needs to be the Key from the Windows Azure configuration. Enter the value collected when creating your Azure AD application.
      The symmetric key that is generated by the Azure app is only valid for one year. To continue working with your Mimecast LDAP and Microsoft Azure integration after this time, you must re-issue a new key for the app. View the Renew the symmetric key in Azure guide on the Microsoft site for more information.
    Tenant Domain | Add your Tenant Domain.
      • The new Admin Center has a different URL that doesn't display the domain. To find this information, navigate to the Setup | Domains menu item. The primary domain has (default) in parentheses after the domain name.
      • In the old Admin Center, this information is found in the URL in the address bar of the Windows Azure Management Portal and is the domain name printed after this part of the URL - https://manage.windowsazure.com/.
    Acknowledge Disabled Accounts in Active Directory | Optionally specify whether user accounts disabled in Azure Active Directory should be disabled in the Mimecast platform.
    Optional Email Domains Filter | Domain Filtering allows you to whitelist a particular domain (e.g. company.com) for directory synchronization. Optionally select this option to list the domains the Directory Connector will synchronize with, to ensure that all users, groups and user attributes containing the domain are always updated. This is useful when there are separate company accounts being synchronized, and can be specified where:
      • There are multiple Directory Connectors, and where each Connector is dedicated to certain domains.
      • The account is part of an Advanced Account Administration setup, where multiple Mimecast accounts are linked to one overall master account.
      Entries must be comma separated. No spaces should be used.
  6. Select Save and Exit to create the connector.
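
The one-year validity of the Azure app key noted under the Key field can be monitored so that the key is re-issued before synchronization stops working. The following is an added example, not code from Mimecast or Microsoft; it assumes the application's key list has been exported to JSON in the passwordCredentials shape used by Microsoft Graph (keyId, endDateTime), and the sample data, key IDs and 30-day warning window are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample: shaped like the passwordCredentials list of an Azure AD
# application object (assumption: exported to JSON by the administrator).
# The display name, keyId values and dates are made up for illustration.
SAMPLE_APP = json.loads("""
{
  "displayName": "Mimecast Directory Sync (example)",
  "passwordCredentials": [
    {"keyId": "00000000-0000-0000-0000-000000000001", "endDateTime": "2020-08-22T09:30:00Z"},
    {"keyId": "00000000-0000-0000-0000-000000000002", "endDateTime": "2019-09-03T00:00:00.0000000Z"},
    {"keyId": "00000000-0000-0000-0000-000000000003", "endDateTime": "2021-07-31T00:00:00Z"}
  ]
}
""")

def parse_utc(ts):
    """Parse an ISO 8601 UTC timestamp ending in 'Z', with or without fractions."""
    base, _, frac = ts.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0  # tolerate 7-digit fractions
    parsed = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(microsecond=micro, tzinfo=timezone.utc)

def classify_keys(app, now, warn_days=30):
    """Return (keyId, status, whole days left) for every key on the application."""
    report = []
    for cred in app.get("passwordCredentials", []):
        end = cred.get("endDateTime")
        if not end:
            report.append((cred.get("keyId"), "NO_END_DATE", None))
            continue
        remaining = parse_utc(end) - now
        if remaining.total_seconds() <= 0:
            status = "EXPIRED"          # connector using this key can no longer query
        elif remaining.days <= warn_days:
            status = "RENEW_SOON"       # re-issue and update the connector's Key field
        else:
            status = "OK"
        report.append((cred.get("keyId"), status, remaining.days))
    return report

def keys_needing_action(app, now, warn_days=30):
    """keyIds that are expired, close to expiry, or missing an end date."""
    return [kid for kid, status, _ in classify_keys(app, now, warn_days) if status != "OK"]

if __name__ == "__main__":
    now = datetime(2020, 8, 1, tzinfo=timezone.utc)  # fixed clock for a repeatable run
    for key_id, status, days in classify_keys(SAMPLE_APP, now):
        print(f"{key_id}  {status:<11} days_left={days}")
```

After a key is re-issued in Azure, the new value still has to be entered in the connector's Key field, and old keys left on the application should be removed once the connector is confirmed working.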


Finalizing the Integration


To complete the directory integration, activate the automatic synchronization, and enable users to log on using Active Directory passwords:

  1. Click on the Administration toolbar menu item.
  2. Select the Services | Applications menu item.
  3. Click on the Authentication Profiles button.
  4. Click on the Default Authentication Profile to enable you to change it.
  5. Select the Office 365 option in the Domain Authentication Mechanisms drop down.
  6. Click on the Save and Exit button.


Validating Your Directory Synchronizations


Once these steps are complete, we will synchronize with your Active Directory automatically three times per day, at 8am, 1pm, and 11pm. The synchronization timing is taken from the region your account is in (e.g. Europe, North America, South Africa, Australia). For the Europe region, timing is in GMT. For the North America region, timing is in EST.


To validate that your scheduled synchronizations are completing successfully, you can view the status of a directory connection:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar button. A menu drop down is displayed.
  3. Select the Services | Directory Synchronization menu item.
  4. Click on the Sync Directory Data button to test the connection immediately.

