Enabling Azure Active Directory Synchronization for Office 365

Document created by user.oxriBaJeN4 (Employee) on Sep 3, 2015. Last modified by user.oxriBaJeN4 (Employee) on May 13, 2019. Version 42.

If you are using Office 365, or already synchronizing your on-premises Active Directory with Azure Active Directory, we can synchronize Mimecast with Azure Active Directory automatically to add and manage all your users, groups, group memberships, and user attributes. Once the service is activated, synchronization between Mimecast and Azure Active Directory occurs automatically at 8am, 1pm, and 11pm daily. This removes the administrative overhead of performing these tasks manually.


The Mimecast platform uses the Office 365 / Azure tenant name and a predefined Azure Active Directory application to query the Windows Azure Graph API. The workflow is:

  1. User, user attribute, group, and group membership data is requested from the Azure Active Directory.
  2. Azure Active Directory returns the requested data, which is processed and committed to the Mimecast platform.

What You'll Need


You'll need access to:

  • Your Azure Management Portal for the Active Directory you want to synchronize with us.
  • The Mimecast Administration Console with edit permissions to the Services | Directory Synchronization functionality.

Creating an Azure Active Directory Application


To create an Azure Active Directory application, follow the Configuring an Azure Active Directory Application guide.


Adding a Directory Synchronization Connection


To add a directory synchronization connection:

  1. Log on to the Mimecast Administration Console.
  2. Click on the Administration toolbar button. A menu dropdown is displayed.
  3. Click on the Services | Directory Synchronization menu item.
  4. Select the New Directory Connector button.
  5. Configure the dialog as follows:
    Description
      Type a description to identify the connector.
    Type
      Select Office 365. This reveals the Windows Azure Active Directory specific settings.
    Application ID
      Enter the Application ID value noted in step 8 of the Configuring an Azure Active Directory Application guide.
    Key
      Enter the Key from the Windows Azure configuration, i.e. the value collected in step 11 of the previous section (the Configuring an Azure Active Directory Application guide).
      Note: the symmetric key generated by the Azure app is only valid for one year. To continue working with your Mimecast LDAP and Microsoft Azure integration after this time, you must re-issue a new key for the app. See the Renew the symmetric key in Azure guide on the Microsoft site for more information.
    Tenant Domain
      Add your Tenant Domain.
      • The new Admin Center has a different URL that doesn't display the domain. To find it, navigate to the Setup | Domains menu item. The primary domain has (default) in parentheses after the domain name.
      • In the old Admin Center, the domain is found in the URL in the address bar of the Windows Azure Management Portal: it is the domain name printed after https://manage.windowsazure.com/.
    Acknowledge Disabled Accounts in Active Directory
      Optionally specify whether user accounts that are disabled in Azure Active Directory should also be disabled in the Mimecast platform.
    Optional Email Domains Filter
      Domain filtering allows you to whitelist a particular domain (e.g. company.com) for directory synchronization. Optionally select this option to list the domains the Directory Connector will synchronize with, ensuring that all users, groups, and user attributes containing those domains are always updated. This is useful when separate company accounts are being synchronized, and can be specified where:
      • There are multiple Directory Connectors, each dedicated to certain domains.
      • The account is part of an Advanced Account Administration setup, where multiple Mimecast accounts are linked to one overall master account.
      Entries must be comma separated, with no spaces.
  6. Select Save and Exit to create the connector.
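Because the Key entered above is only valid for one year and the connector can no longer authenticate to Azure once it expires, it is worth checking the application's key expiry dates on a schedule instead of waiting for a synchronization to fail. The script below is an added example and is not part of this article or of Mimecast's own tooling. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Applications module) is installed, that the signed-in account can read application registrations, and that the Application ID passed in is the one noted when the application was registered; the -WarnDays threshold and the script name in the usage note are chosen here and are not Mimecast settings.

```powershell
# Added example (not from the Mimecast article): list the client secrets ("keys")
# registered on the Azure AD application used by the Directory Connector and flag
# any that are expired or close to expiry.
# Assumptions: Microsoft.Graph.Applications is installed; $ApplicationId is the
# Application (client) ID recorded when the app was created.
#Requires -Modules Microsoft.Graph.Applications

param(
    [Parameter(Mandatory = $true)]
    [string]$ApplicationId,     # Application (client) ID of the directory sync app

    [int]$WarnDays = 30         # warn when a key expires within this many days
)

# A read-only scope is all that is needed to inspect app registrations.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

# Look the registration up by its Application ID (not its object ID).
$app = Get-MgApplication -Filter "appId eq '$ApplicationId'"
if (-not $app) {
    throw "No application registration found with Application ID $ApplicationId"
}

$now = (Get-Date).ToUniversalTime()

$report = foreach ($cred in $app.PasswordCredentials) {
    $daysLeft = [int]([datetime]$cred.EndDateTime - $now).TotalDays
    [pscustomobject]@{
        App      = $app.DisplayName
        KeyId    = $cred.KeyId
        Hint     = $cred.Hint        # first characters only; the full secret is never readable
        Expires  = $cred.EndDateTime
        DaysLeft = $daysLeft
        Status   = if ($daysLeft -lt 0) { 'EXPIRED' }
                   elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                   else { 'OK' }
    }
}

if (-not $report) {
    Write-Warning "Application '$($app.DisplayName)' has no client secrets at all."
    exit 1
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize

# Exit non-zero so a scheduled task or monitoring job can raise an alert while there
# is still time to issue a new key and update the Directory Connector.
if ($report.Status -contains 'EXPIRED' -or $report.Status -contains 'EXPIRING') {
    exit 1
}
```

Run it as, for example, `.\Check-SyncAppKey.ps1 -ApplicationId <Application ID>` (the file name is hypothetical). The script never reads the secret value itself, only its expiry metadata, so it can safely run under a low-privilege monitoring account; when a key is reported as EXPIRING, issue a new key in Azure and update the Key field of the connector before the old one lapses.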


Finalizing the Integration


To complete the directory integration, activate the automatic synchronization, and enable users to log on using Active Directory passwords:

  1. Click on the Administration toolbar menu item.
  2. Select the Services | Applications menu item.
  3. Click on the Authentication Profiles button.
  4. Click on the Default Authentication Profile to enable you to change it.
  5. Select the Office 365 option in the Domain Authentication Mechanisms dropdown.
  6. Click on the Save and Exit button.


Validating Your Directory Synchronizations


Once these steps are complete, we will synchronize with your Active Directory automatically three times per day, at 8am, 1pm, and 11pm. The synchronization timing is taken from the region your account is in (e.g. Europe, North America, South Africa, Australia). For the Europe region, timing is in GMT. For the North America region, timing is in EST.


To validate that your scheduled synchronizations are completing successfully, you can view the status of a directory connection:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar button. A menu dropdown is displayed.
  3. Select the Services | Directory Synchronization menu item.
  4. Click on the Sync Directory Data button to test the connection immediately.

