Active Directory Sync using the Mimecast Synchronization Engine synchronizes your organization's Active Directory with Mimecast over a secure connection that is initiated outbound from your internal network to Mimecast. This article explains the data flow for this feature, stage by stage.
Stage 1 - Active Directory to the Mimecast Synchronization Engine
The Mimecast Synchronization Engine uses a combination of LDAP and Global Catalog queries to extract user, group and group membership data from Active Directory. The initial query used is:
This returns any object with an email address, plus group objects and dynamic distribution list objects. Active Directory returns only the results that the querying account (the Mimecast Synchronization Engine service account, or the user specified in the advanced settings in the Administration Console) has permission to read; objects that account cannot read are simply absent from the sync rather than reported as errors, so its read permissions determine what reaches Mimecast. The Mimecast Synchronization Engine then issues additional queries to extract more information about each object.
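The following PowerShell is an added example, not Mimecast's code, showing how to preview what a given account can read from Active Directory. The article does not reproduce the engine's actual filter, so the filter below is an assumption reconstructed from the description "any object with an email address OR group OR dynamic distribution list"; the search root and the service account name are placeholders. Running it once as the sync account and once as an administrator, then comparing the two, lists the mail-enabled objects the sync will silently miss because of read permissions.

```powershell
function Get-DirectorySyncPreview {
    <#
      Added example, not Mimecast's code. Lists the objects an account can read
      using a filter reconstructed from the article's description. The real
      Mimecast filter text is not shown on the page, so this filter is an assumption.
    #>
    param(
        # Assumed search root; a Global Catalog path covers every domain in the forest.
        [string]$SearchRoot = "GC://DC=corp,DC=example,DC=com",
        # Credential of the account the Synchronization Engine runs as; omit to query as the current user.
        [pscredential]$Credential
    )

    # Assumption: "any object with an email address OR group OR dynamic distribution list".
    $filter = "(|(mail=*)(objectClass=group)(objectClass=msExchDynamicDistributionList))"

    $root = if ($Credential) {
        New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList `
            $SearchRoot, $Credential.UserName, $Credential.GetNetworkCredential().Password
    } else {
        New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList $SearchRoot
    }

    $searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList $root, $filter
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 1000     # paged search: the server otherwise caps a result set at 1000 entries
    foreach ($attr in 'mail', 'proxyAddresses', 'objectClass', 'userAccountControl', 'member') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    foreach ($result in $searcher.FindAll()) {
        # Groups have no userAccountControl; an empty value casts to 0 (not disabled).
        $uac = [int]($result.Properties['useraccountcontrol'] | Select-Object -First 1)
        [pscustomobject]@{
            Path        = $result.Path
            Class       = ($result.Properties['objectclass'] | Select-Object -Last 1)   # most specific class
            Mail        = ($result.Properties['mail'] | Select-Object -First 1)
            AliasCount  = $result.Properties['proxyaddresses'].Count
            MemberCount = $result.Properties['member'].Count
            Disabled    = ($uac -band 0x2) -ne 0    # ACCOUNTDISABLE bit of userAccountControl
        }
    }
}

# Run as the sync account and as an administrator, then compare. Objects present only in the
# administrator's output are ones the sync account cannot read and that will never be synced.
$svc = Get-DirectorySyncPreview -Credential (Get-Credential -UserName 'CORP\svc-mimecast' -Message 'Sync account')
$adm = Get-DirectorySyncPreview
Compare-Object -ReferenceObject $adm -DifferenceObject $svc -Property Path |
    Where-Object SideIndicator -eq '<=' |
    Select-Object -ExpandProperty Path
```

The comparison has to be run from a session that is itself allowed to read everything (the second call above assumes the current user is an administrator); otherwise both lists are truncated in the same way and the gap is invisible. The Disabled column is what the Acknowledge Disabled Accounts setting described in Stage 3 acts on.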
Stage 2 - Data Transfer
Once all of the objects have been successfully extracted, they are securely transmitted from the Mimecast Synchronization Engine to Mimecast.
- Data is secured during transmission using HTTPS.
- The Mimecast API that receives this data:
  - accepts connections using the TLS 1.0, TLS 1.1, or TLS 1.2 protocols (TLS 1.0 and TLS 1.1 are deprecated by RFC 8996, so verify the endpoint's current configuration rather than relying on this list),
  - uses a TLS (SSL) certificate with a 2048 bit RSA key, issued by the Symantec Corporation,
  - and supports several industry standard strong cipher suites with a minimum key length of 128 bits.
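A check for the protocol and certificate properties listed above, added here as an example rather than taken from the page or from Mimecast. The page does not name the API host the engine connects to, so the host name is a placeholder. The function offers exactly one protocol version per handshake, which is what makes an accepted handshake meaningful.

```powershell
function Test-TlsEndpoint {
    <#
      Added example, not Mimecast's code. Attempts one handshake per protocol version
      against an HTTPS endpoint and reports what was negotiated. The host name is a
      placeholder: this page does not name the API endpoint the engine talks to.
    #>
    param(
        [string]$HostName = 'api.example.com',
        [int]$Port = 443
    )

    # SslProtocols enum member names for TLS 1.0, 1.1 and 1.2, the versions the article lists.
    foreach ($proto in 'Tls', 'Tls11', 'Tls12') {
        $client = New-Object -TypeName System.Net.Sockets.TcpClient
        try {
            $client.Connect($HostName, $Port)
            $ssl = New-Object -TypeName System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false
            # Offer a single protocol version; the last argument turns on certificate revocation checking.
            $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::$proto, $true)

            $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
            $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            [pscustomobject]@{
                Protocol   = $proto
                Accepted   = $true
                Negotiated = $ssl.SslProtocol
                Cipher     = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
                RsaKeyBits = $(if ($rsa) { $rsa.KeySize } else { $null })   # null when the key is not RSA
                Issuer     = $cert.Issuer
                Note       = $null
            }
        } catch {
            # A refusal here is either the server declining the version or the client's own
            # policy/chain validation failing; the message distinguishes the two.
            [pscustomobject]@{
                Protocol = $proto; Accepted = $false; Negotiated = $null
                Cipher = $null; RsaKeyBits = $null; Issuer = $null
                Note = $_.Exception.Message
            }
        } finally {
            $client.Dispose()
        }
    }
}

Test-TlsEndpoint -HostName 'api.example.com' | Format-Table -AutoSize
```

Read the Note column before concluding that a version is unsupported: on a Windows host where Schannel has TLS 1.0 or 1.1 disabled client-side, those rows fail regardless of what the server offers, and a certificate chain that the local trust store rejects also surfaces as a refused handshake rather than as an accepted connection with the issuer shown.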
Stage 3 - Apply the results
Once the data is received, Mimecast commits the user and group information to your account.
- New users are added.
- Existing users are updated to Directory Generated users.
- Groups that contain objects with a mail or proxyAddresses attribute are added.
- Group membership is updated.
- Additional attributes specified for the sync are updated.
- Alias addresses are linked to their primary user / address (assuming the Automatically Link Aliases setting is enabled).
- Disabled Active Directory users are disabled as Mimecast users as well (assuming the Acknowledge Disabled Accounts in Active Directory setting is enabled).