Synchronizing User Attributes with Azure Active Directory

Document created by user.oxriBaJeN4 Employee on Sep 3, 2015Last modified by user.oxriBaJeN4 Employee on Aug 4, 2019
Version 12Show Document
  • View in full screen mode

This guide describes how to synchronize user attributes from Azure Active Directory to Mimecast.

A user attribute is a specific property linked to a Mimecast user (e.g. telephone number, address). Attributes can be used in Mimecast in a number of ways, including:

  • User-centric business card information in advanced disclaimers.
  • Sender or recipient values of a gateway policy.


What You'll Need


  • An active Mimecast Directory Connector.
  • A Mimecast Administrator with edit permissions to the Directories | Attributes menu in the Administration Console.
  • The name(s) of the Active Directory attributes you want to synchronize.


Finding Azure Active Directory Attribute Names


One way to find the names of user attributes stored in Azure Active Directory, is to use the Azure Graph API Explorer tool provided by Microsoft.

This is tool is not owned or maintained by Mimecast, and the guidance provided is correct at the time of writing.

To find user attribute names using the Azure Graph API Explorer:

  1. Click on this link to open the Azure Graph API Explorer URL in your browser.
  2. Click the Sign In link.
  3. Sign in to Microsoft with the credentials of an administrator account. The following is displayed where "/" is your tenant domain.
    Azure Graph API URL
  4. Append /users/ after the tenant domain where "" is the email address of the user whose attribute names you want to find.
    Azure Graph API URL

  5. Click on the Run Query button. A query is sent to the Azure Graph API, and a user object in JSON format is returned.

  6. Open the JSON file and note the attribute names to be synchronized with Mimecast. They will be used in the next section.

    Only string attributes are supported.

Creating an Attribute

Attribute Properties


To create an attribute:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar button. A menu drop down is displayed.
  3. Click on the Directories | Attributes menu item.
  4. Click the Add Attribute button.
  5. Complete the Attribute Properties dialog as follows:

    Field / OptionDescription
    DescriptionSpecify the name of the Active Directory attribute as it appears in Active Directory.
    Prompt GroupSpecify a name that the attribute will be grouped under. The group name is displayed on the user settings page, once the attribute has been synchronized.
    Prompt TypeSelect the "Directory Linked Attribute" option from the drop down list.
    Prompt OrderEnter a numeric value to specify the order in which the attributes are listed in a Prompt Group. This is used purely to keep the attributes organized, and has no bearing on their use.
    Prompt OptionsLeave this field empty.
  6. Click the Save and Exit button.


Extended Attributes


An extended attribute is an attribute that has been synchronized from an On-Premises AD to an Azure AD, using the Azure AD Connect application. See the Integrate On-Premises Active Directory Domains with Azure Active Directory page on the Microsoft website for further details. 


Extended attributes appear in the user object via the latest Azure Graph API like:


      "extension_c107e5b6b8274332accae1b03a7bb999_company": "My Company"


Where the:

  • extension indicates an extended attribute.
  • c107e5b6b8274332accae1b03a7bb999 is an ID unique to the Azure tenant.
  • company is the name of the attribute as viewed in the On-Premises AD


Verifying Extended Attributes are Synchronized


Once the Azure AD synchronization has completed, the attribute can be created using the "Directory Linked Attribute" prompt type. Read the Creating an Attribute section above for full details. You can verify that an attribute has been synchronized in Azure AD by displaying a user's attributes.


To display a user's attributes:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar button. A menu drop down is displayed.
  3. Click on the Directories | Internal Directories menu item. A list of domains is displayed.
  4. Click on the required Domain. A list of users is displayed.
  5. Click on the required User. The attribute and it's synchronized value should be displayed in the Prompt field inside the General Attributes section of the page.
3 people found this helpful