Enabling Office 365 Domain Authentication

Document created by user.oxriBaJeN4 (Employee) on Sep 9, 2015. Last modified on Mar 27, 2017. Version 6.

Domain Password Authentication is available to all Mimecast customers. It is typically used when your organization wants each user's Office 365 password to be the password used to access Mimecast.

This guide describes how to enable Domain Password Authentication using an HTTPS connection to Office 365 to verify each user's credentials.

When Office 365 is selected as the Domain Authentication mechanism, Mimecast sends the end user's authentication request to the Exchange Web Services (EWS) endpoint for Office 365. Customers syncing their local Active Directory to Office 365 should be aware that certain special characters in passwords are not supported by Microsoft. The accepted characters are:

    @ # $ % ^ & * - _ ! + = [ ] { } | \ : ' , . ? / ` ~ " ( ) ;

Passwords from your local Active Directory containing characters not listed above will still synchronize and work with Microsoft Outlook.

Additionally, it is recommended that the mail and userPrincipalName attributes match. Mimecast uses the primary SMTP address (derived from the mail attribute), whereas Office 365 uses the userPrincipalName attribute. If these differ, you are likely to experience authentication failures despite using what appear to be the correct credentials.
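Both prerequisites above (accepted password characters, and matching mail and userPrincipalName attributes) can be pre-checked before the mechanism is enabled. The following Python script is an added example and is not Mimecast's or Microsoft's code: it reports password characters outside the accepted list, and it reports users in a constructed sample directory export whose mail attribute is missing or differs from their userPrincipalName. The dictionary shape of the export and the case-insensitive address comparison are assumptions made for the example.

```python
"""Pre-checks for the Office 365 sync prerequisites described in the article.

Added example; not Mimecast or Microsoft code. All sample data is constructed.
"""

# Special characters the article lists as accepted by Office 365. ASCII letters
# and digits are assumed to be accepted as well.
ACCEPTED_SPECIALS = set("@#$%^&*-_!+=[]{}|\\:',.?/`~\"();")


def unsupported_password_chars(password):
    """Return the distinct characters in `password` that are neither ASCII
    alphanumerics nor on the accepted list, in order of first appearance.
    An empty list means every character in the password is accepted."""
    unsupported = []
    for ch in password:
        if (ch.isascii() and ch.isalnum()) or ch in ACCEPTED_SPECIALS:
            continue
        if ch not in unsupported:
            unsupported.append(ch)
    return unsupported


def upn_mail_mismatches(users):
    """Report users whose mail attribute does not match userPrincipalName.

    `users` is an iterable of dicts with the keys sAMAccountName,
    userPrincipalName and mail (this export shape is an assumption). The two
    addresses are compared case-insensitively after trimming whitespace. A user
    with no mail attribute is reported too, because Mimecast derives the primary
    SMTP address from it. Returns a list of (sAMAccountName, upn, mail, reason).
    """
    findings = []
    for user in users:
        upn = (user.get("userPrincipalName") or "").strip()
        mail = (user.get("mail") or "").strip()
        if not mail:
            findings.append((user["sAMAccountName"], upn, mail,
                             "mail attribute missing"))
        elif upn.casefold() != mail.casefold():
            findings.append((user["sAMAccountName"], upn, mail,
                             "mail differs from userPrincipalName"))
    return findings


# Constructed sample export (example.com is a reserved documentation domain).
SAMPLE_USERS = [
    {"sAMAccountName": "asmith", "userPrincipalName": "alice.smith@example.com",
     "mail": "alice.smith@example.com"},
    {"sAMAccountName": "bjones", "userPrincipalName": "bjones@example.com",
     "mail": "bob.jones@example.com"},
    {"sAMAccountName": "cwu", "userPrincipalName": "Carol.Wu@example.com",
     "mail": "carol.wu@example.com"},
    {"sAMAccountName": "svc-backup", "userPrincipalName": "svc-backup@example.local",
     "mail": None},
]


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "pa ss<wörd>"):
        bad = unsupported_password_chars(pw)
        print(f"{pw!r}: {'all characters accepted' if not bad else 'unsupported ' + repr(bad)}")
    for sam, upn, mail, reason in upn_mail_mismatches(SAMPLE_USERS):
        print(f"{sam}: {reason} (userPrincipalName={upn!r}, mail={mail!r})")
```

In the sample, asmith and cwu pass (the comparison ignores case), bjones is reported because the mail address differs from the UPN, and svc-backup is reported because it has no mail attribute at all. The password check treats a space and non-ASCII letters as unsupported, since neither appears in the article's list.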

Configuring the Authentication Profile

An Authentication Profile is referenced by a Mimecast Application Setting, which is in turn applied to a group of users. You can edit existing Authentication Profiles or create new ones, depending on your requirements.

To create or edit an existing Authentication Profile:

  1. Log in to the Administration Console.
  2. Navigate to the Administration | Services | Applications menu.
  3. Select the Authentication Profiles button.
  4. To edit an existing Authentication Profile select it from the list. Alternatively, to create a new profile select the New Authentication Profile button.
  5. Add a Description. This is used to reference the profile when it is later selected in an Application Setting.
  6. From the Domain Authentication Mechanisms drop-down list, choose Office 365.
  7. Select a time period from the Authentication TTL drop-down list.

    This applies to Mimecast for Outlook, Mimecast for Mac, and Mimecast Mobile only, and defines how long a binding issued after a successful authentication remains valid.

    When the time elapses and the binding expires, the application uses the credentials originally entered by the user to automatically request a new binding. The user is only prompted to re-enter a password if the password has changed.

  8. Select Save and Exit to complete the configuration.

Defining Permitted IP Ranges

To add an additional layer of security, Mimecast provides optional Permitted IP Range settings for the Administration Console, End User Applications, and Gateway authentication attempts.

To configure Permitted IP ranges for the Administration Console:

  1. Log in to the Administration Console.
  2. Navigate to the Administration | Account | Account Settings menu.
  3. Open the User Access and Permissions section.
  4. In the Admin IP Ranges text box, enter the public IP address ranges to which Administration Console access should be restricted, in CIDR format, one range per line.

To configure Permitted IP Ranges for End User Applications:

  1. Log in to the Administration Console.
  2. Navigate to the Administration | Services | Applications menu.
  3. Select the Authentication Profiles button.
  4. To edit an existing Authentication Profile select it from the list. Alternatively, to create a new profile select the New Authentication Profile button.
  5. Select the check box to enable Permitted Application Login IP Ranges.
  6. In the Permitted Application Login IP Ranges text box, enter the public IP address ranges to which application logins should be restricted, in CIDR format, one range per line.
  7. Select Save and Exit to apply the new settings.

To configure Permitted IP Ranges for Gateway authentication using SMTP or POP:

  1. Log in to the Administration Console.
  2. Navigate to the Administration | Services | Applications menu.
  3. Select the Authentication Profiles button.
  4. To edit an existing Authentication Profile select it from the list. Alternatively, to create a new profile select the New Authentication Profile button.
  5. Select the check box to enable Permitted Gateway Login IP Ranges.
  6. In the Permitted Gateway Login IP Ranges text box, enter the public IP address ranges to which gateway logins should be restricted, in CIDR format, one range per line.
  7. Select Save and Exit to apply the new settings.

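All three Permitted IP Range text boxes above take the same input: public address ranges in CIDR format, one per line. The following Python script is an added example, not Mimecast's own validation logic. It parses such a list with the standard library `ipaddress` module, flags entries that are not valid CIDR, that have host bits set, or that lie in private address space (which can never match the public source address the console sees), and then tests sample login source addresses against the parsed list. The sample ranges and addresses are constructed from reserved documentation ranges and stand in for real public addresses.

```python
"""Validate Permitted IP Range entries and test source addresses against them.

Added example; not Mimecast's own code. Standard library only.
"""
import ipaddress

# Ranges that can never be a public egress address. Flagging them is an added
# sanity check: a private entry would never match a real login. Documentation
# ranges such as 203.0.113.0/24 are deliberately not listed here, because the
# constructed sample below uses them in place of real public addresses.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def parse_permitted_ranges(text):
    """Parse the contents of a Permitted IP Ranges text box (one CIDR per line).

    Returns (networks, problems). Every syntactically valid line becomes a
    network (a bare address becomes a /32 or /128); an entry with host bits set
    is normalised to its network address. `problems` describes skipped or
    suspicious lines, numbered as they appear in the text box.
    """
    networks, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            try:
                net = ipaddress.ip_network(line, strict=False)
            except ValueError:
                problems.append(f"line {lineno}: {line!r} is not a valid CIDR range; skipped")
                continue
            problems.append(f"line {lineno}: {line!r} has host bits set; normalised to {net}")
        if any(net.version == bad.version and net.overlaps(bad) for bad in NON_PUBLIC):
            problems.append(f"line {lineno}: {net} is not a public range and will not match a real login")
        networks.append(net)
    return networks, problems


def is_permitted(address, networks):
    """True if `address` falls inside any of the parsed networks.
    Membership across IP versions is simply False, so mixed lists are safe."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)


def check_addresses(text, addresses):
    """Convenience wrapper: map each candidate source address to its verdict."""
    networks, _ = parse_permitted_ranges(text)
    return {addr: is_permitted(addr, networks) for addr in addresses}


# Constructed sample text-box contents, including deliberate mistakes.
SAMPLE_RANGES = """\
203.0.113.0/24
198.51.100.42
10.0.0.0/8
192.0.2.17/28
not-an-ip
2001:db8:abcd::/48
"""

# Constructed sample login source addresses to test against the list.
SAMPLE_SOURCES = ["203.0.113.200", "198.51.100.43", "192.0.2.20",
                  "192.0.2.15", "10.1.2.3", "2001:db8:abcd:1::5"]


if __name__ == "__main__":
    networks, problems = parse_permitted_ranges(SAMPLE_RANGES)
    print("Parsed ranges:", ", ".join(str(n) for n in networks))
    for p in problems:
        print("WARNING:", p)
    for addr, ok in check_addresses(SAMPLE_RANGES, SAMPLE_SOURCES).items():
        print(f"{addr:>20}: {'permitted' if ok else 'denied'}")
```

Run this before pasting a list into the console. Of the sample lines, the invalid entry is skipped, the 10.0.0.0/8 entry is kept but flagged, and 192.0.2.17/28 is normalised to 192.0.2.16/28; how the console itself treats an entry with host bits set is not described in this article, so enter the normalised network form. A single address such as 198.51.100.42 is accepted as a /32, which is why the neighbouring 198.51.100.43 is denied.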
Other Options

An Authentication Profile is applied to a group of users, and a given user can have only one effective profile at a time. Consequently, you may want to add additional authentication options to the same Authentication Profile.

Apply the Authentication Profile to an Application Setting

Once your Authentication Profile is complete, you need to reference it in an Application Setting in order for it to be applied. To do this:

  1. Log in to the Administration Console.
  2. Navigate to the Administration | Services | Applications menu.
  3. Select the Application Setting that you want to use. Use the Lookup button to find the Authentication Profile you want to reference and click the Select link on the lookup page.
    [Screenshot: Application Settings, selecting an Authentication Profile]
  4. Select Save and Exit to apply the change.

Next Steps

To test your configuration and verify that your Authentication Profile has been configured correctly:

  1. Open or navigate to a Mimecast application.
  2. Enter your primary email address.
  3. You should be offered the option to enter a Domain password.
  4. Enter your Domain password and log in.

You should be granted access to the application.
