Mimecast offers a number of ways to manage users and groups. The steps below describe how to best leverage the available features.
Step 1: Adding Your Internal Email Domains
Before users can be created you will need to add your organization's internal email domains to Mimecast. When your account was originally provisioned, at least one internal domain will already have been added.
Please see the Email Domains guide to learn about adding and managing Mimecast Internal Domains.
Step 2: Setting Up your Directory Synchronization
Once all of your internal email domains have been added you can sync users and groups from Active Directory to Mimecast. This allows you to automate user and group management, and optionally add user attributes to Mimecast users that can be used to apply policies or in Stationery layouts.
There are two options available for Active Directory synchronization:
LDAP Active Directory Synchronization
Using an inbound LDAP(S) connection, Active Directory users and groups are automatically synchronized to Mimecast.
This requires a firewall change to allow connectivity from Mimecast to your Domain Controllers. Restrict that rule to the source addresses Mimecast publishes and to the LDAPS port, so that neither the bind credentials nor the directory data cross the Internet in clear text.
Active Directory Synchronization using the Mimecast Synchronization Engine
Using the Mimecast Synchronization Engine and a secure outbound connection from your internal network, Active Directory users and groups are securely and automatically synchronized to Mimecast. No inbound firewall rule to your Domain Controllers is needed for this option.
Step 3: Setting Up Additional Sign In Options for Mimecast Applications
All Mimecast applications allow users to sign in using a Mimecast Cloud password. To allow users to sign in to Mimecast applications using their Active Directory password instead, a number of options are available; the table shows which applications support each:

| Mimecast Application | Domain | SAML SSO | IWA |
|---|---|---|---|
| Mimecast Personal Portal | ✔ | ✔ | |
| Secure Messaging Portal (internal users) | ✔ | | |
| Mimecast for Outlook | ✔ | ✔ | ✔ |
| Mimecast for Mac | ✔ | | |
Domain (Same Sign-On)
- A user provides their primary email address and password to the application.
- The Administration Console, Mimecast Personal Portal, and the Secure Messaging Portal require the user to enter these details each time they access the application.
- Mimecast for Outlook, Mimecast for Mac, and Mimecast Mobile only require the user to enter these details the first time they use the application, and then again each time the user's password changes.
- Behind the scenes, Mimecast contacts Active Directory to verify the user. The password the user types is therefore sent to Mimecast and checked against your directory over the back-channel chosen below, so that channel must be encrypted (LDAPS or HTTPS) and reachable from Mimecast.
Active Directory can be contacted using three different methods to verify a user's credentials:

| Method | How credentials are verified |
|---|---|
| Directory Connector | If you are using LDAP Directory Sync, the same connection is re-used to verify the user's credentials over LDAP. |
| ADFS | Using a secure HTTPS connection, the user's credentials are verified against the AD FS WS-Trust endpoint. |
| Exchange Web Services (EWS) | Using a secure HTTPS connection, the user's credentials are verified using Basic Authentication against the Exchange EWS endpoint. Basic Authentication has been retired for EWS in Exchange Online, so this method only applies where your Exchange endpoint still accepts it. |
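The WS-Trust exchange behind the ADFS option, as an added example that is not part of the original page and not Mimecast's own code: a small Python probe that sends the same kind of RequestSecurityToken a same-sign-on relying party sends to the standard AD FS WS-Trust 1.3 usernamemixed endpoint, then classifies the reply as an issued token, a SOAP Fault, or something unexpected. The relying-party identifier in APPLIES_TO, the host name on the command line and the two sample replies are assumptions constructed for this example; run it from outside your network with a test account to confirm the endpoint is reachable over HTTPS and that a wrong password produces a fault rather than a token, before enabling Domain sign-on against ADFS.

```python
"""Probe an AD FS WS-Trust 1.3 username/password endpoint the way a
same-sign-on relying party does: POST a RequestSecurityToken (RST) that
carries a UsernameToken, then classify the reply as an issued token, a
SOAP Fault (credentials rejected) or something unexpected.
Added example for this page, not Mimecast code. APPLIES_TO is a placeholder
for the relying-party identifier your Mimecast trust is registered under."""
import getpass
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "a": "http://www.w3.org/2005/08/addressing",
    "o": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "t": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
}
ENDPOINT_PATH = "/adfs/services/trust/13/usernamemixed"  # standard AD FS WS-Trust 1.3 path
APPLIES_TO = "urn:example:mimecast-rp"                    # placeholder (assumption)


def build_rst(endpoint_url, username, password, applies_to=APPLIES_TO):
    """Build the SOAP 1.2 RST/Issue envelope. Every user-supplied value is
    XML-escaped so a password containing '<' or '&' cannot break the token."""
    return f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:a="{NS['a']}" xmlns:o="{NS['o']}">
  <s:Header>
    <a:Action s:mustUnderstand="1">{NS['t']}/RST/Issue</a:Action>
    <a:To s:mustUnderstand="1">{escape(endpoint_url)}</a:To>
    <o:Security s:mustUnderstand="1">
      <o:UsernameToken>
        <o:Username>{escape(username)}</o:Username>
        <o:Password>{escape(password)}</o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <t:RequestSecurityToken xmlns:t="{NS['t']}">
      <wsp:AppliesTo xmlns:wsp="{NS['wsp']}">
        <a:EndpointReference><a:Address>{escape(applies_to)}</a:Address></a:EndpointReference>
      </wsp:AppliesTo>
      <t:RequestType>{NS['t']}/Issue</t:RequestType>
    </t:RequestSecurityToken>
  </s:Body>
</s:Envelope>"""


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def classify_response(body):
    """Return (status, detail) for a WS-Trust reply:
    'token'   an RSTR carrying a RequestedSecurityToken: credentials accepted
    'denied'  a SOAP Fault: wrong password, locked account, endpoint disabled ...
    'unknown' anything else: HTML error page, wrong URL, non-XML body"""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "unknown", "response is not XML"
    fault = root.find(".//s:Fault", NS)
    if fault is not None:
        text = fault.find("s:Reason/s:Text", NS)
        detail = (text.text or "").strip() if text is not None else "fault without reason"
        return "denied", detail
    token = root.find(".//t:RequestedSecurityToken", NS)
    if token is not None:
        issued = list(token)
        return "token", (local_name(issued[0].tag) if issued else "empty token element")
    return "unknown", "unexpected element " + local_name(root.tag)


def probe(adfs_host, username, password, timeout=10):
    """POST the RST over HTTPS and classify the answer. AD FS returns a
    rejected authentication as a SOAP Fault with HTTP status 500, so the
    body of an HTTPError is classified instead of raised."""
    url = "https://" + adfs_host + ENDPOINT_PATH
    req = urllib.request.Request(
        url, data=build_rst(url, username, password).encode("utf-8"),
        headers={"Content-Type": "application/soap+xml; charset=utf-8"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.read())
    except urllib.error.HTTPError as err:
        return classify_response(err.read())


# Constructed sample replies (not captured from a real AD FS) used to exercise
# the classifier offline; the fault text mirrors the ID3242 message AD FS
# uses for rejected credentials.
SAMPLE_TOKEN_REPLY = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body>
<t:RequestSecurityTokenResponseCollection xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<t:RequestSecurityTokenResponse><t:RequestedSecurityToken>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_constructed"/>
</t:RequestedSecurityToken></t:RequestSecurityTokenResponse>
</t:RequestSecurityTokenResponseCollection></s:Body></s:Envelope>"""

SAMPLE_FAULT_REPLY = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body>
<s:Fault><s:Code><s:Value>s:Sender</s:Value></s:Code>
<s:Reason><s:Text xml:lang="en-US">ID3242: The security token could not be authenticated or authorized.</s:Text></s:Reason>
</s:Fault></s:Body></s:Envelope>"""

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: probe_wstrust.py ADFS_HOST USER@DOMAIN  (password is prompted)")
    print(probe(sys.argv[1], sys.argv[2], getpass.getpass("AD password: ")))
```

The password is read with getpass rather than taken from the command line so it does not land in shell history or process listings. A result of `token` means the endpoint will serve a same-sign-on relying party; `denied` with the ID3242 text for a deliberately wrong password is the expected negative result; `unknown` usually means a proxy or error page answered instead of AD FS, or the usernamemixed endpoint is not enabled.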
Integrated Windows Authentication (IWA) for Mimecast for Outlook
- Using this method, users are never prompted to enter their credentials.
- Mimecast for Outlook automatically detects the user's primary email address and uses Integrated Windows Authentication to authenticate the user.
SAML Single Sign-On (SSO) using a third party IdP
Please see the SAML Single Sign-On (SSO) section for guidance on this.