On Premises Exchange User and Group Management

Document created by user.oxriBaJeN4 Employee on Sep 14, 2015. Last modified by user.oxriBaJeN4 Employee on Jan 11, 2018.
Version 5


Mimecast offers a number of ways to manage users and groups. The steps below describe how to best leverage the available features.


Step 1: Adding Your Internal Email Domains


Before users can be created, you will need to add your organization's internal email domains to Mimecast. When your account was originally provisioned, at least 1 internal domain would have already been added.


Please see the Email Domains guide to learn about adding and managing Mimecast Internal Domains.


Step 2: Setting Up your Directory Synchronization


Once all of your internal email domains have been added, you can sync users and groups from Active Directory to Mimecast. This allows you to automate user and group management, and optionally add user attributes to Mimecast users that can be used to apply policies or in Stationery layouts.


There are 2 options available for Active Directory sync:


LDAP Active Directory Synchronization


Using an inbound LDAP(S) connection, Active Directory users and groups are automatically synchronized to Mimecast.


This requires a firewall change to allow connectivity from Mimecast to your Domain Controllers.


Help me configure this...


Active Directory Synchronization using the Mimecast Synchronization Engine


Using the Mimecast Synchronization Engine and a secure outbound connection from your internal network, Active Directory users and groups are securely and automatically synchronized to Mimecast.


Learn more...


Step 3: Setting Up Additional Sign In Options for Mimecast Applications


All Mimecast applications allow users to sign in using a Mimecast Cloud password. A number of options are available to allow users to sign in to Mimecast applications using their Active Directory password. See below for details:


Mimecast Application | Domain | SAML SSO | IWA
Administration Console
Mimecast Personal Portal
Secure Messaging Portal (internal users)
Mimecast for Outlook
Mimecast for Mac
Mimecast Mobile


Domain (Same Sign-On)

  • A user provides their primary email address and password to the application.
  • The Administration Console, Mimecast Personal Portal, and the Secure Messaging Portal require the user to enter these details each time the user accesses the application.
  • Mimecast for Outlook, Mimecast for Mac, and Mimecast Mobile only require the user to enter these details the first time they use the application, and then again each time the user's password changes.
  • Behind the scenes Mimecast contacts Active Directory to verify the user.


Active Directory can be contacted using 3 different methods to verify a user's credentials:


  • Directory Connector: If you are using LDAP Directory Sync, the same connection is reused to verify users' credentials over LDAP.
  • ADFS: Using a secure HTTPS connection, a user's credentials are verified using the ADFS WS-Trust endpoint.
  • Exchange Web Services (EWS): Using a secure HTTPS connection, a user's credentials are verified using Basic Authentication against the Exchange EWS endpoint.


Integrated Windows Authentication (IWA) for Mimecast for Outlook

  • Using this method, users are never prompted to enter their credentials.
  • Mimecast for Outlook automatically detects the user's primary email address and uses Integrated Windows Authentication to authenticate the user.


Learn more - Mimecast for Outlook: Integrated Windows Authentication


SAML Single Sign-On (SSO) using a third party IdP

Please see the SAML Single Sign-On (SSO) section for guidance on this.
