Applies to: version 2.9.1 and earlier.
This article describes the requirements and steps required to configure a the Mimecast Synchronization service account for Office 365 hybrid environments.
For Office 365 hybrid environments the user that is selected to run the Mimecast Synchronization Engine service needs to be mailbox enabled and have permissions to access mailboxes hosted both on-premise and in Office 365. To configure this please follow these steps:
- Create / select a user to run the Mimecast Synchronization Engine service. This user must be hosted in the on-premise part of the Exchange organization and be mailbox enabled.
To ensure that the service account can successfully authenticate when accessing mailboxes hosted in Office 365 you must ensure that the service account's primary email address match's the User Principal Name (UPN) attribute.
- Apply the Full Access mailbox permission for the service account user in order to be able to access on-premise mailboxes.
- Open an Exchange Management Shell as an Exchange Organization Administrator.
- Run this command:
Get-Mailbox | Add-MailboxPermission -User User1 -AccessRights FullAccess
Where User1 is the user account selected to run the Mimecast Synchronization Engine service.
- Apply the Full Access mailbox permission for the service account user in order to be able to access the Office 365 mailboxes.
- On a workstation or server of your choice, start Windows PowerShell
- Set your Office 365 admin credentials using this command:
$cred = Get-Credential
- Import the Office 365 cmdlets using this command:
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid -Credential $cred -Authentication Basic -AllowRedirection
- Finally import these cmdlets in to your local session using this command:
- Once connected you can configure the mailbox permissions for mailbox that you created / selected in step 1 using this command:
Get-Mailbox -ResultSize unlimited | Add-MailboxPermission -Useruser1@domain.com -AccessRights fullaccess -InheritanceType allWhere firstname.lastname@example.org is the primary SMTP address of the user that you created / selected in step 1.
- Microsoft best practice recommends to disconnect a PowerShell session from Office 365 once you have completed your tasks. This is done using this command:
Remove-PSSession $SessionWhere $Session is the name of the variable used to create the session.
- Finally, the Mimecast Synchronization Engine uses the Exchange auto-discover service to locate the correct Exchange Web Services endpoint for a given mailbox. Office 365 auto-discover endpoints require authentication, consequently, it is critical that the service account user can authenticate against these endpoints as well as the Exchange Web Services endpoints. This may mean ensuring that the service account can authenticate against the platform that is handling authentication for the federated domain, for example Microsoft AD FS 2.0, Okta, OneLogin, or any other identity provider.
Observations: Mimecast has noticed the following Exchange / Office 365 behaviors when configuring these permissions:
- The PowerShell Script Execution Policy should be set to unrestricted on the workstation being used to configure these permissions.
- Once applied the permissions can take up to 6 hours to propagate through Office 365.
- When new users are added to Office 365 these steps will need to repeated to ensure that the Mimecast Synchronization Engine can access the newly added mailboxes.
Setting the Service Account
Once the Mimecast Synchronization Engine is installed the service account should be set using the Site Configure utility. To do this follow these steps:
- Open the Site Configure Utility from Start | Programs | Mimecast Synchronization Engine
- Navigate to the Accounts Tab.
- Use the button to the left of the User Name text box to launch a Windows account picker dialog box.
- Type the name of the user account to set as the service account and click OK.
- Type the password for the user account.
- The utility will automatically detect the primary SMTP address of the user and populate this in the SMTP address text box of the Microsoft Mailbox section.
Do not edit the auto-populated address or add a password here. Doing so will change the way that the Mimecast Synchronization Engine connects to Exchange and can cause avoidable mailbox access issues down the line.
- Finally leave the Directory | Type to the default Microsoft Active Directory and click Apply.
Post Installation Task
Once the Synchronization Engine is successfully installed you will need to make a manual change to the configuration for the Mimecast Synchronization Engine to enable mailbox discovery for mailboxes hosted in Office 365. To do this:
- Create a file named global.ini in the Mimecast Synchronization Engine "dat" directory, by default C:\Program Files\Mimecast\SynchronizationEngine\dat.
- Add this line to the file:
- Save and close the file.
This option is only available in Mimecast Synchronization Engine version 2.8 and later. If your organization uses an Office 365 hybrid environment it is critical that you are using at least this version of the Mimecast Synchronization Engine.
With the service account configured you are now ready to bind your Mimecast Synchronization Engine site to Mimecast. To learn more about this please see [LEGACY] Binding the Mimecast Synchronization Engine.