Configuring Single Sign-On for End User Applications Using Microsoft Azure AD

Document created by user.oxriBaJeN4 Employee on Dec 30, 2015Last modified by user.oxriBaJeN4 Employee on Jul 25, 2017
Version 14Show Document
  • View in full screen mode

This guide describes the process to enable your users to use single sign-on to log in to end user applications using Microsoft Azure AD as the Identity Provider.



If your UPN and primary email address are different, single sign-on will only work if your'e using Azure Premium. See the Troubleshoot User Name Issues That Occur for Federated Users When They Sign in to Office 365 page on the Microsoft website for further detail. If you aren't using Azure Premium, your UPN and primary email address must be the same for single sign-on to work.

Single sign-on is supported in the following end user applications:

  • Mimecast for Outlook 6.1 and later.
  • Mimecast Mobile 3.1 and later. 
    Windows Phone is not supported.
  • Mimecast for Mac 2.4 and later.


We recommend reading the Understanding Enforce SAML Authentication for End User Applications page to learn about the impact of enabling single sign-on.




Preparing Azure AD


Before you can configure the Mimecast settings, an Azure AD application must exist to accept Service Provider Initiated SAML requests from Mimecast. If you've previously done this for another Mimecast application, copy the Metadata URL from the previous setting and use it on the new application. Once completed, import the certificate.


If you haven't created an Azure AD application:

  1. Log in to the Microsoft Azure management portal.
  2. Select your organization's Active Directory.
    Azure AD Home.png
  4. A list of your organization's applications is displayed.
  5. Select to add an application from the action bar at the bottom of the screen. A wizard is launched.
  6. Select Add an application my organization is developing.
    Azure AD what do you want to do.png
  7. Enter a name for the application, for example, "Mimecast End User Applications" and leave the Web Application and/or web api Type selected. Select to continue.
    Azure AD tell us about your application.png
  8. Complete the App Properties page.
    Azure API App Properties.png
  9. Select the tick icon to complete the configuration.
  10. Select the newly created application from the list of Azure Applications. The application dashboard is displayed.
  11. Select the Enable Users to sign on link from the Get Started section.
  12. Note the FEDERATION METADATA DOCUMENT URL link. This is used in the next section to configure the Mimecast settings.


Configuring Mimecast Settings


Once Microsoft Azure is set up to support Single Sign-On, you need to configure a Mimecast Authentication profile. This profile is applied to the users that you want to use Single Sign-on with the Applications Settings feature.


SAML Settings


  1. Log in to the Administration Console.
  2. Navigate to the Administration | Services | Applications menu.
  3. Select the Authentication Profiles button.

    Authentication profiles
  4. Select an existing Authentication Profile to update or select the New Authentication Profile button to create a new one.
  5. Enter a Description for the new profile.
  6. Select Enforce SAML Authentication for End User Applications.


  7. The screen expands to reveal the SAML Settings:

    Authentication Profile End User Apps Expanded Azure.png

  8. Select Azure Active Directory from the Provider drop down list.
  9. Enter the Federation Metadata URL copied at the end of the Preparing Azure AD section and select Import.
    • Mimecast has observed that Azure AD typically hosts more than one Identity Provider Certificate.
    • In this situation you are presented with a screen allowing you to select which certificate you would like to use.
    • Select the certificate with the latest Expire On date.
    • The Issuer URL, Login URL, and Identity Provider Certificate Metadata is automatically added to your Authentication Profile.
  10. Select Monitor Metadata URL. This option requires a valid Metadata URL, and checks that your Authentication Profile contains the current Identity Provider certificate and settings. The feature is designed to prevent unexpected issues when these settings change at the Identity Provider.
    Whilst selecting this option isn't necessary in order to properly configure Azure SAML, it greatly increases the chances of success. If not selected, it is necessary to correctly select a certificate presented by Microsoft.
  11. Do not specify the Logout URL. Mimecast only supports basic URL redirect logout methods. Azure AD is known to require a more advanced method that is not currently supported.
  12. Choose which Authentication Context to use. To simplify your implementation deselect both Password Protected and Windows Integrated options. This will enable support for both standalone and federated environments.


Optionally Define Permitted IP Ranges


To add an additional layer of security Mimecast provides optional Permitted IP Range settings for the Administration Console, End User Applications, and Gateway authentication attempts.


To configure Permitted IP ranges for the Administration Console:

  1. Login to the Administration Console.
  2. Navigate to the Administration | Account | Account Settings menu.
  3. Open the User Access and Permissions section.
  4. In the Admin IP Ranges text box, enter the public IP address ranges you want to restrict access to in CIDR format, one range per line.
  5. Select Save to apply the new settings.


To configure Permitted IP Ranges for End User Applications:

  1. Select the check box to enable Permitted Application Login IP Ranges.
  2. In the Permitted Application Login IP Ranges text box enter the public IP address ranges you want to restrict access to in CIDR format, one range per line.
  3. Select Save and Exit to apply the new settings.


To configure Permitted IP Ranges for Gateway authentication using SMTP or POP:

  1. Select the check box to enable Permitted Gateway Login IP Ranges.
  2. In the Permitted Gateway Login IP Ranges text box enter the public IP address ranges you want to restrict access to in CIDR format, one range per line.
  3. Select Save and Exit to apply the new settings.


Other Options


An Authentication Profile is applied to a group of users and a user can only have one effective profile at a given time. Consequently you may want to add additional authentication options to your Authentication Profile. Please see the Authentication Options space for information on other authentication methods.


Apply the Authentication Profile to an Application Setting


Once your Authentication Profile is complete, you need to reference it in an Application Setting in order for it to be applied. To do this:

  1. Login to the Administration Console.
  2. Navigate to the Administration | Services | Applications menu
  3. Select the Application Setting that you want to use.
  4. Use the Lookup button to find the Authentication Profile you want to reference and click the Select link on the lookup page.
  5. Select Save and Exit to apply the change.


Next Steps


To test your configuration and verify that your Authentication Profile has been configured correctly,


Mimecast for Outlook


  1. Open Microsoft Outlook.
  2. Click on the Account Settings icon from the Mimecast ribbon.
  3. Click on the Single Sign-On button.
  4. Click on the Login button. You're directed to the Microsoft Azure Login URL.
  5. Once successfully authenticated return to the Account Options page and see that the status is "Validated".


Mimecast Mobile / Mimecast for Mac


  1. Open the application.
  2. Enter your Email Address.
  3. Click on the Next button. You're directed to your Microsoft Azure login URL.
  4. Once successfully authenticated with Microsoft Azure, you're granted access to the Mimecast application.
1 person found this helpful