Configuring a 2-Step Authentication Profile

Document created by user.oxriBaJeN4 (Employee) on Feb 22, 2016. Last modified by user.Yo2IBgvWqr on Oct 4, 2017. Version 20.

Authentication Profiles enable 2-Step Authentication for your Mimecast administrators and users. You can create more than one Authentication Profile, which gives you the flexibility to:

  • Apply the feature to selected users (e.g. administrators, power users).
  • Enable / disable the feature easily.
If both 2-Step Authentication and Enforce SAML Authentication are enabled in the same profile, SAML takes preference, and the user must authenticate with the identity provider defined in the profile. See the Understanding Enforce SAML Authentication for End User Applications page for further information.



The prerequisites for 2-Step Authentication depend on the method you choose to deliver or generate the one-time verification codes.


Email (Available to all Customers)


  • Mimecast must be able to route email to the user's primary email address.
  • The user must be able to receive the email containing the one time verification code.


SMS (Available from July 14th 2017 for Customers Subscribing to the C1, M2, or M2A Products)


  • A single Mimecast attribute must be used to hold the cell phone number assigned to each user.
  • Cell phone numbers must be in the full international format (e.g. +<country code><cell phone number>).
  • All users with an Authentication Profile configured to use 2-step authentication with SMS must have a cell phone number assigned.
    Users without a cell phone number assigned in the correct format will not be able to log in to any Mimecast application while this option is enabled.

For more information on configuring Mimecast SMS services, please see the Setting up Mimecast SMS Services guide.
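Because a user whose cell phone attribute is missing or not in international format is locked out as soon as the SMS method is enabled, it is worth auditing the directory attribute before switching the profile on. The following script is an added example, not Mimecast code; it assumes a constructed export of users with an `email` and a `cell` attribute, and treats "+<country code><number>" as digits only, no spaces or punctuation.

```python
import re

# Full international format as the SMS method requires: a leading "+", a country
# code that cannot start with 0, and at most 15 digits in total (E.164 length).
INTERNATIONAL_NUMBER = re.compile(r"\+[1-9]\d{6,14}")


def is_international_format(number) -> bool:
    """True only for a string such as +14155550100; spaces, dashes and
    national prefixes (00, 0) are rejected, as are unassigned values."""
    return isinstance(number, str) and INTERNATIONAL_NUMBER.fullmatch(number) is not None


def users_at_risk_of_lockout(users):
    """Return the e-mail addresses of users who would be unable to log in once
    SMS 2-step authentication is enforced, because their cell phone attribute
    is missing or not in full international format."""
    return [u["email"] for u in users if not is_international_format(u.get("cell"))]


# Constructed sample directory export (assumed attribute names, fictional users)
SAMPLE_USERS = [
    {"email": "alice@example.com", "cell": "+14155550100"},    # ok
    {"email": "bob@example.com", "cell": "0044 7700 900123"},  # national prefix and spaces
    {"email": "carol@example.com", "cell": None},              # no number assigned
    {"email": "dave@example.com", "cell": "+447700900123"},    # ok
]

if __name__ == "__main__":
    for email in users_at_risk_of_lockout(SAMPLE_USERS):
        print("fix before enabling SMS:", email)
```

Run the audit against a real export of the attribute you mapped in Mimecast and resolve every reported user first; otherwise the SMS method blocks them from all Mimecast applications, not only the one you are testing.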


3rd Party App (Available from July 14th 2017 for all Customers)


This method allows a 3rd party application to generate the one-time verification codes. The 3rd party application must be compatible with the Time-based One-Time Password (TOTP) algorithm.

To avoid issues during the registration process, we recommend that you:

  • Inform your users before enabling this feature.
  • Decide on, and deploy, the 3rd party application users should use.
  • Ensure that your users are familiar with the process of registering an account with the chosen 3rd party application.

To use a 3rd party application as a 2-step authentication method:

  • The device on which the TOTP compatible application is installed must be trusted.
  • The trusted device (e.g. smartphone, tablet) must be with the user at all times.


Known compatible 3rd party applications are listed below:

  • Microsoft Authenticator
  • LastPass Authenticator
  • Duo Mobile
  • FortiToken Mobile
  • Okta Verify
  • Google Authenticator
  • Symantec VIP Access
Applications are listed in no particular order; Mimecast has no preference for, or affiliation with, any of these applications.

Configuring a 2-Step Authentication Profile


To configure a 2-Step Authentication profile:

  1. Log on to the Administration Console.
  2. Select the Administration | Services | Applications menu item.
  3. Click the Authentication Profiles button.
  4. Either:
    • Select an existing Authentication Profile to change it.
    • Click the New Authentication Profile button to create a new one.
  5. The Authentication Profile dialog is displayed.
  6. Select the option you would like to enforce from the 2-Step Authentication drop-down list. This enables 2-step authentication and dictates the method used to deliver or generate the one-time verification codes.

  7. Complete the following optional fields / options as required:
    • Do not require 2-Step Authentication from trusted IP Ranges: Select this option to specify a list of trusted IP ranges from which 2-Step Authentication is not enforced. The ranges are entered in the "Enter IP addresses in CIDR format" field.
    • Enter IP addresses in CIDR format: Specify the trusted IP ranges (one per line) from which 2-Step Authentication is not enforced. This field is enabled only when the "Do not require 2-Step Authentication from trusted IP Ranges" option is selected. Do not prefix an entry with "CIDR", and do not include leading zeros in the octets of an IP address.
  8. Click the Save and Exit button to save the record and return to the list of Authentication Profiles.
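The trusted-range field has two formatting rules (no "CIDR" prefix, no leading zeros in octets) and the option it belongs to changes when the second factor is demanded. The script below is an added example, not Mimecast code, of validating that field the way an administrator would before pasting it in and of the bypass decision the option describes; the field contents are constructed, and the exact rejection behaviour of the console for malformed lines is assumed rather than taken from the page.

```python
import ipaddress
import re

# One IPv4 octet, 0-255, written without leading zeros (so "010" is rejected).
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
# A whole line: a.b.c.d/n with a prefix length of 0-32 and nothing else on the line.
_CIDR_LINE = re.compile(rf"(?:{_OCTET}\.){{3}}{_OCTET}/(?:3[0-2]|[12]?\d)")


def parse_trusted_ranges(field_text: str):
    """Parse the 'Enter IP addresses in CIDR format' field, one range per line.
    Returns (networks, errors): the accepted networks and the lines to fix."""
    networks, errors = [], []
    for lineno, raw in enumerate(field_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if not _CIDR_LINE.fullmatch(line):
            errors.append(f"line {lineno}: '{line}' is not a.b.c.d/n without a prefix or leading zeros")
            continue
        # strict=False normalises host bits away (10.0.1.7/24 becomes 10.0.1.0/24)
        networks.append(ipaddress.ip_network(line, strict=False))
    return networks, errors


def requires_second_factor(source_ip: str, trusted, bypass_enabled: bool) -> bool:
    """Mirror the 'Do not require 2-Step Authentication from trusted IP Ranges'
    option: the second factor is skipped only when the option is enabled AND the
    login source address falls inside one of the accepted ranges."""
    if not bypass_enabled:
        return True
    addr = ipaddress.ip_address(source_ip)
    return not any(addr in net for net in trusted)


# Constructed field contents: two acceptable lines and two the rules above reject
SAMPLE_FIELD = """203.0.113.0/24
010.0.0.0/8
CIDR 198.51.100.0/25
198.51.100.0/25
"""

if __name__ == "__main__":
    nets, errs = parse_trusted_ranges(SAMPLE_FIELD)
    print("accepted:", [str(n) for n in nets])
    print("rejected:", errs)
    print("office login needs a code?", requires_second_factor("203.0.113.45", nets, True))
    print("remote login needs a code?", requires_second_factor("192.0.2.9", nets, True))
```

Keep the trusted list short and specific: every address inside it is a place from which a stolen password alone is enough to sign in, so ranges should cover office egress addresses you control, not broad provider blocks.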


Once created, the Authentication Profile must be selected in an Application Setting before the changes take effect. The changes apply only to users who are members of the group selected in that Application Setting.

