Connect Application: Enabling Azure Active Directory Synchronization for Office 365

Document created by user.oxriBaJeN4 (Employee) on Apr 14, 2016. Last modified by user.oxriBaJeN4 (Employee) on Apr 26, 2017. Version 14.

If you are using Office 365, or a hybrid Exchange deployment with Windows Azure Active Directory, we can synchronize automatically with Windows Azure to add and manage all of your users, groups, group memberships and user attributes. This has the following benefits:

  • The administrative overhead of performing these tasks is removed.
  • Your end users can use their primary email address and Active Directory password to sign in to Mimecast applications.
    Passwords are not synchronized using this feature. To allow users to log in to Mimecast applications using their Office 365 / Windows Azure credentials, configure Office 365 domain authentication or SAML authentication using Windows Azure Active Directory as an identity provider.

What You'll Need

  • Access to your Windows Azure management portal for the Active Directory you would like to synchronize with us.

Enabling Azure Active Directory Synchronization With Office 365

To enable Azure Active Directory synchronization with Office 365, the following steps must be performed:

  1. Create a Windows Azure Active Directory application.
  2. Create a Directory Synchronization Connection.

Creating a Windows Azure Active Directory Application

There are two different user interfaces in the Office 365 Admin Center, which Microsoft calls:

  • Old Admin Center
  • New Admin Center

Follow the instructions for the user interface you are using.

For detailed, but non-Mimecast specific, instructions on creating a Windows Azure Active Directory application, read the "How to Configure Your App Service Application to use Azure Active Directory Login" page on the Windows Azure website.

New Admin Center

To create a Windows Azure Active Directory application:

  1. Log on to the Office 365 Admin Center.
  2. Click on the Admin / Azure AD menu item.
  3. Click the Active Directory menu item.
  4. Click on the App Registration tab at the top of the page.
  5. Click on the Add button at the top of the screen to start a guided wizard.
  6. Specify the options as follows:

    Field / Option      Comments
    Name                Specify a name for the application (e.g. Mimecast Directory Synchronization).
    Application Type    Web Application and / or Web API
    Sign-on URL         Specify an arbitrary URL in both these fields, making sure the same URL is used in both fields. As this application will not be used for authentication, the values entered are not important.

  7. Click on the Create button at the bottom of the section.
  8. Select the newly created App from the list.
  9. Make a note of the Application ID value. It will be needed when you are creating your Directory Synchronization Connection.
  10. Create an Application Key in the Keys section:

    1. Click in the Select Duration drop down.
    2. Specify a Valid From and Expires On time to specify a time span.
  11. Click the Save menu item at the foot of the page. This displays the application key.
  12. Make a note of the application key. It will be needed when you are creating your Directory Synchronization Connection.
    The key is only valid for the duration specified in step 10b. If you do not create a directory synchronization connection before it expires, another key must be created.
  13. Click on Required Permission and ensure Windows Azure Active Directory has the Read Directory Data Application Permission.
  14. Click the Save menu item at the foot of the page.
  15. Click on the Grant Permissions button.


Old Admin Center

To create a Windows Azure Active Directory application:

  1. Log on to the Office 365 Admin Center.
  2. Click on the Admin / Azure AD menu item.
  3. Click the Active Directory menu item in the left hand menu.
  4. Click on the Applications tab at the top of the page.
  5. Click on the Add item at the bottom of the screen to start a guided wizard.
  6. Select the Add an Application My Organization is Developing option.
  7. Specify the options as follows:

    Field / Option                      Comments
    Name                                Specify a name for the application (e.g. Mimecast Directory Synchronization).
    Web Application and / or Web API    Ensure this option is selected.

  8. Click on the Continue button to display the App Properties page.
  9. Specify the options as follows:

    Field / Option                Comments
    Sign-On URL and App Id URL    Specify an arbitrary URL in both these fields, making sure the same URL is used in both fields. As this application will not be used for authentication, the values entered are not important.
  10. Click on the Continue button.
  11. Click the tick button to complete the wizard. The Application Getting Started page is displayed.
  12. Click on the Configure tab.
  13. Scroll down to the Application ID / Client ID and make a note of the value. It will be needed when you are creating your Directory Synchronization Connection.
  14. Create an Application Key in the Keys section:

    1. Click in the Select Duration drop down.
    2. Specify a Valid From and Expires On time to specify a time span.
  15. Click the Save menu item at the foot of the page. This displays the application key.
  16. Make a note of the application key. It will be needed when you are creating your Directory Synchronization Connection.
    The key is only valid for the duration specified in step 14. If you do not create a directory synchronization connection before it expires, another key must be created.
  17. In the Permissions to Other Applications section, ensure Windows Azure Active Directory has the Read Directory Data application permission.
  18. Click the Save menu item at the foot of the page.


Creating a Directory Synchronization Connection

To create a directory synchronization connection:

  1. Log on to the Connect Application.
  2. Click on the Platform | Synchronize Your Directory menu item.
  3. Click the Start button in the bottom right hand corner of the Azure Active Directory section. The Enter Your Directory Synchronization Details dialog is displayed.
  4. Complete the dialog using the following settings:

    Field                         Comments
    Application ID / Client ID    Enter the value noted from the "Creating a Windows Azure Active Directory Application" section above.
    Key                           Enter the value noted from the "Creating a Windows Azure Active Directory Application" section above.
    Tenant Domain                 To determine the tenant domain, hover over the user profile in the top right corner. If you're using the Old Admin Center, locate the domain in the Azure Management Portal address bar: https://manager.windowsazure.com.

  5. Click the Synchronise button.

We'll validate the Azure Active Directory connection. Whilst we do this, a validation page is displayed. Once validation is complete, a summary page is displayed listing your directory synchronization details.
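Before entering the Application ID, key and tenant domain into the dialog above, you can check the registration yourself with the same credentials: obtain a token via the client-credentials grant and confirm that it carries the Directory.Read.All role (the "Read Directory Data" application permission granted above) and has not expired. This is an added example, not Mimecast's code; it assumes a Microsoft Graph token (scope https://graph.microsoft.com/.default), and the sample token used offline is constructed and unsigned.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Application permission the page says the registration needs ("Read Directory Data").
REQUIRED_ROLE = "Directory.Read.All"
# Assumption: a Microsoft Graph token; change the scope if the permission was granted
# on a different resource in your registration.
DEFAULT_SCOPE = "https://graph.microsoft.com/.default"

def token_request(tenant_domain, client_id, client_secret, scope=DEFAULT_SCOPE):
    """Build the client-credentials token request for the registration's tenant."""
    url = f"https://login.microsoftonline.com/{tenant_domain}/oauth2/v2.0/token"
    body = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": scope}
    return url, body

def fetch_token(tenant_domain, client_id, client_secret, scope=DEFAULT_SCOPE):
    """Exchange the Application ID and key for an access token (needs network access)."""
    url, body = token_request(tenant_domain, client_id, client_secret, scope)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(body).encode(),
                                 method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def inspect_token(access_token, now=None):
    """Decode the JWT payload (no signature check: we only inspect a token we obtained
    ourselves) and report whether the required role is present and the time left."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    now = time.time() if now is None else now
    roles = payload.get("roles", [])
    return {"has_read_directory": REQUIRED_ROLE in roles,
            "seconds_left": int(payload.get("exp", 0) - now),
            "roles": roles}

def make_sample_token(payload):
    """Constructed, unsigned token for offline use; not issued by Azure AD."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."

if __name__ == "__main__":
    # Placeholders: use the Application ID, key and tenant domain noted above.
    tok = fetch_token("contoso.onmicrosoft.com", "<application-id>", "<application-key>")
    print(inspect_token(tok))
```

If `has_read_directory` is false, the permission was not granted (or not granted for the resource in the scope); if the token call itself fails, the key has expired or the Application ID is wrong.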

Directory Synchronization Timings

We'll automatically trigger a synchronization of your Active Directory at 8am, 1pm, and 11pm daily. These timings are taken from the region where your account is held (e.g. Europe, North America, South Africa, Australia). For the Europe region, the timing is in the GMT timezone. For the North America region, the timing is in the EST timezone.

The synchronization timings will not be in your timezone if you are located in a different region from your Mimecast account.

Whilst a synchronization is automatically triggered at set times, there are a number of factors that control when you can see its results. These include the:

  • Size of your Active Directory
  • Number of changes
  • Server load
