Connect Application: Enabling Azure Active Directory Synchronization for Office 365 / Hybrid Exchange

Document created by user.oxriBaJeN4 (Employee) on Apr 14, 2016. Last modified by user.oxriBaJeN4 (Employee) on Jan 5, 2018. Version 19.

If you are using Office 365, or Hybrid Exchange with Windows Azure Active Directory, we can synchronize with Windows Azure automatically to add and manage your users, groups, and group memberships. This has the following benefits:

  • The administrative overhead of performing these tasks is removed.
  • End users can sign in to Mimecast applications with their primary email address and Active Directory password.
    Passwords themselves are not synchronized by this feature. To allow users to log in to Mimecast applications with their Office 365 / Windows Azure credentials, configure Office 365 domain authentication, or SAML authentication with Windows Azure Active Directory as the identity provider.

What You'll Need

 

  • Access to your Windows Azure management portal for the Active Directory you would like to synchronize with us.
  • Administrative access to the Mimecast Connect Application and Administration Console.

 

Enabling Azure Active Directory Synchronization

 

To enable Azure Active Directory Synchronization:

  1. Log on to the Connect Application.
  2. Click on the Platform | Synchronize Your Directory menu item.
  3. Click on the Start button next to the "Task Steps for Azure Active Directory" section. A list of steps to be performed externally from the Connect Application is displayed. These are:
    • Creating an Azure Active Directory application.
    • Generating an application access key.
    • Adding appropriate permissions to the application.
    • Determining your Azure Active Directory tenant domain.
    These steps must be completed before continuing. See the "Creating an Azure Active Directory Application" section below for full details.
  4. Click on the Next button. The Enter Your Directory Synchronization Details dialog is displayed.
  5. Complete the dialog, using the values noted from the Azure Active Directory application you configured earlier:
    Application/Client ID: Enter the Application ID value noted in the "Creating an Azure Active Directory Application" section below.
    Key: Enter the application key value noted in the "Creating an Azure Active Directory Application" section below.
    Tenant Domain: Enter your Azure Active Directory tenant domain (typically of the form yourtenant.onmicrosoft.com). To determine it, hover over the user profile in the top right corner of the Azure portal.

  6. Click the Synchronize button.

 

We then validate the Azure Active Directory connection by authenticating as the application with the key you supplied; a validation page is displayed while this runs. Once validation is complete, a summary page lists your directory synchronization details. You can also see validated connections via the Administration Console:

  1. Log on to the Mimecast Administration Console.
  2. Click the Services | Directory Synchronization menu item. All validated connections are listed.

 

Creating an Azure Active Directory Application

For detailed, but non-Mimecast specific, instructions on creating a Windows Azure Active Directory application, read the "How to Configure Your App Service Application to use Azure Active Directory Login" page on the Windows Azure website.

To create a Windows Azure Active Directory application:

  1. Log on to the Office 365 Admin Center.
  2. Click on the Admin / Azure AD menu item.
  3. Click the Active Directory menu item.
  4. Click on the App Registrations tab at the top of the page.
  5. Click on the New Application Registration button at the top of the screen to start a guided wizard.
  6. Specify the options as follows:
    Name: Specify a name for the application (e.g. Mimecast Directory Synchronization).
    Application Type: Web Application and/or Web API.
    Sign-on URL: Specify an arbitrary URL, using the same URL in both URL fields. This application authenticates to Azure with its key rather than through interactive sign-on, so the values entered are not important.

  7. Click on the Create button at the bottom of the section.
  8. Select the newly created App from the list.
  9. Make a note of the Application ID value. It will be needed when you are creating your Directory Synchronization Connection.
  10. Create an Application Key in the Keys section:
    1. Click on the Select Duration drop down.
    2. Specify the Valid From and Expires On dates that define the key's lifetime.
  11. Click the Save menu item at the foot of the page. This displays the application key.
  12. Make a note of the application key. It will be needed when you are creating your Directory Synchronization in the Connect Application.
    The key is shown only once: after you leave the page it cannot be retrieved, only replaced. It is a client secret which, together with the Application ID and tenant domain, gives read access to your whole directory, so store it as you would any other credential. The key is only valid for the duration specified in step 10b. If you do not create a directory synchronization connection before it expires, another key must be created.
  13. Click on Required Permissions and ensure that, under Windows Azure Active Directory, the Read Directory Data application permission is selected (the application permission, not the delegated permission of the same name: the synchronization runs as the application, without a signed-in user).
  14. Click the Save menu item at the foot of the page.
  15. Click on the Grant Permissions button. This records administrator consent for the tenant; until it is granted, the application permission is requested but not effective.
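The three values the Connect Application asks for (Application ID, key, tenant domain) are exactly the inputs to an OAuth2 client-credentials grant against Azure Active Directory, and a granted Read Directory Data application permission appears in the resulting access token's roles claim as Directory.Read.All. The following Python script is an added example, not Mimecast's or Microsoft's code: it performs that grant yourself before you enter the values into the Enter Your Directory Synchronization Details dialog, so a mistyped key, an expired key, or a permission that was added but never granted is caught on your side rather than at Mimecast's validation step. It assumes the v1 token endpoint at login.microsoftonline.com and the Azure AD Graph API (graph.windows.net, api-version 1.6) that the Read Directory Data permission applies to; the token produced by make_sample_token is constructed for offline demonstration and is not a real Azure AD token.

```python
"""Pre-flight check for the Azure AD application values Mimecast asks for.
Added example, not Mimecast code: runs the OAuth2 client-credentials flow
with the Application ID + key, then inspects the token's application roles."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed endpoints: v1 token endpoint and the Azure AD Graph resource that the
# "Read directory data" application permission is defined against.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
AAD_GRAPH = "https://graph.windows.net"
# Name of the "Read directory data" application permission as it appears in a token.
REQUIRED_ROLES = {"Directory.Read.All"}


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Return the claims of a JWT without verifying its signature.
    Signature verification is the resource server's job; here we are the client
    reading back what the tenant issued to us."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(claims: dict, required: set = REQUIRED_ROLES) -> set:
    """Application permissions that an admin has granted show up in the 'roles'
    claim of a client-credentials token. Anything absent was either not added
    under Required Permissions or not consented via Grant Permissions."""
    return set(required) - set(claims.get("roles", []))


def acquire_token(tenant: str, client_id: str, key: str) -> str:
    """OAuth2 client-credentials grant: trade Application ID + key for an access
    token scoped to Azure AD Graph. A wrong or expired key fails here."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": key,
        "resource": AAD_GRAPH,
    }).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant), data=body, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)["access_token"]
    except urllib.error.HTTPError as err:
        # Azure AD returns a JSON body with error/error_description explaining the refusal.
        detail = err.read().decode("utf-8", "replace")
        raise SystemExit(f"token request failed (HTTP {err.code}): {detail}")


def count_users(tenant: str, token: str) -> int:
    """Read one small page of users from Azure AD Graph: the same kind of read
    the synchronization performs, proving the permission is effective."""
    url = f"{AAD_GRAPH}/{tenant}/users?api-version=1.6&$top=5"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return len(json.load(resp)["value"])


def make_sample_token(roles: list) -> str:
    """Constructed, unsigned token with the shape of an Azure AD client-credentials
    token, for offline demonstration only (the signature segment is a placeholder)."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "none"}).encode())
    payload = _b64url_encode(json.dumps({"aud": AAD_GRAPH, "roles": roles}).encode())
    return f"{header}.{payload}.sig"


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4:
        sys.exit("usage: check_aad_app.py <tenant-domain> <application-id> <key>")
    tenant, client_id, key = sys.argv[1:]
    token = acquire_token(tenant, client_id, key)
    claims = decode_jwt_claims(token)
    lacking = missing_roles(claims)
    if lacking:
        sys.exit(f"token lacks application permission(s) {sorted(lacking)}: "
                 "add Read Directory Data under Required Permissions and click Grant Permissions")
    print(f"OK: token carries {claims['roles']}; read {count_users(tenant, token)} user(s)")
```

Run it from a machine you trust, since the key on its command line is a tenant-wide read credential and will land in shell history; if the token comes back without Directory.Read.All, the usual cause is that step 15 (Grant Permissions) was skipped or performed by an account that could not consent for the tenant.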

 

Directory Synchronization Timings

 

We automatically trigger a synchronization of your Active Directory at 8am, 1pm, and 11pm daily, with the times taken from the Mimecast region where your account is held (e.g. Europe, North America, South Africa, Australia). For the Europe region the times are in GMT; for the North America region they are in EST. If you are located in a different region or timezone from your Mimecast account, the synchronization times will not be in your local timezone. For example, this applies if your Mimecast account is:

  • Located in the US region, but you are in the Pacific Time Zone (three hours behind EST).
  • Located in the Europe region, but you are in Germany (one hour ahead of GMT, two during summer time).

 

Whilst a synchronization is automatically triggered at set times, there are a number of factors that control when you can see its results. These include the:

  • Size of your Active Directory
  • Number of changes
  • Server load

 
