Mimecast Synchronization Engine: Mailbox Permission Synchronization

Document created by user.oxriBv5dM7 Employee on Oct 4, 2017Last modified by user.oxriBaJeN4 on Oct 2, 2018
Version 10Show Document
  • View in full screen mode

This guide describes the steps required to implement and monitor Mailbox Permission Synchronization. Mailbox Permission Synchronization provides one-way synchronization of the Full Access mailbox permission in Exchange, or Office 365, to the Delegate Mailbox Access permission on Mimecast Archive mailboxes. This feature removes the need for Delegate Mailbox Access to be managed by spreadsheet import, or an archive mailbox basis. See the Configuring Delegate Mailbox Access article for more information.


Installing Mimecast Synchronization Engine


Installing / Updating the Mimecast Synchronization Engine


To install / update the Mimecast Synchronization Engine:

  1. Ensure your environment meets the requirements outlined in the Mimecast Synchronization Engine Requirements page.
  2. Install Mimecast Synchronization Engine 4.3 or later, as outlined in the Installing / Upgrading the Mimecast Synchronization Engine page.
    The latest Mimecast Synchronization Engine version is available from the Application Downloads space.

Preparing Your Microsoft Mailbox


Ensure the following is configured to prepare your Microsoft Mailbox:

  • The Mimecast Synchronization Engine requires a standard user mailbox with elevated permissions to user mailboxes in your organization. This mailbox is referred to as the Microsoft Mailbox and requires impersonation rights in order to access user mailboxes.
  • Configure impersonation for your version of Exchange / Office 365. See the Configuring Application Impersonation page for full details.
    Environments with at least one mailbox residing in Office 365 will need to assign an additional permission. When configuring the “Application Impersonation” role, also add “Mail Recipients” to that list.

Configuring / Binding Your Mimecast Synchronization Engine Site


Use the Mimecast Site Configuration utility to configure your installation to:

  • Specify the Microsoft Mailbox to be used.
  • Optionally set any custom connection settings, if you're using a proxy server.
  • Bind your installation to the Mimecast platform and configure scheduled tasks.


See the Configuring a Mimecast Synchronization Engine Site page for more details.


Creating Schedules and Scheduled Tasks


Creating a Scheduled Task


A schedule is configured in the Administration Console and defines the frequency of a task execution. See the Mimecast Synchronization Engine Schedules page for more details. Tasks are also configured in the Administration Console and are where you create a definition and schedule to be applied to a group of users. See the Mimecast Synchronization Engine: Exchange Tasks page for full details. Groups can either be:

  • Selected from a list of group synchronized from your organization's Active Directory.
  • Entered as a full DN describing an Active Directory group.
  • Entered as the email address of an Exchange distribution group.


When creating your scheduled task:

  1. Select a Task Type of "Mailbox Permission Sync".
  2. Enter a Description in the text box that displays when you select this option.


You can view the status of your scheduled task in the Administration Console. See the Monitoring Exchange Tasks page for full details. Once your scheduled task has successfully synchronized mailbox permissions, you can view the results using the Administration Console or any of our end user applications (e.g. Mimecast Personal Portal or Mimecast for Outlook).


Using the Administration Console

To view which mailboxes a given user has delegate access to:

  1. Log on to the Administration Console.
    Administrators must have the Super Administrator role. Users with lesser permissions will not see the delegate access dialogs.
  2. Click on the Administration toolbar menu item.
  3. Click on the Directories | Internal Directories menu item. A list of internal domains is displayed.
  4. Click on the Domain of the user you would like to check. A list of email addresses for the internal domain is displayed.
  5. Click on the Email Address of the user you would like to check.
  6. Click on the Add Delegate Mailboxes button on the user settings page. The delegate mailbox page is displayed. The "Source" column displays which process / application granted the delegate access.


Using End User Applications





In the event a Scheduled Task status is an Error, check that your Microsoft Mailbox has the correct permissions. You can do this using Powershell by following the steps below depending on the version of Exchange.


If the cmdlet in the steps below doesn't complete successfully, take steps to resolve the issue. The Mailbox Permission Sync feature uses this cmdlet programmatically. Therefore as long as this executes successfully, the scheduled task should also.


Office 365


To check your permissions in Office 365:

  1. Open a Powershell Window.
  2. Run the following the command to connect to Office 365.
    $session = new-pssession -connectionuri 'https://ps.outlook.com/powershell' -configurationname microsoft.exchange -credential (get-credential) -AllowRedirection -Authentication Basic
    Import-PsSession $session


  3. Use the Microsoft Mailbox Credentials in the popup dialog.

  4. Import the new Powershell Session using the following command:
    Import-PsSession $session


  5. Check that the Get-MailboxPermission cmdlet completes successfully using the following command (where "a_user" is the user name of a user in your organization):

    Get-MailboxPermission -Identity a_user


Exchange On-Premises


To check your permissions in Exchange On-Premises:

  1. Log on to an Exchange Server as the Microsoft Mailbox.
  2. Open the Exchange Management Shell.
  3. Check the Get-MailboxPermission cmdlet completes successfully by using the following command (where "a_user" is the user name of a user in your organization):
    Get-MailboxPermission -Identity a_user
1 person found this helpful