Configuring SSO Using Microsoft Azure AD: Mismatched UPN to Mail Attribute Troubleshooting

Document created by user.Yo2IBgvWqr Employee on Jan 29, 2018Last modified by user.oxriBaJeN4 on Jul 2, 2019
Version 11Show Document
  • View in full screen mode

Usually, when configuring Single Sign-On (SSO) using Microsoft Azure Active Directory (AD) as the identity provider, your UPN and Primary email address must be the same for SSO to work. This guide offers a workaround solution, in the case where your UPN and Primary email address are different, and you're using Azure Premium. It applies to service provider initiated SAML Single Sign-On (SSO) and will work for all of our apps using this type of authentication. 

See the Troubleshoot User Name Issues document on the Microsoft website for further information.

Applies To...

Administrators configuring SSO with a mismatched UPN and Primary email address, using Microsoft Azure Premium.

Configuration applies to
 the following applications:

  • Mimecast Administration Console
  • Mimecast Personal Portal
  • Mimecast End User Applications


AzureConfiguring an Azure AD Application


  1. Log on to your Microsoft Azure AD application.
  2. Navigate to the Enterprise applications | Categories | Add an application menu item.
  3. Click on Non-Gallery Application.
  4. Enter a name for the application, e.g "Mimecast End User Application", and click Add.
  5. Select SAML-based Sign-on from the Single Sign-on Mode drop down.
    SSO Mode
  6. In the Identifier field, enter the value for your region from the table below. The values entered depend on the Mimecast grid where your organization's Mimecast account is hosted.
    Europe Where ACCOUNTCODE is, enter your unique Mimecast account code as specified in the Administration | Account | Account Settings page of the Administration Console. This should be capitalized, e.g. "CUSA1A1".
    United States 
    South Africa 

  7. In the Reply URL field, enter the value from your region from the table below.
  8. In the User Identifier drop down menu, select user.mail. This ensures that the Name ID sent to Mimecast in the SAML response is your user's primary email address, which is how they need to log in to Mimecast.
    User Identifier 
  9. Copy the federation metadata URL to the clipboard by clicking the button to the right of the App Federation Metadata URL:
  10. User IdentifierYou'll need to assign users / groups to access the app, unlike the normal configuration of Azure SSO. To do so:
    1. Navigate to the Enterprise Applications | All Applications | Users and groups menu item.
    2. Click on + Add user.
    3. Use the Search field to search and select user/s or group/s to give access to the app. The added users display.


Configuring SAML Settings


  1. Log on to the Administration Console.
  2. Navigate to the Administration | Services | Applications menu item. 
  3. Click on Authentication Profiles.
  4. Select an existing Authentication Profile to update, or click on the New Authentication Profile button to create a new one.
  5. Enter a Description for the profile.
  6. Select Enforce SAML Authentication for the application/s you want to enable SSO for:
    • Administration Console
    • Mimecast Personal Portal
    • End User Applications
  7. Complete the SAML Settings section as follows:
    Field / OptionValue
    ProviderSelect "Azure Active Directory" from the drop down list.
    Metadata URLPaste the App Federation Metadata URL copied to the clipboard in step 9, and click on the Import button.
    Monitor Metadata URLTick this option to ensure Mimecast replicates any future certificate changes/renewals.
    Issuer URLThis value will be populated automatically once the federation metadata is imported.
    Login URLThis value will be populated automatically once the federation metadata is imported.
    Identity Provider Certificate (Metadata)This value will be populated automatically once the federation metadata is imported.
    Logout URLThis value will be populated automatically once the federation metadata is imported.
  8. Your SAML settings should look similar to the below. When you're ready, click the Save button to complete configuration.
    We recommend you leave both the "Use Password Protected Context" and "Use Integrated Authentication Context" options unchecked, as this will allow the client device to automatically choose the appropriate context itself. A specific context option can be enabled if there is a requirement to always enforce a particular authentication method.
    SAML Settings


See Also...