How to audit admin access in Mimecast
A silent security risk hiding in plain sight.
One of the most common issues we uncover during Mimecast service optimisation engagements is this: former employees still have elevated admin roles assigned within the platform. Often unnoticed for months, sometimes years, these accounts can represent a significant risk to your organisation's email security posture. Disabling the account in Active Directory is not enough on its own, because the Mimecast cloud password might still be valid.
Introduction
In a recent engagement with an EU-based manufacturer, we discovered that a former Security Analyst still had full administrative privileges to the organisation's Mimecast tenant, despite having left the company nearly a year earlier. No malicious activity had occurred, but the exposure was real, and the fix was overdue.
What a Clean Role Assignment Should Look Like
- Admin roles are limited to those who actively need them.
- Role permissions are reviewed at least annually, but ideally quarterly.
- Leavers are removed from the platform as part of the offboarding checklist.
- There is clarity and consistency in who can do what across services like Administration, Gateway, and Archive.
Why It Matters
- If ex-staff retain access, your data and services may be vulnerable to exploitation by malicious insiders or threat actors who obtain access to credentials.
- Over-permissioned accounts become high-value targets for phishing or credential stuffing attacks.
- Auditors may flag these lapses as failures in identity and access management.
It's not just about bad actors—it's about good hygiene.
How to Review Role Assignments in Mimecast
- Access the Roles & Permissions Console
  Go to Administration → Account → Roles.
- Review Custom Roles
  Identify who is assigned to each role and cross-check against HR records or Active Directory.
- Audit Administrator Accounts
  Go to Administration → Directories → Internal Users and filter by role or access level. Pay attention to:
  - Accounts assigned to all Administrator Roles within your organisation.
  - Inactive or disabled users who still hold roles.
  - API / Application accounts that have been provisioned and might no longer be required or active.
- Reassign or Revoke Access
  Update assignments and disable or delete accounts where appropriate. Log the changes as part of your compliance process.
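The cross-check in the "Review Custom Roles" and "Audit Administrator Accounts" steps can be scripted once you have exported the role assignments. The following is an added example written for this article, not a Mimecast tool or Cydaura's own code: it reconciles a constructed role-assignment export against a constructed HR / Active Directory feed and flags leavers, disabled users, accounts with no HR record (typically API or application accounts) and accounts with no recent login. The CSV column names and the 90-day inactivity threshold are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample of a role-assignment export. The column layout is an
# assumption for this example, not Mimecast's actual export format.
ROLE_EXPORT = """\
email,role,last_login
alice@example.com,Full Administrator,2024-05-30
bob@example.com,Full Administrator,2023-06-12
svc-siem@example.com,Basic Administrator,
carol@example.com,Gateway Administrator,2024-05-28
"""

# Constructed sample of an HR / Active Directory feed (status: active, disabled, left).
HR_EXPORT = """\
email,status
alice@example.com,active
bob@example.com,left
carol@example.com,disabled
"""

def load_csv(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def review_roles(role_rows, hr_rows, today, stale_days=90):
    """Return (email, role, reason) findings for role assignments that need attention."""
    status = {r["email"].strip().lower(): r["status"].strip().lower() for r in hr_rows}
    findings = []
    for r in role_rows:
        email, role = r["email"].strip().lower(), r["role"]
        st = status.get(email)
        if st == "left":
            findings.append((email, role, "leaver still holds an admin role"))
        elif st == "disabled":
            findings.append((email, role, "disabled in AD but cloud role still assigned"))
        elif st is None:
            findings.append((email, role, "no HR/AD record: API or application account, confirm still required"))
        last = r["last_login"].strip()
        if not last:
            findings.append((email, role, "no login recorded"))
        elif (today - date.fromisoformat(last)).days > stale_days:
            findings.append((email, role, f"inactive for more than {stale_days} days"))
    return findings

def audit(today_iso):
    """Run the review against the constructed samples for a given audit date (YYYY-MM-DD)."""
    return review_roles(load_csv(ROLE_EXPORT), load_csv(HR_EXPORT), date.fromisoformat(today_iso))
```

Each finding maps to one of the remediation actions in the last step; logging the output alongside the ticket gives you the evidence trail auditors ask for.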
Best Practice: Set a Regular Review Cadence
- Review all admin roles and critical permissions quarterly.
- Include role reviews in your joiner-mover-leaver process.
- Maintain an internal tracker, or use your IAM system, to document changes and authorisations.
A simple calendar reminder or recurring ticket can help ensure this task doesn't slip through the cracks.
How Cydaura Helps
We've worked with organisations across finance, retail, legal, manufacturing, real estate and the public sector to streamline their Mimecast configurations and reduce unnecessary risk. In one engagement, we helped a public sector body reduce its privileged user count by over 40%, simply by applying structured role review and access management practices.
Because we're independent of Mimecast and don't have a product quota to hit, our advice is focused on what's best for your security, not just what's easy to implement.
Want Help Reviewing Your Mimecast Setup?
Book a no-pressure consultation with our team. We'll help you:
- Identify unnecessary risk in your current configuration
- Simplify permissions and clarify responsibilities
- Set up a schedule for sustainable, secure access control