Stitchflow
Back to directory
Mimecast logo

Mimecast User Management API Guide

API workflow

How to automate user lifecycle operations through APIs with caveats that matter in production.

UpdatedMar 11, 2026

Summary and recommendation

Mimecast exposes two API generations that must not be conflated. The legacy v1 API uses POST-based request patterns with HMAC-SHA1 signing via an Access Key and Secret Key pair. The v2/REST API uses OAuth 2.0 client credentials flow, with tokens obtained via POST to https://api.services.mimecast.com/oauth/token and passed as Authorization: Bearer headers.

Base URLs are region-specific (us, eu, de, ca, za, au, offshore); using the wrong regional endpoint returns authentication errors, not routing errors, which makes misconfiguration harder to diagnose. OAuth 2.0 access tokens expire in approximately 60 minutes - implement token refresh logic before going to production.

Rate limits are enforced per application but exact numeric thresholds are not publicly documented; the API returns HTTP 429 with X-RateLimit-Limit, X-RateLimit-Remaining, and Retry-After headers, and Mimecast recommends exponential back-off. Pagination uses a pageToken cursor with a default page size of 100 and a maximum of 500.

API quick reference

Has user APIYes
Auth methodOAuth 2.0 (client credentials or authorization code flow)
Base URLOfficial docs
SCIM availableYes
SCIM plan requiredEnterprise

Authentication

Auth method: OAuth 2.0 (client credentials or authorization code flow)

Setup steps

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Administration > Services > API and Platform Integrations.
  3. Create a new API application; record the Client ID and Client Secret.
  4. Select the required permission scopes for the application.
  5. POST to https://api.services.mimecast.com/oauth/token with grant_type=client_credentials, client_id, and client_secret to obtain a Bearer access token.
  6. Include the token in all API requests as Authorization: Bearer .

Required scopes

Scope Description Required for
user/read Read user/account data from the Mimecast directory. List users, get user details
user/write Create and update managed user accounts. Create user, update user
user/delete Delete or deactivate managed user accounts. Delete user
account/read Read account-level configuration and metadata. Get account info, list accounts

User object / data model

Field Type Description On create On update Notes
emailAddress string Primary email address / login identifier for the user. required optional Must be unique within the account domain.
name string Display name of the user. required optional
firstName string User's first name. optional optional
lastName string User's last name. optional optional
accountCode string Mimecast account code the user belongs to. required read-only Assigned at account level; cannot be changed post-creation.
domain string Email domain associated with the user. derived read-only Derived from emailAddress.
alias array List of email aliases for the user. optional optional
userType string Type of user account (e.g., internal, external). optional optional
adminRoles array Administrative roles assigned to the user. optional optional Role names must match valid Mimecast role identifiers.
groups array Group IDs the user is a member of. optional optional Managed separately via group membership endpoints.
id string Mimecast-assigned unique identifier for the user. server-generated read-only Use this ID in subsequent GET/PATCH/DELETE calls.
status string Account status (e.g., active, disabled). optional optional Set to 'disabled' to deactivate without deleting.

Core endpoints

List Users

  • Method: GET
  • URL: https://api.services.mimecast.com/api/user/get-internal-users
  • Watch out for: Endpoint returns internal (managed) users only; external/guest users require a separate call.

Request example

GET /api/user/get-internal-users?pageSize=100 HTTP/1.1
Authorization: Bearer <token>
Content-Type: application/json

Response example

{
  "data": [{"id":"abc123","emailAddress":"user@example.com","name":"Jane Doe"}],
  "meta": {"pagination":{"pageToken":"tok_xyz","totalCount":250}}
}

Get User

  • Method: POST
  • URL: https://api.services.mimecast.com/api/user/get-internal-users
  • Watch out for: Mimecast v1 API uses POST for lookups; v2 REST API uses GET with query params. Confirm which API version your app registration targets.

Request example

POST /api/user/get-internal-users HTTP/1.1
Authorization: Bearer <token>
Content-Type: application/json

{"data":[{"emailAddress":"user@example.com"}]}

Response example

{
  "data": [{"id":"abc123","emailAddress":"user@example.com","name":"Jane Doe","status":"active"}]
}

Create User

  • Method: POST
  • URL: https://api.services.mimecast.com/api/user/create-managed-sender
  • Watch out for: User creation via native API is limited; full lifecycle provisioning is recommended via SCIM 2.0 for IdP-driven workflows.

Request example

POST /api/user/create-managed-sender HTTP/1.1
Authorization: Bearer <token>
Content-Type: application/json

{"data":[{"emailAddress":"newuser@example.com","name":"New User"}]}

Response example

{
  "data": [{"id":"def456","emailAddress":"newuser@example.com","status":"active"}]
}

Update User

  • Method: POST
  • URL: https://api.services.mimecast.com/api/user/update-managed-sender
  • Watch out for: Only fields included in the request body are updated; omitted fields retain existing values.

Request example

POST /api/user/update-managed-sender HTTP/1.1
Authorization: Bearer <token>
Content-Type: application/json

{"data":[{"id":"def456","name":"Updated Name"}]}

Response example

{
  "data": [{"id":"def456","emailAddress":"newuser@example.com","name":"Updated Name"}]
}

Delete User

  • Method: POST
  • URL: https://api.services.mimecast.com/api/user/delete-managed-sender
  • Watch out for: Deletion is irreversible. Mimecast may retain email archive data per retention policy even after user deletion.

Request example

POST /api/user/delete-managed-sender HTTP/1.1
Authorization: Bearer <token>
Content-Type: application/json

{"data":[{"id":"def456"}]}

Response example

{
  "data": [{"id":"def456","status":"deleted"}]
}

List Groups

  • Method: POST
  • URL: https://api.services.mimecast.com/api/directory/find-groups
  • Watch out for: Groups can be cloud-managed or LDAP-synced; only cloud groups are writable via API.

Request example

POST /api/directory/find-groups HTTP/1.1
Authorization: Bearer <token>
Content-Type: application/json

{"data":[{"source":"cloud"}]}

Response example

{
  "data": [{"id":"grp001","description":"All Staff","source":"cloud"}]
}

Add User to Group

  • Method: POST
  • URL: https://api.services.mimecast.com/api/directory/add-group-member
  • Watch out for: Adding a user to an LDAP-synced group via API will fail; only cloud-managed groups accept API membership changes.

Request example

POST /api/directory/add-group-member HTTP/1.1
Authorization: Bearer <token>
Content-Type: application/json

{"data":[{"id":"grp001","emailAddress":"user@example.com"}]}

Response example

{
  "data": [{"id":"grp001","emailAddress":"user@example.com","status":"added"}]
}

Get Account Info

  • Method: POST
  • URL: https://api.services.mimecast.com/api/account/get-account
  • Watch out for: Returns the account associated with the authenticating API application; multi-tenant MSP setups require separate credentials per account.

Request example

POST /api/account/get-account HTTP/1.1
Authorization: Bearer <token>
Content-Type: application/json

{"data":[{}]}

Response example

{
  "data": [{"accountCode":"ACCT001","companyName":"Example Corp","maxUsers":500}]
}

Rate limits, pagination, and events

  • Rate limits: Mimecast enforces per-application rate limits. Exact numeric limits are not publicly documented; limits vary by plan and endpoint category.
  • Rate-limit headers: Yes
  • Retry-After header: Yes
  • Rate-limit notes: When rate limited, the API returns HTTP 429. Responses include X-RateLimit-Limit, X-RateLimit-Remaining, and Retry-After headers. Mimecast recommends exponential back-off.
  • Pagination method: token
  • Default page size: 100
  • Max page size: 500
  • Pagination pointer: pageToken
Plan Limit Concurrent
Enterprise Not publicly specified; contact Mimecast support for quotas 0
  • Webhooks available: No
  • Webhook notes: Mimecast does not offer a general-purpose outbound webhook system for user lifecycle events. Event-driven integrations rely on polling the API or using SIEM/log streaming integrations.
  • Alternative event strategy: Use Mimecast's SIEM integration or scheduled API polling to detect user changes. Some IdP-driven flows (Okta, Entra ID) push changes via SCIM rather than webhooks.

SCIM API status

  • SCIM available: Yes

  • SCIM version: 2.0

  • Plan required: Enterprise

  • Endpoint: https://api.services.mimecast.com/scim/v2

  • Supported operations: GET /Users, GET /Users/{id}, POST /Users, PUT /Users/{id}, PATCH /Users/{id}, DELETE /Users/{id}, GET /Groups, POST /Groups, PATCH /Groups/{id}, DELETE /Groups/{id}

Limitations:

  • Requires Enterprise plan; not available on lower tiers.
  • SSO must be configured and active before SCIM provisioning can be enabled.
  • Supported IdPs include Okta, Microsoft Entra ID (Azure AD), and OneLogin; Google Workspace is not officially supported.
  • SCIM provisioning manages cloud-directory users only; LDAP-synced users are not writable via SCIM.
  • Group push support varies by IdP connector; verify group writeback capability in the IdP SCIM app configuration.
  • Deprovisioning via SCIM disables the user account but may not immediately remove email archive access.

Common scenarios

The three primary automation scenarios against the Mimecast API each carry distinct constraints that affect integration design. For IdP-driven provisioning, SCIM 2.

0 at https://api.services.mimecast.com/scim/v2 is the correct path - it supports the full Users and Groups lifecycle (GET, POST, PUT, PATCH, DELETE) - but requires Enterprise tier and fully active SSO before the first SCIM push; provisioning fails if SSO is not live.

Supported IdPs are Okta, Microsoft Entra ID, and OneLogin; Google Workspace is not officially supported. For direct REST provisioning, user creation via the native API (POST /api/user/create-managed-sender) is limited in scope; Mimecast's own documentation recommends SCIM for full lifecycle workflows.

Group membership writes via POST /api/directory/add-group-member only succeed against cloud-managed groups - LDAP-synced groups are read-only via API, and the group source field must be checked before attempting any write.

For deprovisioning, SCIM PATCH active=false and SCIM DELETE both result in account disable rather than guaranteed hard deletion; behavior varies by IdP configuration and should be validated in a non-production environment.

Email archive data is retained per the account's retention policy regardless of how deletion is triggered. Bulk operations are not supported; every user create or update is one record per API call.

Provision a new employee via SCIM from Okta

  1. Ensure Mimecast Enterprise plan is active and SSO is configured with Okta as the IdP.
  2. In Okta Admin Console, add the Mimecast SCIM application from the Okta Integration Network.
  3. Configure the SCIM base URL (https://api.services.mimecast.com/scim/v2) and authenticate using an OAuth 2.0 Bearer token generated from a Mimecast API application.
  4. Assign the new employee's Okta profile to the Mimecast SCIM app.
  5. Okta pushes a POST /Users request to Mimecast SCIM; Mimecast creates the cloud-directory user.
  6. Verify user appears in Mimecast Administration Console under Directories > Internal Directories.

Watch out for: If SSO is not active, SCIM provisioning will fail silently or return 401. Always validate SSO login before enabling SCIM push.

Deprovision a user when they leave the organization

  1. Trigger deprovisioning from the IdP (Okta/Entra ID) by removing the user's app assignment or deactivating their account.
  2. IdP sends a PATCH /Users/{id} with active=false (or DELETE /Users/{id}) to the Mimecast SCIM endpoint.
  3. Mimecast disables the user account, blocking email delivery and console access.
  4. Confirm the user status is 'disabled' via GET /Users/{id} or in the Mimecast Admin Console.
  5. Email archive data is retained per the account's configured retention policy.

Watch out for: SCIM DELETE vs. PATCH active=false behavior depends on IdP configuration. Mimecast may treat both as a disable rather than a hard delete; verify behavior in a test environment.

Add a user to a policy group via REST API

  1. Authenticate and obtain an OAuth 2.0 Bearer token via POST to /oauth/token.
  2. Call POST /api/directory/find-groups with source=cloud to retrieve the target group ID.
  3. Call POST /api/directory/add-group-member with the group ID and the user's emailAddress.
  4. Verify membership by calling POST /api/directory/get-group-members with the group ID.
  5. Apply or confirm any Mimecast policies (e.g., content examination, URL protection) that are scoped to this group.

Watch out for: Only cloud-managed groups are writable via API. Attempting to add members to LDAP-synced groups returns an error. Check the group source field before attempting writes.

Why building this yourself is a trap

Integrating Mimecast into an identity graph without accounting for its dual-API architecture introduces silent correctness failures. A pipeline built against v1 HMAC-SHA1 endpoints will break if the app registration is later migrated to v2 OAuth 2.0, and the error surface - auth failures rather than version errors - makes the root cause non-obvious.

The List Users endpoint returns internal managed users only; external and guest users require a separate call, meaning a naive full-sync will produce an incomplete identity graph with no error signal.

SCIM provisioning manages cloud-directory users exclusively - LDAP-synced users are not writable via SCIM - so any identity graph that assumes SCIM write coverage is complete will silently miss a subset of the user population.

Webhooks are not available for user lifecycle events; event-driven architectures must fall back to scheduled polling or SIEM log streaming, which introduces latency between real-world access changes and graph state.

Because SCIM requires SSO to be active as a prerequisite, any SSO configuration change or outage can silently break provisioning without surfacing an explicit SCIM error.

Automate Mimecast workflows without one-off scripts

Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.

Every app coverage, including apps without APIs
60+ app integrations plus browser automation for apps without APIs
IT graph reconciliation across apps and your IdP
Less than a week to launch, maintained as APIs and admin consoles change
SOC 2 Type II. ~2 hours of your team's time
Book a Demo

UpdatedMar 11, 2026

* Details sourced from official product documentation and admin references.

Keep exploring

Related apps

15Five logo

15Five

Full API + SCIM
AutomationAPI + SCIM
Last updatedFeb 2026

15Five uses a fixed role-based permission model with six predefined roles: Account Admin, HR Admin, Billing Admin, Group Admin, Manager, and Employee. No custom roles can be constructed. User management lives at Settings gear → People → Manage people p

Admin guideAPI guide
1Password logo

1Password

Full API + SCIM
AutomationAPI + SCIM
Last updatedFeb 2026

1Password's admin console at my.1password.com covers the full user lifecycle — invitations, group assignments, vault access, suspension, and deletion — without any third-party tooling. Like every app that mixes role-based and resource-level permissions

Admin guideAPI guide
8x8 logo

8x8

Full API + SCIM
AutomationAPI + SCIM
Last updatedFeb 2026

8x8 Admin Console supports full lifecycle user management — create, deactivate, and delete — across its X Series unified communications platform. Every app a user can access (8x8 Work desktop, mobile, web, Agent Workspace) is gated by license assignmen

Admin guideAPI guide