Overview
This integration connects your Mimecast Engage (Awareness Training) account to Vanta using the OAuth 2.0 Client Credentials grant via a Custom API 2.0 application. You'll provide a Client ID and Client Secret; there is no browser-based authorization redirect. Once connected, we sync user accounts, training campaigns, and per-user training completion records from Mimecast. We use this data to evaluate whether employees have completed required security awareness training as part of your compliance program. You map specific Mimecast campaigns to SAT categories in Vanta, and we track completion against those assignments for each person in scope.
⚠️ Note: We sync only global training campaigns, that is, those distributed to the entire organization. Targeted campaigns assigned to specific individuals or groups are not exposed by the Mimecast API and will not appear in Vanta. This is a Mimecast platform limitation. If your organization relies on targeted campaigns to meet a compliance requirement, you will need to either convert those campaigns to global campaigns in Mimecast, or supplement the relevant compliance category with Vanta's built-in training or a custom training source. See the Troubleshooting section for details.
This integration is most useful for:
Security and IT teams using Mimecast Engage to deliver and track employee security awareness training who need to demonstrate completion in Vanta
Teams managing training requirements across multiple compliance frameworks, such as SOC 2, HIPAA, PCI-DSS, or GDPR
Estimated setup time: 15-20 minutes
Use cases and capabilities
Training Completion Tracking: Connect Mimecast and we automatically sync each employee's enrollment and completion status across your global training campaigns. Completion data updates consistently, so Vanta always reflects current status without manual uploads or spreadsheet exports.
Automated Compliance Tests: Once you map your Mimecast campaigns to compliance categories in Vanta, we run automated tests on your behalf, verifying that employees have completed required training. We also verify that Mimecast accounts are linked to active employees and that access is revoked when someone leaves.
Evidence Collection: Synced training records feed directly into Vanta's evidence library for supported compliance frameworks. Instead of collecting and uploading completion reports before each audit, we keep that evidence current automatically.
Access Reviews: Mimecast user accounts are surfaced in Vanta's Access Reviews. Reviewers can confirm whether access remains appropriate and generate audit-ready evidence from the same synced data.
Campaign Assignment: After connecting, you can map individual Mimecast training campaigns to specific compliance categories directly in Vanta's integration settings. This controls which completions count toward which tests, so you have precise control over how training maps to your compliance requirements.
Capabilities summary
Resource / Capability | Supported | How it is used in Vanta
User accounts | Yes | Access Reviews, automated account tests, personnel matching |
Training campaigns (global) | Yes | Mapped to compliance categories; powers training completion tests |
Training enrollment and completion | Yes | Powers SAT compliance tests and evidence collection |
Targeted campaigns | No | Not exposed by the Mimecast API (platform limitation) |
Phishing simulation results | No | Not currently synced |
MFA status | No | Not available from the Mimecast API |
Last login time | No | Not available from the Mimecast API |
Permissions
Read access
We use the Client ID and Client Secret from your Mimecast Custom API 2.0 application to read data from your Mimecast account. Although the application requires product-level access to two Mimecast feature areas, Vanta performs read-only operations only. With this access, we read:
Internal user accounts: active users in your Mimecast instance, including name and email address. Used to match employees to Vanta personnel records, power Access Reviews, and evaluate account-level compliance tests.
Awareness Training campaign metadata: global training campaigns in your Mimecast instance. Used to populate the campaign mapping interface in Vanta so you can assign campaigns to SAT categories.
Training enrollment and completion records: per-user enrollment and completion status for each campaign. Used to evaluate training completion against assigned SAT categories and generate evidence in Vanta.
Write access
We do not create, modify, or delete any data in Mimecast.
ℹ️ Note: Mimecast's Custom API 2.0 permission model is scoped by feature area. Vanta requires read access to two areas only: Account Management (for user data) and Awareness Training (for training data). We recommend creating a dedicated administrator role in Mimecast with only these two permissions to limit the scope of access granted to Vanta.
Prerequisites
⚠️ Note: The Mimecast Awareness Training endpoints require the Engage / Awareness Training package. Confirm your Mimecast subscription includes this package before starting. Without it, the API returns a Forbidden error on training endpoints and the integration will fail to validate.
Before starting setup, confirm the following:
You have a Vanta admin account.
You have a Mimecast admin account with access to the Mimecast Admin Console.
Create a dedicated Read-Only Administrator role in Mimecast following Mimecast's guide. The role must be granted:
Directories, Read and Awareness Training, Dashboard, and Read permissions.
Confirm your Mimecast subscription includes the Engage / Awareness Training package. Without it, training endpoints return a Forbidden error and the integration will not validate.
Know which Mimecast API region applies to your account: Global (api.services.mimecast.com), US (us-api.services.mimecast.com), or UK (uk-api.services.mimecast.com). Choose Global unless you have a specific data-residency requirement. According to Mimecast, Global routes to the nearest available region.
Training campaigns are already created and distributed as global campaigns in Mimecast before connecting. We sync enrollment and completion data for global campaigns only. Targeted campaigns are not visible to the API.
Employees' email addresses in Mimecast must exactly match their Vanta personnel records. Any difference (including domain aliases, capitalization, plus-addressing, or alternate email formats) will prevent a match.
The compliance frameworks relevant to your organization are enabled in Vanta. The SAT categories available during setup depend on which frameworks your organization has turned on. To confirm, go to Settings (gear icon) > Frameworks in the Monitoring section.
Setup guide
Step 1: Create a read-only Administrator role
Log in to the Mimecast Admin Console.
Navigate to Account > Admin Roles. Then click on New Role.
Give the role a name and description of your preference. You'll need it later when setting up the Custom API 2.0 application.
In the Security Permissions section, select Cannot Manage Roles.
In the Application Roles section, unselect everything, keeping only:
Directories - Read in all subsections
Awareness Training - Awareness Training Dashboard - Read
Click Save and Exit.
Step 2: Create a Custom API 2.0 application in Mimecast
Log in to the Mimecast Admin Console.
Navigate to Integrations > API and Platform Integrations, then click Mimecast API 2.0.
Create a new Custom API 2.0 application. Follow Mimecast's setup guide for full detail.
Assign the application both of the following products:
Account Management
Awareness Training
Save the application, then generate a new credential. Copy the Client ID and Client Secret; you will need them in Step 4.
⚠️ Note: Store the Client Secret securely. Mimecast will not display it again after the credential is generated. If you lose it, generate a new credential on the same application.
Step 3: Find the Mimecast integration in Vanta
In Vanta, go to Integrations. Click Add integration.
Search for Mimecast. Click the integration card.
Click Connect.
Click Add connection.
Step 4: Enter your Mimecast credentials
Fill in the following fields:
Account Name (optional): A display name to identify this connection in Vanta. Useful if you connect more than one Mimecast account. If left blank, Vanta defaults this to the first 12 characters of the Client ID.
Client ID: Paste the Client ID from the Custom API 2.0 application you created in Step 2.
Client Secret: Paste the corresponding Client Secret.
Region: Select Global, US, or UK based on the region of your Mimecast account.
Click Validate and store.
If the credentials validation is successful, Vanta will open the Choose security assignments screen so you can continue setup.
⚠️ Note: If the credentials are incorrect, the wrong region is selected, or your Mimecast subscription does not include the Engage / Awareness Training package, an error will appear. See the Troubleshooting section below.
There may be a short delay before Mimecast training campaigns appear in Vanta. If campaigns have not yet loaded, you can close the modal and return later to complete Step 5.
💡 Tip: Vanta supports connecting more than one Mimecast account. Each connection is identified by its Account Name. To add a second connection, return to the Mimecast integration page and click Add Connection.
Step 5: Map training campaigns to compliance categories
After the connection is created:
In Vanta, go to Integrations and search for Mimecast under the Connected tab.
Click Manage, then click Update Settings.
In the Choose security assignments modal, click Add an Assignment.
Click Choose an assignment and select the Mimecast campaign you want to map.
Select every training category the campaign covers. Assign each relevant campaign to one or more categories: General security awareness, HIPAA, PCI DSS, GDPR, CCPA, Insider threat, Social engineering, AI Risk, or Secure code.
Repeat to map additional campaigns, or click Delete on a row to remove a mapping.
Click Save.
Note: If you have multiple Mimecast connections, use the Mimecast Connection dropdown at the top of the modal to select which account you are configuring. Mappings are saved per connection, so repeat this process for each connected account.
Note: Only global Mimecast campaigns appear in the assignment dropdown. Targeted campaigns are not visible to the API and cannot be mapped.
Step 6: Configure training requirements for employees
Connecting the integration does not automatically assign training to employees in Vanta. After mapping your campaigns in Step 5, you need to tell Vanta which training categories each group of employees is required to complete.
💡 Tip: Completing this step requires three save actions: one inside the training modal, one on the group page, and one in a final review dialog. Each has a distinct purpose.
In Vanta, go to Personnel > People. Select the Groups tab, then click the group you want to configure (for example, Engineering).
On the group's page, find the row labeled Trainings and open it. A modal opens where you can configure training for this group.
Each available training category appears as a toggle (General is always first). Turn on the toggle for every category employees in this group must complete.
When you turn a category on, three source options appear:
Vanta training: use Vanta's built-in video training.
Integration training: use the Mimecast campaigns you mapped in Step 5. The card shows a summary of which campaigns are linked.
Custom training: provide your own URL and instructions.
To use Mimecast, select Integration training. To change which Mimecast campaigns are used for a category, click the three-dot menu on the card and choose Edit.
Click Save inside the Manage trainings modal. The modal closes and you return to the group's page. Your changes are not applied yet.
On the group's page, click Save to review your changes. The Review changes and save modal opens, summarizing what is about to change.
Click Save in the Review changes and save modal to confirm. Employees in this group will now see the assigned Mimecast training in their tasks.
A confirmation dialog appears. From here you can click Dismiss to close the dialog (changes are already applied), or click Enable recurring reminders to configure automatic email reminders for employees with outstanding tasks.
Repeat these steps for each group that requires training.
Troubleshooting and FAQs
Credential validation fails and the connection does not proceed
Likely cause: The Client ID or Client Secret is incorrect, the credential has been revoked or rotated in Mimecast, the wrong region was selected, or your Mimecast subscription does not include the Engage / Awareness Training package. When the Engage package is not active, the API returns a Forbidden error on training endpoints even if the credentials are otherwise valid.
How to confirm: Log in to the Mimecast Admin Console and verify that your Custom API 2.0 application still exists and its credentials (Client ID and Client Secret) have not been revoked. Check that the application has been granted access to both Account Management and Awareness Training. Confirm the administrator role associated with the application includes the Directories|Read and Awareness Training|Dashboard|Read permissions. In Vanta, verify the region you selected (Global, US, or UK) matches the region of your Mimecast tenant. Finally, contact your Mimecast account team to confirm your subscription includes the Engage package because the Awareness Training API requires it.
Fix: Re-enter correct credentials and select the correct region. If the credential was revoked, generate a new one in Mimecast and re-enter it in Vanta. If the Engage package is not included in your subscription, contact Mimecast to add it before connecting.
Targeted training campaigns are not appearing in Vanta
Likely cause: Mimecast's API exposes only global campaigns distributed to the entire organization. Campaigns assigned to specific individuals or groups are not returned by the API. This is a Mimecast platform limitation.
How to confirm: Check in the Mimecast Admin Console whether the missing campaigns are configured as targeted rather than global.
Fix: To bring a targeted campaign into Vanta, redistribute it in Mimecast as a global campaign. Alternatively, supplement the relevant compliance category using Vanta's built-in training or a custom training source on the affected groups.
The integration disconnects after a successful setup
Likely cause: The Client ID or Client Secret was rotated or revoked in Mimecast after the integration was connected. When we are unable to authenticate during a sync, we disconnect the integration to prevent stale or incomplete data from persisting in Vanta.
How to confirm: Log in to the Mimecast Admin Console and check whether the credential on the Custom API 2.0 application is still active.
Fix: Generate a new credential in Mimecast, then in Vanta go to Integrations > Mimecast > Manage in Vanta and update the Client ID and Client Secret with the new values.
Training shows as incomplete for employees who have completed it in Mimecast
Likely cause: One or more of the following: the employee's email in Mimecast does not exactly match their Vanta personnel record; the training campaign has not been mapped to a compliance category in Vanta; training has not been enabled in the employee's group in Vanta; the campaign is a targeted campaign (not visible to the API); or the sync has not yet run since the completion was recorded.
How to confirm: Check the employee's email in both Mimecast and Vanta for an exact match. Confirm the campaign is mapped under Integrations > Mimecast > Manage > Update Settings. Confirm training is enabled for the group under Personnel > People > Groups > [group name] > Trainings.
Fix: Correct any email mismatches. Complete campaign mapping in the Assignment Selector. If training is not yet enabled for the group, open the relevant group, find the Trainings row, turn on the required categories, and select Integration training as the source. Allow up to one sync cycle for the completion to appear.
Only some employees' training completions are appearing
Likely cause: Email address mismatches between Mimecast and Vanta personnel records are the most common cause. We match completion records to employees by exact email address. Any mismatch causes that employee's data to be excluded.
How to confirm: Compare the email on the affected employees' Mimecast profiles with the email on their Vanta personnel records.
Fix: Correct any discrepancies in email addresses across both systems, including differences in capitalization, formatting, or aliases. Allow the next sync to run after making corrections.
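To find these mismatches before the next sync, the comparison can be scripted. The following is an added example, not Vanta's or Mimecast's code: it takes two address lists you have exported yourself and reports which Mimecast addresses match exactly and which miss only because of capitalization, plus-addressing, or a domain alias. All names, the alias map, and the sample addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data; the alias map is a hypothetical input you maintain.
DOMAIN_ALIASES = {"example.co.uk": "example.com"}
MIMECAST_EMAILS = ["alice@example.com", "Bob.Ng@example.com",
                   "carol+training@example.com", "dave@example.co.uk",
                   "erin@example.com"]
VANTA_EMAILS = ["alice@example.com", "bob.ng@example.com",
                "carol@example.com", "dave@example.com", "frank@example.com"]

def split(email):
    """Return (base local part, plus tag, domain) without changing case."""
    local, _, domain = email.partition("@")
    base, _, tag = local.partition("+")
    return base, tag, domain

def canonical(email, aliases):
    """Loose key used only to pair near-misses, never to declare a match."""
    base, _, domain = split(email.lower())
    return f"{base}@{aliases.get(domain, domain)}"

def causes(a, b):
    """Name the differences between two addresses sharing a canonical key."""
    (base_a, tag_a, dom_a), (base_b, tag_b, dom_b) = split(a), split(b)
    found = []
    if base_a != base_b or (dom_a != dom_b and dom_a.lower() == dom_b.lower()):
        found.append("capitalization")
    if tag_a != tag_b:
        found.append("plus-addressing")
    if dom_a.lower() != dom_b.lower():
        found.append("domain alias")
    return found

def reconcile(mimecast, vanta, aliases=None):
    """Classify each Mimecast address as matched, near_miss or unmatched."""
    aliases = aliases or {}
    exact = set(vanta)
    by_key = defaultdict(list)
    for v in vanta:
        by_key[canonical(v, aliases)].append(v)
    report = {"matched": [], "near_miss": [], "unmatched": []}
    for m in mimecast:
        if m in exact:  # exact, case-sensitive comparison, as the page describes
            report["matched"].append(m)
            continue
        candidates = by_key.get(canonical(m, aliases), [])
        for v in candidates:
            report["near_miss"].append((m, v, causes(m, v)))
        if not candidates:
            report["unmatched"].append(m)
    return report

if __name__ == "__main__":
    for kind, rows in reconcile(MIMECAST_EMAILS, VANTA_EMAILS, DOMAIN_ALIASES).items():
        print(kind, rows)
```

Entries under near_miss are the ones to correct in either system; entries under unmatched have no counterpart in the Vanta list at all.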
The manual evidence document for security awareness training is still showing after connecting
Likely cause: Manual evidence documents are not automatically deactivated when an integration is connected.
How to confirm: Navigate to the evidence document and confirm it is still set to active.
Fix: Once you have confirmed the integration is syncing correctly, navigate to the document, click the three-dot menu, and select Deactivate.
Does Vanta include training completions from before the integration was connected?
Yes. The Mimecast Awareness Training endpoint returns historical completion records, so completions recorded before the integration was connected will appear in Vanta on the first successful sync (subject to the global-campaign and email-match requirements above).
Can I connect more than one Mimecast account?
Yes. Each connection is identified by the Account Name you set during setup. Add additional connections from the Mimecast integration page using Add Connection. Training-to-category mappings are saved per connection. Use the Mimecast Connection dropdown in the Assignment Selector to configure each account separately.
