Cohesity Alta SaaS Protection Administrator's Guide
- Introduction to Cohesity Alta SaaS Protection
- Cohesity Alta SaaS Protection Copilot (AI chatbot)
- Cohesity Alta SaaS Protection Administrator portal (Web UI)
- Supported SaaS workloads
- Workflow to protect data using Cohesity Alta SaaS Protection
- Manage users and roles
- API permissions
- What is a connector?
- What is a connector?
- About transient errors
- Overview of adding connectors
- Configure General settings
- Configure Capture scope
- Configure User filter
- Configure Group filter
- Configure Folder filter
- Configure credentials
- Configure Custom backup policy and guidelines
- Configure Delete policy for SharePoint Online and guidelines
- Configure Stubbing policy
- Guidelines to configure Stubbing policy for SharePoint Online
- Schedule a backup
- Configure email addresses to get notifications
- Review configuration and edit/save/initiate backup
- Connectors page
- Connector status
- Edit connector configuration
- Delete connectors
- Pre-requisites to setup protection for M365
- Protect Microsoft 365 Multi-Geo tenant
- Protect Exchange Online data
- Protect SharePoint sites and data
- Setting up SharePoint Online protection with Cohesity Alta SaaS Protection
- Backup and restore support for SharePoint Online
- End-user SharePoint data access in Cohesity Alta SaaS Protection
- Run the Delete and Stubbing policies to the SharePoint Online environment
- Backup limitations for SharePoint Online
- Protect Teams sites
- Protect OneDrive data
- Protect Teams chats
- Protect GoogleDrive data
- Protect Gmail data
- Protect Audit logs
- Protect Salesforce data and metada
- Protect Entra ID objects
- Protect Box data
- Protect Slack data
- Protect Email/Message data
- Configure Retention policies
- Perform backups
- View and share backed-up data
- Analytics
- About analytics
- Analytics page and refresh behavior
- Aggregation buckets
- Gain insights into storage utilization
- Gain insights into storage utilization for Entra ID and Salesforce connectors
- Gain insights into blocked activities, most active users, and more
- Gain insights into data volume (size and item count) on legal hold
- Gain insights into data volume (size and item count) saved in different Enhanced cases
- Gain insights into data volume (size and count) under different policies
- Gain insights into data volume (size and item count) under different Tags
- Gain insights into data volume (size and item count) under different Tags behaviors
- Gain insights into storage savings after deduplication and compression
- Gain insights into data ingestion trends
- Perform restores using Administration portal
- About restore
- Prerequisites for restore
- Restore Exchange Online mailboxes
- Restore SharePoint/OneDrive/Teams Sites and data
- Restore Teams chat messages and Teams channel conversations
- Restore O365 audit logs
- Restore Box data
- Restore Google Drive data
- Restore Gmail data
- About Salesforce Data, Metadata, and CRM Content restore and Sandbox seeding
- Guidelines for Schema changes in Salesforce organization to prevent restore failures
- Restore Standard and Custom objects (Structured data restore)
- Custom Object restore - post processing steps
- Restore specific Records (Structured data) using Query filters
- Restore Salesforce CRM Content (Unstructured data restore)
- Restore Salesforce files/documents in Public/Shared libraries (Unstructured data restore)
- Limitations of Salesforce Data restore
- Salesforce Objects not supported for restore
- Key considerations for Salesforce Metadata restore
- Restore Salesforce Metadata
- Limitations of Salesforce Metadata backup and restore
- About Entra ID (Azure AD) objects and records restore
- Restore Slack data
- Restore data to File server
- Set default restore point
- Configure Restore all, Restore all versions, Point-in-time, and Specific range restore options
- Configure email addresses for notifications
- Downloading an item
- Restore dashboard
- Install services and utilities
- About services and utilities
- Pre-requisites to download and install services and utilities
- Downloading services and utilities
- Where to install the services and utilities
- Installing or upgrading services and utilities
- Configuring service accounts for services and utilities
- About the Apps Consent Grant Utility
- Discovery
- Configure Tagging polices
- Configure Tiering policy
- Auditing
- Manage Stors (Storages)
API permissions for Microsoft 365 workloads
If you use the Microsoft 365 App Registrations mode to configure Microsoft 365 connectors, such as Exchange, SharePoint, Teams Site, OneDrive, and Teams Chat, Cohesity Alta SaaS Protection requires specific permissions to back up and restore content at the source location. A single app is created for the Microsoft 365 tenant for all the Microsoft 365 workloads. You will need to grant consent for this app, ensuring that it has the following permissions:
Table:
Microsoft 365 workloads | Claim names | Permissions | Description by Microsoft | User by Cohesity Alta SaaS Protection... |
|---|---|---|---|---|
Exchange Web Services API access for Exchange. | MailboxSettings.Read | Read all user mailbox settings. | Allows the app to read user's mailbox settings without a signed-in user. Does not include permission to send mail. | To read mailbox type when using the Graph Management API mode. |
Group.ReadWrite.All | Read and write all groups. | Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write conversations. All of these operations can be performed by the app without a signed-in user. | To add impersonation accounts as members to Microsoft 365 Groups/Teams to back up and restore their mailboxes in the Graph Management API mode. | |
Directory.Read.All | Read directory data. | Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user. | To fetch a list of users within a tenant and obtain a list of mailboxes using the Graph Management API mode. | |
Reports.Read.All | Read all usage reports. | Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory. | To get the Exchange growth report from Exchange Online. | |
RoleManagement.ReadWrite.Directory | Read and write role management data for Microsoft Entra ID. | Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. | To add impersonation accounts as administrators to role-assigned Microsoft 365 groups to backup and restore their mailboxes using Graph Management API mode. | |
Application permissions for Exchange | full_access_as_app | Use Exchange Web Services with full access to all mailboxes. | Allows the app to have full access by Exchange Web Services to all mailboxes without a signed-in user. | To backup/ and restore data from all types of mailboxes. No other granular permissions are provided by Microsoft for Exchange Web Services. |
Exchange.ManageAsApp | Manage Exchange as an application. | Allows the app to manage the organization's Exchange environment without any user interaction. It includes mailboxes, groups, and other configuration objects. To enable management actions, an admin must assign the appropriate roles directly to the app. | To allow Exchange Online PowerShell access for the following operations when the PowerShell Management API mode is used:
| |
Microsoft Graphs API permissions for SharePoint/Teams Site/OneDrive. | Sites.ReadWrite.All | Read and write items in all site collections. | Allows the app to create, read, update, and delete documents and list items in all site collections without a signed in user. | To fetch list items from lists in SharePoint sites/Teams sites and One Drives during incremental backups. |
Directory.Read.All | Read directory data. | Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user. | To fetch channel information for backup and restore of Teams Wikis. | |
Reports.Read.All | Read all usage reports. | Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory. | To get a SharePoint growth report from SharePoint Online. | |
User.Read.All | Read all user's full profiles. | Allows the app to read user profiles without a signed in user. | To fetch owners information for Team Sites. Note: This is required only with Modern OAuth authentication mode. | |
CSOM and PowerShell access for SharePoint/TeamsSite/OneDrive | TermStore.ReadWrite.All | Read and write managed metadata. | Allows the app to write enterprise-managed metadata and to read basic site info without a signed-in user. | To backup and restore managed metadata for SharePoint list items. |
Sites.Manage.All | Read and write items and lists in all site collections. | Allows the app to read, create, update, and delete document libraries and lists in all site collections without a signed in user. | To create SharePoint lists during restore. | |
Sites.ReadWrite.All | Read and write items in all site collections. | Allows the app to create, read, update, and delete documents and list items in all site collections without a signed in user. | To backup, restore, and stub list items SharePoint sites/Teams sites and One Drives. | |
Sites.FullControl.All | Have full control of all site collections. | Allows the app to have full control of all site collections without a signed-in user. | To backup and restore role assignments of objects in SharePoint sites/Teams sites and One Drives Capture ACLs for various SharePoint objects. | |
Microsoft Graphs API permissions for Teams Chat. | ChannelMessage.Send (Delegated Permissions) | Send channel messages. | Allows an app to send channel messages in Microsoft Teams, on behalf of the signed-in user. | To restore channel messages back to the destination channel. (User impersonated as channel member.) |
ChatMessage.Send (Delegated Permissions) | Send user chat messages. | Allows an app to send one-to-one and group chat messages in Microsoft Teams, on behalf of the signed-in user. | To restore chat messages back to the destination chat. (User impersonated as a chat member.) | |
ChatMember.ReadWrite.All | Add and remove members from all chats. | Add and remove members from all chats, without a signed-in user. | To retrieve the members of a chat, and during the restore process, add a member to the chat. This added member is used on behalf of that user for further chat message restoration. | |
Directory.Read.All | Read directory data. | Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user. | To get a list of users whose chats need to be backed up in a tenant to be backed up. | |
TeamMember.ReadWrite.All | Add and remove members. | Add and remove members from all teams, without a signed-in user. Also allows changing a team member's role, for example from owner to non-owner. | To add a member to Team, required during restore of message for public channels. | |
Chat.Read.All | Read all chat messages. | Allows the app to read all 1-to-1 or group chat messages in Microsoft Teams. | To read chat messages during backup using Microsoft Teams Export API. Also used to get information like chat name. | |
ChannelMember.ReadWrite.All | Add and remove members from all channels. | Add and remove members from all channels, without a signed-in user. Also allows changing a member's role, for example from owner to non-owner. | To add member to channel during restore of message for private channels. | |
ChannelMessage.Read.All | Read channel messages. | Allows the app to read all channel messages in Microsoft Teams. | To read channel messages during backup using Microsoft Teams Export API. | |
Application permission for Teams Chat | full_access_as_app | Use Exchange Web Services with full access to all mailboxes. | Allows the app to have full access by Exchange Web Services to all mailboxes without a signed-in user. | To back up group chats or Teams posts, fetch data from User or Teams mailboxes by reading Teams Message data. The process is not applicable when using the Export API for backup. |
Note:
If you are adding Exchange connectors using the management API as PowerShell with the Application registration as authentication, you must assign the following roles to the applications.
You must use the Connector service to create any connector using the management API as PowerShell, as the PowerShell management API authentication is not yet supported on the Administration portal. In case you have no access to the Connector service, contact the Cohesity Support team.