Search <book_title>...

Cohesity Alta SaaS Protection 2.x.x Administrator's Guide

Last Published: 2025-04-24

Product(s): Veritas Alta SaaS Protection (1.0)

Introduction to Cohesity Alta SaaS Protection
1. About Cohesity Alta SaaS Protection
2. Features of Cohesity Alta SaaS Protection
3. Architecture of Cohesity Alta SaaS Protection
4. Operational workflow
5. Extra Data Backup (EDB)
API permissions
1. API permissions for Microsoft 365 workloads
2. API permissions for Gmail and Google Drive
3. System and API permissions for Salesforce
4. API permissions for Entra ID
5. App permissions of Web App
Administrator portal (Web UI)
1. About the Administration portal
2. Configure the Administration portal
3. View upgrade history
Manage users and roles
1. Role-based access control
2. Permissions tab
What is a connector?
1. What is a connector?
2. Supported SaaS workloads and backup capabilities
3. Workflow to protect data using Cohesity Alta SaaS Protection
4. Know your subscription details
5. About transient errors
6. Overview of adding connectors
7. Configure General settings
8. Configure Capture scope
9. Configure User filter
10. Configure Group filter
11. Configure Folder filter
12. Configure credentials
  1. Assign Microsoft 365 apps registration
  2. Microsoft 365 apps registration status
  3. Manually approve Microsoft 365 apps registration
  4. Approve Microsoft 365 apps using the App Consent Grant utility
  5. Microsoft 365 apps recovery
13. Configure Custom backup policy and guidelines
14. Configure Delete policy for SharePoint Online and guidelines
15. Configure Stubbing policy
16. Guidelines to configure Stubbing policy for SharePoint Online
17. Schedule a backup
18. Configure email addresses to get notifications
19. Review configuration and edit/save/initiate backup
20. Connectors page
21. Connector status
22. Edit connector configuration
23. Delete connectors
Pre-requisites for Microsoft 365 connectors
1. Pre-requisites for Microsoft 365 connectors
Protect Microsoft 365 Multi-Geo tenant
1. Considerations for adding SharePoint/Teams Sites/OneDrive connectors for Microsoft 365 Multi-Geo tenant
Protect Exchange Online data
1. Add Exchange Online connectors
2. Configure capture scope for Exchange connectors
Protect SharePoint sites and data
1. Add SharePoint connectors
2. Supported and unsupported SharePoint Settings and Types for backup and restore
3. Supported Sites and List templates for backup and restore
4. Supported SharePoint permission objects for backup and restore
5. Configuring capture scope for SharePoint connectors
6. End-user SharePoint data access in Cohesity Alta SaaS Protection
7. Run the Delete and Stubbing policies to the SharePoint Online environment
8. Limitations of SharePoint connector
Protect Teams sites
1. Add Teams site collections connectors
2. Configure capture scope for Team site collections connectors
3. Limitations of Teams site collections connector
Protect OneDrive data
1. Add OneDrive connectors
2. Configure capture scope for OneDrive connectors
Protect Teams chats
1. Add Teams chat connectors
2. Configure capture scope for Teams chat connectors
3. Limitations of Teams chat connector
Protect GoogleDrive data
1. Prerequisites to add Google Drive connectors
2. Add Google Drive connectors
3. Configure capture scope for Google Drive connectors
4. Limitations of Google Drive connector
Protect Gmail data
1. Prerequisites to add Gmail connectors
2. Add Gmail connectors
3. Configure capture scope for Gmail connectors
Protect Audit logs
1. Add Audit log connectors
2. Audit log connector limitations
Protect Salesforce data and metada
1. About Salesforce protection
2. Key considerations and prerequisites for adding Salesforce connectors
3. Add Salesforce connectors
4. Limitations of Salesforce connectors
5. Salesforce Objects not supported for backup
Protect Entra ID objects
1. Add Entra ID (Azure AD) connectors
2. Limitations for Entra ID connector
Protect Box data
1. Prerequisites for Box connectors configuration
2. Add Box connectors
3. Configure capture scope for Box connector
4. Limitations of Box connector
Protect Slack data
1. Add Slack connectors
Protect Email/Message data
1. Prerequisite for Email/message connector
2. Add Email/Messages file
Configure Retention policies
1. About WORM policies
2. Ingestion WORM policies page
3. Add/edit Ingestion WORM retention policies and guidelines
4. Add/edit At-Rest WORM retention policies
5. Add/edit Deletion policies
6. View deletion history
7. How to edit the policy evaluation interval?
8. How to add a Location filter?
9. How to add a filter?
Perform backups
1. Perform on-demand/ad-hoc backup
2. Backup dashboard
3. Video tutorial for connector troubleshooting
4. View backup events
  1. About Event suppression
  2. Create event suppression rules
5. Viewing backup tasks details
View and share backed-up data
1. Browse backed-up data
2. Share data
3. Remove data sharing
Analytics
1. About analytics
2. Gain insights into storage utilization
3. Gain insights into storage utilization for Entra ID and Salesforce connectors
4. Gain insights into blocked activities, most active users, and more
5. Gain insights into data volume (size and item count) on legal hold
6. Gain insights into data volume (size and item count) saved in different Enhanced cases
7. Gain insights into data volume (size and count) under different policies
8. Gain insights into data volume (size and item count) under different Tags
9. Gain insights into data volume (size and item count) under different Tags behaviors
10. Gain insights into storage savings after deduplication and compression
11. Gain insights into data ingestion trends
Perform restores using Administration portal
1. About restore
2. Prerequisites for restore
3. Restore Exchange Online mailboxes
4. Restore SharePoint/OneDrive/Teams Sites and data
  1. Restore of OneDrive, Microsoft 365 Group, and Microsoft Teams sites
  2. Limitations of SharePoint sites and data restore
5. Restore Teams chat messages and Teams channel conversations
  1. Limitations of Teams chat data restore
6. Restore O365 audit logs
7. Restore Box data
  1. Limitations of Box data restore
8. Restore Google Drive data
  1. About the overwrite restore behavior for Box/Google Drive data
9. Restore Gmail data
10. About Salesforce Data, Metadata, and CRM Content restore and Sandbox seeding
11. About Entra ID (Azure AD) objects and records restore
12. Restore Slack data
13. Restore data to File server
14. Set default restore point
15. Configure Restore all, Restore all versions, Point-in-time, and Specific range restore options
16. Configure email addresses for notifications
17. Downloading an item
Restore dashboard
1. About Restore dashboard
2. Restore job statuses
3. How to cancel a restore job?
4. View the restore events
Install services and utilities
1. About services and utilities
2. Pre-requisites to download and install services and utilities
3. Downloading services and utilities
4. Where to install the services and utilities
5. Installing or upgrading services and utilities
6. Configuring service accounts for services and utilities
7. About the Apps Consent Grant Utility
Discovery
1. About eDiscovery/searches
2. Add search templates
3. Add Discovery cases
4. Perform ad hoc search and add data to Discovery cases
5. View data in Discovery cases
6. Edit Discovery cases
7. DeleteDiscovery cases
8. Assign Discovery cases to users
Configure Tagging polices
1. About the Tagging policy
2. Add Tags
3. Add/edit Tagging policies
4. Adding regular expressions
  1. RegEx and query examples for PII detection
Configure Tiering policy
1. About the Tiering policy
2. Add/edit Tiering policies
Auditing
1. Auditing
Manage Stors (Storages)
1. Viewing Stors (Storages)
2. Requesting a new Stor
3. General tab
4. Version control settings
5. Metadata tab
6. Statistical policies tab
7. Location-Mapping tab
8. Backup tab
9. Custodian Groups tab
10. Advanced tab
11. Analytics tab

Configure Delete policy for SharePoint Online and guidelines

The SharePoint Online connector can be configured with a Delete policy to manage storage by removing unnecessary files from the source SharePoint Online environment while retaining backups in Cohesity Alta SaaS Protection.

Before configuring the Connector Delete policy, you must read the following guidelines to understand its implications. Cohesity is not responsible for any loss of functionality in SharePoint caused by of actions of this policy.

The delete policy can only be customized based on the following criteria:

Size
Last modified date
Type

You can define any or all these criteria according to your specific requirements.

Delete Policy setup guidelines

Before configuring the Delete policy, you must read the following guidelines to understand its implications:

Start by testing the policy in a small or less-used environment. This will help Administrators and End Users understand how the policy works before it is deployed widely.
Check the section 'Considerations Before Enabling the Delete Policy' to understand the implications of deletion of files at source. This will help you decide the correct policy settings and exclude the Sites and Locations where deletion should not be performed.
Decide on one of the following:
- Only to archive certain items into Cohesity Alta SaaS Protection and delete them from SharePoint.
- Back up all the data in SharePoint Sites/OD while also deleting certain files.
- If only deleting certain files (that is you have decided for 'Only to archive certain items into Cohesity Alta SaaS Protection and delete them from SharePoint'), make it so that you have a Custom Backup Policy and Delete Policies should match each other for the connector.
  - Consider prioritizing larger files: For faster space savings, target larger files first (for example, files over 5 MB modified more than a year ago, or whatever is your date criteria).
  - Adjust criteria over time: Later, adjust both Custom Backup and Delete policies to suit your ongoing plan (for example, files over 1 MB modified more than a year ago).
- If deleting files based on policy and backing up all files (that is the other option 'Back up all the data in SharePoint Sites/OD while also deleting certain files'.), follow the guidelines in step 4; however, when setting the ongoing criteria, clear out the settings in the Custom Backup Policy so that all files will be part of the backup, but only files that meet the delete policy are eligible for deletion.

Considerations Before Enabling the Delete Policy

Since this process deletes data at source, it is important to understand the implications of the Cohesity Alta SaaS Protection process before enabling the policy. Cohesity will be unable to help or support in case of unsupported scenarios and hence it will not be Cohesity's responsibility to recover from the situation.

General considerations:

Cohesity Alta SaaS Protection deletes files from the SharePoint Online after creating a primary backup copy in its storage. No additional copies are maintained by default, so it's crucial to avoid accidental deletion of the primary backup, for example, due to a misconfigured Cohesity Alta SaaS Protection deletion policy (used to manage retention of data within Cohesity Alta SaaS Protection storage, not to be confused with connector delete policy).
You can consider purchasing the Extra Data Backup (EDB) option to maintain a secondary backup copy.
Sometimes automated processes within SharePoint online OR external applications integrated with SharePoint Online rely on a file to be present for their functioning. Such processes OR applications can be disrupted due to this deletion of the file. Such locations should be excluded from the delete policy.
If the policy deletes files based on the last modified date, frequently accessed but unmodified content may also be deleted.
Carefully consider whether such content should be deleted, as it can lead to frequent restore requests.
Evaluate what should be retained at the source before enabling this policy to configure the deletion exclusions properly.
If files are accidentally deleted, administrators may need to perform mass restores through the Cohesity Alta SaaS Protection Administration portal, which can be time-consuming and impacts the user experience.

Scope of application in SharePoint:

Cohesity Alta SaaS Protection only deletes files and not sites, lists, and folders.
The policy applies only to files within the libraries, which are based on document libraries (for example, whose list base type is a document library).
The following items cannot be deleted using the connector delete policy:
- ASPX files
- Items in hidden lists or catalog lists.
- Files which have been stubbed by Cohesity Alta SaaS Protection and have the '.stub.url' extension.
  Important - It is important to understand the implications of the above, when applying this policy. Cohesity is not responsible for any loss of functionality in SharePoint because of actions of this policy.
- If the meet the criteria specified in the deletion policy, it may stop working if files associated with them are deleted.
- IRM-Enabled Lists: Files that meet deletion criteria will be deleted.
  - They cannot be opened if downloaded from Cohesity Alta SaaS Protection.
  - Restores of such files only work if the IRMS settings of the source list stay unmodified.
- Retention policies and legal holds: Files which have Retention Labels or reside in a site which have a Retention Policy or Legal Holds will be deleted from their primary locations.
  - They will be retained in the Preservation Hold library and hence may not result in space savings.
  - Deletion of such files may not be desired as this may conflict with any compliance policies at source.
- Sensitive encrypted labels: Files encrypted with sensitive labels will be deleted. Currently restores of these files have limitations.
  • For the files with Sensitivity labels configured for encryption, only restores from scratch for a single version can be performed.
  • Restoring multiple versions and overwrite restores are not supported, as SharePoint does not allow the creation of a new version on top of such files.
- Deletion can disrupt functionality for Loop integration and InfoPath integration.
- Files which are in Site Assets, Site Pages, SharePoint designated System Lists may also be deleted.
- This is not an exhaustive list, and Cohesity is not liable for any undocumented functionality loss.

Connector Delete Policy Evaluation, Configuration, and Interaction:

Configure exclusions based on last modified date or size (last accessed time is unsupported).
The policy is applied from the second full backup, after all the data is successfully backed up by the first full backup. This is not applicable to incremental backups.
The connector delete policy applies only to full backups and does not apply to incremental backups occurring between two full backups.
Cohesity Alta SaaS Protection will not remove the current version of a file in SharePoint unless it is the only version of the file still in SharePoint. It leads to the following behavior when both versions of a file in SharePoint with two versions match a delete policy:
- Backup 1: The older version is deleted. The current version is left.
- Backup 2: The file is deleted.
If both the delete and stubbing policies apply to the same file, the delete policy takes precedence, permanently deleting the file from SharePoint.

Interaction with Cohesity Alta SaaS Protection deletion policies (used for retention of data within Cohesity Alta SaaS Protection)

Cohesity Alta SaaS Protection marks files as Removed from source if they're no longer found in the same location during a subsequent backup after the initial one.
Note:
Files deleted at the source by a connector delete policy will also be marked as Removed from source in Cohesity Alta SaaS Protection in the following backup. Cohesity Alta SaaS Protection does not distinguish between deletions made by the connector delete policy or independent deletions at source.
Note:
Cohesity Alta SaaS Protection deletion policies (used for retention of data within Cohesity Alta SaaS Protection) can be configured to delete files in Cohesity Alta SaaS Protection marked as Removed from source. As noted above, Cohesity Alta SaaS Protection cannot differentiate between what was deleted at source by Cohesity Alta SaaS Protection (by a connector delete policy) and what was deleted at source by end user action, based on the 'Removed from source' property. This makes it challenging to set up such Cohesity Alta SaaS Protection deletion policies, if there is a need to differentiate the origin of deletions.

Copy/Move of locations containing Files deleted by Cohesity Alta SaaS Protection:

If a location which previously had files deleted by Cohesity Alta SaaS Protection through a connector delete policy is copied or moved in SharePoint, the currently present data at the source at the copied/moved location be backed to the new location.
Note:
Any data that was previously deleted by Cohesity Alta SaaS Protection will remain at the old location.

Backup of Previously Deleted Restored Files:

After file is restored, Cohesity Alta SaaS Protectionn treats it as a new file during the next backup, resulting in two records. The original file marked as Removed from source (deleted by the connector policy) and the newly ingested file.

End User Access:

End users can access Cohesity Alta SaaS Protection data through the End-User portal, but their permission level must have the Open Items List Permission in SharePoint. If users' permission level only have View Items or View Application Pages permissions (such as in Restricted View, View Only, or Download Only permission levels), they won't have access to deleted files in the portal.
For details on how Cohesity Alta SaaS Protection synchronizes permissions, refer to See End-user SharePoint data access in Cohesity Alta SaaS Protection.
Any enhancements/fixes made by Cohesity Alta SaaS Protection to capture new/existing permissions will not be reflected on files which have already been captured and deleted at source from SharePoint.
End users can download or restore data, but can only restore files to SharePoint sites where they are primary administrators.

Files Synchronized with laptops, PCs, and Sharing links:

These will stop working.

To configure Delete policy

Click Enable this feature on the Policy configuration tab.
Do the following:
- Select the Items <Last modified> date older than <--> days check box and enter the number of days to specify the modified items that must be backed up.
  This option is applied regardless of the items' size and type.
- Select the Items size larger than __<--> check box to back up the items that are larger than the specified size.
  This option is applied regardless of the items' last modified date and type.
- Select the <Include/Exclude> items of type <Enter a file extension> check box and enter the extensions that should be included or excluded.
  This option is applied regardless of the items' Last modified status and size.
  This option is not applicable to the Google Drive connector.
- Use the Locations to exclude option to exclude specific folders.
  Any folder that matches the provided name is excluded from the backup with its subfolders. The matching process is case-insensitive, and wildcards can be used.
  The exclusion criteria that are set in the Folder filter section for this connector take precedence over the criteria that is set here.
  - Click +Add location.
  - On the Location name page, enter the name of the folder that is to be excluded.
  - Click Add.
  The folders to be excluded are listed at the bottom of this section.
The Delete policy is configured.
If you want to configure Stubbing policy, See Configure Stubbing policy.