Cohesity Alta SaaS Protection Administrator's Guide

Product(s): Veritas Alta SaaS Protection (3.2.1)

Pre-requisites to setup protection for M365

The following Cohesity Alta SaaS Protection connectors are used to protect Microsoft 365 workloads:

  • Exchange Online connector for Exchange Online mailboxes, folders, messages, and attachments.

  • SharePoint Online connector for SharePoint Online sites, folders, files, permissions, and metadata.

  • OneDrive for Business connector for OneDrive for Business sites, folders, files, permissions, and metadata

  • Teams sites collection connector for Teams site, folders, files, permissions, and metadata

  • Teams chat connector for Teams messages, meeting recordings, and attachments

For more details on the backup capabilities and limitations of these connectors, see Supported SaaS workloads and backup capabilities.

Pre-requisites

For Microsoft 365 workload protection, you must synchronize your Entra ID with Cohesity Alta SaaS Protection.

Entra ID synchronization is required to provide centralized identity management, enabling features like Single Sign-On (SSO), access control, and automated user provisioning. It ensures consistent user authentication across applications, enhances security with policies like multifactor authentication (MFA), and simplifies user management. Synchronization also supports compliance by maintaining up-to-date user directories and enforcing role-based access. Overall, it ensures a seamless and secure experience for users while maintaining control and compliance in cloud environments.

The Azure Global administrators receive an email notification from Cohesity, asking them to approve the Entra ID synchronization request. The email includes a link to approve the Entra ID synchronization app registration in the following format:

https://login.microsoftonline.com/contoso.onmicrosoft.com/adminconsent?client_id=25fb04f2-f2ac-405b-ac01-c39ad4ee6a26

Any one of the Azure Global administrators should do the following to synchronize Entra ID with Cohesity Alta SaaS Protection:

  • Replace contoso.onmicrosoft.com in the above link with your primary domain.

    Note:

    Your primary domain is listed on the Microsoft Entra Overview page of the Azure portal.

  • Approve the app with the 25fb04f2-f2ac-405b-ac01-c39ad4ee6a26 ID.

The Entra ID synchronization app requests the following permissions:

  • Directory.Read.All: This permission is required to read directory data.

  • User.Read: This permission is required to sign in and read the user profile.
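
A pre-approval check for the consent link and permission list described above, as an added example that is not part of the Cohesity guide: it confirms that an emailed link matches the documented format (Microsoft sign-in host, your primary domain, the documented app ID, no extra parameters) and flags any permission on the consent prompt that this page does not list. The function names and the fabrikam.onmicrosoft.com sample domain are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Values taken from this page.
EXPECTED_HOST = "login.microsoftonline.com"
EXPECTED_CLIENT_ID = "25fb04f2-f2ac-405b-ac01-c39ad4ee6a26"
EXPECTED_PERMISSIONS = {"directory.read.all", "user.read"}

# Constructed sample links for illustration (not taken from a real e-mail).
GOOD_LINK = ("https://login.microsoftonline.com/fabrikam.onmicrosoft.com"
             "/adminconsent?client_id=" + EXPECTED_CLIENT_ID)
WRONG_HOST_LINK = GOOD_LINK.replace(EXPECTED_HOST, EXPECTED_HOST + ".example.net")


def check_consent_link(url, primary_domain):
    """Return the ways a link differs from the documented format ([] = match)."""
    problems = []
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        problems.append("scheme is not https")
    # Compare the whole netloc so user@host and :port variants are rejected too.
    if parts.netloc.lower() != EXPECTED_HOST:
        problems.append(f"unexpected host {parts.netloc!r}")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 2 or segments[1].lower() != "adminconsent":
        problems.append("path is not /<tenant>/adminconsent")
    elif segments[0].lower() != primary_domain.lower():
        problems.append(f"tenant {segments[0]!r} is not your primary domain")
    query = parse_qs(parts.query, keep_blank_values=True)
    client_ids = [v.lower() for v in query.get("client_id", [])]
    if client_ids != [EXPECTED_CLIENT_ID]:
        problems.append("client_id does not match the documented app ID")
    extra = sorted(set(query) - {"client_id"})
    if extra:
        problems.append("parameters not in the documented link: " + ", ".join(extra))
    if parts.fragment:
        problems.append("unexpected URL fragment")
    return problems


def unexpected_permissions(shown_on_consent_prompt):
    """Permissions shown on the consent prompt that this page does not list."""
    return sorted(p for p in shown_on_consent_prompt
                  if p.strip().lower() not in EXPECTED_PERMISSIONS)


if __name__ == "__main__":
    for link in (GOOD_LINK, WRONG_HOST_LINK):
        print(link, "->", check_consent_link(link, "fabrikam.onmicrosoft.com") or "OK")
    print(unexpected_permissions(["Directory.Read.All", "User.Read", "Mail.ReadWrite"]))
```

Approve only when the link check returns no problems and the consent prompt lists nothing beyond the two permissions above.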

Depending on the size of your data, synchronization may take several hours.

The synchronization process synchronizes the users and groups in your Entra ID to Cohesity Alta SaaS Protection. After synchronization is completed, Cohesity Alta SaaS Protection has information about the users and groups in your Entra ID.

The following information is also synchronized along with the users and groups:

  • User account status (enabled or disabled)

  • Group memberships

  • Extended Entra ID attributes such as the user's department, job title, preferred data location, and so on (if the extended Active Directory attributes are enabled in Azure).

Pre-requisites for Entra ID synchronization

The following are the prerequisites for Entra ID synchronization:

  • You must have Entra ID deployed for your organization.

  • You must enable Entra ID synchronization in Azure to synchronize your on-premises Active Directory with your Entra ID. The Microsoft Entra ID Connect tool is used to enable the Active Directory synchronization.

  • You also need to enable the extended Azure Active Directory attributes in Azure to get all features related to SharePoint and OneDrive connectors of Cohesity Alta SaaS Protection.

Features that require Entra ID synchronization

Entra ID synchronization is required for the following features of Cohesity Alta SaaS Protection:

  • End-User portal and End User file access through stub:

    Accessing the SharePoint stubs configured with multiple Active Directories can cause issues.

    See End-user SharePoint data access in Cohesity Alta SaaS Protection.

  • Link-based storage tiering

  • Location-mapping policies

    The following features require the extended Entra ID attributes along with the Active Directory synchronization:

    • Exchange connectors that use the extended Entra ID attributes to filter the in-scope mailboxes.

    • SharePoint connectors that use the extended Entra ID attributes to filter the in-scope OneDrive for business site collections.

Limitations if Entra ID synchronization is not enabled

The following are the limitations if you have not enabled the Entra ID synchronization in Azure:

  • The Custodian-scoped search returns results for explicit user permissions only; access rights granted through group memberships are not displayed in the results. A search for a group returns no results because Cohesity Alta SaaS Protection has no knowledge of group memberships.

  • Policies that use the Custodian (inclusion or exclusion) clauses return results for explicit user permissions only.

  • Policies that use Custodian attribute (inclusion or exclusion) clauses return no results.