How to Enable Directory Synchronization

Article: 100050221
Last published: 2024-09-12
Rating: 8 0
Product: Alta SaaS Protection

Description

This article describes what Directory Synchronization is and how to enable and configure it.

Your Veritas Alta SaaS Protection (ASP) tenant may synchronize user information from your organization's Azure Active Directory. Access is read-only and optional, but it is necessary for certain ASP features to work fully.

ASP can synchronize with multiple domains/directory providers. 
 
Directory Synchronization gives ASP an awareness of the users and groups that exist in your domain, along with an understanding of the following details:
 
  1. Account status (enabled/disabled),
  2. Group memberships (to any level), and
  3. Extended directory attributes (e.g., Department, Job Title, PreferredDataLocation).
 
The following ASP features require Directory Synchronization: 
 
  1. End-user portal access
  2. Link-based storage tiering (File backup only)
  3. Location mapping policies (within the ASP Admin portal)
  4. Exchange connectors that use extended AD attributes to filter in-scope mailboxes
  5. SharePoint connectors that use extended AD attributes to filter in-scope OneDrive for Business site collections
 
 
When Directory Synchronization is not enabled, the features listed above will not be available, and the following limitations apply: 
 
  1. Custodian-scoped searches in the Admin Portal’s Discovery app will yield the result of explicit user permissions only. In other words, access rights via group memberships will not be in the result. Likewise, targeting a Group object will not yield results since without directory synchronization ASP has no knowledge of group memberships.
  2. Policies in the Admin Portal that use Custodian inclusion/exclusion clauses will yield the result of explicit user permissions only (no access via group memberships).
  3. Policies in the Admin Portal that use Custodian Attribute inclusion/exclusion clauses will not yield a result.

If you opt out of directory synchronization, ASP will provision an Azure AD instance within your ASP tenant configuration to act as the dedicated identity provider for your deployment.
 

Finding the Primary Domain Name

  • Log in to the Microsoft Entra Admin Center with your Microsoft credentials.
  • Navigate to Identity->Overview.
  • In the Overview section, take note of the Primary Domain. This will be needed at the end of the process. 


 

Configuring the Azure Active Directory Synchronization App

  1. From the Entra admin center, expand the Applications node and select App registrations, followed by New registration.
  2. Click the Register button.
  3. After clicking Register and the process completes, it will automatically open the newly created application.
     • Note: Record the Application (client) ID for the ASP Directory Provider, as this will be needed at the end of the process.
  4. Click Certificates & secrets.
  5. Choose the +New client secret button.
  6. Enter the Description as: ASP Directory Provider
  7. Choose 24 months.
     • Note: A new client secret will be requested by Veritas at the 24-month mark.
  8. Click Add.
  9. After clicking Add, it will immediately show the secret key Value. It is very important to copy and save the Value before exiting this page; otherwise the key cannot be retrieved and a new one will need to be created.
  10. While still on the same screen, add the permissions needed to read the directory listing of users: click the API permissions button.
  11. Click the Add a permission button.
  12. Under Microsoft APIs, choose the large Microsoft Graph button.
  13. Select Application permissions.
  14. Scroll down the list, expand Directory and choose Directory.Read.All.
  15. Click Add permissions.
  16. Click Grant admin consent for <your tenant> and choose Yes in the pop-up to save the changes. The end result should look like the image below.
  17. On the left, go to Identity->Applications->Enterprise applications.
  18. In the search box, type ASP to find the newly created app.
  19. Click the application so that it opens and choose Properties.
  20. Change the Assignment required? option to Yes.
  21. Click Save.
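As an added check that is not part of this article or of any Veritas tooling: the Python script below validates an app registration object (in the Microsoft Graph /applications shape, as returned by the Graph API) against the settings configured above, flagging any permission other than Directory.Read.All granted as an Application permission and any client secret that is expired or outlives the 24-month limit. The Microsoft Graph and permission GUIDs are public Microsoft values; the two sample objects are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Public Microsoft identifiers (well known, not taken from the article):
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"         # Microsoft Graph
DIRECTORY_READ_ALL_ROLE = "7ab1d382-f21e-4acd-a863-ba3e13f7da61"  # Directory.Read.All, Application
USER_READ_SCOPE = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"          # User.Read, Delegated
MAX_SECRET_LIFETIME = timedelta(days=731)  # the article's 24-month secret lifetime


def check_registration(app: dict, now: datetime) -> list[str]:
    """Return findings for an app registration object in the Graph /applications shape.
    An empty list means: only Directory.Read.All (Application) on Microsoft Graph and
    at least one unexpired client secret that lasts no longer than 24 months."""
    findings = []
    graph_roles = set()
    for res in app.get("requiredResourceAccess", []):
        for acc in res.get("resourceAccess", []):
            if res.get("resourceAppId") == MS_GRAPH_APP_ID and acc.get("type") == "Role":
                graph_roles.add(acc["id"])
            else:  # other APIs, or Delegated ("Scope") entries, are not what the article asks for
                findings.append(f"unexpected {acc.get('type')} permission {acc.get('id')} "
                                f"on resource {res.get('resourceAppId')}")
    if DIRECTORY_READ_ALL_ROLE not in graph_roles:
        findings.append("missing Microsoft Graph Application permission Directory.Read.All")
    for extra in sorted(graph_roles - {DIRECTORY_READ_ALL_ROLE}):
        findings.append(f"unexpected Microsoft Graph Application permission {extra}")
    secrets = app.get("passwordCredentials", [])
    if not secrets:
        findings.append("no client secret configured")
    for cred in secrets:
        name = cred.get("displayName", "<unnamed>")
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        if end <= now:
            findings.append(f"client secret '{name}' has expired")
        elif end - now > MAX_SECRET_LIFETIME:
            findings.append(f"client secret '{name}' lasts longer than 24 months")
    return findings


# Constructed samples in the Graph /applications shape; not real tenant data.
NOW = datetime(2024, 9, 12, tzinfo=timezone.utc)
SAMPLE_OK = {
    "requiredResourceAccess": [{"resourceAppId": MS_GRAPH_APP_ID,
                                "resourceAccess": [{"id": DIRECTORY_READ_ALL_ROLE, "type": "Role"}]}],
    "passwordCredentials": [{"displayName": "ASP Directory Provider", "endDateTime": "2026-09-01T00:00:00Z"}],
}
SAMPLE_BAD = {  # default User.Read (Delegated) left in place of the role, and a secret beyond 24 months
    "requiredResourceAccess": [{"resourceAppId": MS_GRAPH_APP_ID,
                                "resourceAccess": [{"id": USER_READ_SCOPE, "type": "Scope"}]}],
    "passwordCredentials": [{"displayName": "ASP Directory Provider", "endDateTime": "2030-01-01T00:00:00Z"}],
}
```

Run `check_registration` against the object returned by the Graph API for the ASP Directory Provider registration before handing the credentials to Veritas; any finding means the registration differs from the steps above.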

 

 
 
That completes the process. Work with your ASP technical contact to securely transfer the following information to them. Do not send it via email.
 
  • Application ID
  • Client Secret
  • Primary Domain Name