How To Create an Exchange Connector in the Cohesity Alta SaaS Protection Administration Portal

Description

This article will discuss how to create an Exchange connector in the Cohesity Alta SaaS Protection (CASP) Admin Portal.  

Pre-requisite: The CASP Connector Service must be installed and configured on a VM in Azure prior to performing these steps. 

For more information on Installing and Configuring the Connector Service, refer to the following article: How to Install and Configure the Cohesity Alta SaaS Protection Connector Service

1. Log into the Admin portal using an account that has the correct permissions
2. Once logged in go to Backup -> Connectors -> New Backup Connector.
   
   
    
3. The dialog box will prompt to choose the Connector type based on the workload that is to be ingested. Click next to accept the default option. 
   
   
    
4. Enter the details in the General section:
    
   • Connector Name: This should reflect the type of data that will be ingested. This name is found throughout many areas within the admin portal. For this example, use 'O365 Mailboxes'. 
   • ​​​​​​Stor: It is very important to choose the correct Stor.  Each Stor will be named according to the type of data that will be stored within the tenant.  
   • Machine: Choose the server where this connector will be running on.  For Cohesity hosted customers, this will default to the correct machine.
   • Enable email notification options: This option will allow a customer to enter an email address(es) where a summary email can be sent when a connector has completed the crawl.  
     
     
     
      
5. Configure the scope of the Exchange Connector. 
   • Exchange Settings
     • User Mailboxes: The default option which will ingest all data for O365 licensed mailboxes including Shared Mailboxes. 
     • Groups/Teams or Public mailboxes: This will backup either groups/team or public mailboxes.  To backup each type will require a separate connector for each.  
     • All mailboxes: Will ingest data for all the mailboxes in the O365 tenant.  If there is a need to only ingest data for certain mailboxes, select 'Specific mailboxes' which will allow you to specify the SMTP addresses for those mailboxes. 
   • Mailbox Scope
     • All mailboxes: The backup will capture all mailboxes.
     • Rolling mailbox scope:  Will backup only a selected number of mailboxes.  Once a mailbox has been assigned to a rolling connector, it will forever be bound to that connector. (NOTE: Do not select this option unless directed to by Cohesity Support.)
     • Alphabetical mailbox scope: The connector will process mailboxes based on the first letter of the SMTP address.  If selected, put the starting and ending letter for the connector.
   • Limit backup to specific domains: This option allows for capturing mailboxes that have email addresses from specific domains.  It also works in conjunction with any other scoping or EntraID attribute restrictions.
   • User Filter: User filter allows filtering of user mailboxes based on an extended Entra ID attribute of an exact match, a wildcard match or even a regular expression.
   • Group Filter: Group filter allows filtering of mailboxes based on an Entra ID group of an exact match.  Notes when using the Group Filter:
     • If there are multiple include filters, any users which appear in any of the groups will be included.
     • Exclude filters take precedence.  This means that if a user is in any of the groups which are excluded that user will not be captured, even if the user also belongs to groups that are being included.
     • If “Expand Nested Groups” is checked, the users returned for the group filter will include direct members of the group, as well as indirect members i.e. a user who is a member of a group where that group is a member of the identified group.  There is no limit to how deep the nesting can be.  If the “Expand Nested Groups” is not checked, only users who are direct members of the group will be returned.
     • This option only applies when the "All Mailboxes" mode is selected
   • Folder Filters: Folder filters allows filtering by inclusion or exclusion of folders. Filtering of folders is based on matching the folder tree via an exact match, a wildcard or even a regular expression.  Keep in mind that including or excluding folders below, will take precedence over the backup policy exclude location setting in the policy configuration step.
   • Options: 
     • Recoverable items: The 'Recoverable Items' will be in scope for both the active and, if applicable, archive mailboxes.  This setting cannot be enabled if 'Process System Folders' is true since the system folders include recoverable items.
     • Archive mailboxes: An 'Archive Mailbox' entry will be added containing the content of the archive mailbox.  This setting is not available for public folders.
     • Use incremental backup:  Copies data that has been changed or created since the previous backup without full scan.
       • Force full backup every X days.
   • Select 'Next' once all options are configured. 
     
     
      
6. Configure the Credentaisl for the Exchange connector by entering the EWS authorization credentials.  
   • Microsoft 365 app registrations
     • If apps are already created during the CASP provisioning process, all that has to be done is assign an available app registration to the EWS Connector.
     • Select 'Assign Microsoft 365 Apps'.
       
       
        
     • Ensure the correct tenant domain is entered, enter the number of apps to provision, then select 'Assign'.  By default, only one app should assigned to an EWS Connector, unless directed otherwise by Cohesity Support.
       
       
        
     • Ensure the app is set as 'Active'.  If not, have your Azure Global Admin grant admin consent to the app.  
       
       
       
        
   • Manual
     • The following article walks through the process on how to manually create this  authorization: How to prepare a Microsoft 365 tenant for Cohesity Alta SaaS Protection using Modern Authentication
     • Enter in the TenantID, ClientID (AppID), and Client Secret in for the EWS and Microsoft Graph authorization sections.
     • Once completed, select 'Next'.
       
       
        
7. The next section allows for scheduling the connector crawls.  Simply click the 'Add backup schedule' button and apply the settings as needed then click next.  Note: This is optional.  If no schedule is added, the connector will not run unless done manually. 
   
   
    
8. If you would like email notifications to be sent after a backup completes, enable the feature, and enter in the SMTP addresses you'd like to include.  This setting is optional 
   
   
    
9. In the Review seciton, ensure that everything looks good.  Select 'Save' to complete the process.