Search <book_title>...

Cohesity Alta SaaS Protection Administrator's Guide

Last Published: 2025-05-06

Product(s): Veritas Alta SaaS Protection (3.2.1)

Introduction to Cohesity Alta SaaS Protection
1. About Cohesity Alta SaaS Protection
2. Features of Cohesity Alta SaaS Protection
3. Architecture of Cohesity Alta SaaS Protection
4. Operational workflow
5. Extra Data Backup (EDB)
API permissions
1. API permissions for Microsoft 365 workloads
2. API permissions for Gmail and Google Drive
3. System and API permissions for Salesforce
4. API permissions for Entra ID
5. App permissions of Web App
Administrator portal (Web UI)
1. About the Administration portal
2. Configure the Administration portal
3. View upgrade history
Cohesity Alta SaaS Protection Copilot (AI chatbot)
1. Cohesity Alta SaaS Protection Copilot (AI chatbot)
Manage users and roles
1. Role-based access control
2. Permissions tab
What is a connector?
1. What is a connector?
2. Supported SaaS workloads and backup capabilities
3. Workflow to protect data using Cohesity Alta SaaS Protection
4. Know your subscription details
5. About transient errors
6. Overview of adding connectors
7. Configure General settings
8. Configure Capture scope
9. Configure User filter
10. Configure Group filter
11. Configure Folder filter
12. Configure credentials
  1. Assign Microsoft 365 apps registration
  2. Microsoft 365 apps registration status
  3. Manually approve Microsoft 365 apps registration
  4. Approve Microsoft 365 apps using the App Consent Grant utility
  5. Microsoft 365 apps recovery
13. Configure Custom backup policy and guidelines
14. Configure Delete policy for SharePoint Online and guidelines
15. Configure Stubbing policy
16. Guidelines to configure Stubbing policy for SharePoint Online
17. Schedule a backup
18. Configure email addresses to get notifications
19. Review configuration and edit/save/initiate backup
20. Connectors page
21. Connector status
22. Edit connector configuration
23. Delete connectors
Pre-requisites to setup protection for M365
1. Pre-requisites to setup protection for M365
Protect Microsoft 365 Multi-Geo tenant
1. Considerations for adding SharePoint/Teams Sites/OneDrive connectors for Microsoft 365 Multi-Geo tenant
Protect Exchange Online data
1. Backup and restore support for Exchange Online
2. Setting up Exchange Online data protection with Cohesity Alta SaaS Protection
  1. Configure capture scope for Exchange connectors
Protect SharePoint sites and data
1. Backup and restore support for SharePoint Online
2. Supported and unsupported SharePoint Settings and Types for backup and restore
3. Supported Sites and List templates for backup and restore
4. Supported SharePoint permission objects for backup and restore
5. Setting up SharePoint Online protection with Cohesity Alta SaaS Protection
  1. Configure capture scope for SharePoint connectors
6. Configure additional backup options for SharePoint/Teams site/ OneDrive connectors
7. End-user SharePoint data access in Cohesity Alta SaaS Protection
8. Run the Delete and Stubbing policies to the SharePoint Online environment
9. Backup limitations for SharePoint Online
Protect Teams sites
1. Backup and restore support for Teams Sites
2. Setting up Teams Site protection with Cohesity Alta SaaS Protection
  1. Configure capture scope for Team site collections connectors
3. Backup limitations for Teams site collections
Protect OneDrive data
1. Backup and restore support for OneDrive
2. Setting up OneDrive protection with Cohesity Alta SaaS Protection
  1. Configure capture scope for OneDrive connectors
Protect Teams chats
1. Backup and restore support for Teams chat
2. Setting up Teams chat protection with Cohesity Alta SaaS Protection
  1. Configure capture scope for Teams chat connectors
3. Backup limitations for Teams chat
Protect GoogleDrive data
1. Backup and restore support for GoogleDrive
2. Prerequisites to add Google Drive connectors
3. Setting up Google Drive protection with Cohesity Alta SaaS Protection
  1. Configure the Capture scope for Google Drive connectors to backup users data in your Google Drive environment
4. Backup limitations for Google Drive
5. FAQs
Protect Gmail data
1. Backup and restore support for Gmail
2. Prerequisites to add Gmail connectors
3. Setting up Gmail protection with Cohesity Alta SaaS Protection
  1. Configure capture scope for Gmail connectors
Protect Audit logs
1. Add Audit log connectors
2. Audit log connector limitations
Protect Salesforce data and metada
1. About Salesforce protection
2. Key considerations and prerequisites for adding Salesforce connectors
3. Add Salesforce connectors
4. Limitations of Salesforce connectors
5. Salesforce Objects not supported for backup
Protect Entra ID objects
1. Backup and restore support for Entra ID
2. Setting up Entra ID protection with Cohesity Alta SaaS Protection
3. Add Entra ID (Azure AD) connectors
4. Backup and restore limitations for Entra ID
Protect Box data
1. Backup and restore support for Box
2. Prerequisites for Box connectors configuration
3. Setting up Box protection with Cohesity Alta SaaS Protection
4. Configure capture scope for Box connector
5. Backup limitations for Box
Protect Slack data
1. Add Slack connectors
Protect Email/Message data
1. Prerequisite for Email/message connector
2. Add Email/Messages file
Configure Retention policies
1. About WORM policies
2. Ingestion WORM policies page
3. Add/edit Ingestion WORM retention policies and guidelines
4. Add/edit At-Rest WORM retention policies
5. Add/edit Deletion policies
6. View deletion history
7. How to edit the policy evaluation interval?
8. How to add a Location filter?
9. How to add a filter?
Perform backups
1. Perform on-demand/ad-hoc backup
2. Backup dashboard
3. Video tutorial for connector troubleshooting
4. View backup events
  1. About Event suppression
  2. Create event suppression rules
5. Viewing backup tasks details
View and share backed-up data
1. Browse backed-up data
2. Share data
3. Remove data sharing
Analytics
1. About analytics
2. Analytics page and refresh behavior
3. Aggregation buckets
4. Gain insights into storage utilization
5. Gain insights into storage utilization for Entra ID and Salesforce connectors
6. Gain insights into blocked activities, most active users, and more
7. Gain insights into data volume (size and item count) on legal hold
8. Gain insights into data volume (size and item count) saved in different Enhanced cases
9. Gain insights into data volume (size and count) under different policies
10. Gain insights into data volume (size and item count) under different Tags
11. Gain insights into data volume (size and item count) under different Tags behaviors
12. Gain insights into storage savings after deduplication and compression
13. Gain insights into data ingestion trends
Perform restores using Administration portal
1. About restore
2. Prerequisites for restore
3. Restore Exchange Online mailboxes
4. Restore SharePoint/OneDrive/Teams Sites and data
  1. Restore of OneDrive, Microsoft 365 Group, and Microsoft Teams sites
  2. Restore limitations for SharePoint Online
5. Restore Teams chat messages and Teams channel conversations
  1. Restore limitations for Teams chat
6. Restore O365 audit logs
7. Restore Box data
  1. Restore limitations for Box
8. Restore Google Drive data
  1. Overwrite restore behavior for Box/Google Drive data
9. Restore Gmail data
10. About Salesforce Data, Metadata, and CRM Content restore and Sandbox seeding
11. About Entra ID (Azure AD) objects and records restore
12. Restore Slack data
13. Restore data to File server
14. Set default restore point
15. Configure Restore all, Restore all versions, Point-in-time, and Specific range restore options
16. Configure email addresses for notifications
17. Downloading an item
Restore dashboard
1. About Restore dashboard
2. Restore job statuses
3. How to cancel a restore job?
4. View the restore events
Install services and utilities
1. About services and utilities
2. Pre-requisites to download and install services and utilities
3. Downloading services and utilities
4. Where to install the services and utilities
5. Installing or upgrading services and utilities
6. Configuring service accounts for services and utilities
7. About the Apps Consent Grant Utility
Discovery
1. About eDiscovery/searches
2. Add search templates
3. Add Discovery cases
4. Perform ad hoc search and add data to Discovery cases
5. View data in Discovery cases
6. Edit Discovery cases
7. DeleteDiscovery cases
8. Assign Discovery cases to users
Configure Tagging polices
1. About the Tagging policy
2. Add Tags
3. Add/edit Tagging policies
4. Adding regular expressions
  1. RegEx and query examples for PII detection
Configure Tiering policy
1. About the Tiering policy
2. Add/edit Tiering policies
Auditing
1. Auditing
Manage Stors (Storages)
1. Viewing Stors (Storages)
2. Requesting a new Stor
3. General tab
4. Version control settings
5. Metadata tab
6. Statistical policies tab
7. Location-Mapping tab
8. Backup tab
9. Custodian Groups tab
10. Advanced tab
11. Analytics tab

API permissions for Microsoft 365 workloads

If you use the Microsoft 365 App Registrations mode to configure Microsoft 365 connectors, such as Exchange, SharePoint, Teams Site, OneDrive, and Teams Chat, Cohesity Alta SaaS Protection requires specific permissions to back up and restore content at the source location. A single app is created for the Microsoft 365 tenant for all the Microsoft 365 workloads. You will need to grant consent for this app, ensuring that it has the following permissions:

Table:

Microsoft 365 workloads	Claim names	Permissions	Description by Microsoft	User by Cohesity Alta SaaS Protection...
Exchange Web Services API access for Exchange.	MailboxSettings.Read	Read all user mailbox settings.	Allows the app to read user's mailbox settings without a signed-in user. Does not include permission to send mail.	To read mailbox type when using the Graph Management API mode.
	Group.ReadWrite.All	Read and write all groups.	Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write conversations. All of these operations can be performed by the app without a signed-in user.	To add impersonation accounts as members to Microsoft 365 Groups/Teams to back up and restore their mailboxes in the Graph Management API mode.
	Directory.Read.All	Read directory data.	Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user.	To fetch a list of users within a tenant and obtain a list of mailboxes using the Graph Management API mode.
	Reports.Read.All	Read all usage reports.	Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory.	To get the Exchange growth report from Exchange Online.
	RoleManagement.ReadWrite.Directory	Read and write role management data for Microsoft Entra ID.	Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships.	To add impersonation accounts as administrators to role-assigned Microsoft 365 groups to backup and restore their mailboxes using Graph Management API mode.
Application permissions for Exchange	full_access_as_app	Use Exchange Web Services with full access to all mailboxes.	Allows the app to have full access by Exchange Web Services to all mailboxes without a signed-in user.	To backup/ and restore data from all types of mailboxes. No other granular permissions are provided by Microsoft for Exchange Web Services.
Application permissions for Exchange	Exchange.ManageAsApp	Manage Exchange as an application.	Allows the app to manage the organization's Exchange environment without any user interaction. It includes mailboxes, groups, and other configuration objects. To enable management actions, an admin must assign the appropriate roles directly to the app.	To allow Exchange Online PowerShell access for the following operations when the PowerShell Management API mode is used: Gather a list of mailboxes and their details. Add impersonation accounts to Microsoft 365 Group/Teams mailboxes. Get permissions assigned to mailboxes to capture ACLs.
Microsoft Graphs API permissions for SharePoint/Teams Site/OneDrive.	Sites.ReadWrite.All	Read and write items in all site collections.	Allows the app to create, read, update, and delete documents and list items in all site collections without a signed in user.	To fetch list items from lists in SharePoint sites/Teams sites and One Drives during incremental backups.
	Directory.Read.All	Read directory data.	Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user.	To fetch channel information for backup and restore of Teams Wikis.
	Reports.Read.All	Read all usage reports.	Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory.	To get a SharePoint growth report from SharePoint Online.
	User.Read.All	Read all user's full profiles.	Allows the app to read user profiles without a signed in user.	To fetch owners information for Team Sites. Note: This is required only with Modern OAuth authentication mode.
CSOM and PowerShell access for SharePoint/TeamsSite/OneDrive	TermStore.ReadWrite.All	Read and write managed metadata.	Allows the app to write enterprise-managed metadata and to read basic site info without a signed-in user.	To backup and restore managed metadata for SharePoint list items.
	Sites.Manage.All	Read and write items and lists in all site collections.	Allows the app to read, create, update, and delete document libraries and lists in all site collections without a signed in user.	To create SharePoint lists during restore.
	Sites.ReadWrite.All	Read and write items in all site collections.	Allows the app to create, read, update, and delete documents and list items in all site collections without a signed in user.	To backup, restore, and stub list items SharePoint sites/Teams sites and One Drives.
	Sites.FullControl.All	Have full control of all site collections.	Allows the app to have full control of all site collections without a signed-in user.	To backup and restore role assignments of objects in SharePoint sites/Teams sites and One Drives Capture ACLs for various SharePoint objects.
Microsoft Graphs API permissions for Teams Chat.	ChannelMessage.Send (Delegated Permissions)	Send channel messages.	Allows an app to send channel messages in Microsoft Teams, on behalf of the signed-in user.	To restore channel messages back to the destination channel. (User impersonated as channel member.)
	ChatMessage.Send (Delegated Permissions)	Send user chat messages.	Allows an app to send one-to-one and group chat messages in Microsoft Teams, on behalf of the signed-in user.	To restore chat messages back to the destination chat. (User impersonated as a chat member.)
	ChatMember.ReadWrite.All	Add and remove members from all chats.	Add and remove members from all chats, without a signed-in user.	To retrieve the members of a chat, and during the restore process, add a member to the chat. This added member is used on behalf of that user for further chat message restoration.
	Directory.Read.All	Read directory data.	Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user.	To get a list of users whose chats need to be backed up in a tenant to be backed up.
	TeamMember.ReadWrite.All	Add and remove members.	Add and remove members from all teams, without a signed-in user. Also allows changing a team member's role, for example from owner to non-owner.	To add a member to Team, required during restore of message for public channels.
	Chat.Read.All	Read all chat messages.	Allows the app to read all 1-to-1 or group chat messages in Microsoft Teams.	To read chat messages during backup using Microsoft Teams Export API. Also used to get information like chat name.
	ChannelMember.ReadWrite.All	Add and remove members from all channels.	Add and remove members from all channels, without a signed-in user. Also allows changing a member's role, for example from owner to non-owner.	To add member to channel during restore of message for private channels.
	ChannelMessage.Read.All	Read channel messages.	Allows the app to read all channel messages in Microsoft Teams.	To read channel messages during backup using Microsoft Teams Export API.
Application permission for Teams Chat	full_access_as_app	Use Exchange Web Services with full access to all mailboxes.	Allows the app to have full access by Exchange Web Services to all mailboxes without a signed-in user.	To back up group chats or Teams posts, fetch data from User or Teams mailboxes by reading Teams Message data. The process is not applicable when using the Export API for backup.

Note:

If you are adding Exchange connectors using the management API as PowerShell with the Application registration as authentication, you must assign the following roles to the applications.

You must use the Connector service to create any connector using the management API as PowerShell, as the PowerShell management API authentication is not yet supported on the Administration portal. In case you have no access to the Connector service, contact the Cohesity Support team.