User Roles and Application Permissions
  • 14 Apr 2023
Introduction

To register your Microsoft 365 domain and protect the Microsoft 365 data using Cohesity, please ensure the following prerequisites are met:

  1. A Microsoft 365 user account with the requisite roles
  2. Custom application with the requisite permissions

Cohesity requires a Microsoft domain user account to discover and protect Office 365 Exchange Online-related data. The user account does not need to be licensed with a valid Microsoft 365 license.

Cohesity uses the Microsoft Graph, Office 365 Exchange Online, SharePoint, and EWS APIs for secure authentication, object discovery, backup, and recovery in Microsoft 365. To call these APIs, Cohesity uses a custom app that you create and register in the Azure portal.

Disclaimer: the configuration of specific user roles and application permissions may differ per Microsoft 365 environment. If you're having difficulties setting up the user roles and application permissions that Cohesity requires, please contact Microsoft for assistance.

User Roles

User Role                  Why It's Required
ApplicationImpersonation   Enables the application to impersonate users in an organization to perform tasks on behalf of the user.
View-Only Configuration    Enables administrators to view all the non-recipient Exchange configuration settings in an organization.
View-Only Recipients       Enables administrators to view the configuration of recipients, such as mailboxes, mail users, mail contacts, distribution groups, and dynamic distribution groups.
MailboxSearch              Enables administrators to search the content of one or more mailboxes in an organization.
MailRecipients             Enables administrators to manage existing mailboxes, mail users, mail contacts, distribution groups, and dynamic distribution groups in an organization.

You can combine the View-Only Configuration role with the View-Only Recipients role to create a role group that can view every object in an organization.

Application Permissions

App Permission                          Permission Type   Mailbox   OneDrive   SharePoint
AllSites.FullControl                    Delegated         YES       YES        YES
AllSites.Manage                         Delegated         YES       YES        YES
AllSites.Read                           Delegated         YES       YES        N/A
Channel.Create                          Application       N/A       N/A        N/A
Channel.ReadBasic.All                   Application       N/A       N/A        N/A
ChannelMember.ReadWrite.All             Application       N/A       N/A        N/A
Directory.ReadWrite.All                 Application       YES       YES        N/A
Files.ReadWrite.All                     Application       N/A       YES        N/A
Group.ReadWrite.All                     Application       N/A       YES        N/A
Group.Read.All                          Application       N/A       N/A        N/A
Group.Create                            Application       N/A       N/A        N/A
MailboxSettings.Read                    Application       YES       N/A        N/A
MyFiles.Read                            Delegated         YES       YES        YES
MyFiles.Write                           Delegated         YES       YES        YES
Reports.Read.All                        Application       YES       YES        N/A
SharePointTenantSettings.ReadWrite.All  Delegated         N/A       N/A        N/A
Sites.FullControl.All                   Application       YES       YES        YES
Sites.Manage.All                        Application       YES       YES        YES
Sites.Read.All                          Application       N/A       N/A        N/A
Sites.ReadWrite.All                     Application       YES       YES        YES
Sites.Search.All                        Delegated         YES       YES        N/A
TermStore.ReadWrite.All                 Application       YES       YES        YES
TermStore.ReadWrite.All                 Delegated         YES       YES        YES
User.Read.All                           Application       YES       YES        N/A
User.ReadWrite.All                      Application       YES       YES        YES
User.ReadWrite.All                      Delegated         YES       YES        YES

OAuth 2.0 Authentication for EWS API

Cohesity supports OAuth 2.0 authentication for more secure communication with Microsoft 365. To enable OAuth 2.0 authentication for Microsoft Exchange Online, or when using the Microsoft Graph API permission User.Read.All, you need to add the Office 365 Exchange Online permission full_access_as_app to the custom app.
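As an added check (example code, not Cohesity's or Microsoft's tooling), the script below compares the permissions granted to the custom app against the Application Permissions table above plus the Exchange Online full_access_as_app permission, and reports what is missing, what is extra and should be questioned in a least-privilege review, and which required permissions still lack admin consent. The CSV column layout it parses is an assumption made for this example, not an Azure export format.

```python
import csv
from io import StringIO

# Required (permission, type) pairs, copied from the Application Permissions table;
# the last entry is the Office 365 Exchange Online permission needed for EWS OAuth 2.0.
REQUIRED = {
    ("AllSites.FullControl", "Delegated"), ("AllSites.Manage", "Delegated"),
    ("AllSites.Read", "Delegated"), ("Channel.Create", "Application"),
    ("Channel.ReadBasic.All", "Application"), ("ChannelMember.ReadWrite.All", "Application"),
    ("Directory.ReadWrite.All", "Application"), ("Files.ReadWrite.All", "Application"),
    ("Group.ReadWrite.All", "Application"), ("Group.Read.All", "Application"),
    ("Group.Create", "Application"), ("MailboxSettings.Read", "Application"),
    ("MyFiles.Read", "Delegated"), ("MyFiles.Write", "Delegated"),
    ("Reports.Read.All", "Application"), ("SharePointTenantSettings.ReadWrite.All", "Delegated"),
    ("Sites.FullControl.All", "Application"), ("Sites.Manage.All", "Application"),
    ("Sites.Read.All", "Application"), ("Sites.ReadWrite.All", "Application"),
    ("Sites.Search.All", "Delegated"), ("TermStore.ReadWrite.All", "Application"),
    ("TermStore.ReadWrite.All", "Delegated"), ("User.Read.All", "Application"),
    ("User.ReadWrite.All", "Application"), ("User.ReadWrite.All", "Delegated"),
    ("full_access_as_app", "Application"),
}

def parse_export(text: str) -> list[dict]:
    """Parse rows of permission,type,status. The column layout is an assumption
    made for this example, not a Microsoft export format."""
    return list(csv.DictReader(StringIO(text.strip())))

def audit(rows: list[dict]) -> dict:
    """Report what is missing (backup fails), what is extra (least-privilege review)
    and which required permissions are present but not yet admin-consented."""
    granted = {(r["permission"], r["type"]) for r in rows}
    return {
        "missing": sorted(REQUIRED - granted),
        "extra": sorted(granted - REQUIRED),
        "not_consented": sorted((r["permission"], r["type"]) for r in rows
                                if (r["permission"], r["type"]) in REQUIRED
                                and r["status"] != "Granted"),
    }

# Constructed sample export: MailboxSettings.Read missing, Sites.Read.All not yet
# consented, and Mail.ReadWrite granted although Cohesity does not list it.
SAMPLE_EXPORT = "permission,type,status\n" + "\n".join(
    f"{p},{t},Granted" for p, t in sorted(
        REQUIRED - {("MailboxSettings.Read", "Application"), ("Sites.Read.All", "Application")})
) + "\nSites.Read.All,Application,Not granted\nMail.ReadWrite,Application,Granted\n"

if __name__ == "__main__":
    for key, value in audit(parse_export(SAMPLE_EXPORT)).items():
        print(f"{key}: {value}")
```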

Add-in Permissions in SharePoint

Scope URI                                          Required Rights
http://sharepoint/content/tenant                   FullControl
http://sharepoint/content/sitecollection           FullControl
http://sharepoint/content/sitecollection/web       FullControl
http://sharepoint/content/sitecollection/web/list  FullControl
http://sharepoint/taxonomy                         FullControl

Example API/Permissions End Result Within Azure Portal

(Screenshot of the custom app's API permissions page in the Azure portal; the image is not reproduced in this text.)