User Roles and Application Permissions
  • 18 Jul 2024

Introduction

To register your Microsoft 365 domain and protect the Microsoft 365 data using Cohesity, please ensure the following prerequisites are met:

  1. A Microsoft 365 user account with the requisite roles
  2. Custom application with the requisite permissions

Cohesity requires a Microsoft domain user account to discover and protect Office 365 Exchange Online-related data. The user account does not need to be licensed with a valid Microsoft 365 license.

Cohesity uses the Microsoft Graph, Office 365 Exchange Online, SharePoint, and EWS APIs for secure authentication, object discovery, backup, and recovery in Microsoft 365. To call these APIs, Cohesity uses a custom app that you create and register in the Azure portal.

Disclaimer: the configuration of specific user roles and application permissions may differ per Microsoft 365 environment. If you're having difficulties setting up the user roles and application permissions that Cohesity requires, please contact Microsoft for assistance.

User Roles

| User Role | Why It's Required |
|---|---|
| View-Only Configuration | Enables administrators to view all the non-recipient Exchange configuration settings in an organization. |
| View-Only Recipients | Enables administrators to view the configuration of recipients, such as mailboxes, mail users, mail contacts, distribution groups, and dynamic distribution groups. |
| MailboxSearch | Enables administrators to search the content of one or more mailboxes in an organization. |
| MailRecipients | Enables administrators to manage existing mailboxes, mail users, mail contacts, distribution groups, and dynamic distribution groups in an organization. |

You can combine the View-Only Configuration role with the View-Only Recipients role in one role group to create a role group that can view every object in an organization.

Application Permissions

| App Permission | Permission Type | Mailbox | OneDrive | SharePoint | Group | Teams |
|---|---|---|---|---|---|---|
| AllSites.FullControl | Delegated | YES | YES | YES | YES | YES |
| AllSites.Manage | Delegated | YES | YES | YES | YES | YES |
| AllSites.Read | Delegated | YES | YES | YES | YES | YES |
| Channel.Create | Application | N/A | N/A | N/A | N/A | YES |
| Channel.ReadBasic.All | Application | N/A | N/A | N/A | N/A | YES |
| ChannelMember.ReadWrite.All | Application | N/A | N/A | N/A | N/A | YES |
| Directory.ReadWrite.All | Application | YES | YES | YES | YES | YES |
| Files.ReadWrite.All | Application | N/A | YES | YES | YES | YES |
| Group.ReadWrite.All | Application | N/A | YES | YES | YES | YES |
| Group.Read.All | Application | N/A | YES | YES | YES | YES |
| Group.Create | Application | N/A | N/A | N/A | YES | YES |
| MailboxSettings.Read | Application | YES | N/A | N/A | N/A | N/A |
| MyFiles.Read | Delegated | YES | YES | YES | YES | YES |
| MyFiles.Write | Delegated | YES | YES | YES | YES | YES |
| Reports.Read.All | Application | YES | YES | YES | YES | YES |
| Sites.FullControl.All | Application | N/A | N/A | YES | YES | YES |
| Sites.Manage.All | Application | YES | YES | YES | YES | YES |
| Sites.Read.All | Application | N/A | N/A | N/A | YES | YES |
| Sites.ReadWrite.All | Application | YES | YES | YES | YES | YES |
| Sites.Search.All | Delegated | YES | YES | YES | YES | YES |
| TermStore.ReadWrite.All | Application | YES | YES | YES | YES | YES |
| TermStore.ReadWrite.All | Delegated | YES | YES | YES | YES | YES |
| User.Read.All | Application | YES | YES | YES | YES | YES |
| User.ReadWrite.All | Application | N/A | N/A | YES | YES | YES |
| User.ReadWrite.All | Delegated | YES | YES | YES | YES | YES |

OAuth 2.0 Authentication for EWS API

Cohesity supports OAuth 2.0 authentication for more secure communication with Microsoft 365. To enable OAuth 2.0 authentication for Microsoft Exchange Online or for the Microsoft Graph API permission User.Read.All, add the Office 365 Exchange Online API permission full_access_as_app to the custom app.
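The Application Permissions table and the full_access_as_app requirement above describe what the custom app must be granted; a defender also wants to confirm what it actually holds, so that missing grants and over-granted permissions both stand out. The following Microsoft Graph PowerShell SDK script is an added example, not Cohesity's or Microsoft's own code; it assumes the Application rows were granted as app-only role assignments, compares permission names regardless of which resource API (Graph, SharePoint, Exchange Online) issued them, and that the placeholder $AppId is replaced with the Application (client) ID of your custom app.

```powershell
# Added example: compare the app-only permissions granted to a registered app
# against the Application rows listed on this page. Requires the Microsoft.Graph
# PowerShell SDK; Application.Read.All is sufficient to read the grants.
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

# Placeholder: replace with the Application (client) ID of the Cohesity custom app.
$AppId = "<your-app-client-id>"

# Application-type permissions from the table, plus the Exchange Online role for EWS OAuth 2.0.
$Required = @(
    "Channel.Create", "Channel.ReadBasic.All", "ChannelMember.ReadWrite.All",
    "Directory.ReadWrite.All", "Files.ReadWrite.All", "Group.ReadWrite.All",
    "Group.Read.All", "Group.Create", "MailboxSettings.Read", "Reports.Read.All",
    "Sites.FullControl.All", "Sites.Manage.All", "Sites.Read.All", "Sites.ReadWrite.All",
    "TermStore.ReadWrite.All", "User.Read.All", "User.ReadWrite.All",
    "full_access_as_app"
)

$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId in this tenant." }

# An app role assignment names the resource API by service principal ID and the
# permission by role GUID; resolve both so the output shows readable names.
$resourceCache = @{}
$granted = foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    if (-not $resourceCache.ContainsKey($a.ResourceId)) {
        $resourceCache[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    }
    $resource = $resourceCache[$a.ResourceId]
    $role = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
    [pscustomobject]@{ Resource = $resource.DisplayName; Permission = $role.Value }
}

$grantedNames = @($granted.Permission | Sort-Object -Unique)
$missing = $Required | Where-Object { $_ -notin $grantedNames }
$extra   = $grantedNames | Where-Object { $_ -notin $Required }

"Granted application permissions:"
$granted | Sort-Object Resource, Permission | Format-Table -AutoSize
if ($missing) { "MISSING (required by this page): $($missing -join ', ')" }
if ($extra)   { "EXTRA (granted but not listed here; review for least privilege): $($extra -join ', ')" }
```

The Delegated rows (AllSites.*, MyFiles.*, Sites.Search.All and the other Delegated entries) are recorded as OAuth2 permission grants rather than app role assignments, so they do not appear in this output; Get-MgOauth2PermissionGrant lists those separately.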

Add-in Permissions in SharePoint

| Scope URI | Required Rights |
|---|---|
| http://sharepoint/content/tenant | FullControl |
| http://sharepoint/content/sitecollection | FullControl |
| http://sharepoint/content/sitecollection/web | FullControl |
| http://sharepoint/content/sitecollection/web/list | FullControl |
| http://sharepoint/taxonomy | Read, Write |

Tenant Permissions

For recovering the SharePoint Online site to the Microsoft 365 tenant or an alternate Microsoft 365 tenant, please ensure that you configure the following Custom Scripts permissions on the tenant:

1. Allow users to run custom scripts on personal sites
2. Allow users to run custom scripts on self-service created sites