Introduction
To register your Microsoft 365 domain and protect the Microsoft 365 data using Cohesity, please ensure the following prerequisites are met:
A Microsoft 365 user account with the requisite roles
Custom application with the requisite permissions
Cohesity requires a Microsoft domain user account to discover and protect Office 365 Exchange Online-related data. The user account does not need to be licensed with a valid Microsoft 365 license.
Cohesity uses the Microsoft Graph, Office 365 Exchange Online, SharePoint, and EWS APIs for secure authentication, object discovery, backup, and recovery in Microsoft 365. Cohesity uses a custom app created and registered on the Azure portal to use said APIs.
User Roles
User Roles | Why It's Required? |
|---|---|
View-Only Configuration | Enables administrators to view all the non-recipient Exchange configuration settings in an organization. |
View-Only Recipients | Enables administrators to view the configuration of recipients, such as mailboxes, mail users, mail contacts, distribution groups, and dynamic distribution groups. |
MailboxSearch | Enables administrators to search the content of one or more mailboxes in an organization. |
MailRecipients | Enables administrators to manage existing mailboxes, mail users, mail contacts, distribution groups, and dynamic distribution groups in an organization. |
You can combine the View-Only Configuration with roles associated with the View-Only Recipients role to create a role group that can view every object in an organization.
Application Permissions
App Permissions | Permission Type | Mailbox | OneDrive | SharePoint | Group | Teams |
|---|---|---|---|---|---|---|
AllSites.FullControl | Delegated | YES | YES | YES | YES | YES |
AllSites.Manage | Delegated | YES | YES | YES | YES | YES |
AllSites.Read | Delegated | YES | YES | YES | YES | YES |
Channel.Create | Application | N/A | N/A | N/A | N/A | YES |
Channel.ReadBasic.All | Application | N/A | N/A | N/A | N/A | YES |
ChannelMember.ReadWrite.All | Application | N/A | N/A | N/A | N/A | YES |
Directory.ReadWrite.All | Application | YES | YES | YES | YES | YES |
Files.ReadWrite.All | Application | N/A | YES | YES | YES | YES |
Group.ReadWrite.All | Application | N/A | YES | YES | YES | YES |
Group.Read.All | Application | N/A | YES | YES | YES | YES |
Group.Create | Application | N/A | N/A | N/A | YES | YES |
MailboxSettings.Read | Application | YES | N/A | N/A | N/A | N/A |
MyFiles.Read | Delegated | YES | YES | YES | YES | YES |
MyFiles.Write | Delegated | YES | YES | YES | YES | YES |
Reports.Read.All | Application | YES | YES | YES | YES | YES |
Sites.FullControl.All | Application | N/A | N/A | YES | YES | YES |
Sites.Manage.All | Application | YES | YES | YES | YES | YES |
Sites.Read.All | Application | N/A | N/A | N/A | YES | YES |
Sites.ReadWrite.All | Application | YES | YES | YES | YES | YES |
Sites.Search.All | Delegated | YES | YES | YES | YES | YES |
TermStore.ReadWrite.All | Application | YES | YES | YES | YES | YES |
TermStore.ReadWrite.All | Delegated | YES | YES | YES | YES | YES |
User.Read.All | Application | YES | YES | YES | YES | YES |
User.ReadWrite.All | Application | N/A | N/A | YES | YES | YES |
User.ReadWrite.All | Delegated | YES | YES | YES | YES | YES |
OAuth 2.0 Authentication for EWS API
Cohesity supports OAuth 2.0 authentication for more secure communication with O365. To enable OAuth 2.0 authentication for Microsoft Exchange Online or the Microsoft Graph API permission User.Read.All, you need to add Office 365 Exchange Online, full_access_as_app permission to the custom app.
Add-in Permissions in SharePoint
Scope URI | Required Rights |
|---|---|
http://sharepoint/content/tenant | FullControl |
http://sharepoint/content/sitecollection | FullControl |
http://sharepoint/content/sitecollection/web | FullControl |
http://sharepoint/content/sitecollection/web/list | FullControl |
http://sharepoint/taxonomy | Read,Write |
Tenant Permissions
For recovering the SharePoint Online site to the Microsoft 365 tenant or an alternate Microsoft 365 tenant, please ensure that you configure the following Custom Scripts permissions on the tenant:
1. Allow users to run custom scripts on personal sites
2. Allow users to run custom scripts on self-service created sites