1. UNTERSTÜTZUNG
  2. Wissensbasis
  3. 100050145

How to prepare a Microsoft 365 tenant for Veritas Alta SaaS Protection using Modern Authentication

Artikel: 100050145
Zuletzt veröffentlicht: 2024-09-27
Bewertungen: 5 0
Produkt(e): Veritas Alta SaaS Protection

Description


This article will provide directions on configuring the necessary pre-requisites in order to configure Veritas Alta SaaS Protection to backup M365 workloads including: 

  • SharePoint Sites
  • SharePoint Groups/Teams Sites
  • OneDrive Sites
  • O365 Mailboxes
  • Teams Chats
  • O365 Audit Logs

 

    SharePoint Online and OneDrive for Business (including Teams and Groups)

    In order for the SharePoint connectors to authenticate using Modern Authentication, it is required to create SharePoint applications. Unless otherwise directed, create 5 of these applications and save the Client ID / Secret to a file for use later. 

    Creating a SharePoint Application

    To create a SharePoint application, perform the following steps:

    1. Open a browser and navigate to: https://<tenant>-admin.sharepoint.com/_layouts/15/appregnew.aspx
    2. Click the 'Generate' buttons for both Client Id and Client Secret.  Make sure to record and save these values as they will be entered into a table at the bottom of this document. 
    3. Enter the Title as:  Veritas Alta SaaS Protection SPO App
    4. Enter www.localhost.com as the App Domain and https://www.localhost.com/ as the Redirect URI.
    5. Click 'Create'.
     
     

    Granting App Permissions

     
          1. Open a browser and navigate to:  https://<tenant>-admin.sharepoint.com/_layouts/15/appinv.aspx
          2. Enter in the client id created above, and click the 'Lookup' button to populate the other info.
          3. In the box for 'Apps Permission Request XML', enter the following below: 
     
    <AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
    </AppPermissionRequests>
     
          4. Click 'Create'.
     
     

     

    On the next page, click the ' Trust It' button.  Once clicked, this completes the process and will redirect you back to the SP Admin portal.  
     
     
     

     

    O365 Mailboxes

    In order for the Exchange connectors to authenticate, it is required to create an Azure AD application.  Below are instructions for how to create these. 
     
    Log into Azure AD and select the  'Azure Active Directory blade ', then click ' App registrations ', followed by ' New registration '.
     

       

       

      • Configure the application as follows:
      • Name: Veritas Alta SaaS Protection EWS OAuth App
      • Support account types: Accounts in this organizational directory only
      • Redirect URI:  Change to Public client/native. The value should be: urn:ietf:wg:oauth:2.0:oob
      • Click the 'Register' button.

       

      • After clicking Register and the process completes, it will automatically open the newly created application.
      • Now we need to add permissions.  Choose the API permissions button on the left, choose +Add a permission button and then on the right side, choose the 'APIs my organization uses' tab, in the search field, type 'Office', then select 'Office 365 Exchange Online'.

       

      • Click Application permissions, select the first option 'full_access_as_app', then click the blue Add permissions button.
      • Next choose the API permissions button on the left, choose +Add a permission button and then on the right side, choose the 'Microsoft Graph' then select 'MailboxSettings.Read'.

      • For backing up and restoring Teams Chats (via Teams Channels), the following permissions are also required. These are added under the 'Microsoft Graph' api section.   If Teams Chats are not in your scope for backup, skip these permissions:

      Application permissions 

      Directory.Read.All 

        

      Chat.Read.All 

        

      ChatMember.ReadWrite.All 

        

      ChannelMember.ReadWrite.All 

        

      TeamMember.ReadWrite.All 

      Delegated permissions 

      ChannelMessage.Send 

        

      ChatMessage.Send 

       

       

      • Now we must add the proper permissions in order to read the directory.
      • While still on the same page, click the +Add a permission button and choose Microsoft Graph on the right side.

       

       

       

      • Select the Application Permissions button.

       

      • Scroll down and expand Directory. Choose Directory.Read.All

       

       

      • Click the Grant Admin consent for... button to save the permissions. The end result for permissions are as follows:

       

      Note: if the additional permissions were added for Teams Chat, the end result for permissions are as follows:

       

       

      • The last step is to create a secret key.  
      • Click on Certificates & secrets
      • Click New client secret
      • Enter the Description as:  Veritas Alta SaaS Protection EWS OAuth App Key
      • Choose 24 Months for Expires
      • Click Add

       

       

      • Take note of the VALUE key and save it. We do not need the Secret ID string. 

       

      • Lastly, we need to also make note of the following: 
        • Application (client) ID
        • Directory (tenant) ID 
      • These two ID's and the secret key will be used to configure the EWS connector

       

       

         

        Office 365 Audit Logs (if applicable)

         
        In order for Veritas Alta SaaS Protection to capture O365 Audit log data, Auditing must first be enabled in the O365 tenant.  Veritas Alta SaaS Protection also requires an AAD application used for authentication.  Follow the steps outlined in the following article:   https://www.veritas.com/support/en_US/article.100051554
         
         

        IMPORTANT: Please also provide the following information that will assist the Provisioning team with properly scoping your Veritas Alta SaaS Protection tenant.

         
        NOTE: If multi-regional, please include an approximate count per region.
         
        All of this information can be found within the O365 Admin center:  https://admin.microsoft.com/
        On the home page left navigation pane, select Reports, then Usage.
        On the right-hand pane, there are usage charts for each workload (SP/OD/Groups).  Simply select the "View More" option under each to obtain the data.  
         

        Mail - The provisioning team will provide 2 powershell scripts to assist with obtaining this information. One for primary mailboxes and one for Archive mailboxes.  The scripts also have an option to run against specific AD Groups if there are plans to only backup specific groups of mailboxes. 

        a.  Total number of mailboxes including archive mailboxes if applicable.

        b.  Total size of email to be backed up including archive mailboxes (if applicable). Backing up archive mailboxes is optional. 

        c.  Total number of mail messages

         

        Sharepoint

        a.  Total number of SharePoint sites. If there are Teams Sites, please include this count as well.   

        b.  Total size of all SharePoint sites (note: this total will include Teams sites as well)  

        c.  Total number of Files in all the SharePoint Sites

         

        OneDrive

        a.  Total number of OneDrive Sites  

        b.  Total size of all OneDrive Sites 

        c.  Total number of Files in all the OneDrive Sites

         

         

         

        This concludes the pre-requisites.  Now please enter all the client id's / key's etc in the appropriate tables below and coordinate with your Veritas Alta SaaS Protection technical contact to securely transfer this information.  Do not send them over email. 

         

        SharePoint Admin URL

        https://<tenant>-admin.sharepoint.com

         

        Veritas Alta SaaS Protection SPO App

        Values

        1.

        Application (client) ID

         

         

        Client Secret

         

        2.

        Application (client) ID

         

         

        Client Secret

         

        3.

        Application (client) ID

         

         

        Client Secret

         

        4.

        Application (client) ID

         

         

        Client Secret

         

        5.

        Application (client) ID

         

         

        Client Secret

         
         
         
        Exchange Online Mailboxes & Groups/Teams Mailboxes
         

        Veritas Alta SaaS Protection EWS OAuth App

        Values

        Application (client) ID

         

        Directory (tenant) ID

         

        Client Secret

         

         

        For customers backing up Teams Chats, an impersonation account is required for the restore process.  This AD account must have a valid SMTP address with an E1 license.  Please provide the SMTP and password to the provisioning team via the secure file transfer. 

         

        Information for customers participating in a POC (Proof of Concept) 

        Testing Veritas Alta SaaS Protection might include Mailboxes, SharePoint Sites, OneDrive Sites, and Groups/Teams Sites.  When working with the Veritas Provisioning team, it is important to obtain a list of SMTP addresses for any mailboxes that will be tested against, as well as the exact URL's for any SP/OD/GT sites.  These URL's can be found in the SharePoint Admin Center > Active Sites blade within your O365 tenant. 

         
         

        War dieser Inhalt hilfreich?

        Article Languages