Search <book_title>...

Cohesity Alta SaaS Protection 2.x.x Administrator's Guide

Last Published: 2025-04-22

Product(s): Veritas Alta SaaS Protection (1.0)

Introduction to Cohesity Alta SaaS Protection
1. About Cohesity Alta SaaS Protection
2. Features of Cohesity Alta SaaS Protection
3. Architecture of Cohesity Alta SaaS Protection
4. Operational workflow
5. Extra Data Backup (EDB)
API permissions
1. API permissions for Microsoft 365 workloads
2. API permissions for Gmail and Google Drive
3. System and API permissions for Salesforce
4. API permissions for Entra ID
5. App permissions of Web App
Administrator portal (Web UI)
1. About the Administration portal
2. Configure the Administration portal
3. View upgrade history
Manage users and roles
1. Role-based access control
2. Permissions tab
What is a connector?
1. What is a connector?
2. Supported SaaS workloads and backup capabilities
3. Workflow to protect data using Cohesity Alta SaaS Protection
4. Know your subscription details
5. About transient errors
6. Overview of adding connectors
7. Configure General settings
8. Configure Capture scope
9. Configure User filter
10. Configure Group filter
11. Configure Folder filter
12. Configure credentials
  1. Assign Microsoft 365 apps registration
  2. Microsoft 365 apps registration status
  3. Manually approve Microsoft 365 apps registration
  4. Approve Microsoft 365 apps using the App Consent Grant utility
  5. Microsoft 365 apps recovery
13. Configure Custom backup policy and guidelines
14. Configure Delete policy for SharePoint Online and guidelines
15. Configure Stubbing policy
16. Guidelines to configure Stubbing policy for SharePoint Online
17. Schedule a backup
18. Configure email addresses to get notifications
19. Review configuration and edit/save/initiate backup
20. Connectors page
21. Connector status
22. Edit connector configuration
23. Delete connectors
Pre-requisites for Microsoft 365 connectors
1. Pre-requisites for Microsoft 365 connectors
Protect Microsoft 365 Multi-Geo tenant
1. Considerations for adding SharePoint/Teams Sites/OneDrive connectors for Microsoft 365 Multi-Geo tenant
Protect Exchange Online data
1. Add Exchange Online connectors
2. Configure capture scope for Exchange connectors
Protect SharePoint sites and data
1. Add SharePoint connectors
2. Supported and unsupported SharePoint Settings and Types for backup and restore
3. Supported Sites and List templates for backup and restore
4. Supported SharePoint permission objects for backup and restore
5. Configuring capture scope for SharePoint connectors
6. End-user SharePoint data access in Cohesity Alta SaaS Protection
7. Run the Delete and Stubbing policies to the SharePoint Online environment
8. Limitations of SharePoint connector
Protect Teams sites
1. Add Teams site collections connectors
2. Configure capture scope for Team site collections connectors
3. Limitations of Teams site collections connector
Protect OneDrive data
1. Add OneDrive connectors
2. Configure capture scope for OneDrive connectors
Protect Teams chats
1. Add Teams chat connectors
2. Configure capture scope for Teams chat connectors
3. Limitations of Teams chat connector
Protect GoogleDrive data
1. Prerequisites to add Google Drive connectors
2. Add Google Drive connectors
3. Configure capture scope for Google Drive connectors
4. Limitations of Google Drive connector
Protect Gmail data
1. Prerequisites to add Gmail connectors
2. Add Gmail connectors
3. Configure capture scope for Gmail connectors
Protect Audit logs
1. Add Audit log connectors
2. Audit log connector limitations
Protect Salesforce data and metada
1. About Salesforce protection
2. Key considerations and prerequisites for adding Salesforce connectors
3. Add Salesforce connectors
4. Limitations of Salesforce connectors
5. Salesforce Objects not supported for backup
Protect Entra ID objects
1. Add Entra ID (Azure AD) connectors
2. Limitations for Entra ID connector
Protect Box data
1. Prerequisites for Box connectors configuration
2. Add Box connectors
3. Configure capture scope for Box connector
4. Limitations of Box connector
Protect Slack data
1. Add Slack connectors
Protect Email/Message data
1. Prerequisite for Email/message connector
2. Add Email/Messages file
Configure Retention policies
1. About WORM policies
2. Ingestion WORM policies page
3. Add/edit Ingestion WORM retention policies and guidelines
4. Add/edit At-Rest WORM retention policies
5. Add/edit Deletion policies
6. View deletion history
7. How to edit the policy evaluation interval?
8. How to add a Location filter?
9. How to add a filter?
Perform backups
1. Perform on-demand/ad-hoc backup
2. Backup dashboard
3. Video tutorial for connector troubleshooting
4. View backup events
  1. About Event suppression
  2. Create event suppression rules
5. Viewing backup tasks details
View and share backed-up data
1. Browse backed-up data
2. Share data
3. Remove data sharing
Analytics
1. About analytics
2. Gain insights into storage utilization
3. Gain insights into storage utilization for Entra ID and Salesforce connectors
4. Gain insights into blocked activities, most active users, and more
5. Gain insights into data volume (size and item count) on legal hold
6. Gain insights into data volume (size and item count) saved in different Enhanced cases
7. Gain insights into data volume (size and count) under different policies
8. Gain insights into data volume (size and item count) under different Tags
9. Gain insights into data volume (size and item count) under different Tags behaviors
10. Gain insights into storage savings after deduplication and compression
11. Gain insights into data ingestion trends
Perform restores using Administration portal
1. About restore
2. Prerequisites for restore
3. Restore Exchange Online mailboxes
4. Restore SharePoint/OneDrive/Teams Sites and data
  1. Restore of OneDrive, Microsoft 365 Group, and Microsoft Teams sites
  2. Limitations of SharePoint sites and data restore
5. Restore Teams chat messages and Teams channel conversations
  1. Limitations of Teams chat data restore
6. Restore O365 audit logs
7. Restore Box data
  1. Limitations of Box data restore
8. Restore Google Drive data
  1. About the overwrite restore behavior for Box/Google Drive data
9. Restore Gmail data
10. About Salesforce Data, Metadata, and CRM Content restore and Sandbox seeding
11. About Entra ID (Azure AD) objects and records restore
12. Restore Slack data
13. Restore data to File server
14. Set default restore point
15. Configure Restore all, Restore all versions, Point-in-time, and Specific range restore options
16. Configure email addresses for notifications
17. Downloading an item
Restore dashboard
1. About Restore dashboard
2. Restore job statuses
3. How to cancel a restore job?
4. View the restore events
Install services and utilities
1. About services and utilities
2. Pre-requisites to download and install services and utilities
3. Downloading services and utilities
4. Where to install the services and utilities
5. Installing or upgrading services and utilities
6. Configuring service accounts for services and utilities
7. About the Apps Consent Grant Utility
Discovery
1. About eDiscovery/searches
2. Add search templates
3. Add Discovery cases
4. Perform ad hoc search and add data to Discovery cases
5. View data in Discovery cases
6. Edit Discovery cases
7. DeleteDiscovery cases
8. Assign Discovery cases to users
Configure Tagging polices
1. About the Tagging policy
2. Add Tags
3. Add/edit Tagging policies
4. Adding regular expressions
  1. RegEx and query examples for PII detection
Configure Tiering policy
1. About the Tiering policy
2. Add/edit Tiering policies
Auditing
1. Auditing
Manage Stors (Storages)
1. Viewing Stors (Storages)
2. Requesting a new Stor
3. General tab
4. Version control settings
5. Metadata tab
6. Statistical policies tab
7. Location-Mapping tab
8. Backup tab
9. Custodian Groups tab
10. Advanced tab
11. Analytics tab

Guidelines to configure Stubbing policy for SharePoint Online

The SharePoint Online connector can be configured with a policy to perform stubbing. Stubbing helps to reduce storage in the SharePoint Online environment. When enabled, during the backup process, backed up items are changed to stubs (shortcuts) and original item versions are deleted. Stubs appear in SharePoint as URL files ending in the .stub.url extension. By clicking on the stub an end-user can either download the data from ASP locally or restore the stubbed items to back to its original location in the SharePoint site (this behavior is configurable by an Cohesity Alta SaaS Protection administrator).

The stubbing policy can be customized based on the following criteria:

Size
Last modified date
Type

You can define any or all of these criteria according to your specific data retention requirements.

Stubbing policy setup guidelines

It's advisable to first test the impact of your stubbing policy in a small or less frequently used environment before rolling it out widely. This will help administrators and end-users become familiar with how stubbed files behave. It's important to note that stubbed files do not directly replace the original file in terms of supporting the same functionality within SharePoint.
Review the Considerations Before Enabling Stubbing section to understand the implications of configuring stubbing and can select Sites and Locations eligible for stubbing, with the appropriate stubbing policy.
Determine whether you plan to use Cohesity Alta SaaS Protection only to stub certain SharePoint/OneDrive items based on policy, or to back up all data in SharePoint Sites/OneDrive while also stubbing certain items.
If you plan for only stubbing, ensure that your Custom Backup Policy and Stubbing Policy align with each other.
- To achieve savings sooner, target larger items first (for example, items > 5 MB, with last modified > 1 year, or whatever your date criteria may be).
- Later, adjust the criteria for both the Custom Backup Policy and Stubbing Policy to what you plan to use on an ongoing basis (for example, items > 1 MB with last modified > 1 year).
If stubbing items based on policy while also backing up all items, follow the guidelines in step 2. When setting the ongoing criteria, clear the settings in the Custom Backup Policy so that all items are included in the backup, but only items meeting the stubbing policy criteria are eligible for stubbing.

Considerations before enabling stubbing

As the stubbing process deletes data at the source and replaces it with URLs, it is important to understand the implications of the Cohesity Alta SaaS Protection process before enabling the stubbing policy. Cohesity cannot help or support the customer if they exercise or run into unsupported scenarios. It will be the customer's responsibility to recover from the situation.

General considerations:

Cohesity Alta SaaS Protection stubs an item after the data is moved to Cohesity Alta SaaS Protection storage, depending on the options configured in the connector and its backup policies. By default, Cohesity Alta SaaS Protection does not maintain any other copies of the item. Therefore, Cohesity Alta SaaS Protection stubs items only after creating a primary backup copy. Care should be taken to ensure that this primary copy is not deleted, for example, due to a misconfigured Cohesity Alta SaaS Protection deletion policy.
Additional options, such as Extra Data Backup, need to be purchased if you want Cohesity Alta SaaS Protection to maintain a separate secondary copy.
There may be automated processes within SharePoint Online or third-party software integrated with SharePoint Online that relies on the actual file being present for processing. Such locations should be excluded from stubbing.
There may also be automated processes within SharePoint Online or by the third-party software that copy, move, or create lists and folders where potentially stubbed files can reside. These locations should also be excluded from stubbing.
If stubbing is based on the 'last modified' date, note that the content, which is frequently accessed but not modified will still be stubbed. Careful consideration should be given to whether such content should be stubbed, as keeping it as stubs may not be desired and can lead to frequent requests to restore the original content.
For the above reasons, it is crucial to thoroughly evaluate what should not be stubbed before initiating the stubbing process. This careful planning ensures that the stubbing policies are configured correctly, preventing any inadvertent issues.
If sites or libraries are accidentally stubbed, administrators will have to resort to doing restores by the admin portal. Depending on the number of sites and lists, the need for mass un-stubbing restores may arise. This can take time and may result in a diminished end-user experience.
Considerations for the restores when stub policy is based on 'Last modified time'. When doing restores, if the stub recall options have:
- Restore: When content is recalled by clicking on the stub, Cohesity Alta SaaS Protection updates the modification time to prevent the item from being stubbed again immediately.
- Download Only: End users can download the file, but restores can only be performed from the Administration Portal. By default, when restoring from the Administration Portal, the original last modified time is restored, meaning that the restored content can be stubbed again. To prevent this:
  - Exclude the content from stubbing after it has been restored.
  - When restoring from the Admin Portal, select the option Reset 'last modified time' of restored items to time of restore.
Stubbing is not supported for Project Web Access sites. These sites must be manually excluded from the stubbing policy.

Stubbed item deletion, movement, and interaction with Cohesity Alta SaaS Protection deletion policies:

This section describes the behavior of a stub and its corresponding item in Cohesity Alta SaaS Protection under specific scenarios as follows:
- Stub deletion
  - If a stub is deleted, Cohesity Alta SaaS Protection marks the corresponding item as Removed from source in Cohesity Alta SaaS Protection storage during the next backup cycle.
  - When the stub is restored to its original location from the Recycle Bin, Cohesity Alta SaaS Protection keeps the item marked as Removed from source during the next backup cycle.
  Note:
  Removed from source indicates that Cohesity Alta SaaS Protection recognizes the item is no longer present in its original location. This is important as Cohesity Alta SaaS Protection deletion policies are often configured to delete items marked as Removed from source.
- Stub movement
  - Cohesity Alta SaaS Protection does not track the copying or movement of stubs from one location to another.
  - When a stub is moved from its original location to a different site or subsite, Cohesity Alta SaaS Protection marks the corresponding item as Removed from source in its storage during the next backup cycle. If the stub is subsequently moved back to its original location, Cohesity Alta SaaS Protection keeps the corresponding item marked as Removed from source because Cohesity Alta SaaS Protection does not automatically recognize that the stub has returned to its original location.
  - If stubs are moved, special considerations may be required for end users to access or restore the data to its original files. For more details, refer to the knowledge base article: Issues when accessing or restoring files from copied or moved stubs (.stub.url) in SharePoint Online.
- Modification in Version setting
  If the versioning setting of a Document Library in SharePoint is changed from 'Create Major/Minor Version' to 'No Versioning' or vice versa, during the next backup cycle, the corresponding item in Cohesity Alta SaaS Protection is marked as Removed from source.
- Cohesity Alta SaaS Protection deletion policy and items marked as removed from source
  If an item in Cohesity Alta SaaS Protection storage qualifies for a Cohesity Alta SaaS Protection deletion policy for deletion, it will be deleted from storage without verifying whether it is stubbed at the source. This means that deletion policies can remove items marked as Removed from source, even if they are still present at the source but marked as Removed from source due to certain scenarios described above.
  Recommendation: It is strongly recommended not to use Cohesity Alta SaaS Protection deletion policies that target content where stubbing is or was enabled at the source.

Connector management:

For a site being backed up by a connector with a stubbing policy, and that contains stubbed items which have been stubbed by same connector, the stubs should be restored before removing the site from the connector or deleting the connector.
For a site being backed up by a connector with a stubbing policy, if the same site is added to a new connector, no data will be backed up for the data that was stubbed the previous connector by the new connector.
Stubbing same site by multiple connector is not supported.

Item permissions:

When an item is stubbed, its permissions are not changed. Any changes to the permissions after the item is stubbed are captured by Cohesity Alta SaaS Protection.
When a stub is restored back to a file by Cohesity Alta SaaS Protection, the permissions the stub had prior to the restore are maintained by default.
Cohesity Alta SaaS Protection only allows access to files for end-users with the specific SharePoint Permission Levels which contain the Open List Items permission. If a user or group only has SharePoint Permission Levels which contain View Items or View Application Pages permissions, Cohesity Alta SaaS Protection will not permit access to those files. Default SharePoint permission levels that use the View Items permission include Restricted View, View Only, and Download Only. When files are stubbed, users with these permission levels will not be able to access the files from the stub.
For more details on how Cohesity Alta SaaS Protection syncs end-user permissions, refer to the section End-user SharePoint Data Access in Cohesity Alta SaaS Protection.
If Cohesity Alta SaaS Protection backs up and stubs SharePoint sites in two different AD tenants with shared users (for example, a user in Tenant A is also an external user in Tenant B), issues can arise for the shared user if they try to access an item in Cohesity Alta SaaS Protection, via its SharePoint stub in a site present in a tenant where that user is a external. Such a configuration should be avoided.

Item properties:

When an item is stubbed, its properties and permissions are preserved.
Any changes to properties made after the item is stubbed are not captured by Cohesity Alta SaaS Protection.
When a stub is restored back to a file by Cohesity Alta SaaS Protection, the list column properties are restored to the state they were in when Cohesity Alta SaaS Protection initially backed up the item.

Stubbing policy evaluation, configuration, and interaction:

When configuring exclusions based on type, you must also configure either the last modified date or size criteria.
The connector stubbing policy will consider an item for stubbing only if all its captured versions meet the criteria configured in the policy.
The stubbing policy is applied starting from the second full backup, after all data has been successfully backed up during the first full backup.
The connector stubbing policy applies only to full backups and does not apply to incremental backups occurring between two full backups.
If both the connector deletion and connector stubbing policies target the same item, the delete policy takes precedence and permanently deletes the item from the source SharePoint environment.

Scope of application of stubbing in SharePoint:

The stubbing policy applies exclusively to files within document libraries and not to any other library types.
The stubbing policy specifically applies to items derived from the Document SharePoint content type.

Exclusions from the stubbing policy:

ASPX files
Links with a .url extension
Document libraries in SharePoint that have the Require checkout setting enabled.
Some site templates, like Publishing Site, create document libraries with this setting enabled. As a result, items in these libraries cannot be stubbed.
Contact Cohesity Support to enable stubbing for these items.
Files in libraries and lists with the Information Rights Management (IRM) setting enabled.
Items that are checked out.
Thicket file.
Starting from the 2.26.1 release, the following items cannot be stubbed using the Stubbing policy:
- All items in sites, which are on legal hold or have a retention policy.
  You need to contact Cohesity Support to enable stubbing for these items.
- Only when Legal Holds done through Microsoft Purview by link Create eDiscovery holds in an eDiscovery case Microsoft Learn, Cohesity Alta SaaS Protection can detect, and skip stubbing for such items. Any other way is unsupported.
Contact Cohesity support team to stub other items in such sites.
Starting from the 2.28.1 release, the following items cannot be stubbed:
- Items with a sensitivity label configured for encryption cannot be stubbed.
- Items in read-only sites.
- Items marked with a retention label and still within the retention period.
Starting from the 2.31.1 release, the following items cannot be stubbed:
- Items in lists and libraries with the following version settings enabled in SharePoint Online:
  - Require content approval for submitted items.
  - Create major and minor (draft) versions (for example, 1.0, 1.1, 1.2, 2.0)
  - Some site templates, like Publishing Site, create document libraries with these settings, preventing stubbing in such libraries for the site.
- Cohesity Alta SaaS Protection does not support the stubbing of Loop components in emails and Teams chats.
  For more information on Loop components, refer to the Microsoft knowledge base article: Overview of Loop Components in Microsoft 365.
Starting from the 2.35.1 release, the items/files with View only permission will not be stubbed.
OneNote notebooks.

Sharing links:

Sharing links (by Teams, OneDrive, or SharePoint) for items created before and after stubbing may not work.

Accessing stubs via the SharePoint App on Mobile devices:

Accessing stubs through the Microsoft SharePoint App on iOS and Android is not supported. Users can open the SharePoint site in Safari or Chrome, navigate to the library containing the stub, and click on it to access the data in Cohesity Alta SaaS Protection.

Files synchronized with Laptops and PCs:

When files synchronized with laptops or PCs using the OneDrive client are stubbed, Cohesity Alta SaaS Protection replaces the items with internet shortcuts, adding the .stub.url extension to the item name.
When an end user tries to access the stubbed file from File Explorer, they are navigated to a browser. Based on the settings configured in Cohesity Alta SaaS Protection for managing end-user experiences with stubs, appropriate actions will be taken. Refer to the Managing End-User Experience with Stubbed Items section for more details.
When stubbing a file the OneDrive Sync client may add or/and change the stub file. Cohesity does not support the scenario, if the change disrupts the functioning of the stub.

Inconsistent stubbed files:

Errors can occur at any stage of the stubbing process. The stubbing process attempts to recover from errors by either keeping the original file intact as much as possible or fully stubbing the item.
For more information on how to handle these errors, refer to the tech note: Cohesity Alta SaaS Protection: Microsoft SharePoint Online Item Stubbing Errors.

Browser support:

The following browsers are supported for accessing data in Cohesity Alta SaaS Protection by a stub:
Browser
Restore and Download stub
Download only
Chrome
Supported
Supported
Edge
Supported
Supported
Safari
Not supported
Supported

Browser	Restore and Download stub	Download only
Chrome	Supported	Supported
Edge	Supported	Supported
Safari	Not supported	Supported

Stub modifications:

If there are any external modifications to the stub by any processes other than ASP, this may lead to unsupported scenarios - for example, external processes like a different backup vendor, SharePoint workflows.

See Run the Delete and Stubbing policies to the SharePoint Online environment.

Managing end-user experience with stubbed items

For more information on the end-user workflow when an end-user clicks on a stub, refer to the topic Restore OneDrive/SharePoint stubbed items in the Cohesity Alta SaaS Protection End User Guide.
As an administrator, you can control the options available to the end-user. You can direct them to the End-User portal to restore the specific item or initiate the download when a stub is clicked. You can use the following permissions to manage the experience of the end user in restoring or downloading the stubbed items:
- End-User SharePoint stubbing restore: With this permission, when an end-user clicks on the stubbed item, they are redirected to a webpage. On this webpage, an option is available to restore the item to its original location at the time of backup.
- End-User retrieval and download: With this permission, when an end-user clicks on the stubbed item, they are redirected to a webpage. On this webpage, an option is available to download the last backed-up version of the SharePoint file to the local computer.
  If only this permission is assigned, the download starts when the user clicks the stub.
  Both of these permissions are inherently included in the Default role.
You can monitor the restore progress on the Restore dashboard.

Notes on the restoration of stubbed items initiated by end-users

A SharePoint user with the View permission can restore the file. The user retains the same permissions for the file after restoration as they had on the stub.
If a stub is moved from its original location, the restore fails. An Administrator needs to restore it from the Administration portal.
The last modified date is updated to the current time after restoration or download. This should prevent the item from being picked up by the configured Stub policy if configured based on the last modified time.
Only the last backed-up version of the SharePoint item before the stubbing occurred is restored.
You can monitor the restore progress on the Restore dashboard, but you cannot rerun the restore.
If your tenant is Scope enabled, then clicking on a stub always download the last backed-up version of the SharePoint file to the local computer.