Arctera Data Insight

Last Published:
Product(s): Veritas Alta Data Insight (1.0)
  1. About Arctera Data Insight
    1.  
      About Arctera Data Insight
  2. Dashboard
    1.  
      About Arctera Data Insight Dashboard
    2.  
      Storage Utilization Trends
  3. Workspace
    1.  
      About Arctera Data Insight Workspace
    2.  
      Data
    3.  
      Users
    4.  
      Groups
  4. Installing Collector Node
    1.  
      About Collector node
    2.  
      Downloading and Installing Arctera Data Insight Collector
  5. Servers
    1.  
      About servers
    2.  
      Servers
  6. Data Sources
    1.  
      Data Sources
    2. Filers
      1.  
        Adding filers
      2.  
        Viewing configured filers
      3.  
        Editing filer configuration
      4.  
        Managing filers
      5.  
        Monitored Shares
      6.  
        About disabled shares
    3. SharePoint Online
      1.  
        About SharePoint Online account monitoring
      2.  
        Registering Data Insight with Microsoft to enable SharePoint Online account monitoring
      3.  
        Configuring application without user impersonation for Office 365
      4.  
        Creating an application in the SharePoint Admin Center
      5.  
        Add SharePoint Online accounts
      6.  
        Managing Site Collections
      7.  
        Monitored Site Collections
    4. OneDrive
      1.  
        Configuring OneDrive account
      2.  
        Registering Data Insight with Microsoft to enable OneDrive account monitoring
      3.  
        Configuring application without user impersonation for Office 365
      4.  
        Add/Edit OneDrive account
      5.  
        Monitored Cloud Accounts
  7. Directory Services
    1.  
      About Active Directory Services
    2.  
      Registering Data Insight with Microsoft to scan Azure AD
    3.  
      Add/Edit Azure active directory service
  8. Health and Monitoring
    1.  
      Scan Status
  9. Classification
    1.  
      Requests
    2.  
      Configuration
    3.  
      Setting up Classification
  10. File Groups
    1.  
      About File group
    2.  
      Configuring File group
  11. Reports
    1.  
      About Reports
  12. Workflows
    1.  
      Workflows
    2.  
      Task
  13. Data Remediation
    1.  
      Delete Files Configuration
  14. Users and Access
    1.  
      Users and Roles
    2.  
      Credentials

Registering Data Insight with Microsoft to scan Azure AD

To authorize Data Insight to scan Azure AD, you must create an application for every Data Insight installation and register it with Microsoft Azure Active Directory. This step involves associating a set of credentials with the application and providing the application with the required permissions, which enables communication between Data Insight and Microsoft. This step also creates an authorization token that is stored as a named credential in the Data Insight configuration.

Prerequisite

A Office 365 user with the Microsoft Minimum privilege user role or with a role which has lesser admin privileges than the Minimum privilege user can create and register an application with Microsoft. However, the user must be granted the following four roles at the minimum:

  1. Application Administrator : To create a Microsoft application

  2. User Administrator: To get the access to OneDrive account of all the users in tenant

  3. SharePoint Administrator: To fetch the data in OneDrive and SharePoint Online

  4. Privileged Role Administrator: To give admin consent to Azure Application

  5. A custom role (View-Only Audit Logs) in the Exchange Admin Center

To assign the first three roles, refer to the Azure documentation.

To create and assign the View-Only Audit Logs role to a non-Global admin user

  1. Login to Microsoft Admin Portal with the Minimum privilege user role, navigate to Exchange Admin Center and click Classic Exchange Admin Center in the left pane.
  2. Click Permissions > Admin roles and click the + icon to create a new role.

    The Role Group pop-up opens.

  3. In the Role Group pop-up, enter a desired role name (ex. AuditReadRole).
  4. In the Roles section, click + and select the role "View-Only Audit Logs" and click OK.
  5. In the Members section, click + and select the member that you want to assign the minimum privilege role.
  6. After selecting the member, click OK and then click Save.

To create and register an application with Microsoft

  1. Login as a global admin user or minimum privilege user to https://portal.azure.com/#home and search App Registrations.
  2. On the Register an application page, enter a desired name for the app.
  3. In Supported account types select Accounts in this organizational directory only (<organization-name> only - Single tenant)
  4. On the Register an application page, click Register to register the app. (Redirect URI can be provided later.)

    Your new application is created and the app Overview page is displayed.

  5. Copy-save the Application (Client ID) and Directory (Tenant) ID. You will be required to provide it later while adding an account in Data Insight.
  6. Copy-save the . You will be required to provide it later while adding an account in Data Insight.
  7. On the left sidebar of your app dashboard, click Certificates and Secrets.
  8. In the Client secrets section, click New client secrets to generate the access token required for calling the required APIs
  9. Set the expiry to Never and click Add.
  10. Copy the Client Secret Value is generated. You will be required to provide it later while adding an account in Data Insight.
  11. Then you need to grant permissions to the app to use the Microsoft Graph and Office 365 APIs.

    On the left sidebar of your app, click API permissions, and then click Add a permission.

  12. Then click Grant admin consent for.., and confirm.
  13. Now add the redirect URI.

    Go to the Overview page of the app and click Add redirect URI. The Authentication page opens

  14. Click Add a platform
  15. On the Configure platforms panel that opens, click Web
  16. Provide the Data Insight Management Server IP address, as a redirect URI in the following format: https://datainsight.us3.archive.veritas.com/api/DirectoryServices/azureADRedirect

    For more details, refer https://docs.microsoft.com/en-us/azure/active-directory/develop/reply-url.

    You can authenticate using FQDN in the redirect URL by setting node Level property.

    To set the node Level property,

    • Navigate to Settings > Servers and click the configured Management Server and then click Advance Settings tab.

    • In the Advance Settings tab, clickSet custom properties

    • In the Property Name box, add node.azure.ad.auth.via.fqdn

    • In the Property Value box, add true

    • Click Save and Close.

      Note:

      Property value should be set to true for authenticating via FQDN and false for authenticating via IP.

    If you want to modified any existing property value,

    • change the redirect URI in the Azure App accordingly.

    • Delete the cookie from <DATA_DIR>\connectors\sponline\cookie\dataStore on the collector node.

    • Re-authorize the application.

  17. Click Configure to save it.
  18. On the same page, set theSupported account types to Accounts in any organizational directory (Any Azure AD directory - Multitenant).

Once the app is created, anybody in the organization can access the app. As per Microsoft recommendation, restrict the access to specific users.

For information on how to require the user assignment for an app via the Azure portal, refer to Configure an application to require user assignment Azure documentation

For information on how to assign users or groups to an app via the Azure portal, refer to Assign users to an app Azure documentation