Chat now with support
Chat with Support

Enterprise Reporter 3.5.1 - Installation and Deployment Guide

Product Overview Installation Considerations for Enterprise Reporter Installing and Configuring Enterprise Reporter Managing Your Enterprise Reporter Deployment Troubleshooting Issues with Enterprise Reporter Appendix: Database Content Wizard Appendix: Encryption Key Manager Appendix: Log Viewer

Detailed permissions for Enterprise Reporter discoveries

The following table outlines the permissions required for Enterprise Reporter discoveries.

Table 9. Detailed permissions required for Enterprise Reporter discoveries
Discovery Type
Permissions Required for Discovery Credential

Active Directory

An account with Active Directory read permissions is required to collect domain information, trusts, sites, domain controllers, and Active Directory computers, users, groups, and organizational units.

The account being a member of the Built-in Domain Users group is sufficient to assign read permissions.

To collect Fine Grained Password Policy and AD object level permissions, Domain Admin is required.

Azure Active Directory

An identity with read permission for the discovery target tenant. Read permissions are required for collection of tenant information, Azure Active Directory users, groups, group members, roles, and service principals.

If additional credentials are being specified to minimize Azure throttling limitations, these credentials must have the same permissions as stated above.

Also refer to credentials required to create and consent to the Enterprise Reporter Azure application required for this discovery.

Azure Resource

An identity with read permissions for the discovery target tenant. Read permissions are required for collection of subscription, Resource groups, and resources.

If additional credentials are being specified to minimize Azure throttling limitations, these credentials must have the same permissions as stated above.

Also refer to credentials required to create and consent to the Enterprise Reporter Azure Resource application required for this discovery.

Computer

An account with local administrator access on the scope computers to collect computer information, local groups and users, printers, services, policies, and event logs.

Exchange

To collect from Exchange targets, the credential account must have a mailbox on the target organization with access to read the permissions on the targets through EWS.

To collect from Exchange 2013, 2016, or Mixed Modes, the credentials must be a member of the Organization Management Group.

To collect from Exchange 2016 or Exchange 2019, the credentials must have an administrator role with an assigned “ApplicationImpersonation” role.

Exchange Online

An account with access to the discovery target tenant.

Read permission is required for collection of all Exchange Online information including mailboxes, mailbox delegates, public folders, mail-enabled users, mail contacts, distribution groups, group members, and permissions.

If additional credentials are being specified to minimize Azure throttling limitations, these credentials must have the same permissions as previously stated.

File Storage Analysis

An account with local administrator access on the scoped computer is required to collect file, folder, share, and home drive analysis data.

For permissions required when collecting NAS devices, see Permissions for Enterprise Reporter discoveries on NAS devices .

Microsoft SQL

An account with local administrator access on the SQL Server is required.

Additionally, the account must have read access to the scoped database to collect database information.

At a minimum, if not using fixed roles, the following SQL permissions are required on the securable object being used for collection.
Grant View Any Definition
Grant View Server State
Grant View Connect Any Database
Grant View Select All Securables

Microsoft Teams

The user credentials used to collect Microsoft Teams information must have either the Teams Administrator or Global Administrator permissions.

The user must also be a member of each Microsoft Teams group to prevent access denied errors during disk discovery.

If additional credentials are being specified to minimize Azure throttling limitations, these credentials must have the same permissions as stated above.

Also refer to credentials required to create and consent to the Enterprise Reporter Microsoft Teams application required for this discovery.

NTFS

If collecting through the administrator share, an account with local administrator access to the scoped computer is required.

If collecting through a network share, an account with read permissions to the scoped shares is required.

For permissions required when collecting NAS devices, see Permissions for Enterprise Reporter discoveries on NAS devices .

OneDrive

An account with access to the discovery target tenant. Administrator permissions are required for collection of all drives including drive information, configuration settings, files, folders, and permissions. A SharePoint administrator role is recommended.

Additionally, the discovery credentials must have site collection administrator rights to each drive that is being collected.

If additional credentials are being specified to minimize Azure throttling limitations, these credentials must have the same permissions as stated above.

Also refer to credentials required to create and consent to the Enterprise Reporter OneDrive application required for this discovery.

Registry

An account with local administrator access to the scoped computer is required to collect registry information.

SharePoint Online

An account with access to the discovery target tenant. Administrator permissions are required for collection of all SharePoint Online site collections, including tenant settings and policies, site information, and permissions. A SharePoint administrator role is recommended.

Additionally, the discovery credentials must have site collection administrator rights to each site collection that is being collected. If additional credentials are being specified to minimize Azure throttling limitations, these credentials must have the same permissions as stated above.

Also refer to credentials required to create and consent to the Enterprise Reporter SharePoint Online application required for this discovery.

Permissions for Enterprise Reporter discoveries on NAS devices

The following table outlines the permissions required for Enterprise Reporter discoveries.

Table 10. Permissions required for Enterprise Reporter discoveries on NAS Devices
Discovery Type
Permissions Required for Discovery Credential

NetApp Cluster Mode

Multiple virtual machines belong to a single cluster. All of these virtual machines can be specified as discovery targets. These virtual machines must be part of a domain.

The NAS configuration must point to the cluster (name or IP address) with credentials that have read access to the cluster. These would typically be administrator credentials.

NetApp 7 Mode

In NetApp 7 mode, data can be collected on the storage controller or vFilers that are derived from the storage controller. Credentials with read access to the controller and vFiler are required.

NetApp Storage Controller

In NetApp 7 mode, data can be collected on the storage controller or vFilers that are derived from the storage controller. Credentials with read access to the controller and vFiler are required.

NetApp Filer

The vFiler can be a discovery target. In this case, the NAS configuration must point to the storage controller from which the vFilers are derived and the credentials must have read access to the storage controller.

Dell Fluid FS

The discovery target can be any Fluid FS VM. The NAS configuration must be the machine name or IP where Dell Enterprise Manager is installed and credentials must have access to Dell Enterprise Manager.

EMC Isilon

The discovery target can be any Isilon virtual machine. The NAS configuration must be the machine or IP that hosts the OneFS administration site and the credentials must have read access to it. By default, the connection is established using https and, if the connection is not deemed to be secure, the discovery will fail.

Permissions for Enterprise Reporter tenant applications

Enterprise Reporter requires Azure applications for the collection of Azure and Microsoft 365 objects and attributes. These applications must be registered in the Azure portal and consent must be granted for delegated permissions. To manage tenant applications used by Enterprise Reporter, you use the Configuration | Application Tenant Management option.

Azure Active Directory application permissions

For the Azure Active Directory discovery, the Exchange Online discovery, and the collection of group members for the OneDrive discovery, an application with a name that begins with “Quest Enterprise Reporter Azure Discovery” is created. To create this application in your tenant, you must specify an account with administrative access to create applications. The account must have the Global Administrator role to be able to create and consent to the application.

Once created, the application must also be delegated permissions and an administrator must consent to the application’s permissions using the Microsoft consent wizard. For the Enterprise Reporter Azure discovery application, the following permissions are required:

 

Table 11. Required permissions
API Name
Permission
Permission Description
Type

Microsoft Graph

User.ReadBasic.All

Read all users' basic profiles

Delegated

Microsoft Graph

Directory.AccessAsUser.All

Access directory as the signed in user

Delegated

Microsoft Graph

Directory.Read.All

Read directory data

Delegated

Microsoft Graph

Group.Read.All

Read all groups

 

Microsoft Graph

IdentityRiskyUser.Read.All

Read identity risky user information

Delegated

Microsoft Graph

SecurityEvents.Read.All

Read your organization's security events

Delegated

Microsoft Graph

User.Read.All

Read all users' full profiles

Delegated

Microsoft Graph

Reports.Read.All

Read all usage reports

Delegated

Microsoft Graph

UserAuthenticationMethod.Read.All

Read all users' authentication methods

Delegated

Collecting user activity information

If you want to collect details about Microsoft 365 user activity, such as which licenses are assigned to a user and dates when a user last used a licensed service, the following delegated permission is required:
Microsoft Graph: Read all usage reports

Also, you must clear the Microsoft default setting that anonymizes the user-level data. To include user activity data in the Enterprise Reporter reports, do the following steps:

1
Open the Microsoft 365 admin center.
2
Navigate to Settings | Org Settings | Services.
3
Select Reports.
4
Clear the Display concealed user, group, and site names in all reports check box.

For more information, see https://learn.microsoft.com/en-US/microsoft-365/troubleshoot/miscellaneous/reports-show-anonymous-user-name

OneDrive application permissions

For the OneDrive discovery, an application with a name that begins with “Quest Enterprise Reporter OneDrive Discovery” is created. To create this application in your tenant, you must specify an account with administrative access to create applications. The account must have the Global Administrator role to be able to create and consent to the application.

Once created, the application must also be delegated permissions and an administrator must consent to the application’s permissions using the Microsoft consent wizard. For the Quest Enterprise Reporter OneDrive Discovery application, the following permissions are required:

 

Table 12. Required permissions
API Name
Permission
Permission Description
Type

Microsoft Graph

Directory.Read.All

Read directory data

Delegated

Microsoft Graph

Files.Read.All

Read all files that user can access

Delegated

Microsoft Graph

Sites.FullControl.All

Have full control of all site collections

Delegated

Microsoft Graph

Directory.AccessAsUser.All

Access directory as the signed in user

Delegated

Office 365 SharePoint Online

MyFiles.Read

Read user files

Delegated

Azure Resource application permissions

For the Azure Resource discovery, an application with a name that begins with “Quest Enterprise Reporter Azure Resource Discovery” is created. To create this application in your tenant, you must specify an account with administrative access to create applications. The account must have the Global Administrator role to be able to create and consent to the application.

Once created, the application must also be delegated permissions and an administrator must consent to the application’s permissions using the Microsoft consent wizard. For the Enterprise Reporter Azure Resource discovery application, the following permissions are required:

 

Table 13. Required permissions
API Name
Permission
Permission Description
Type

Microsoft Graph

User.ReadBasic.All

Read all users' basic profiles

Delegated

Microsoft Graph

Directory.AccessAsUser.All

Access directory as the signed in user

Delegated

Windows Azure Service Management API

user_impersonation

Access Azure Service Management as organization users

Delegated

Microsoft Teams application permissions

For the Microsoft Teams discovery, an application with a name that begins with “Quest Enterprise Reporter Microsoft Teams Discovery” is created. To create this application in your tenant, you must specify an account with administrative access to create applications. The account must have the Global Administrator role to be able to create and consent to the application.

Once created, the application must also be delegated permissions and an administrator must consent to the application’s permissions using the Microsoft consent wizard. For the Quest Enterprise Reporter Microsoft Teams Discovery application, the following permissions are required:

 

Table 14. Required permissions
API Name
Permission
Permission Description
Type

Microsoft Graph

Directory.Read.All

Read directory data

Delegated

Microsoft Graph

User.ReadBasic.All

Read all users' basic profiles

Delegated

Microsoft Graph

Files.Read

Read user files

Delegated

Microsoft Graph

Sites.FullControl.All

Have full control of all site collections

Delegated

Microsoft Graph

Directory.AccessAsUser.All

Access directory as the signed in user

Delegated

Microsoft Graph

Group.Read.All

Read all groups

Delegated

Office 365 SharePoint Online

MyFiles.Read

Read user files

Delegated

SharePoint Online application permissions

For the SharePoint Online discovery, an application with a name that begins with “Quest Enterprise Reporter SharePoint Online Discovery” is created. To create this application in your tenant, you must specify an account with administrative access to create applications. The account must have the Global Administrator role to be able to create and consent to the application.

Once created, the application must also be delegated permissions and an administrator must consent to the application’s permissions using the Microsoft consent wizard. For the Quest Enterprise Reporter SharePoint Online Discovery application, the following permissions are required:

 

Table 15. Required permissions
API Name
Permission
Permission Description
Type

Microsoft Graph

Directory.Read.All

Read directory data

Delegated

Microsoft Graph

Sites.FullControl.All

Have full control of all site collections

Delegated

Minimum permissions for installing Enterprise Reporter

 
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating