Cayosoft Guardian System Requirements
Note: Installing the Administrator Service and Cayosoft Guardian on the same server is not supported. Cayosoft strongly recommends installing them on separate servers to ensure optimal performance.
Hardware Requirements
Component | Requirements |
---|---|
Platform | 2 GHz or higher Intel-compatible dual- or quad-core CPU |
Memory | 8 GB minimum, 16 GB recommended. Note: For environments with 100k user accounts or more, 32 GB RAM or more is recommended. |
Disk | 180 GB or more of free disk space |
Machine | Physical, on-premises virtual, Azure VM, or AWS virtual server |
To help you determine the optimal hardware requirements for your environment, check the hardware configuration calculator.
Software Requirements
Component | Requirements |
---|---|
OS | Windows Server 2016, 2019, 2022, and 2025; Windows 10 Pro |
Active Directory Forest Functional Level | 2012R2, 2016 |
Active Directory Domain Functional Level | 2012R2, 2016 |
Web browsers | Important: Microsoft Internet Explorer is not supported. |
Database | Cayosoft Guardian comes with a built-in SQL Server Express LocalDB. SQL Server 2017 or later, Azure SQL, or SQL Server on AWS is strongly recommended for production workloads. Azure SQL standard database must be created with one of the following configurations: SQL Server on AWS must be created with at least the db.m5.large model. |
Required ports | |
Required Permissions
Change Monitoring and Rollback
Connect to Entra ID / Microsoft 365 with a user account
Cayosoft Guardian uses multiple identities such as connection accounts and applications to access and manage your cloud environment.
Connection account
- Create a user account and assign the Global Administrator role to this account, before adding a tenant to Cayosoft Guardian.
- It is strongly recommended to use a cloud-only account (not synchronized with on-premises AD).
- The connection account should not be used in other applications or scripts.
- To send notifications via Teams or Exchange Online, assign an Office 365 license with Teams and Exchange Online options.
Connection account permissions
Role | Details |
---|---|
Global Administrator | Assign the Global Administrator role to this account before adding a tenant to Cayosoft Guardian. |
User Access Administrator in Azure | Cayosoft Guardian will automatically add the connection account to the User Access Administrator role in Azure. This role gives access to all subscriptions and management groups in Azure. |
Enterprise application
- Cayosoft Guardian automatically creates an Enterprise application in your tenant and assigns all required permissions.
Application permissions
Permission name | Claim value | Description |
---|---|---|
Windows Azure Service Management API | | |
Access Azure Service Management as organization users | user_impersonation | Monitor Azure role assignments, manage resources. Before removing this permission, turn off the Collect Tenant Settings action in the Entra Event Collection job. After removing this permission, you cannot perform AD forest recovery into Azure recovery sites. |
Office 365 Management APIs | | |
 | ActivityFeed.Read | Read the Unified log and discover the initiator of changes. Before removing this permission, disable the Collect Office 365 Unified Log and Collect Exchange Online Audit Log actions in the Entra Event Collection job. |
Microsoft Graph | | |
 | Directory.AccessAsUser.All | Perform password resets during recovery. After removing write permission, you will no longer be able to recover user objects in specific scenarios. |
 | Group.ReadWrite.All | Audit, backup, and recover directory groups. Write permission is required to undo changes using the rollback action in the Change History. Read permission is required by the Entra Change Collection job to collect changes from Entra ID. After removing write permission, you cannot undelete or delete group objects within specific recovery scenarios with Cayosoft Guardian. Before removing read permission, disable the action related to the specific object type in the Entra Change Collection job. After disabling the selected action, the corresponding objects' changes will no longer be collected. |
 | AuditLog.Read.All | Read Entra ID audit logs. Before removing this permission, disable the Entra Audit Log Collection action of the Entra Event Collection job. |
 | Policy.ReadWrite.ConditionalAccess | Audit, backup, and recover objects in your organization's directory, such as conditional access policies and named locations. Write permission is required to undo changes using the rollback action in the Change History. After removing write permission, you cannot recover conditional access policies and named location objects with Cayosoft Guardian. Before removing the read permission, disable the Collect Changes for Named Locations and Collect Changes for Conditional Access Policies actions in the Entra Change Collection job. After disabling the selected actions, the corresponding objects' changes will no longer be collected. Disabling this permission also affects the live browsing of the Conditional access node. |
 | Policy.Read.All | Audit, backup, and recover objects in your organization's directory, such as conditional access policies and named locations. Read permission is required by the Entra Change Collection job to collect changes from Entra ID. Before removing the permission, disable the Collect Changes for Named Locations and Collect Changes for Conditional Access Policies actions in the Entra ID Change Collection job. After disabling the selected actions, the corresponding objects' changes will no longer be collected. Disabling this permission also affects the live browsing of the Conditional access node. |
 | RoleManagement.ReadWrite.Directory | Read and manage the role-based access control (RBAC) settings for your company's directory on your behalf. This includes instantiating directory roles, managing directory-role membership, and reading directory role templates, directory roles, and memberships. Write permission is required to undo changes using the rollback action in the Change History. After removing write permission, you cannot recover objects of the corresponding object type with Cayosoft Guardian. Read permission is required by the Entra Change Collection job to collect changes from Entra ID. Before removing read permission, disable the action related to the specific object type in the Entra Change Collection job. After disabling the selected action, the corresponding objects' changes will no longer be collected. |
 | RoleAssignmentSchedule.ReadWrite.Directory | Audit, backup, and recover active role-based access control (RBAC) assignments for your company's directory. Before removing this permission, disable the Collect Changes for Roles (PIM) action in the Entra Change Collection job. After disabling the selected action, the corresponding objects' changes will no longer be collected. |
 | RoleEligibilitySchedule.ReadWrite.Directory | Audit, backup, and recover eligible role-based access control (RBAC) assignments for your company's directory. Before removing this permission, disable the Collect Changes for Roles (PIM) action in the Entra Change Collection job. After disabling the selected action, the corresponding objects' changes will no longer be collected. |
 | Contacts.ReadWrite | Audit, backup, and recover user contacts in your organization's directory. Write permission is required to undo changes using the rollback action in the Change History. After removing write permission, you will no longer be able to recover user contacts with Cayosoft Guardian. Read permission is required by the Entra Change Collection job to collect changes from Entra ID. Before removing read permission, disable the action related to contacts in the Entra Change Collection job. After disabling the selected action, the corresponding objects' changes will no longer be collected. |
 | Agreement.Read.All | Audit and backup conditional access policies. Before removing the permission, disable the Collect Changes for Conditional Access Policies action in the Entra Change Collection job. After disabling the selected action, the corresponding objects' changes will no longer be collected. |
 | CrossTenantInformation.ReadBasic.All | Audit and backup conditional access policies. Before removing this permission, disable the Collect Changes for Conditional Access Policies action in the Entra Change Collection job. After disabling the selected action, the corresponding objects' changes will no longer be collected. |
 | Policy.ReadWrite.AuthenticationFlows | Audit, backup, and recover the authentication flows policy configuration in Entra ID. Before removing this permission, disable the Collect Tenant Policies action in the Entra Change Collection job. After disabling the selected action, the corresponding objects' changes will no longer be collected. |
 | Policy.ReadWrite.Authorization | Audit, backup, and recover Microsoft Entra authorization settings in Entra ID. Before removing this permission, disable the Collect Tenant Policies action in the Entra Change Collection job. After disabling the selected action, the corresponding objects' changes will no longer be collected. |
 | Policy.ReadWrite.DeviceConfiguration | Audit, backup, and recover the organization's device configuration policies in Entra ID. Before removing this permission, disable the Collect Tenant Policies action in the Entra Change Collection job. After disabling the selected action, the corresponding objects' changes will no longer be collected. |
 | UserAuthenticationMethod.ReadWrite.All | Audit, backup, and recover users' Entra ID authentication method settings. Before removing this permission, disable the Entra Supplementary Change Collection job. |
 | DeviceManagementManagedDevices.ReadWrite.All | Audit, backup, and recover devices managed by Microsoft Intune. Before removing this permission, disable the Collect Changes for Managed Devices action in the Intune Change Collection job. After disabling the selected action, the corresponding objects' changes will no longer be collected. |
 | DeviceManagementConfiguration.ReadWrite.All | Audit, backup, and recover Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups. Before removing this permission, disable the following actions in the Intune Change Collection job: After disabling the selected actions, the corresponding objects' changes will no longer be collected. |
 | DeviceManagementApps.ReadWrite.All | Read the Intune audit log and discover the initiator of changes made in Intune. Before removing this permission, disable the Collect Intune Audit Log action in the Entra Event Collection job. |
 | Exchange.Manage | Audit, backup, and recover Exchange Online mailboxes. Before removing this permission, disable the Exchange Online Change Collection job. |
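As a defender's check, an added example (not Cayosoft's own code) that lists the delegated permissions actually consented to the Guardian enterprise application and diffs them against the claim values in the table above. It assumes the enterprise application's display name, and that the permissions are consented as delegated scopes (claims such as user_impersonation and Directory.AccessAsUser.All exist only as delegated permissions); the Microsoft.Graph PowerShell SDK is required.

```powershell
# Added example, not Cayosoft's own code: compare the delegated permissions granted
# to the Cayosoft Guardian enterprise application with the claim values documented
# in the table above. Requires the Microsoft.Graph PowerShell SDK. The display name
# of the enterprise application is an assumption; adjust it to match your tenant.
$appDisplayName = 'Cayosoft Guardian'   # assumed display name

# Claim values as documented in the Application permissions table above.
$documented = @(
    'user_impersonation', 'ActivityFeed.Read',
    'Directory.AccessAsUser.All', 'Group.ReadWrite.All', 'AuditLog.Read.All',
    'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
    'RoleManagement.ReadWrite.Directory',
    'RoleAssignmentSchedule.ReadWrite.Directory',
    'RoleEligibilitySchedule.ReadWrite.Directory',
    'Contacts.ReadWrite', 'Agreement.Read.All', 'CrossTenantInformation.ReadBasic.All',
    'Policy.ReadWrite.AuthenticationFlows', 'Policy.ReadWrite.Authorization',
    'Policy.ReadWrite.DeviceConfiguration', 'UserAuthenticationMethod.ReadWrite.All',
    'DeviceManagementManagedDevices.ReadWrite.All',
    'DeviceManagementConfiguration.ReadWrite.All', 'DeviceManagementApps.ReadWrite.All',
    'Exchange.Manage'
)

# Read-only Graph scopes are enough to enumerate service principals and their grants.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

$sp = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'"
if (-not $sp) { throw "Enterprise application '$appDisplayName' not found in this tenant." }

# Delegated permissions are recorded as oauth2PermissionGrant objects whose Scope
# property holds a space-separated list of claim values for one resource API.
$grants  = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
$granted = $grants | ForEach-Object { $_.Scope -split ' ' } |
           Where-Object { $_ } | Sort-Object -Unique

$missing = $documented | Where-Object { $_ -notin $granted }
$extra   = $granted    | Where-Object { $_ -notin $documented }

# A grant with ConsentType 'Principal' applies to one user only, so it is lost
# silently if the connection account is replaced; report how many exist.
$perUser = $grants | Where-Object { $_.ConsentType -eq 'Principal' }

[pscustomobject]@{
    EnterpriseApp         = $sp.DisplayName
    ServicePrincipalId    = $sp.Id
    GrantedScopeCount     = @($granted).Count
    MissingFromDocumented = $missing   # collection or recovery actions depending on these will fail
    NotInDocumented       = $extra     # consent beyond what the product documents; review it
    UserScopedGrantCount  = @($perUser).Count
} | Format-List
```

Run it after adding the tenant and again after any permission cleanup; the MissingFromDocumented list tells you which "Before removing this permission" steps in the table apply.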
Notification permissions
The following API permissions are required for alerting. Removing these permissions may impact alerting capabilities.
System or task | Permissions |
---|---|
Send email alerts | Exchange Online (E1 license recommended) |
Send Teams alerts | Microsoft Teams (E1 license recommended) |
Microsoft Graph | |
Send mail on behalf of others | Mail.Send.Shared |
Send email alerts and notifications | Mail.ReadWrite.Shared. NOTE: Before removing this permission, disable the related communication channels. |
Connect to Entra ID / Microsoft 365 using read-only mode
To add a tenant to Cayosoft Guardian in a read-only mode for data collection only (read-only mode), see How to configure Cayosoft Guardian for read-only access to an Entra ID tenant.
Connect to Active Directory with a user account as the connection account
Cayosoft Guardian can use a user account to manage your domains and partitions.
- Create a user account and assign Domain Admin membership to this account before adding a domain to Cayosoft Guardian.
Connection account permissions
Task | Permissions |
---|---|
Collect changes in domain partition | Domain Admin |
Collect changes in schema partition | Schema Admin |
Collect changes in configuration or application partitions | Enterprise Admin |
Connect to Active Directory using gMSA with administrative permissions
A gMSA offers improved security through automatic password management. Cayosoft Guardian will automatically create a gMSA with administrative permissions.
Account permissions required for initial configuration
Task | Permissions |
---|---|
Configure gMSA for domain partition | Domain Admin |
Configure gMSA for schema partition | Schema Admin |
Configure gMSA for configuration or application partitions | Enterprise Admin |
Permissions of gMSA with administrative permissions automatically created by Cayosoft Guardian
Task | Permissions | Details |
---|---|---|
Collect events | Event Log Readers | Member of the Event Log Readers group in the managed domain (for forest-wide partitions, membership is required in each forest domain). |
Access domain controllers via WinRM | Remote Management Users | Member of the Remote Management Users group in the managed domain (for forest-wide partitions, membership is required in each forest domain). |
Manage Entra Connect | ADSyncOperators | Member of the ADSyncOperators group in the managed domain (for forest-wide partitions, membership is required in each forest domain). |
Collect changes from DirSync | Replicate Directory Changes | Grant the Replicate Directory Changes permission on the domain object in Active Directory. This allows the account to read and replicate directory changes for synchronization purposes. |
Rollback actions in domain partition | Domain Admins | Member of the Domain Admins group in the managed domain. |
Rollback actions in configuration or application partitions | Enterprise Admins | Member of the Enterprise Admins group in the managed forest. |
Rollback actions in schema partition | Schema Admins | Member of the Schema Admins group in the managed domain. |
Connect to Active Directory using read-only gMSA
A gMSA offers improved security through automatic password management. Cayosoft Guardian will automatically create a gMSA with read-only permissions. The read-only gMSA can also be temporarily elevated to perform a rollback. This approach ensures that privileges are granted only when needed, following just-in-time elevation principles and minimizing security risk.
Permissions of account required for initial configuration
Task | Permissions |
---|---|
Configure gMSA for domain partition | Domain Admin |
Configure gMSA for schema partition | Schema Admin |
Configure gMSA for configuration or application partitions | Enterprise Admin |
Permissions of read-only gMSA
All of the following permissions and group memberships (as outlined above) are required for the read-only gMSA.
Task | Permissions | Details |
---|---|---|
Collect events | Event Log Readers | Member of the Event Log Readers group in the managed domain (for forest-wide partitions, membership is required in each forest domain). |
Access domain controllers via WinRM | Remote Management Users | Member of the Remote Management Users group in the managed domain (for forest-wide partitions, membership is required in each forest domain). |
Manage Entra Connect | ADSyncOperators | Member of the ADSyncOperators group in the managed domain (for forest-wide partitions, membership is required in each forest domain). |
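An added defender's check, not part of Cayosoft's product, that audits one of the gMSAs described in the two tables above: it confirms the Event Log Readers, Remote Management Users and ADSyncOperators memberships, reports whether the Replicate Directory Changes right from the administrative gMSA table is granted on the domain object, and flags a read-only gMSA that is still a member of a privileged group after a rollback elevation. The gMSA name is assumed; the ActiveDirectory RSAT module is required.

```powershell
# Added example, not Cayosoft's own code: audit the group memberships and the
# Replicate Directory Changes grant of a Cayosoft Guardian gMSA against the tables
# above. Requires the ActiveDirectory RSAT module and an account that can read the
# domain object's ACL. The gMSA name is an assumption; Guardian creates the account,
# so look it up in the Managed Service Accounts container of the managed domain.
Import-Module ActiveDirectory

$gmsaName = 'gMSA-Guardian$'   # assumed sAMAccountName (the trailing $ is part of it)
$ReadOnly = $true              # $false when auditing the gMSA with administrative permissions

$domainDn = (Get-ADDomain).DistinguishedName
$gmsa     = Get-ADServiceAccount -Identity $gmsaName
# Only memberships in the current domain are returned. For forest-wide partitions the
# tables require the same memberships in every domain of the forest, so repeat the
# check against each domain with -Server.
$groups   = (Get-ADPrincipalGroupMembership -Identity $gmsa.DistinguishedName).Name

# Memberships both gMSA variants must hold (Collect events, WinRM access, Entra Connect).
$expected   = @('Event Log Readers', 'Remote Management Users', 'ADSyncOperators')
# Memberships that belong to the administrative gMSA; a read-only gMSA should hold
# them only while temporarily elevated for a rollback.
$privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')

foreach ($g in $expected) {
    if ($g -notin $groups) { Write-Warning "Missing expected membership: $g" }
}
foreach ($g in $privileged) {
    if ($g -notin $groups) { continue }
    if ($ReadOnly) {
        Write-Warning "Read-only gMSA is a member of '$g'. Unless a rollback elevation is in progress, the elevation was not reverted."
    } else {
        Write-Output "Administrative gMSA is a member of '$g' (required for rollback)."
    }
}

# 'Collect changes from DirSync' requires the Replicate Directory Changes control access
# right on the domain object; its rights GUID is DS-Replication-Get-Changes. The check
# below only sees ACEs granted to the gMSA directly, not through a group.
$dsReplGetChanges = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
$acl = Get-Acl -Path "AD:\$domainDn"
$replAce = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -like "*\$($gmsa.SamAccountName)" -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    $_.ObjectType -eq $dsReplGetChanges
}
if ($replAce) { Write-Output 'Replicate Directory Changes on the domain object: granted.' }
elseif (-not $ReadOnly) { Write-Warning 'Replicate Directory Changes: not granted to the gMSA directly (required for Collect changes from DirSync).' }
else { Write-Output 'Replicate Directory Changes on the domain object: not granted to the gMSA directly.' }
```

Scheduling this check after each rollback window gives a simple detection for a just-in-time elevation that was never reverted.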
The following API permissions are required for change monitoring and recovery. Removing these permissions may impact monitoring and recovery capabilities.
Forest Recovery
Cayosoft Guardian uses multiple identities such as connection accounts and applications to access and manage your environment.
To add a subscription to Cayosoft Guardian for forest recovery, a connection account must be a member of the Global Admin role in this tenant.
Microsoft Azure permissions
Create resources
System or task | Permissions | Details |
---|---|---|
Create Azure resources for recovery site | Contributor role in the resource group | Create a resource group manually and only allow Cayosoft Guardian to create the resources. |
Create Azure resources for recovery site | Contributor role for the subscription | Assign this role to an account used to add a new subscription under Cloud Services. This allows the creation of resources across the subscription. |
Manage backups
System or task | Permissions | Details |
---|---|---|
Create an Azure share for backups | Contributor role in the resource group | Create a resource group manually and only allow Cayosoft Guardian to create resources, such as Azure file shares, for backups. |
Using an Azure blob storage in backup plans | Storage Blob Data Contributor role | Assign this role to an account used to add a new subscription under Cloud Services. Grants read, write, and delete access to blob data within the assigned subscription for backup and recovery purposes. |
AWS permissions
To back up to S3 storage and create resources in AWS, Cayosoft Guardian requires an account with the following permissions:
Create resources
System or task | Permissions | Details |
---|---|---|
Provision and manage EC2 instances for the recovery site | AmazonEC2FullAccess | Full access to EC2 instances for provisioning, managing, and recovering resources at the recovery site. |
Create and manage AWS resources | AWSCloudFormationFullAccess | Automate the deployment of the recovery site using infrastructure-as-code templates and define the infrastructure setup in CloudFormation stacks. |
Run automation scripts for failover, configuration adjustments, and recovery tasks | AWSLambda_FullAccess | Full access to AWS Lambda to run automation scripts for handling instance failover, configuration adjustments, and other event-driven recovery tasks. |
Create and manage IAM roles and policies | IAMFullAccess | Create and manage IAM roles and policies required for the recovery site's services and components. Assign necessary permissions to recovery resources (e.g., allowing EC2 instances to access S3 or SSM). |
Organize recovery-related resources using tags and resource groups | ResourceGroupsandTagEditorFullAccess | Organize recovery-related resources using tags and resource groups. Automate tagging of new resources to maintain proper tracking and cost allocation. |
Manage backups
System or task | Permission/Role | Details |
---|---|---|
Store recovery site backups, logs, and configurations | AmazonS3FullAccess | Full access to Amazon S3 for storing recovery site backups, logs, and configurations. |
Enable automated retrieval of backup data when initiating recovery | AmazonS3FullAccess | Retrieve backup data stored in S3 buckets when initiating recovery processes. |
Automate recovery processes using AWS Systems Manager | AmazonSSMFullAccess | Full access to AWS Systems Manager to automate recovery processes, including instance management, patching, and configuration. |
NOTE: Cayosoft recommends creating a separate organization and accounts for instant forest recovery, so the service accounts can only access resources required for forest recovery, and do not have access to production workloads.