On Demand Migration manages the following types of customer data:
When domain coexistence is turned on, all outgoing mail traffic from the customer's source tenant is routed through the Address Rewrite Service, which changes the addresses in mail headers. An independent instance of the Address Rewrite Service is created for each migration project.
Domain coexistence can be disabled at any time from the On Demand Migration UI. Disabling it completely removes the Address Rewrite Service from outgoing mail processing, so all outgoing mail is sent directly from Exchange Online.
See the On Demand Migration User Guide for the detailed list of all customer configuration changes related to Domain Coexistence.
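As an added illustration of the rewriting step described above (this is example code, not the Address Rewrite Service or any Quest code), the following Go program parses the sender-side header fields of an outgoing RFC 5322 message and rewrites every address in the source domain to the target domain, leaving third-party addresses untouched. The domain names, the choice of header fields (From, Reply-To, Sender) and the sample message are constructed assumptions; the page does not state which headers the service rewrites.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Constructed example domains; the real source and target domains are taken
// from the migration project and are not given on this page.
const (
	sourceDomain = "source.example"
	targetDomain = "target.example"
)

// Header fields that identify the sender and would otherwise expose the
// source tenant's domain. Assumed for this example; recipient fields (To, Cc)
// are deliberately left alone.
var rewrittenFields = []string{"From", "Reply-To", "Sender"}

// rewriteAddress moves one address from sourceDomain to targetDomain.
// Addresses in any other domain are returned unchanged.
func rewriteAddress(addr *mail.Address) *mail.Address {
	at := strings.LastIndex(addr.Address, "@")
	if at < 0 {
		return addr
	}
	local, domain := addr.Address[:at], addr.Address[at+1:]
	if !strings.EqualFold(domain, sourceDomain) {
		return addr
	}
	return &mail.Address{Name: addr.Name, Address: local + "@" + targetDomain}
}

// RewriteHeader rewrites every address in one header field value and returns
// the new value together with the number of addresses that changed.
func RewriteHeader(value string) (string, int, error) {
	list, err := mail.ParseAddressList(value)
	if err != nil {
		return "", 0, err
	}
	out := make([]string, 0, len(list))
	changed := 0
	for _, a := range list {
		r := rewriteAddress(a)
		if r.Address != a.Address {
			changed++
		}
		out = append(out, r.String())
	}
	return strings.Join(out, ", "), changed, nil
}

// RewriteMessageHeaders applies RewriteHeader to the sender-side fields of a
// raw message and returns the rewritten field values keyed by field name.
func RewriteMessageHeaders(raw string) (map[string]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	result := map[string]string{}
	for _, field := range rewrittenFields {
		v := msg.Header.Get(field)
		if v == "" {
			continue
		}
		nv, _, err := RewriteHeader(v)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", field, err)
		}
		result[field] = nv
	}
	return result, nil
}

func main() {
	// Constructed sample message from a mailbox still on the source tenant.
	raw := "From: Alice Example <alice@source.example>\r\n" +
		"Reply-To: alice@source.example\r\n" +
		"To: bob@partner.example\r\n" +
		"Subject: test\r\n\r\nbody\r\n"
	hdrs, err := RewriteMessageHeaders(raw)
	if err != nil {
		panic(err)
	}
	for _, f := range rewrittenFields {
		if v, ok := hdrs[f]; ok {
			fmt.Printf("%s: %s\n", f, v)
		}
	}
}
```

Because the rewrite is applied only to sender-side fields, disabling coexistence (as described above) simply means this step no longer runs and the message leaves Exchange Online with its original headers; nothing about the recipients or the body is ever touched here.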
On Demand Migration requires access to the customer's Azure Active Directory and Office 365 tenancies. The customer grants that access using the Microsoft Admin Consent process, which creates a Service Principal in the customer's Azure Active Directory with the minimum consents required by On Demand Migration (Groups, Users, Contacts). The Service Principal authenticates using Microsoft's OAuth certificate-based client credentials grant flow: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow. Customers can revoke Admin Consent at any time. See https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/delete-application-portal and https://docs.microsoft.com/en-us/skype-sdk/trusted-application-api/docs/tenantadminconsent for details.
The following is the base consent required by On Demand Migration.
In addition to the base consents required by On Demand and On Demand Migration, On Demand Migration (Email) requires the following consents:
When the On Demand Migration project is created, the Quest group is automatically added to the Exchange administrator role for mailboxes.
On Demand Migration currently uses the Microsoft Exchange Online PowerShell API with support for the "limited permissions" model for Accounts, Email, SharePoint, Teams and OneDrive migrations, so global administrator permissions are not needed during migration. Consent is granted once using the global administrator account; all subsequent migration operations are driven by the token generated for the app Service Principal.
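To make the certificate-based client credentials grant named above concrete, here is an added Go example (not Quest's code, and not the identity platform's implementation) of the two halves of the exchange: the client builds and signs the JWT client assertion that replaces a shared secret, and the token endpoint verifies the signature, audience, issuer and expiry before it will issue the token that drives the migration operations. The tenant and client IDs are placeholders, the Graph `.default` scope and the 10-minute assertion lifetime are assumptions, the certificate DER bytes are a constructed stand-in for the thumbprint calculation, and `NewDemoKey` generates an in-memory key purely for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/url"
	"strings"
	"time"
)

// Placeholder identifiers: the real tenant ID and application (client) ID come
// from the customer's Azure AD and are not on the page.
const (
	tenantID = "00000000-0000-0000-0000-000000000000"
	clientID = "11111111-1111-1111-1111-111111111111"
)

func tokenEndpoint() string {
	return "https://login.microsoftonline.com/" + tenantID + "/oauth2/v2.0/token"
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewDemoKey creates an in-memory RSA key for this demonstration only; a real
// service principal's key lives in a certificate store or key vault.
func NewDemoKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// BuildClientAssertion produces the RS256-signed JWT the service principal
// presents in place of a shared secret. certDER is the DER encoding of the
// certificate registered on the app; its SHA-1 thumbprint goes into the x5t
// header so the identity platform can select the matching public key.
func BuildClientAssertion(key *rsa.PrivateKey, certDER []byte, now time.Time) (string, error) {
	thumb := sha1.Sum(certDER)
	jti := make([]byte, 16) // unique ID so a captured assertion cannot be replayed
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "x5t": b64url(thumb[:])})
	claims, _ := json.Marshal(map[string]interface{}{
		"aud": tokenEndpoint(), "iss": clientID, "sub": clientID, "jti": b64url(jti),
		"nbf": now.Unix(), "exp": now.Add(10 * time.Minute).Unix(), // short-lived on purpose
	})
	signingInput := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// VerifyClientAssertion mirrors the token endpoint's checks: RS256 signature
// against the registered public key, then audience, issuer and expiry.
func VerifyClientAssertion(assertion string, pub *rsa.PublicKey, now time.Time) error {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return errors.New("malformed assertion")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return errors.New("bad signature")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return err
	}
	var c struct {
		Aud string `json:"aud"`
		Iss string `json:"iss"`
		Exp int64  `json:"exp"`
	}
	if err := json.Unmarshal(body, &c); err != nil {
		return err
	}
	if c.Aud != tokenEndpoint() || c.Iss != clientID {
		return errors.New("wrong audience or issuer")
	}
	if now.Unix() >= c.Exp {
		return errors.New("assertion expired")
	}
	return nil
}

// TokenRequestBody is the form body posted to the token endpoint; the .default
// scope requests every application permission consented on the service principal.
func TokenRequestBody(assertion string) string {
	v := url.Values{}
	v.Set("grant_type", "client_credentials")
	v.Set("client_id", clientID)
	v.Set("scope", "https://graph.microsoft.com/.default")
	v.Set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
	v.Set("client_assertion", assertion)
	return v.Encode()
}
```

Two points follow from the shape of the exchange. No password or long-lived secret is ever sent: only a signature over a short-lived, single-use assertion, which is why the page can say migration runs on the Service Principal's token rather than on an administrator's credentials. And the checks shown here are only the first gate; once admin consent is revoked (see the links above), the identity platform refuses to issue a token for that service principal even when the assertion itself is perfectly valid, which is the customer's kill switch for the integration.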
The Admin Consent process of On Demand Migration (OneDrive) will create a Service Principal in the customer's Azure AD tenant with the following permissions.
When a customer signs up for On Demand, they select the region in which to run their On Demand organization. All computation is performed and all data is stored in the selected region. The currently supported regions can be found here: https://regions.quest-on-demand.com/.
Mail messages awaiting processing by the Address Rewrite Service servers are temporarily stored on Azure Virtual Machine disks before being delivered to recipients. This data is encrypted at rest.
Windows Azure Storage, including the Blob, Table and Queue storage structures, is replicated three times within the same datacenter for resilience against hardware failure. The data is replicated across different fault domains to increase availability. All replication datacenters reside within the geographic boundaries of the selected region.
See this Microsoft reference for more details: https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy
The most sensitive customer data processed by On Demand Migration is the Azure Active Directory and Office 365 data: users, groups and contacts with their associated properties, and the content of emails and OneDrive for Business. On Demand Migration does not store or handle end-user passwords of Azure AD objects.
To ensure that customer data is kept separate during processing, the following policies are strictly applied in On Demand Migration:
More information about Azure queues, tables, and blobs: