Administrator Consent and Service Principals
On Demand Migration requires access to the customer’s Microsoft Entra ID and Office 365 tenancies. The customer grants that access using the Microsoft Admin Consent process, which will create a Service Principal in the customer's Microsoft Entra ID with minimum consents required by On Demand Migration. The Service Principal is created using Microsoft's OAuth certificate based client credentials grant flow.
Customers can revoke Admin Consent at any time. For more details, see https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/delete-application-portal and https://docs.microsoft.com/en-us/skype-sdk/trusted-application-api/docs/tenantadminconsent.
The base consents required by Quest On Demand and On Demand Migration is shown below.
| Quest On Demand - Core - Basic | Quest On Demand - Migration - Basic |
 |
 |
In addition to the base consents required by On Demand Migration, On Demand Migration for Mailboxes requires the following consents:
When the On Demand Migration project is created, the Quest group is automatically added to the exchange administrator role for mailboxes.
In addition to the base consents required by On Demand Migration, On Demand Migration for OneDrive requires the following consents: OneDrive - Minimal or OneDrive - Full.
 |
 |
On Demand Migration uses the Microsoft Exchange Online PowerShell API with support for the "limited permissions" model for Accounts, Email, SharePoint, Teams and OneDrive migrations, without needing global administrator permissions during migration. After the consent has been granted using the global administrator account, thereafter all migration operations will be driven by the token generated using app Service Principal.
The Admin Consent process for On Demand Migration for OneDrive will create a Service Principal in the customer's Microsoft Entra ID tenant with the following permissions.
- Permissions required for On Demand Migration (Groups, Users, Contacts) as described in this Security Guide.
- Permissions required for On Demand Migration for SharePoint as described in the On Demand Migration for SharePoint Security Guide.
Role based access control
Quest On Demand is configured with default roles that cannot be edited or deleted, and allows you to add custom roles to make permissions more granular. Each access control role has a specific set of permissions that determines what tasks a user assigned to the role can perform. For more information about role-based access control, see the Quest On Demand Migration User Guide.
Azure datacenter security
Microsoft Azure datacenters have the highest possible physical security and are considered among the most secure and well protected datacenters in the world. They are subject to regular audits and certifications including Service Organization Controls (SOC) 1, SOC 2 and ISO/IEC 27001:2005.
Relevant references with additional information about the Windows Azure datacenter security can be found here:
- Microsoft Azure Trust Center: https://azure.microsoft.com/en-us/overview/trusted-cloud/
- Microsoft Trust Center Compliance: https://www.microsoft.com/en-us/trust-center/compliance/compliance-overview?service=Azure#Icons
- Microsoft’s submission to the Cloud Security Alliance STAR registry: https://cloudsecurityalliance.org/star/registry/microsoft/
- Whitepaper: Standard Response to Request for Information – Security and Privacy: http://www.microsoft.com/en-us/download/details.aspx?id=26647
- Microsoft Global Datacenters: Security & Compliance: https://www.microsoft.com/en-us/cloud-platform/global-datacenters
- Azure data security and encryption best practices: https://docs.microsoft.com/en-us/azure/security/fundamentals/data-encryption-best-practices
Overview of data managed by On Demand Migration
On Demand Migration manages the following type of customer data:
- Microsoft Entra ID and Office 365 users, groups and contacts with their properties returned by Microsoft Entra ID Graph API including account name, email addresses, contact information, department, membership and other properties. Part of the information is stored in the product database.
- Product works with end-user mailbox and OneDrive content. The content processed by the product is not persistently stored by the product. OneDrive data content is temporary stored in Azure blob storage and is encrypted at rest for the period of migrating particular OneDrive account.
- Some data from end-user mailbox/OneDrive content can be stored by the product for troubleshooting purposes. This includes data to identify the items where some troubleshooting is required, e.g., mail item subject, OneDrive file names. The data are stored in product Elasticsearch database, Azure table storage and Application Insight and is encrypted at rest.
- The application does not store or deal with end-user passwords of Microsoft Entra ID objects.
- The application stores administrative account name and password to perform migration operations. The data are stored in Azure Key Vault and is encrypted at rest.
When domain coexistence is turned on, all outgoing mail traffic from the customer’s source tenant is routed through Address Rewrite Service which changes the addresses in mail headers. The independent instance of Address Rewrite Service is created for each migration project.
The domain coexistence can be disabled at any moment from the On Demand Migration UI, which completely removes the Address Rewrite Service from outgoing mail processing, thus all outgoing mail will be sent directly from Exchange Online.
Check On Demand Migration User Guide for the detailed list of all customer configuration changes related to Domain Coexistence.