On Demand Migration Current - Security Guide - General Migration

Overview of data handled by On Demand Migration

On Demand Migration manages the following types of customer data:

  • Azure Active Directory and Office 365 users, groups and contacts, with the properties returned by the Azure Active Directory Graph API, including account name, email addresses, contact information, department, membership and other properties. Part of this information is stored in the product database.
  • The product works with end-user mailbox and OneDrive content. Content processed by the product is not persistently stored by the product. OneDrive content is temporarily stored in Azure blob storage, encrypted at rest, for the period during which the particular OneDrive account is being migrated.
  • Some data from end-user mailbox or OneDrive content can be stored by the product for troubleshooting purposes. This includes the data needed to identify items that require troubleshooting, e.g. mail item subjects and OneDrive file names. This data is stored in the product's Elasticsearch database, Azure table storage and Application Insights, and is encrypted at rest.
  • The application does not store or deal with end-user passwords of Azure AD objects.
  • The application stores the administrative account name and password used to perform migration operations. These credentials are stored in Azure Key Vault and are encrypted at rest.

When domain coexistence is turned on, all outgoing mail traffic from the customer's source tenant is routed through the Address Rewrite Service, which rewrites the addresses in the mail headers. An independent instance of the Address Rewrite Service is created for each migration project.

Domain coexistence can be disabled at any time from the On Demand Migration UI. Disabling it completely removes the Address Rewrite Service from outgoing mail processing, so all outgoing mail is sent directly from Exchange Online.

See the On Demand Migration User Guide for the detailed list of all customer configuration changes related to domain coexistence.

Admin Consent and Service Principals

On Demand Migration requires access to the customer's Azure Active Directory and Office 365 tenants. The customer grants that access using the Microsoft Admin Consent process, which creates a Service Principal in the customer's Azure Active Directory with the minimum consents required by On Demand Migration (Groups, Users, Contacts). The Service Principal is created using Microsoft's certificate-based OAuth 2.0 client credentials grant flow: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow. Customers can revoke Admin Consent at any time; see https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/delete-application-portal and https://docs.microsoft.com/en-us/skype-sdk/trusted-application-api/docs/tenantadminconsent for details.

The following is the base consent required by On Demand Migration.

In addition to the base consents required by On Demand and On Demand Migration, On Demand Migration (Email) requires the following consents:

When an On Demand Migration project is created, the Quest group is automatically added to the Exchange administrator role for mailboxes.

On Demand Migration currently uses the Microsoft Exchange Online PowerShell API with support for the "limited permissions" model for Accounts, Email, SharePoint, Teams and OneDrive migrations, so global administrator permissions are not needed during migration. After consent has been granted using a global administrator account, all subsequent migration operations are driven by the token obtained for the app's Service Principal.

The Admin Consent process of On Demand Migration (OneDrive) will create a Service Principal in the customer's Azure AD tenant with the following permissions.

  • Permissions required for On Demand Migration (Groups, Users, Contacts) as per this Security Guide.
  • Permissions required for On Demand Migration for SharePoint as per the On Demand Migration for SharePoint Security Guide.
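The consents described above can be verified from the customer side. The following Microsoft Graph PowerShell script is an added example, not Quest's code and not part of this guide: run by a tenant administrator with read-only scopes, it lists the application permissions, delegated scopes and directory memberships of the Service Principal that Admin Consent created, so they can be compared with the minimum consents stated in this guide. The application display name is a placeholder; use the name shown under Enterprise applications in the Azure portal.

```powershell
# Added example: audit the Service Principal created by Admin Consent.
# Requires the Microsoft.Graph PowerShell module; read-only scopes suffice for the audit.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

# Placeholder: the display name shown under Enterprise applications in the Azure portal.
$appDisplayName = '<On Demand Migration application name>'

$sp = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'"
if (-not $sp) { throw "No service principal named '$appDisplayName' found in this tenant." }
Write-Host "Service principal: $($sp.DisplayName) (AppId $($sp.AppId), ObjectId $($sp.Id))"

# 1. Application permissions: app role assignments, resolved to permission names by
#    looking up the AppRoleId on the resource (e.g. Microsoft Graph) service principal.
$resourceCache = @{}
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id | ForEach-Object {
    $assignment = $_
    if (-not $resourceCache.ContainsKey($assignment.ResourceId)) {
        $resourceCache[$assignment.ResourceId] =
            Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
    }
    $role = $resourceCache[$assignment.ResourceId].AppRoles |
        Where-Object Id -eq $assignment.AppRoleId
    [pscustomobject]@{
        Type       = 'Application'
        Resource   = $assignment.ResourceDisplayName
        Permission = $role.Value
    }
} | Format-Table -AutoSize

# 2. Delegated permissions: OAuth2 grants; ConsentType 'AllPrincipals' means admin consent.
Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id |
    Select-Object @{ n = 'Type'; e = { 'Delegated' } }, ConsentType, Scope |
    Format-Table -AutoSize

# 3. Directory roles and groups the service principal is a member of.
Get-MgServicePrincipalMemberOf -ServicePrincipalId $sp.Id |
    ForEach-Object { $_.AdditionalProperties['displayName'] }

# Revoking Admin Consent means deleting the enterprise application (see the linked
# Microsoft documentation); -WhatIf only previews the deletion.
# Remove-MgServicePrincipal -ServicePrincipalId $sp.Id -WhatIf
```

Any permission listed beyond those the guide names for the product should be raised with the vendor before migration starts.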

Location of customer data

When a customer signs up for On Demand, they select the region in which to run their On Demand organization. All computation is performed and all data is stored in the selected region. The currently supported regions can be found here: https://regions.quest-on-demand.com/.

Mail messages intended for processing by Address Rewrite Service servers are temporarily stored on Azure Virtual Machine disks before being delivered to recipients. The data is encrypted at rest.

Windows Azure Storage, including the Blob, Table and Queue storage structures, is replicated three times within the same datacenter for resiliency against hardware failure. The data is replicated across different fault domains to increase availability. All replication datacenters reside within the geographic boundaries of the selected region.

See this Microsoft reference for more details: https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy

Privacy and protection of customer data

The most sensitive customer data processed by On Demand Migration is the Azure Active Directory and Office 365 data including users, groups and contacts and their associated properties, content of emails and OneDrive for Business. On Demand Migration does not store or deal with end-user passwords of Azure AD objects.

  • OneDrive for Business content for a particular user is temporarily stored during migration. The data is deleted once the migration task for that user is completed, and is encrypted at rest while stored.
  • Mail messages processed by the Address Rewrite Service are temporarily stored on the disks of the Azure Virtual Machine where the Address Rewrite Service is deployed. Once delivered, they are deleted from the mail queues and removed from the disks. The data is encrypted at rest.
  • Some user, group and contact properties are stored as part of the migration project so that they can be displayed in the UI and handled correctly during migration. This data is deleted once the migration project is deleted.
  • All migration project data and logs are encrypted at rest.
  • Hybrid accounts are processed by Quest Migration Manager for Active Directory, deployed in the on-premises environment. On Demand Migration has access to the migration progress only (events, errors, etc.). Account properties and other data are neither stored nor processed in the cloud.

To ensure that customer data is kept separate during processing, the following policies are strictly applied in On Demand Migration:

  • The data for each customer is stored in separate Azure storage containers. This data is protected by Azure's built-in server-side encryption of data at rest, which uses the strongest FIPS 140-2 approved block cipher available, the Advanced Encryption Standard (AES) algorithm with a 256-bit key.
  • A separate Elasticsearch server instance is used for each customer.
  • A separate Azure Virtual Machine is used as mail transfer agent for each customer.
  • The on-premises deployment of Quest Migration Manager for Active Directory can be configured by the customer to ensure the required level of security and data protection. Refer to the Quest Migration Manager for Active Directory technical documents for details.
  • The integration of On Demand Migration with Quest Migration Manager for Active Directory is secured by a secret that can be re-issued at any moment. Once re-issued, the original secret is immediately revoked.

More information about Azure queues, tables, and blobs:
