Administrator Consent and Service Principals
On Demand Migration requires access to the customer’s Microsoft Entra ID and Office 365 tenancies. The customer grants that access using the Microsoft Admin Consent process, which will create a Service Principal in the customer's Microsoft Entra ID with minimum consents required by On Demand Migration for Power BI. The Service Principal is created using Microsoft's OAuth certificate based client credentials grant flow.
Customers can revoke Admin Consent at any time. For more details, see https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/delete-application-portal and https://docs.microsoft.com/en-us/skype-sdk/trusted-application-api/docs/tenantadminconsent.
The base consents required by Quest On Demand and On Demand Migration is shown below.
| Quest On Demand - Core - Basic | Quest On Demand - Migration - Basic |
 |
 |
In addition to the base consents required by On Demand Migration, On Demand Migration for PowerBI requires the following consents:
After creating the On Demand Migration for Power BI project, the On Demand Power BI service principal will be granted read access to Power BI tenant.
On Demand Migration for Power BI currently uses the Microsoft Power BI REST API, without needing global administrator permissions during migration. After the consent has been granted using a Power BI administrator, the administrator must also grant permissions for the app service principal to migrate workspaces. All migration operations will be driven by the token generated using app service principal.
The Admin Consent process for On Demand Migration for Power BI will create a Service Principal in the customer's Microsoft Entra ID tenant with the permissions described above.
Role based access control
Quest On Demand is configured with default roles that cannot be edited or deleted, and allows you to add custom roles to make permissions more granular. Each access control role has a specific set of permissions that determines what tasks a user assigned to the role can perform. For more information about role-based access control, see the Quest On Demand Migration User Guide.
Azure datacenter security
Microsoft Azure datacenters have the highest possible physical security and are considered among the most secure and well protected datacenters in the world. They are subject to regular audits and certifications including Service Organization Controls (SOC) 1, SOC 2 and ISO/IEC 27001:2005.
Relevant references with additional information about the Windows Azure datacenter security can be found here:
- Microsoft Azure Trust Center: https://azure.microsoft.com/en-us/overview/trusted-cloud/
- Microsoft Trust Center Compliance: https://www.microsoft.com/en-us/trust-center/compliance/compliance-overview?service=Azure#Icons
- Microsoft’s submission to the Cloud Security Alliance STAR registry: https://cloudsecurityalliance.org/star/registry/microsoft/
- Whitepaper: Standard Response to Request for Information – Security and Privacy: http://www.microsoft.com/en-us/download/details.aspx?id=26647
- Microsoft Global Datacenters: Security & Compliance: https://www.microsoft.com/en-us/cloud-platform/global-datacenters
- Azure data security and encryption best practices: https://docs.microsoft.com/en-us/azure/security/fundamentals/data-encryption-best-practices
Overview of data managed by On Demand Migration for Power BI
On Demand Migration for Power BI manages the following type of customer data:
- Power BI workspaces. The content will passthrough our migration engine at migration time only. No workspace content will be stored after migration.
- Some source metadata may be stored by the product for troubleshooting purposes. This includes identifiers like workspace ID, report ID, dataset ID, user ID, etc.
- The product will store username and password of connection user profiles only for migration purposes. The data will be saved in a secure key vault and is encrypted at rest. For more information see the chapter Privacy and protection of customer data