Admin Consent and Service Principals
Metalogix® Content Matrix can access the customers Azure Active Directory and Office 365 tenancies. The customer grants that access using the Microsoft Admin Consent process, which will create a Service Principal in the customer's Azure Active Directory with minimum consents required by Metalogix® Content Matrix migration. The Service Principal is created using Microsoft's OAuth certificate based client credentials grant flow https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.
Customers can revoke Admin Consent at any time. See hhttps://docs.microsoft.com/en-us/azure/active-directory/manage-apps/delete-application-portal and https://docs.microsoft.com/en-us/skype-sdk/trusted-application-api/docs/tenantadminconsent for details.
Following is the base consent required by Metalogix® Content Matrix.
Location of Customer Data
·All computation is performed on server(s) provided by the customer.
·All data and application logs are stored in a SQL server or file provided by the customer.
·In case of migration using "Import API" option, binary contents of files are uploaded to Azure blob storage. Metalogix® Content Matrix can use either SPO provided Azure container blob storage or customer provided private Azure container blob storage.
Privacy and Protection of Customer Data
Encryption of secrets uses MS DPAPI (PBKDF2, AES).
Security-sensitive information like the password and OAuth tokens used in SharePoint, eRoom and Public Folder connections are encrypted using Microsoft DPAPI (ProtectedData Class (System.Security.Cryptography) | Microsoft Docs).
SharePoint Database Connections
When a SharePoint 2013 or later database connection is used as source, large file content is fetched and temporarily stored in file system before it is copied to the target. AesCryptoServiceProvider is used to encrypt this content.