Overview of data handled by On Demand Migration
On Demand Migration for Hybrid Exchange migrates the following type of customer data.
- Email content
- Email attachments
- Calendar
- Contacts
- Personal distribution lists and tasks
- Mailbox settings
ODMHE does not retain the data or emails and their attachments that get migrated. They only exist in memory while they are in the process of being migrated.
The following customer data will, by default, be retained by ODMHE:
- Source and target mailbox names
- Product logs data which can include structured error message entries containing meta-data of email items that ODMHE failed to transport, such as subject line, date, size, the folder name (if any) in which the email resides, but not the email body, .
- MIME content of mailbox items to facilitate troubleshooting. The MIME content of mailbox items may be stored when an error occurs during migration. This is turned off by default, and activated only when the customer grants permission.
The persisted data is stored until a customer’s subscription ends. The data is stored in Azure Storage such as Table, Queue and BLOB (binary large object) storage, and persists as long as a customer’s subscription is active. If a customer decides to unsubscribe from Quest On Demand, the customer is notified 30 days before their subscription ends. When an organization is deleted, data related to the organization will be deleted after 30 days.
Admin Consent and Service Principals
On Demand Migration for Hybrid Exchange requires access to the customer’s Microsoft Entra ID and Microsoft 365 tenancies. The customer grants that access using the Microsoft Admin Consent process, which creates a Service Principal in the customer's Microsoft Entra ID with minimum consents required by ODMHE.
The Service Principal is created using Microsoft's OAuth2 certificate based client credentials grant flow. See https://docs.microsoft.com/en-us/azure/activedirectory/develop/v2-oauth2-client-creds-grant-flow for details.
Customers can revoke the Admin Consent at any time. See https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/delete-application-portal and https://docs.microsoft.com/en-us/skype-sdk/trusted-application-api/docs/tenantadminconsent for details.
The admin permission consents required by ODMHE are described below:
- Quest On Demand - Core – Basic
These permissions are used by the Basic application, which extracts information from the user’s tenant Microsoft Entra ID, such as display name, default domain name, and other properties such as B2C and cloud type.
- Quest On Demand - Migration – Basic
The consent granted with this application allows On Demand Migration to access the Microsoft Entra ID and Exchange Online to read and write user and group in there.
- Quest On Demand - Migration – Mailbox
The consent granted with this application allows On Demand Migration module to access mailboxes, calendars and Exchange Web Services to write Mailbox content to the target tenant.
Location of customer data
When a customer signs up for On Demand, they select the region in which to run their On Demand organization. All computation is performed and all data is stored in the selected region. The currently supported regions can be found here: https://regions.quest-on-demand.com/.
Windows Azure Storage, including the Blobs, Tables, and Queues storage structures, are replicated three times in the same data center for resiliency against hardware failure. The data is replicated across different fault domains to increase availability. All replication data centers reside within the geographic boundaries of the selected region.
See this Microsoft reference for more details: https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy
Privacy and protection of customer data
The admin account credentials of the source email environment is an example of sensitive customer data that is collected and stored by ODMHE. These credentials are required by ODMHE to run email migration operations. ODMHE protects these credentials by storing them in Azure Key Vaults.
Customer emails, attachments ant other mailbox items are obtained from the source on-premise mailbox via Exchange Web Services (EWS) over HTTPS1. They are processed by Azure Batched VM in memory and then sent into target M365 by EWS Online over HTTPS.
1 A customer has the choice of using a non-encrypted connection using HTTP. For more details, see the Network Communication topic.