Overview of data handled by On Demand Migration
On Demand Migration manages the following type of customer data:
- Product works with Office 365 groups, Microsoft Teams, channels, messages and files with their properties returned by Teams Graph API. The content processed by the product is not persistently stored by the product. Only migrated messages IDs are stored in the product database.
- Some data from Teams content can be stored by the product for troubleshooting purposes. This includes data to identify the items where some troubleshooting is required, e.g., a Team or channel name, attachment file names. The data is stored in product Elasticsearch database and Azure table storage and is encrypted at rest.
- The application does not store or deal with end-user passwords
Admin Consent and Service Principals
On Demand Migration requires access to the customer’s Azure Active Directory and Office 365 tenancies. The customer grants that access using the Microsoft Admin Consent process, which will create a Service Principal in the customer's Azure Active Directory with minimum consents required by On Demand Migration. The Service Principal is created using Microsoft's OAuth certificate based client credentials grant flow https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow. Customers can revoke Admin Consent at any time. See https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/delete-application-portal and https://docs.microsoft.com/en-us/skype-sdk/trusted-application-api/docs/tenantadminconsent for details.
In addition to the base consents required by On Demand and On Demand Migration, On Demand Migration requires the following consents:
Location of customer data
When a customer signs up for On Demand, they select the region in which to run their On Demand organization. All computation is performed and all data is stored in the selected region. The currently supported regions can be found here: https://regions.quest-on-demand.com/.
Teams conversation messages intended for processing to rewrite users and teams mentions or attachments links are temporary stored at Azure Virtual Machine disks before being delivered to recipients. The data is encrypted at rest.
Windows Azure Storage, including the Blobs, Tables, and Queues storage structures, are replicated three times in the same datacenter for resiliency against hardware failure. The data is replicated across different fault domains to increase availability. All replication datacenters reside within the geographic boundaries of the selected region.
See this Microsoft reference for more details: https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy
Privacy and protection of customer data
The most sensitive customer data processed by On Demand Migration is the content of Teams conversations including file attachments.
- File attachments are temporary stored during migration. The data is deleted once migration task for the team is finished. The data is encrypted at rest when stored
- All migration project data and logs are encrypted at rest.
To ensure that customer data is kept separate during processing, the following policies are strictly applied in On Demand Migration:
- The data for each customer is stored in separate Azure storage containers. This information is protected through the Azure built in data at rest Server-Side encryption mechanism. It uses the strongest FIPS 140-2 approved block cipher available, Advanced Encryption Standard (AES) algorithm, with a 256-bit key.
- A separate Elasticsearch server instance is used for each customer.
- A separate Azure Virtual Machine is used as mail transfer agent for each customer.
More information about Azure queues, tables, and blobs: