Nova Current - Delegation and Policy Control Security Guide

Overview of data handled by Nova Delegation and Policy Control

Quest Nova Delegation & Policy Control manages the following type of customer data:

·Azure Active Directory and Office 365 tenant, users, groups, devices, drives and teams, with the properties returned by the Azure Active Directory Graph API, including account name, email addresses, contact information, department, membership and other properties. Part of this information is stored in the product database.

·Exchange Online mailbox information and contacts, with the properties returned by Exchange Online Management, including email account name, email addresses, contact information and other information.

·On-premises Active Directory organizational units, users, groups and contacts, with their properties. Part of this information is stored in the product database.

·The application does not access, process or store the content of drive or mailbox items.

·The application does not read end-user passwords of Azure AD or on-premises objects.

·The application temporarily stores the passwords required for operations such as creating an Azure AD user, resetting an Azure AD user password, or creating an on-premises user.

·The application stores an administrative account name and password to access and modify mailbox information via Exchange Online Management.

·Management of on-premises objects is performed via integration with the Quest Nova On-Premises Agent.

Admin Consent and Service Principals

Quest Nova Delegation & Policy Control requires access to the customer's Azure Active Directory and Office 365 tenancies. The customer grants that access using the Microsoft Admin Consent process, which creates a Service Principal in the customer's Azure Active Directory with the consents required by Quest Nova Delegation & Policy Control. The Service Principal authenticates using Microsoft's OAuth client credentials grant flow with a shared secret: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow. Customers can revoke Admin Consent at any time. See https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/delete-application-portal and https://docs.microsoft.com/en-us/skype-sdk/trusted-application-api/docs/tenantadminconsent for details.
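Because all operations after consent run under the Service Principal's token, a tenant administrator should be able to list exactly what that principal has been granted and remove the grants when consent is withdrawn. The following script is an added example (not code from the Quest Nova guide or from Quest); it uses the Microsoft.Graph PowerShell module, and the application display name is a placeholder you must supply.

```powershell
# Added example: review, and optionally remove, the consent granted to a
# Service Principal created through Admin Consent. Not part of the Nova product.
# Assumption: you supply the Nova application's display name as it appears in
# your tenant; the default below is a placeholder, not a value from the guide.
param(
    [string]$AppDisplayName = '<Nova application display name>',  # placeholder
    [switch]$Revoke
)

Connect-MgGraph -Scopes 'Application.Read.All',
                        'DelegatedPermissionGrant.ReadWrite.All',
                        'AppRoleAssignment.ReadWrite.All'

$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'" |
      Select-Object -First 1
if (-not $sp) { throw "No service principal named '$AppDisplayName' was found." }

# Application permissions (app roles) held by the service principal. These are
# what the client-credentials token carries, so they are the permissions that
# remain in force until consent is revoked.
$appRoles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id
foreach ($a in $appRoles) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    $role     = $resource.AppRoles | Where-Object Id -eq $a.AppRoleId
    [pscustomobject]@{ Type = 'Application'; Resource = $resource.DisplayName;
                       Permission = $role.Value }
}

# Delegated permissions granted tenant-wide by an administrator.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'"
foreach ($g in $grants) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
    [pscustomobject]@{ Type = 'Delegated'; Resource = $resource.DisplayName;
                       Permission = $g.Scope; ConsentType = $g.ConsentType }
}

if ($Revoke) {
    # Removing both kinds of grant withdraws the consent; deleting the
    # service principal itself (the portal procedure linked above) removes
    # the application registration from the tenant entirely.
    $appRoles | ForEach-Object {
        Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
                                                   -AppRoleAssignmentId $_.Id
    }
    $grants | ForEach-Object {
        Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id
    }
}
```

Run without `-Revoke` first and compare the listed permissions with the base consent the guide describes; anything beyond it warrants investigation before the principal is left in place.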

Following is the base consent required by Quest Nova Delegation & Policy Control.

Quest Nova Delegation & Policy Control currently uses the Microsoft Exchange Online, SharePoint Management Shell, Azure Active Directory and MSOnline PowerShell APIs, with support for the "limited permissions" model for Accounts, Email, SharePoint, Teams and OneDrive migrations, so that global administrator permissions are not needed during migration. Once consent has been granted using a global administrator account, all subsequent operations are driven by tokens obtained with the app's Service Principal.

The Admin Consent process of Quest Nova Delegation & Policy Control will create a Service Principal in the customer's Azure AD tenant with the following permissions.


Location of customer data

When a customer signs up for Quest Nova, they select the region in which to run their Quest Nova organization. All computation is performed and all data is stored in the selected region. The currently supported regions are:

-East US

-West Europe (Netherlands)

Azure SQL Server databases are replicated three times in the same datacenter for resiliency against hardware failure. The data is replicated across different fault domains to increase availability. All replication datacenters reside within the geographic boundaries of the selected region.

See this Microsoft reference for more details: https://docs.microsoft.com/en-us/azure/azure-sql/database/active-geo-replication-overview.

Privacy and protection of customer data

The most sensitive customer data processed by Quest Nova Delegation and Policy Control is the Azure Active Directory tenant metadata. Other data are stored in SQL.

Each customer has its own database. The database stores the customer's sensitive data, including Azure Active Directory and Office 365 users, groups, contacts and their associated properties. All customer Azure SQL databases are protected and encrypted by the Azure SQL Database Transparent Data Encryption feature.

More information about Azure SQL Database Transparent Data Encryption: https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-azure-sql

More information about Azure queues, tables, and blobs:

·https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction

·https://docs.microsoft.com/en-us/azure/security/security-storage-overview

·https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption
