Overview of data handled by Nova Delegation and Policy Control
Nova Delegation & Policy Control manages the following type of customer data:
·Microsoft Entra and Office 365 tenant, users, groups, devices, drives and teams with their properties returned by Microsoft Graph API including account name, email addresses, contact information, department, membership and other properties. Part of the information is stored in the product database.
·Exchange Online mailbox information and contacts with their properties returned by Exchange Online Management including email account name, email addresses, contact information and other information.
·On-Premises Active Directory organizational units, users, groups and contact with their properties. Part of this information is stored in product database.
·Application does not access, process or store content of drive or mailbox items.
·The application does not read end-user passwords of Microsoft Entra or On-Premises objects.
·Application temporarily stores password required for operations like create Microsoft Entra user, reset Microsoft Entra user password, create on-premises user.
·The application stores administrative account name and password to access and modify mailbox information via Exchange Online Management.
·Management of on-premises objects is performed via integration with Nova On-Premises Agent.
Admin Consent and Service Principals
Nova Delegation & Policy Control requires access to the customers Microsoft Entra and Office 365 tenancies. The customer grants that access using the Microsoft Admin Consent process, which will create a Service Principal in the customer's Microsoft Entra with consents required by Nova Delegation & Policy Control. The Service Principal is created using Microsoft's OAuth shared secret based client credentials grant flow https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow. Customers can revoke Admin Consent at any time. See https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/delete-application-portal and https://docs.microsoft.com/en-us/skype-sdk/trusted-application-api/docs/tenantadminconsent for details.
Following is the base consent required by Nova Delegation & Policy Control.
Nova Delegation & Policy Control currently uses the Microsoft Exchange Online, SharePoint Management Shell, Microsoft Entra ID and MSOnline PowerShell API with support for the "limited permissions" model for Accounts, Email, SharePoint, Teams and OneDrive migrations, without needing global administrator permissions during migration. After the consent has been granted using the global administrator account, thereafter all operations will be driven by the token generated using app Service Principal.
The Admin Consent process of Nova Delegation & Policy Control will create a Service Principal in the customer's Microsoft Entra tenant with the following permissions.
Location of customer data
When a customer signs up for Nova, they select the region in which to run their Nova organization. All computation is performed and all data is stored in the selected region. The currently supported regions are:
-East US
-West Europe (Netherlands)
Azure SQL Server databases are replicated three times in the same datacenter for resiliency against hardware failure. The data is replicated across different fault domains to increase availability. All replication datacenters reside within the geographic boundaries of the selected region.
See this Microsoft reference for more details: https://docs.microsoft.com/en-us/azure/azure-sql/database/active-geo-replication-overview.
Privacy and protection of customer data
The most sensitive customer data processed by Nova Delegation and Policy Control is the Microsoft Entra tenant metadata. Other data are stored in SQL.
Each customer has his own database. The database stores the customers sensitive data including Microsoft Entra and Office 365 users, groups, contacts and their associated properties. All customers Azure SQL databases are protected and encrypted by Azure SQL Database Feature Transparent Data Encryption.
More information about Azure SQL Database Transparent Data Encryption: https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-azure-sql
More information about Azure queues, tables, and blobs:
·https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction
·https://docs.microsoft.com/en-us/azure/security/security-storage-overview
·https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption