On Demand Migration Current - Security Guide - SharePoint Migration

Administrator Consent and Service Principals

On Demand Migration requires access to the customer’s Microsoft Entra ID and Office 365 tenancies. The customer grants that access using the Microsoft Admin Consent process, which creates a Service Principal in the customer's Microsoft Entra ID with the minimum consents required by On Demand Migration for SharePoint. The Service Principal is created using Microsoft's OAuth certificate-based client credentials grant flow.

Customers can revoke Admin Consent at any time. For more details, see https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/delete-application-portal and https://docs.microsoft.com/en-us/skype-sdk/trusted-application-api/docs/tenantadminconsent.

The base consents required by Quest On Demand and all associated online services for both source and target tenants are shown below.

Quest On Demand - Core - Basic

On Demand Migration

The base consent required by all On Demand Migration services is:

Quest On Demand - Migration - Basic - Minimal or Quest On Demand - Migration - Basic - Full consent for the source tenant.

Quest On Demand - Migration - Basic - Full consent for the target tenant.

The consent apps are as shown below:

[Images: Quest On Demand - Migration - Basic - Minimal; Quest On Demand - Migration - Basic - Full]

On Demand Migration for SharePoint

In addition to the base consents required by On Demand Migration, On Demand Migration for SharePoint requires the following consents:

Quest On Demand - Migration - SharePoint - Minimal or Quest On Demand - Migration - SharePoint - Full consent for the source tenant.

Quest On Demand - Migration - SharePoint - Full consent for the target tenant.

The consent apps are as shown below:

[Images: Quest On Demand - Migration - SharePoint - Minimal; Quest On Demand - Migration - SharePoint - Full]

On Demand Migration for Power Apps

In addition to the base consents required by On Demand Migration, On Demand Migration for SharePoint requires the following consents:

All operations are driven by the token generated using the app service principal. The Admin Consent process for On Demand Migration for SharePoint will create a Service Principal in the customer's Microsoft Entra ID tenant with the permissions described above.

After creating the On Demand Migration for SharePoint project, the administrator must also grant permissions for the app service principal to access Power Platforms by registering the app as a Power App management app using Microsoft’s PowerShell for Power Platform administrators.
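To check which permissions the Admin Consent process described above actually granted in a tenant, the following added example (not Quest's code and not part of the original guide) lists the application and delegated permissions held by service principals whose display name starts with `Quest On Demand`. It assumes the Microsoft Graph PowerShell module is installed and that the service principals carry the consent app names shown in this guide; the helper `Get-ResourceSp` is a hypothetical name introduced here.

```powershell
# Added example: read-only audit of consents held by Quest On Demand service principals.
# Assumes the Microsoft.Graph PowerShell module; nothing in the tenant is modified.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

# Display-name prefix taken from the consent app names listed in this guide (assumption).
$sps = Get-MgServicePrincipal -Filter "startswith(displayName,'Quest On Demand')" -All

# Cache of resource service principals (e.g. Microsoft Graph, SharePoint) keyed by object id.
$resourceCache = @{}
function Get-ResourceSp([string]$Id) {   # hypothetical helper, not a Graph cmdlet
    if (-not $resourceCache.ContainsKey($Id)) {
        $resourceCache[$Id] = Get-MgServicePrincipal -ServicePrincipalId $Id
    }
    $resourceCache[$Id]
}

$report = foreach ($sp in $sps) {
    # Application permissions (app roles) granted to the service principal.
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        $res  = Get-ResourceSp $a.ResourceId
        $role = $res.AppRoles | Where-Object Id -eq $a.AppRoleId
        [pscustomobject]@{
            App        = $sp.DisplayName
            Type       = 'Application'
            Resource   = $res.DisplayName
            # Fall back to the raw role id if the resource no longer publishes the role.
            Permission = if ($role) { $role.Value } else { $a.AppRoleId }
            Granted    = $a.CreatedDateTime
        }
    }
    # Delegated permissions granted through admin consent.
    foreach ($g in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All) {
        $res = Get-ResourceSp $g.ResourceId
        foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
            [pscustomobject]@{
                App        = $sp.DisplayName
                Type       = "Delegated ($($g.ConsentType))"
                Resource   = $res.DisplayName
                Permission = $scope
                Granted    = $null   # grant objects carry no creation timestamp
            }
        }
    }
}

$report | Sort-Object App, Type, Resource, Permission | Format-Table -AutoSize
```

Running the same report after a project is finished and Admin Consent has been revoked should return no rows for the revoked apps.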

Role based access control

Quest On Demand is configured with default roles that cannot be edited or deleted, and allows you to add custom roles to make permissions more granular. Each access control role has a specific set of permissions that determines what tasks a user assigned to the role can perform. For more information about role-based access control, see the Quest On Demand Migration User Guide.

Azure datacenter security

Microsoft Azure datacenters have the highest possible physical security and are considered among the most secure and well protected datacenters in the world. They are subject to regular audits and certifications including Service Organization Controls (SOC) 1, SOC 2 and ISO/IEC 27001:2005.

Relevant references with additional information about the Windows Azure datacenter security can be found here:

Overview of data managed by On Demand Migration for SharePoint

On Demand Migration for SharePoint accesses customer SharePoint data (content) from the source tenancy and writes the data to a SharePoint site on the target tenancy.

  • Metadata that defines the SharePoint site structure and properties is temporarily stored in memory and deleted when the migration is completed.
  • Documents stored in the document libraries and lists of the SharePoint site are temporarily stored in Azure blob storage for the duration of the migration. The storage container is deleted when the migration is complete.
  • Manifest files and associated migration log files may be retained by the application for troubleshooting purposes. Manifest files contain data to identify the list items and documents. The troubleshooting data is stored in a separate storage account. Troubleshooting data is automatically deleted after 30 days.
  • The application does not require or store any passwords.

On Demand Migration for SharePoint manages the following type of customer data:

  • Power Apps content. The content will pass through our migration engine at runtime only. No content will be stored after the operation.
  • Some source metadata may be stored by the product for troubleshooting purposes. This includes identifiers like unique identifiers (e.g. object ID, user ID), timestamps, etc.