Converse agora com nosso suporte

Obtenha ajuda em tempo real
Concluir registro

Entrar

Solicitar preços

Entre em contato com o setor de vendas

On Demand Global Settings Current - Security Guide

Navegação de conteúdo

About On Demand Shared Services

About On Demand Core

Architecture Overview Authentication and Consents

User Authentication Quest On Demand Application Consent Admin Consent and Service Principals

About the On-Premises Agent Role Based Access Control Auditing Notification Service Data Egress Service Azure Datacenter Security AWS Data Center Security Overview of Data Handled by On Demand Core

Data Handled by Core Data Handled by the Notification Service Data Handled by Common Storage Services

Location of Customer Data Privacy and Protection of Customer Data Separation of Customer Data Network Communications FIPS 140-2 Compliance SDLC and SDL Third party Assessments and Certifications

Penetration testing Certification

Operational Security

Access to Data Permissions Required to Configure and Operate On Demand Operational Monitoring Production Incident Response Management Security Incident Response Management

Customer Measures

User Authentication

Signing into On Demand is done through Microsoft Entra ID. Authenticating through Microsoft Entra ID provides native granular control and allows you to manage your configuration from a central location. It allows configuring advanced security layers through your own conditional access policies, such as MFA, integration with OKTA and other applications that work with the Microsoft Authentication Library (MSAL).

A Microsoft Entra ID access token (constrained to the Quest On Demand application) is obtained when the user proceeds through the authentication step. This Microsoft Entra ID access token has a lifetime limit of 10 minutes after which it is automatically refreshed if the user is actively using application. The user is automatically logged out following a period of inactivity. If the user token is revoked in Microsoft Entra ID, the user will continue to have access to On Demand until the token expiry, for a maximum of 10 minutes. User access to On Demand organization can be also revoked within On Demand by an On Demand Organization Administrator, resulting in access loss after token expiry.

Figure 1. User authentication with Microsoft Entra ID.

Quest On Demand Application Consent

As part of the login process with Microsoft Entra ID, users must consent to the set of minimal permissions required by the Quest On Demand application. By default, all users are allowed to consent to applications for permissions that do not require administrator consent. This behavior might be disabled in some Microsoft Entra tenants and may require tenant administrators to enable user consent flow for the Quest On Demand application.

NOTE:

•

The ability to consent on behalf of your organization is available if logging in as the global administrator in the tenant.

•

The ability to request consents will only be available if the global administrator has enabled the admin consent workflow. See https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow#enable-the-admin-consent-workflow.

•

The verified publisher domain and permissions will be clearly labeled and detailed.

Table 1. Quest On Demand Application required permissions
Permission	Description
View your basic profile	Permission required for Quest to access users name and email to display the logged in user.
Maintain access to data you have given it access to	Permission is automatically included and required by Microsoft for Single Page Applications as it gives access to critical refresh tokens for proper functionality. This permission scope is required for single sign on (SSO) and allows a refresh token to be returned from the authentication flow to avoid On Demand prompting the user every time their primary authentication token times out.

Figure 2. Quest On Demand application consent.

Admin Consent and Service Principals

On Demand requires some access to Microsoft Entra ID when adding tenants to your organization. You grant that access by using the Microsoft Admin Consent process. Customers can revoke Admin Consent at any time. See https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/delete-application-portal?pivots=portal#delete-an-enterprise-application.

Quest is a Microsoft Verified Publisher and, as an additional security measure during the Admin Grant process, the customer can verify that the grant request is indeed initiated by Quest.

Details on Verified Publisher are available at https://learn.microsoft.com/en-us/entra/identity-platform/publisher-verification-overview.

The Admin Consent process of On Demand Core - Basic will create a Service Principal in the customer Microsoft Entra tenant with the following permissions.

•

Read organization information

•

Read all audit log data

•

Read all usage reports

•

Read directory data

•

Read all applications

•

Sign in and read user profile

Figure 3. Microsoft permissions needed for tenant.

About the On-Premises Agent

The Quest On Demand On-Premises Agent provides On Demand connectivity to on-premises Active Directory domains in hybrid environments to perform management activities such as modifying group memberships and collecting Active Directory object attribute data. All On-Premises Agent communication with On Demand is secured by means of a MQTT-based Shared Access Signature (SAS) token authenticated connection.

For more information about adding and configuring the On-Premises Hybrid Agent, see the “Adding an on-premises agent” section of the Quest On Demand Global Settings User Guide.

Documentos relacionados

The document was helpful.

Selecione a classificação

I easily found the information I needed.

Selecione a classificação

© 2025 Quest Software Inc. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center