Data handled by Core
Managed data types
On Demand Core manages the following types of customer data. By default, the data is persisted in On Demand Core.
Admin Consent and Service Principals
As part of the onboarding of your organization into the On Demand solution, you (the customer) do not need to sign up for a Quest account before going to On Demand. You can log in to On Demand with your Microsoft account, and your Quest account is created automatically. When your account is created with Quest, an On Demand organization is not automatically created; you must explicitly create your On Demand organization.
As part of the sign-up process, you (the customer) must provide a valid email address to receive and respond to a verification email from Quest Software.
On Demand Core requires some access to your Azure Active Directory. You grant that access by using the Microsoft Admin Consent process, and you can revoke Admin Consent at any time. See https://msdn.microsoft.com/en-us/skype/trusted-application-api/docs/tenantadminconsent for details.
Quest is a Microsoft Verified Publisher. As an additional security measure during the Admin Consent grant process, the customer can verify that the grant request is indeed initiated by Quest.
Details on Verified Publisher are available at https://docs.microsoft.com/en-us/azure/active-directory/develop/publisher-verification-overview
The Admin Consent process of On Demand Core - Basic will create a Service Principal in the customer Azure AD tenant with the following permissions.
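The following is an added example, not part of the Quest documentation, showing how a tenant administrator can audit what the Admin Consent process actually granted and, if needed, revoke it. It assumes the Microsoft Graph PowerShell SDK is installed and that you replace the placeholder display name with the name of the service principal as it appears under Enterprise applications in your tenant; the service principal name and the variable names are assumptions, not values from this page.

```powershell
# Added example (not Quest documentation): list the application and delegated
# permissions held by the service principal that Admin Consent created, check
# its verified publisher, and show how to revoke the grants.
# Assumptions: Microsoft Graph PowerShell SDK installed; $displayName is a
# placeholder for the service principal's display name in your tenant.
Connect-MgGraph -Scopes "Application.Read.All",
                        "DelegatedPermissionGrant.ReadWrite.All",
                        "AppRoleAssignment.ReadWrite.All"

$displayName = "<On Demand service principal display name>"   # placeholder
$sp = Get-MgServicePrincipal -Filter "displayName eq '$displayName'" |
      Select-Object -First 1
if (-not $sp) { throw "Service principal '$displayName' not found" }

# Verified Publisher check: the publisher shown here should match the vendor
# you expected to grant consent to.
"Publisher: $($sp.PublisherName); Verified publisher: $($sp.VerifiedPublisher.DisplayName)"

# Application permissions (app role assignments) granted to the service principal.
$appRoles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    ForEach-Object {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $_.ResourceId
        $role     = $resource.AppRoles | Where-Object { $_.Id -eq $_.AppRoleId }
        [pscustomobject]@{
            Type         = "Application"
            Resource     = $resource.DisplayName
            Permission   = ($resource.AppRoles | Where-Object Id -eq $_.AppRoleId).Value
            AssignmentId = $_.Id
        }
    }

# Delegated permissions (OAuth2 permission grants) consented on the tenant's behalf.
$delegated = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id |
    ForEach-Object {
        [pscustomobject]@{
            Type        = "Delegated"
            ConsentType = $_.ConsentType
            Scopes      = $_.Scope
            GrantId     = $_.Id
        }
    }

$appRoles + $delegated | Format-Table -AutoSize

# Revocation (the customer can do this at any time). Uncomment to run:
# Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id | ForEach-Object {
#     Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $_.Id
# }
# Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id | ForEach-Object {
#     Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id
# }
```

Review the output against the permission list in your own Admin Consent prompt; any permission present in the tenant that the vendor did not request is worth investigating before you decide whether to keep or revoke the grant.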
Quest Identity Broker
The Quest Identity Broker (QIB) stores the following personally identifiable information in its database:
In addition, the QIB stores the unique identifier for each user account as provided by the Quest account database, Azure Active Directory, or Microsoft Live account during the authentication process. QIB creates an audit trail log for all interactions, including login, logout, and account creation. Access to the log is restricted to QIB administrators.