On Demand Group Management Current - Security Guide

Overview of data handled by On Demand Group Management

On Demand Group Management takes advantage of Microsoft Graph API to manage and store customer’s Azure Active Directory and Office 365 users, groups, membership, and so on. On Demand Group Management manages the following types of customer data:

  • On Demand Group Management stores customer’s data, such as Azure Active Directory user/group information, naming rules, security levels, categories, and so on, in an Azure SQL database.
  • On Demand Group Management stores intermediate data needed for its functionality, such as request payloads and data to be processed, in Azure tables and blobs.
  • On Demand Group Management stores the Office 365 Service Account in Azure Key Vault as remote PowerShell credentials used to manage Distribution Lists and Mail-enabled Security Groups.

On Demand Hybrid Group Management uses a Microsoft WCF Service to manage and store customer’s Active Directory users/groups, organizations, domains, group memberships, and so on. On Demand Hybrid Group Management manages the following types of customer data:

  • On Demand Hybrid Group Management stores customer’s data, such as on-premises Active Directory user/group information, organization information, domain information, synchronization information, and so on, in Azure Cosmos DB.
  • On Demand Hybrid Group Management stores intermediate data needed for its functionality, such as request payloads and data to be processed (excluding passwords), in Azure message queues.
  • On Demand Hybrid Agent Service stores the Active Directory Administrator account and Exchange Service credentials in Azure Key Vault to synchronize Active Directory user/group information.

Admin Consent and Service Principals

On Demand Group Management requires access to the customer’s Azure Active Directory. The customer grants that access using the Microsoft Admin Consent process, which creates a Service Principal in the customer's Azure Active Directory with the minimum consents required by On Demand Group Management (Groups, Users). The Service Principal is created using Microsoft's OAuth certificate-based client credentials grant flow https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow. Customers can revoke Admin Consent at any time. See https://docs.microsoft.com/en-us/azure/active-directory/manage-pps/delete-application-portal and https://docs.microsoft.com/en-us/skype-sdk/trusted-application-api/docs/tenantadminconsent for details.
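The consent granted to a service principal can be checked after the fact. The following is an added example, not part of this guide or of the On Demand product: it compares what a service principal actually holds (application permissions from Microsoft Graph's appRoleAssignments and delegated scopes from oauth2PermissionGrants) against the documented minimum (Groups, Users); the Graph responses and role ids are constructed placeholders.

```python
import json

# Permission families this guide states the service principal needs.
EXPECTED_FAMILIES = ("Group.", "User.")

# Constructed: appRoles published by the resource (Microsoft Graph) service
# principal. The ids are placeholders, not the real Graph role ids.
RESOURCE_APP_ROLES = [
    {"id": "role-0001", "value": "User.Read.All"},
    {"id": "role-0002", "value": "Group.ReadWrite.All"},
    {"id": "role-0003", "value": "Mail.ReadWrite"},
]

# Constructed Graph responses for the consented service principal:
#   GET /servicePrincipals/{id}/appRoleAssignments      (application permissions)
#   GET /servicePrincipals/{id}/oauth2PermissionGrants  (delegated permissions)
APP_ROLE_ASSIGNMENTS = json.loads("""{"value": [
  {"appRoleId": "role-0001", "resourceDisplayName": "Microsoft Graph"},
  {"appRoleId": "role-0002", "resourceDisplayName": "Microsoft Graph"},
  {"appRoleId": "role-0003", "resourceDisplayName": "Microsoft Graph"}]}""")
OAUTH2_GRANTS = json.loads("""{"value": [
  {"consentType": "AllPrincipals",
   "scope": "User.Read Group.Read.All Directory.ReadWrite.All"}]}""")


def granted_permissions(assignments, grants, app_roles):
    """Return the set of permission values the service principal holds."""
    role_values = {r["id"]: r["value"] for r in app_roles}
    perms = set()
    for a in assignments["value"]:
        # Unknown role ids are reported verbatim rather than silently dropped.
        perms.add(role_values.get(a["appRoleId"], "unknown:" + a["appRoleId"]))
    for g in grants["value"]:
        perms.update(g["scope"].split())  # scope is a space-separated list
    return perms


def excess_permissions(perms, expected=EXPECTED_FAMILIES):
    """Permissions outside the expected families, sorted for stable reporting."""
    return sorted(p for p in perms if not p.startswith(expected))


if __name__ == "__main__":
    held = granted_permissions(APP_ROLE_ASSIGNMENTS, OAUTH2_GRANTS, RESOURCE_APP_ROLES)
    for p in excess_permissions(held):
        print("consent exceeds the documented minimum:", p)
```

Anything the check reports is a candidate for revoking or narrowing through the Admin Consent revocation process referenced above.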

The following is the base consent required by On Demand Group Management.

Location of customer data

When a customer signs up for On Demand, they select the region in which to run their On Demand organization. All computation is performed and all data is stored in the selected region. The currently supported regions are listed at https://regions.quest-on-demand.com/.

  • On Demand Group Management stores customer data in Azure SQL database, Azure Cosmos DB (Hybrid only), Azure Tables, Queues (Hybrid only), Blobs, and Key Vault – all encrypted at rest – in the Azure US (West US 2), CA (Canada Central), EU (North Europe), UK (UK South), and AU (Australia East) datacenters.

Windows Azure Storage, including the Blobs, Tables, and Queues storage structures, is replicated three times in the same datacenter for resiliency against hardware failure. The data is replicated across different fault domains to increase availability. All replication datacenters reside within the geographic boundaries of the selected region.

See this Microsoft reference for more details: https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy

Privacy and protection of customer data

Customer data is differentiated and separated by customer’s organization and customer’s tenant. Each organization has its own organization ID (GUID). Tenant data is differentiated by Office 365 Tenant ID (GUID). The database stores the customer’s data, including Azure Active Directory and Office 365 users, groups, and their associated properties. The Azure SQL database and Azure Storage where the customer’s data is stored are protected and encrypted by Azure SQL database and Azure Storage encryption at rest.

For more information about Azure Cosmos DB, Azure SQL Database, and Azure Storage encryption at rest, see the following links:
