Overview of data handled by Nova Reporting
Quest Nova Reporting manages the following types of customer data:
·Azure Active Directory and Office 365 users, groups and contacts with their properties returned by the Microsoft Graph API including account name, email addresses, contact information, department, membership, licenses, and other properties.
·Microsoft product usage statistics and activity, such as Exchange emails, Yammer posts, Skype messages, Teams calls, OneDrive storage, SharePoint files, etc.
·The application does not store or deal with any product contents, such as Exchange/Teams messages or OneDrive file contents - only statistics relating to counts and sizes are stored.
·Audit events returned by the Management Activity API
·Service Status Messages returned by the Management Activity API
·Exchange objects are collected via the Microsoft Exchange Online PowerShell API
·The application does not store or deal with end-user passwords of Azure AD objects.
·The application stores administrative account name and password to perform data collections. The data are stored in Azure Key Vault and is encrypted at rest.
Admin Consent and Service Principals
Quest Nova Reporting requires access to the customers Azure Active Directory and Office 365 tenancies. The customer grants that access using the Microsoft Admin Consent process, which will create a Service Principal in the customer's Azure Active Directory with minimum consents required by Quest Nova Reporting. The Service Principal is created using Microsoft's OAuth certificate based client credentials grant flow https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow. Customers can revoke Admin Consent at any time. See https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/delete-application-portal and https://docs.microsoft.com/en-us/skype-sdk/trusted-application-api/docs/tenantadminconsent for details.
Following is the base consent required by Quest Nova Reporting.
Location of customer data
When a customer signs up for Quest Nova, they select the region in which to run their Quest Nova organization. All computation is performed and all data is stored in the selected region. The currently supported regions are:
-US (hosted in the AWS us-east-1 region in North Virginia)
-EMEA (hosted in the AWS eu-west-1 region in Ireland)
The databases are hosted in AWS RDS with read-replicas in alternative Availability Zones for resiliency against hardware failure and to increase availability. All replication datacenters reside within the geographic boundaries of the selected region. Daily snapshots are stored for 30 days.
Management Activity API Audit events are stored in Elasticsearch clusters hosted on Microsoft Azure Virtual Machines, in the following regions:
-US (hosted in the Azure westus2 region in Washington, snapshot hosted in AWS us-west-1region)
-EU (hosted in the Azure northeurope region in Ireland, snapshot hosted in AWS eu-west-2)
Privacy and protection of customer data
The most sensitive customer data processed by Quest Nova Reporting is the Azure Active Directory and Office 365 data including users, groups and contacts and their associated properties. Quest Nova Reporting does not store or deal with end-user passwords of Azure AD objects, nor user-generated data such as Email/Teams message content or OneDrive files. All data and logs are encrypted at rest.