Chat now with support
Chat with Support

On Demand Global Settings Current - Security Guide

User Authentication

Signing into On Demand is done through Microsoft Entra ID. Authenticating through Microsoft Entra ID provides native granular control and allows you to manage your configuration from a central location. It allows configuring advanced security layers through your own conditional access policies, such as MFA, integration with OKTA and other applications that work with the Microsoft Authentication LIbrary (MSAL).

An Microsoft Entra ID access token (constrained to the Quest On Demand application) is obtained when the user proceeds through the authentication step. This Microsoft Entra ID access token has a lifetime limit of 10 minutes after which it is automatically refreshed if the user is actively using application. The user is automatically logged out following a period of inactivity. If the user token is revoked in Microsoft Entra ID, the user will continue to have access to On Demand until the token expiry, for a maximum of 10 minutes. User access to On Demand organization can be also revoked within On Demand by an On Demand Organization Administrator, resulting in access loss after token expiry.

Quest On Demand Application Consent

As part of the login process with Microsoft Entra ID, users must consent to the set of minimal permissions required by the Quest On Demand application. By default, all users are allowed to consent to applications for permissions that do not require administrator consent. This behavior might be disabled in some Microsoft Entra tenants and may require tenant administrators to enable user consent flow for the Quest On Demand application.

The ability to request consents will only be available if the global administrator has enabled the admin consent workflow. See


View your basic profile

Permission required for Quest to access users name and email to display the logged in user.

Maintain access to data you have given it access to

Permission is automatically included and required by Microsoft for Single Page Applications as it gives access to critical refresh tokens for proper functionality.

This permission scope is required for single sign on (SSO) and allows a refresh token to be returned from the authentication flow to avoid On Demand prompting the user every time their primary authentication token times out.


Admin Consent and Service Principals

On Demand requires some access to Microsoft Entra ID when adding tenants to your organization. You grant that access by using the Microsoft Admin Consent process. Customers can revoke Admin Consent at any time. See

Quest is a Microsoft Verified Publisher and, as an additional security measure during the Admin Grant process, the customer can verify that the grant request is indeed initiated by Quest.

Details on Verified Publisher are available at

The Admin Consent process of On Demand Core - Basic will create a Service Principal in the customer Microsoft Entra tenant with the following permissions.


About the On-Premises Agent

The Quest On Demand On-Premises Agent provides On Demand connectivity to on-premises Active Directory domains in hybrid environments to perform management activities such as modifying group memberships and collecting Active Directory object attribute data. All On-Premises Agent communication with On Demand is secured by means of a MQTT-based Shared Access Signature (SAS) token authenticated connection.

For more information about adding and configuring the On-Premises Hybrid Agent, see the “Adding an on-premises agent” section of the Quest On Demand Global Settings User Guide.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating