On Demand Global Settings Current

If the current status is Regrant Consent, a change in the required permissions or new functionality might mean that you must regrant consent for a previously granted consent.

For the Exchange Online PowerShell consent type, the Exchange Admin Role must be assigned. After you grant consent for Exchange Online PowerShell, click Assign Role.


	NOTE: If you assign a role and immediately refresh the page, the Assignment state might be displayed as "Not Assigned" for a short time until you refresh the page again.

To view the permissions that are granted for each consent type, click View Details.


	NOTE: If additional admin consent permissions are required to perform specific tasks within a module, these consent types are listed below the core or basic consent type for the module.

About the Status and Actions column

For the following scenarios, you would click Grant Consent or Regrant Consent in the Status and Actions column.

•

The admin consent token for the module expired, resulting is a status of Consent Required. The status of Consent Required indicates that On Demand cannot obtain a token with delegated permissions based on a previously granted admin consent. To restore the interrupted services, you must regrant consent.

The Consent Required status can be caused if the Microsoft Entra ID Global Administrator account used to grant consent has been changed such as: password change, user role change in the organization, user account was disabled or removed, or all tokens were invalidated for a tenant after a tenant policy update.

•

A new feature in an On Demand module can require that additional permissions be granted. In this scenario, you would click Regrant Consent. For example, when On Demand implemented the new Microsoft Authentication Library (MSAL) in June 2022, admin consents had to be regranted for modules that use delegated permissions.

The following On Demand application registrations use delegated permissions:

•

On Demand - Recovery - Basic

•

On Demand - Recovery - Teams

•

On Demand - Migration - Teams

•

On Demand - License Management - Self Service License Reporting

For more information, see About the Microsoft Authentication Library (MSAL) .

•

Admin consent has been revoked in the Microsoft Azure portal, resulting in a status of Revoked. If you revoke the Core Basic admin consent in the tenant you will see Revoked status for Core Basic and Not Available for all other modules. The Core Basic application is used to determine the consent status for your tenant. If that consent is revoked, On Demand cannot determine consent status for the rest of the modules. Consent might be granted for the modules, but On Demand cannot verify it.

For this reason, it is strongly recommended that you do not revoke Core Basic consent.

About the Microsoft Authentication Library (MSAL)

The Microsoft Authentication Library (MSAL) is the recommended library that replaces the deprecated Azure Active Directory Authentication Library (ADAL). MSAL provides improved security, is resilient, and allows tokens to be generated with a very granular scope. Since MSAL supports generated tokens with a granular scope, On Demand can use tokens with a narrowed scope when accessing your tenant.

This feature provides a more secure and granular approach for accessing your data. For more information, see Permissions and consent in the Microsoft identity platform.

Prerequisite for Self Service License Reporting access

For the License Management module, to use Self Server License Reporting, you must grant additional permissions over the Base permissions.

Sometimes, when you grant consent for Self Service License Reporting, you might see an error that indicates that the app requires access to a service that your organization has not subscribed to or enabled. This error occurs if the Microsoft M365 License Manager API, required to gather self-service policy data, is not enabled in the tenant by default. You can resolve the error by enabling the M365 License Manager API in the tenant.

To enable the M365 License Manager API

Install the Azure PowerShell Az module if it is not already installed.

Run the Connect-AzAccount cmdlet to log into your tenant using an account that has Microsoft Entra ID administrative rights.

Run the following command:

New-AzADServicePrincipal -ApplicationId aeb86249-8ea3-49e2-900b-54cc8e308f85

After you complete these steps, you can complete the Grant Consent for Self Service License Reporting without errors.

About revoking admin consent

Completely revoking admin consent removes all permissions granted for the On Demand application. Revoking admin consent is a manual process that must be performed in the Microsoft Azure portal.

NOTE: You can revoke or disable consent in the Microsoft Azure Portal.

Revoking admin consent in the Azure Portal

Revoking admin consent removes all permissions granted for the On Demand application.

To revoke admin consent

Click on the Microsoft Entra ID icon in the left menu.

In the Active Directory panel, select Enterprise applications.

In the Enterprise applications panel, select All applications.

Search for and select the Quest On Demand application.

In the Manage section of the left menu, select Properties.

At the top of the Properties pane, select Delete, and then select Yes to confirm you want to delete the application from your Microsoft Entra tenant.

Alternately, to disable consent, you can disable a user from signing in.

To disable a user from signing in

Search for and select Microsoft Entra ID.

Select Enterprise applications.

Search for and select the Quest On Demand application.

Select Properties.

Select No for Enabled for users to sign-in?.

Select Save.

Removing a tenant

By removing a tenant, you are beginning the process of disabling all module functions related to the tenant. When you remove a tenant, you are removing the tenant from the On Demand organization for all users and this action cannot be undone.

All module operations will stop after 30 days. At that point, the following operations are halted:

•

Active backups and provisioning actions will be cancelled.

•

Migration project and status information will be lost.

•

Audit event data will no longer be collected.

•

Attestation will no longer be initiated.

•

License and cost data will no longer be collected.

•

Assessment data will no longer be collected.


	NOTE: If a tenant was inadvertently removed, it might be possible to restore a tenant and all the associated On Demand configuration for up to 30 days after it was removed from On Demand. In this situation, contact Technical Support. You must provide the tenant name, your organization ID, and the tenant region.

To remove a tenant

Click Tenants in the navigation panel on the left.

On the tenant tile for the tenant you want to remove, click Remove.

Review the list of results from the remove action and select each check box.

Click Remove Tenant.

When you previously added the tenant, a Service Principal was created in your tenant, under Enterprise applications, for each consent that you granted for this tenant. To remove the consents, log in to the Microsoft Azure portal and go to the Microsoft Entra Admin Center. Browse to Enterprise Applications, search for Quest on Demand -, and delete all the application records that you do not need.

Managing your on-premises domains

In addition to managing your Microsoft Entra tenants, On Demand provides support for connecting to on-premises domains in hybrid environments to perform data collection and management activities.

By installing an agent with a unique key and specifying domains to which the agent is connected, you can review information and perform actions in your hybrid environment. You start the process to install and configure an agent by selecting Tenants in the left navigation bar and selecting Hybrid Agents.

You can add on-premises domains to On Demand selecting Tenants in the left navigation bar and selecting Active Directory Domains. You can also add domains as part of the agent configuration process.

Agent prerequisites

You must meet the following prerequisites to download and install an agent for on-premises data collection from specified domains:

•

You must have the On Demand Organization Admin role and specifically must have the Can Configure Agents (core.configureAgents) permission.

•

You must have a passphrase, which you create on the How to Add an Agent page, that you enter when installing the agent.

•

You must have a valid paid subscription for the On Demand module with which you are using the agent. Currently, only On Demand License Management supports this feature.

•

The login account that you use to run the agent setup program must have local administrator rights.

The agent setup program will prompt you for service account credentials (username and password) that are used to run the agent service. The agent service account must be a domain account and must have local administrator rights on the computer on which the agent is being installed. Also, for License Management, the service account must have Write Members permissions on the directory group objects.