Domain Migrations

During domain migrations, On Demand Migration for Active Directory collects data for a variety of Microsoft Entra ID objects. 

• Directory objects are processed using Microsoft Graph API and PowerShell.

• Objects include users, groups, contacts, teams, and Microsoft 365 groups.

• Properties include account name, email addresses, contact information, department, membership and more.

• Access to Microsoft Entra ID is granted by the customer using the Microsoft Admin Consent process and requires administrative credentials. Customers can revoke Admin Consent at any time. See https://msdn.microsoft.com/en-us/skype/trusted-application-api/docs/tenantadminconsent for details.

• On Demand Migration for Active Directory does not store credentials for administrative accounts.

• On Demand Migration for Active Directory generates and manages dedicated service accounts in each Microsoft 365 tenant used for PowerShell queries. The service accounts password is randomly generated to be unique and highly complex. The password is also encrypted with AES 256-bit encryption using Azure Key Vault and is never stored unencrypted.

 

Email Rewrite Service

During domain migrations and from domain rewrite enabled projects, On Demand Migration for Active Directory rewrites email message recipients to provide seamless message delivery.

• Email messages are temporarily stored during processing and deleted as soon as they are written to the target. The temporarily stored messages are encrypted using AES symmetric-key encryption with a 256-bit key that is unique per message, randomly generated and only held in memory.

 

Directory Synchronization & Migration

On Demand Migration for Active Directory collects data for a variety of on premises and Microsoft Entra ID objects.  The directory locations, objects and properties collected are configurable to ensure only the desired objects and properties are processed.

 

Microsoft Entra ID

• Directory objects are processed using Microsoft Graph API and PowerShell.

• Objects include users, groups, contacts, teams, and Microsoft 365 groups.

• Properties include account name, email addresses, contact information, department, membership and more.

• Access to Microsoft Entra ID is granted by the customer using the Microsoft Admin Consent process and requires administrative credentials. Customers can revoke Admin Consent at any time. See https://msdn.microsoft.com/en-us/skype/trusted-application-api/docs/tenantadminconsent for details.

• On Demand Migration for Active Directory does not store credentials for administrative accounts.

• On Demand Migration for Active Directory generates and manages dedicated service accounts in each Microsoft 365 tenant used for PowerShell queries. The service accounts password is randomly generated to be unique and highly complex. The password is also encrypted with AES 256-bit encryption using Azure Key Vault and is never stored unencrypted.

 

On Premises Active Directory

• On-premises directory sync agents, running within the customers network, process Active Directory objects using LDAP or LDAPS (TLS 1.2) as configured within the user interface. Objects include users, groups, and contacts, computers, and servers. Properties include account name, email addresses, contact information, department, membership and more.

• When the optional password sync feature is enabled, the password hash of all user accounts in scope are collected using an encrypted connection to a signed Password Filter. The connection is encrypted using AES256 and a key derived from a customer-selected passphrase. Password hashes are stored encrypted with AES256 in Azure SQL Storage. The AES256 key is stored in Azure Key Vault. Once co-existence is no longer required for a specific user, the customer should use the reconcile option to ensure that information is promptly deleted.

• When the optional password change propagation feature is enabled, a signed Password Filter receives notifications when source users change their passwords. It relays those changes to the Password Change Propagation Service, which uses LDAPS to update the passwords of target users. Passwords are stored on disk temporarily, doubly-encrypted, first using AES256 with a key derived from a customer-selected passphrase, then again using the Windows Data Protection API (DPAPI).

• On-premises directory sync agents, running within the customers network, securely encrypt and store administrative credentials locally on the agent’s computer.

• On-premises device agents running locally on the end user’s workstation collect device properties using WMI and PowerShell. Device properties include device name, domain name, user profile locations and more.

• On Demand Migration for Active Directory optionally stores credentials required for network share re-permission and Active Directory domain joins. These credentials are provided by migration operators and are encrypted with AES 256-bit encryption using Azure Key Vault and are never stored unencrypted.

 

AI-Powered Migration Assistant

On Demand Migration for Active Directory uses Artificial Intelligence to generate summary reports from logging data produced during directory synchronization operations. Reports may contain suggestions from the On Demand Migration Knowledge Base. This feature is optional and requires the operator to initiate the analysis.

• All data stays within your On Demand Region and reports are only available to view in the On Demand organization where they were generated.

• AI generated reports are cached for a period and then subsequently removed on the same schedule as the logs used to generate the report.

• Data is consumed by AI only when you request a report be generated.

• Data is used only to generate the summary report and will never be used for AI training.

• AI does not have access to privileged accounts or application consents and is not provided with the rights to perform any migration activities. All user-initiated AI activities are recorded for auditing purposes via the Activity Trail module in On Demand.