On Demand Migration for Hybrid Exchange migrates the following types of customer data.
ODMHE does not retain the data, emails or attachments that it migrates; they exist in memory only while they are being migrated.
The following customer data will, by default, be retained by ODMHE:
The persisted data is stored until a customer’s subscription ends. The data is stored in Azure Storage such as Table, Queue and BLOB (binary large object) storage, and persists as long as a customer’s subscription is active. If a customer decides to unsubscribe from Quest On Demand, the customer is notified 30 days before their subscription ends. When an organization is deleted, data related to the organization will be deleted after 30 days.
On Demand Migration for Hybrid Exchange requires access to the customer’s Microsoft Entra ID and Microsoft 365 tenancies. The customer grants that access using the Microsoft Admin Consent process, which creates a Service Principal in the customer's Microsoft Entra ID with minimum consents required by ODMHE.
The Service Principal is created using Microsoft's OAuth2 certificate-based client credentials grant flow. See https://docs.microsoft.com/en-us/azure/activedirectory/develop/v2-oauth2-client-creds-grant-flow for details.
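The certificate-based client credentials grant referred to above, as an added example that is not Quest's or Microsoft's code: it builds the signed client assertion (RS256 JWT with the certificate thumbprint in the x5t header) that a service principal presents to the tenant's token endpoint in place of a password, and verifies it the way the endpoint would. The tenant ID, client ID and certificate bytes are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// ClientAssertion builds the JWT presented instead of a client secret. The x5t header carries the
// certificate's SHA-1 thumbprint so the IdP can pick the registered public key; aud pins the
// assertion to one tenant's token endpoint and nbf/exp give it a short validity window.
func ClientAssertion(key *rsa.PrivateKey, certDER []byte, tenantID, clientID string, now time.Time) (string, error) {
	thumb := sha1.Sum(certDER) // certDER is a constructed placeholder in the test, real DER in production
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "x5t": b64.EncodeToString(thumb[:])})
	claims, _ := json.Marshal(map[string]any{
		"aud": "https://login.microsoftonline.com/" + tenantID + "/oauth2/v2.0/token",
		"iss": clientID, "sub": clientID, "jti": fmt.Sprint(now.UnixNano()),
		"nbf": now.Unix(), "exp": now.Add(10 * time.Minute).Unix(), // minutes, not hours: limits replay
	})
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyAssertion does what the token endpoint does: check the RS256 signature against the
// registered certificate's public key and reject anything outside its nbf/exp window.
func VerifyAssertion(token string, pub *rsa.PublicKey, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, fmt.Errorf("malformed JWT") }
	sig, err := b64.DecodeString(parts[2])
	if err != nil { return nil, err }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil { return nil, fmt.Errorf("bad signature: %w", err) }
	body, _ := b64.DecodeString(parts[1])
	var claims map[string]any
	if err := json.Unmarshal(body, &claims); err != nil { return nil, err }
	nbf, _ := claims["nbf"].(float64) // missing claims decode as 0 and fail the window check below
	exp, _ := claims["exp"].(float64)
	if t := float64(now.Unix()); t < nbf || t >= exp { return nil, fmt.Errorf("assertion outside validity window") }
	return claims, nil
}
```

The assertion is sent as the client_assertion form field of a client_credentials token request; the private key never leaves the client, which is why revoking consent or the certificate registration is enough to cut off access.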
Customers can revoke the Admin Consent at any time. See https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/delete-application-portal and https://docs.microsoft.com/en-us/skype-sdk/trusted-application-api/docs/tenantadminconsent for details.
The admin permission consents required by ODMHE are described below:
NOTE: Consents are required only for M365 or HMA tenants. They are not required for on-premises Microsoft Exchange Server.
These permissions are used by the Basic application, which extracts information from the user’s tenant Microsoft Entra ID, such as display name, default domain name, and other properties such as B2C and cloud type.
The consent granted with this application allows On Demand Migration to access the Microsoft Entra ID and Exchange Online to read and write users and groups.
The consent granted with this application allows the On Demand Migration module to access mailboxes, calendars and Exchange Web Services to migrate mailbox content to the target tenant.
When a customer signs up for On Demand, they select the region in which to run their On Demand organization. All computation is performed and all data is stored in the selected region. The currently supported regions can be found here: https://regions.quest-on-demand.com/.
Windows Azure Storage, including the Blob, Table and Queue storage structures, is replicated three times in the same data center for resiliency against hardware failure. The data is replicated across different fault domains to increase availability. All replication data centers reside within the geographic boundaries of the selected region.
See this Microsoft reference for more details: https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy
The admin account credentials of the source email environment are an example of sensitive customer data that is collected and stored by ODMHE. These credentials are required by ODMHE to run email migration operations. ODMHE protects these credentials by storing them in Azure Key Vault.
Customer emails, attachments and other mailbox items are obtained from the source on-premises mailbox via Exchange Web Services (EWS) over HTTPS [1]. They are processed in memory on Azure Batch VMs and then sent to the target M365 tenant via EWS Online over HTTPS.
[1] A customer can instead choose an unencrypted HTTP connection. For more details, see the Network Communication topic.