
On Demand Migration Current - Security Guide - Self-Service

Overview of Data Handled by ODMSS

ODMSS user data is stored in On Demand, which collects data for a variety of on-premises and Microsoft Entra ID objects. The directory locations, objects, and properties collected are configurable so that only the desired objects and properties are processed.

Microsoft Entra ID
  • Directory objects are processed using Microsoft Graph API and PowerShell.
  • Objects include users, groups, contacts, teams, and Microsoft 365 groups.
  • Properties include account name, email addresses, contact information, department, membership and more.
  • Access to Microsoft Entra ID is granted by the customer using the Microsoft Admin Consent process and requires administrative credentials. Customers can revoke Admin Consent at any time. See https://msdn.microsoft.com/en-us/skype/trusted-application-api/docs/tenantadminconsent for details.
  • Neither ODMAD nor ODMSS store credentials for administrative accounts.
On Premises Active Directory
  • On-premises directory sync agents, running within the customer's network, process Active Directory objects using LDAP or LDAPS (TLS 1.2), as configured within the user interface. Objects include users, groups, contacts, computers, and servers. Properties include account name, email addresses, contact information, department, membership and more.
  • On-premises directory sync agents, running within the customer's network, encrypt and store administrative credentials locally on the agent's computer.
  • On-premises device agents running locally on the end user’s workstation collect device properties using WMI and PowerShell. Device properties include device name, domain name, user profile locations and more.
  • ODMAD optionally stores the credentials required for network share re-permissioning and Active Directory domain joins. These credentials are provided by migration operators, are encrypted with 256-bit AES using Azure Key Vault, and are never stored unencrypted.
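The sync agent only uses LDAPS with TLS 1.2 if that option is selected in the user interface, so it is worth confirming that every domain controller the agent will talk to actually negotiates TLS 1.2 on port 636 and presents a certificate that chains to a trusted CA. The check below is an added example, not part of Quest's product or documentation; the domain controller name is a placeholder, 636 is assumed to be the standard LDAPS port, and the machine running it is assumed to trust the CA that issued the DC certificate.

```powershell
# Added example (not Quest's code): verify that a DC's LDAPS endpoint negotiates
# TLS 1.2 and presents a certificate that validates, before selecting LDAPS for
# the sync agent. Assumptions: placeholder DC name, LDAPS on 636, issuing CA trusted.
function Test-LdapsTls12 {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$DomainController,
        [int]$Port = 636
    )

    $tcp = [System.Net.Sockets.TcpClient]::new()
    $ssl = $null
    try {
        $tcp.Connect($DomainController, $Port)

        # Fail closed: any chain, name or revocation error aborts the handshake
        # instead of silently accepting a bad certificate.
        $validate = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $sslPolicyErrors)
            if ($sslPolicyErrors -ne [System.Net.Security.SslPolicyErrors]::None) {
                Write-Warning "Certificate validation failed: $sslPolicyErrors"
                return $false
            }
            return $true
        }

        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $validate)

        # Offer only TLS 1.2 (no client certificate, revocation checking on).
        # A DC limited to TLS 1.0/1.1, or with no LDAPS listener, fails here.
        $ssl.AuthenticateAsClient($DomainController, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)

        [pscustomobject]@{
            DomainController = $DomainController
            Protocol         = $ssl.SslProtocol
            Cipher           = $ssl.CipherAlgorithm
            CertSubject      = $ssl.RemoteCertificate.Subject
            CertIssuer       = $ssl.RemoteCertificate.Issuer
            CertNotAfter     = $ssl.RemoteCertificate.GetExpirationDateString()
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

# Usage (placeholder name): run against every DC the sync agent will be pointed at.
Test-LdapsTls12 -DomainController 'dc01.corp.example.com'
```

A failed handshake or a validation warning means that selecting LDAPS in the agent configuration will not work against that DC until its certificate or TLS settings are fixed; if the agent must be left on plain LDAP in the meantime, the directory traffic is not encrypted in transit.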

Admin Consent and Service Principals

As part of the login process with Microsoft Entra ID, users must consent to the minimal set of permissions required by the Quest On Demand application. By default, all users are allowed to consent to applications for permissions that do not require administrator consent. This behavior might be deactivated in some Microsoft Entra ID tenants, in which case a tenant administrator may need to enable the user consent flow for the Quest On Demand application.

The base consents required by Quest On Demand are shown below.

Additional Admin consents are required when using ODMSS with ODMAD. For details about security in ODMAD, see the document On Demand Migration for Active Directory Security Guide.
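Because both the base consents and the additional ODMAD consents end up as grants on a service principal in the tenant, an administrator can audit exactly what was granted, and revoke it, without relying on the consent prompt. The script below is an added example, not part of Quest's product or documentation; it assumes the Microsoft.Graph PowerShell SDK is installed and that the enterprise application appears under the display name 'Quest On Demand' (adjust the filter if your tenant shows a different name).

```powershell
# Added example (not Quest's code): audit and revoke the consent granted to the
# Quest On Demand application. Assumptions: Microsoft.Graph SDK installed; the
# service principal's display name is 'Quest On Demand'.
Connect-MgGraph -Scopes 'Application.Read.All', 'Policy.Read.All',
                        'DelegatedPermissionGrant.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'

function Get-ConsentAudit {
    param([string]$AppDisplayName = 'Quest On Demand')   # assumed display name

    # Tenant-wide setting: an empty list means users cannot consent to anything,
    # so an admin must grant consent for the application.
    $authz = Get-MgPolicyAuthorizationPolicy
    $userConsentPolicies = $authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
    if ($userConsentPolicies) {
        Write-Host "User consent policies: $($userConsentPolicies -join ', ')"
    } else {
        Write-Host "User consent disabled: admin consent required"
    }

    $sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
    if (-not $sp) { throw "No service principal named '$AppDisplayName'; consent has not been granted." }

    # Delegated permissions: ConsentType 'AllPrincipals' is a tenant-wide admin grant,
    # 'Principal' is a single user's own consent.
    $delegated = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id
    # Application permissions (app roles) can only come from admin consent.
    $appRoles  = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id

    [pscustomobject]@{
        ServicePrincipalId = $sp.Id
        DelegatedGrants    = $delegated | Select-Object ConsentType, Scope, ResourceId
        AppRoleAssignments = $appRoles  | Select-Object AppRoleId, ResourceDisplayName, CreatedDateTime
    }
}

function Revoke-AdminConsent {
    # Removes the tenant-wide delegated grants and all application permissions,
    # leaving individual users' own grants in place. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$AppDisplayName = 'Quest On Demand')

    $sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
    if (-not $sp) { return }

    Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id |
        Where-Object ConsentType -eq 'AllPrincipals' |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess("scope '$($_.Scope)'", 'Remove tenant-wide delegated grant')) {
                Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id
            }
        }

    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess("app role $($_.AppRoleId)", 'Remove application permission')) {
                Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $_.Id
            }
        }
}

Get-ConsentAudit
Revoke-AdminConsent -WhatIf   # dry run; drop -WhatIf to actually revoke
```

Deleting the service principal itself also removes every grant at once, but the targeted revocation above lets you drop only the tenant-wide admin grants while keeping a record of what was there. Run the audit again after revoking to confirm nothing remains.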

Location of Customer Data

When a customer signs up for On Demand, they select the region in which to run their On Demand organization. All computation is performed, and all customer data is stored, in the selected region. The currently supported regions are listed at https://regions.quest-on-demand.com/. ODMSS customer data is stored in the selected region, entirely within Azure services provided by Microsoft. For more information, see Achieving Compliant Data Residency and Security with Azure.

Privacy and Protection of Customer Data

Sensitive customer data collected and stored by ODMSS includes end users' UserPrincipalName values and email addresses. This data is uploaded by the customer's Migration Administrator and stored in On Demand.
