On Demand Migration Current - Security Guide - Self-Service

Separation of Customer Data

ODMSS is designed to prevent data commingling by logically separating customer data. Customer data is differentiated using a Customer Organization Identifier, a unique identifier obtained from Quest On Demand that is created when the customer signs up for the application. This identifier is used throughout the solution to ensure strict separation of each customer's data.

Customer data is further separated because customer-related services are isolated from every other OS process by the Microsoft Service Fabric exclusive process model. See https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-hosting-model#exclusive-process-model for more information.

Network Communications

  • All communication to ODMSS, including the user interface and associated Azure services, is secured with HTTPS. There are no unsecured external HTTP calls within ODMAD.
  • All communication with Microsoft Entra ID uses OAuth2 access tokens for Microsoft Graph API operations and HTTPS for PowerShell operations.
  • Internal network communication within Azure includes inter-service communication between ODMAD, On Demand Core and the On Demand Platform.

Authentication of Users

  • ODMSS relies on Microsoft Entra ID for authentication, which gives customers an integrated sign-in experience: you can move from ODMSS to a Microsoft portal seamlessly, without multiple logins and passwords, while your account security remains governed by your organization’s policies, rules, and security protocols.
  • ODMSS also supports Multi-Factor Authentication (MFA) for organizations that have enabled MFA within Microsoft 365.
  • Registering a Microsoft Entra tenant into ODMSS is handled through the Azure Admin Consent workflow, and customers can revoke Admin Consent at any time. See https://msdn.microsoft.com/en-us/skype/trusted-application-api/docs/tenantadminconsent for details.

Role Based Access Control

Quest On Demand is configured with default roles that cannot be edited or deleted, and also allows you to add custom roles to make permissions more granular. Each access control role has a specific set of permissions that determines what tasks a user assigned to the role can perform. For more information on role-based access control, please refer to the Quest On Demand product documentation.
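The two controls described above (data separation keyed by a Customer Organization Identifier, and role-based permission checks) are easiest to reason about together, because a role should never be able to override the organization boundary. The following is an added illustration, not Quest or ODMSS code: a minimal in-memory store in which every record is keyed by an organization identifier, every read and write is scoped to the caller's organization, and the requested task is checked against the caller's role before the data layer is touched. The role table, permission names, `OrgId`, `Principal` and `MigrationStore` are assumptions made for this example and do not describe the product's actual roles.

```python
"""Tenant isolation keyed by an organization identifier, plus a role check.

Added example (not Quest/ODMSS code). All identifiers, roles and permissions
below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import NewType

OrgId = NewType("OrgId", str)

# Constructed role -> permission map; the product's real roles are documented
# separately and are not reproduced here.
DEFAULT_ROLES = {
    "Administrator": frozenset({"project.read", "project.write", "role.manage"}),
    "Operator": frozenset({"project.read", "project.write"}),
    "Viewer": frozenset({"project.read"}),
}


class AccessDenied(Exception):
    """Raised when a caller lacks a permission or reaches across organizations."""


@dataclass(frozen=True)
class Principal:
    org_id: OrgId
    user: str
    roles: frozenset[str]

    def has_permission(self, permission: str, role_table: dict | None = None) -> bool:
        table = DEFAULT_ROLES if role_table is None else role_table
        return any(permission in table.get(role, ()) for role in self.roles)


@dataclass
class MigrationStore:
    # The top-level dict is keyed by organization, so a lookup can never return
    # another organization's project even when project names collide.
    _projects: dict[OrgId, dict[str, dict]] = field(default_factory=dict)

    def _authorize(self, principal: Principal, permission: str, org_id: OrgId) -> None:
        # The organization boundary is checked first and cannot be overridden by any role.
        if principal.org_id != org_id:
            raise AccessDenied(f"{principal.user} may not access organization {org_id}")
        if not principal.has_permission(permission):
            raise AccessDenied(f"{principal.user} lacks {permission}")

    def create_project(self, principal: Principal, org_id: OrgId, name: str, settings: dict) -> None:
        self._authorize(principal, "project.write", org_id)
        self._projects.setdefault(org_id, {})[name] = dict(settings)

    def get_project(self, principal: Principal, org_id: OrgId, name: str) -> dict:
        self._authorize(principal, "project.read", org_id)
        try:
            return dict(self._projects[org_id][name])
        except KeyError:
            # Same error for "no such project" as for the org mismatch above, so the
            # caller learns nothing about other tenants' project names.
            raise AccessDenied(f"no project {name!r} visible to {principal.user}") from None

    def list_projects(self, principal: Principal) -> list[str]:
        # Listing is always scoped to the caller's own organization.
        self._authorize(principal, "project.read", principal.org_id)
        return sorted(self._projects.get(principal.org_id, {}))


def demo() -> dict:
    """Constructed two-organization scenario; returns the outcomes for checking."""
    store = MigrationStore()
    contoso = OrgId("org-contoso-0001")   # constructed identifiers
    fabrikam = OrgId("org-fabrikam-0002")
    alice = Principal(contoso, "alice", frozenset({"Operator"}))
    bob = Principal(fabrikam, "bob", frozenset({"Viewer"}))

    store.create_project(alice, contoso, "mailboxes", {"batch_size": 50})
    outcomes = {"alice_sees": store.list_projects(alice), "bob_sees": store.list_projects(bob)}
    # Bob's role would allow reading, but the project belongs to another organization.
    try:
        store.get_project(bob, contoso, "mailboxes")
        outcomes["cross_org_read"] = "allowed"
    except AccessDenied:
        outcomes["cross_org_read"] = "denied"
    # Bob is a Viewer in his own organization: reads are fine, writes are not.
    try:
        store.create_project(bob, fabrikam, "sites", {})
        outcomes["viewer_write"] = "allowed"
    except AccessDenied:
        outcomes["viewer_write"] = "denied"
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The ordering in `_authorize` is the point: the organization check runs before the permission check, so even a principal holding every role in the table is refused when the target organization is not its own, and the data layer never sees a query that is not already scoped by organization.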
