
On Demand Audit Current - Security Guide

Overview of Data Handled by On Demand Audit

On Demand Audit collects events from a variety of on-premises and Microsoft cloud services, including:

  • Exchange Online
  • SharePoint Online
  • OneDrive for Business
  • Azure Active Directory
  • Azure Sign-ins and Risk events
  • On-premises Change Auditor for Active Directory

For further details on collected data, please consult the following references:

On Demand Audit does not record or store any user passwords.

Admin Consent and Service Principals

On Demand Audit requires access to the customer's Azure Active Directory and Office 365 tenancies. The customer grants that access using the Microsoft Admin Consent process, which creates a Service Principal in the customer's Azure Active Directory tenant with the minimum consents that On Demand Audit requires (Groups, Users, Contacts).

On Demand Audit authenticates as that Service Principal using Microsoft's OAuth 2.0 client credentials grant with certificate-based client authentication, see https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow. No user credentials are involved in this flow. Customers can revoke Admin Consent at any time by removing the application from their tenant. See https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/delete-application-portal and https://docs.microsoft.com/en-us/skype-sdk/trusted-application-api/docs/tenantadminconsent for details.

Following is the base consent required by On Demand.

In addition to the base consents required by On Demand, On Demand Audit requires the following consents:

On Demand Audit currently uses the Office 365 Management Activity API, Microsoft Graph API, and Azure AD Graph API to read events from Office 365 and Azure AD under a "limited permissions model" that does not require Global Administrator permissions. A Global Administrator account is needed only once, to grant the consent; after that, all auditing operations are driven by tokens issued to the application's Service Principal, and the Global Administrator's own credentials are never used or stored.

The Admin Consent process of On Demand Audit will create a Service Principal in the customer's Azure AD tenant with the following permissions.

  • Permissions required for On Demand Audit to read audit log activities and activity data from Azure AD and Office 365.
  • Permissions required for On Demand Audit to read the identity risk event information.
  • Permissions required for On Demand Audit to read service health information.
  • Permissions required for On Demand Audit to read user profile data and directory data such as users, groups, and applications.
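Because the consent grant is the customer's only control over what the Service Principal can do, it is worth verifying in your own tenant that the granted permissions match the four categories above and nothing more. The following script is an added example (it is not Quest's code and not part of the original guide) that lists the application permissions, delegated scopes and directory role memberships of the Service Principal using the Microsoft Graph PowerShell SDK. The display name "On Demand Audit" in the filter is an assumption; use the name shown under Enterprise applications in the Azure portal for your tenant.

```powershell
# Added example, not part of the On Demand Audit product or guide.
# Enumerates the consents actually held by the On Demand Audit Service Principal
# so they can be compared with the permissions described in this guide.
# Requires the Microsoft Graph PowerShell SDK: Install-Module Microsoft.Graph

Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

# ASSUMPTION: the enterprise application is named "On Demand Audit" in your tenant.
$appDisplayName = "On Demand Audit"
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'"
if (-not $sp) { throw "No service principal named '$appDisplayName' was found." }

Write-Host "Service principal: $($sp.DisplayName) ($($sp.Id)), AppId $($sp.AppId)"

# 1. Application permissions granted through admin consent.
#    Each assignment references an app role on a resource service principal
#    (Microsoft Graph, Office 365 Management APIs, ...), so resolve the role value.
Write-Host "`nApplication permissions:"
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id
foreach ($a in $assignments) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    $role = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
    [pscustomobject]@{
        Resource   = $resource.DisplayName
        Permission = $role.Value
    }
}

# 2. Delegated permissions (OAuth2 scopes). A certificate-based client credentials
#    client should normally have none; anything listed here deserves a second look.
Write-Host "`nDelegated permission grants:"
Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id |
    Select-Object ResourceId, ConsentType, Scope

# 3. Directory role memberships. The limited permissions model means the
#    Service Principal should NOT hold Global Administrator or any other role.
Write-Host "`nDirectory role memberships:"
$roles = Get-MgServicePrincipalMemberOf -ServicePrincipalId $sp.Id |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' }
if ($roles) {
    $roles | ForEach-Object { Write-Warning "Holds directory role: $($_.AdditionalProperties['displayName'])" }
} else {
    Write-Host "None (expected)."
}

# To revoke consent entirely, delete the Service Principal. This is what removing
# the enterprise application in the portal does; uncomment to run.
# Remove-MgServicePrincipal -ServicePrincipalId $sp.Id
```

Run this after the initial consent and again whenever Quest announces a change to the required permissions; any application permission outside the four categories listed above, any delegated scope, or any directory role membership is a deviation from the model this guide describes and should be raised with Quest support before the Service Principal is left in place.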

Location of Customer Data

When a customer signs up for On Demand, they select the region in which to run their On Demand organization. All computation is performed in and all data is stored in the selected region. The currently supported regions can be found here https://regions.quest-on-demand.com/.

On Demand Audit customer data is stored in the selected On Demand region, entirely within Azure Services provided by Microsoft. For more information, see Achieving Compliant Data Residency and Security with Azure.


For US Organizations:

  • All On Demand Audit data is stored and processed within the United States, in a single Azure region. Azure "West US 2" is used for all data processed by On Demand Audit. For disaster recovery, replica copies of all data are stored in Azure "East US 2" and Azure "Central US".

For Europe Organizations:

  • All On Demand Audit data is stored and processed within the European Union, in a single Azure region. Azure "North Europe" is used for all data processed by On Demand Audit. For disaster recovery, replica copies of all data are stored in Azure "West Europe".

For UK Organizations:

  • All On Demand Audit data is stored and processed within the UK, in a single Azure region. Azure "UK South" is used for all data processed by On Demand Audit. For disaster recovery, replica copies of all data are stored in Azure "UK West".

For Canada Organizations:

  • All On Demand Audit data is stored and processed within Canada, in a single Azure region. Azure "Canada Central" is used for all data processed by On Demand Audit. For disaster recovery, replica copies of all data are stored in Azure "Canada East".

For Australia Organizations:

  • All On Demand Audit data is stored and processed within Australia, in a single Azure region. Azure "Australia East" is used for all data processed by On Demand Audit. For disaster recovery, replica copies of all data are stored in Azure "Australia Southeast".

All on premises data from Change Auditor is transmitted to and retained in the selected On Demand organization and region.

On Demand Audit uses Amazon SES (Simple Email Service), via the On Demand Notification Service, to deliver email alerts. This service runs in Amazon data centers, outside the Azure data centers listed above, so alert email content leaves Azure. Notification data is stored and processed in the AWS region that matches the region selected in On Demand. For further details, see the On Demand Core Security Guide.

Privacy and Protection of Customer Data

The most sensitive customer data collected and stored by On Demand Audit is the event data from activity in the Azure Active Directory and Office 365 environment and the event data from all connected Change Auditor installations. All data is segregated by organizational identifier: whenever event data is stored or retrieved, it is keyed by that identifier, so one organization's data remains separate from every other organization's.

All event data is protected at rest by the service-side encryption built into the Microsoft Azure services that store it.

For information on privacy and protection of customer data within On Demand and email alerting provided by Amazon SES, please refer to the On Demand and On Demand Notification Services security guides.
