Security Details
Two different architectures – Usage & Governance was developed earlier, at the time customers preferred virtual machines.
Calls & Meetings was developed later and is serverless (Azure functions, etc).
Work is ongoing to move Usage & Governance to similar serverless architecture.
Usage & Governance
Services running on Azure VM
Azure VM uses Windows Server 2016 Datacenter which uses TLS 1.2 by default.
Data protected at rest with server-side encryption (platform managed key).
Data collection
Service on VM querying Microsoft Graph API (shared service returning data from customer’s tenant) via HTTPS.
API endpoints used:
• Teams (teams/channels/usage)
• SharePoint (information on files stored in teams)
• Graph for User Attributes (map users to AD attributes such as department or city)
Reference for data collected by this process.
Data processing/storage
Data processed on VM via Windows services, stored in separate Azure SQL Server (connection made over port 1433, secured with TLS 1.2).
Automation (messages to Teams users)
The bot notification service is a Windows service that runs on the Teamwork Analytics VM, triggering SQL queries to match defined scenarios (e.g. teams not used in x days) and get relevant data (e.g. team names and owners).
The bot notification service builds a job that is placed on a Modality-hosted Azure ServiceBus queue. The job is processed, formatted using adaptive cards and sent to end users via a Modality-hosted app service and the Microsoft (shared/central) Bot Framework Service. All of these data flows are over HTTPS.
Calls & Meetings
Serverless – Azure functions for data collection and processing.
Azure SQL Database used for data storage.
Data collection
Azure functions querying Microsoft Graph API (shared service returning data about customer’s tenant) via HTTPS.
API endpoints used:
• Call Records – webhook API, constant data collection as calls/meetings are completed
• Graph for User Attributes (map users to AD attributes such as department or city)
Data processing/storage
Azure functions process data using Azure service buses for queuing and Azure storage tables for temporary storage of raw responses. A communication between functions and storage is via HTTPS.
Once processed, data is stored in Azure SQL Server (connection made over port 1433, secured with TLS 1.2).
Calls and Meetings Architecture – Data Flows
Calls and Meetings Database Schema
Automation (messages to Teams users)
The notification service is an Azure Logic App deployed in the CSP subscription, triggering SQL queries to match defined scenarios (e.g. teams not used in x days) and get relevant data (e.g. team names and owners).
The notification service builds a job that is placed on a Modality-hosted Azure ServiceBus queue. The job is processed, formatted using adaptive cards and sent to end users via a Modality-hosted app service and the Microsoft (shared/central) Bot Framework Service. All of these data flows are over HTTPS.
Ref https://docs.nasstar.com/docs/teamwork-analytics-architecture-overview/#articleTOC_6
SQL – applies to both
Azure SQL Server communications configured with minimum TLS 1.2. Data encrypted at rest with a service-managed key.
Standard Azure SQL firewall used – allowed to Azure services & resources (this includes the Azure VM, functions and Power BI service), no other non-Azure connectivity.
Firewall exceptions created only if direct connection necessary for support/troubleshooting (e.g. connecting SQL Management Studio) and removed after.
Power BI – applies to both
Report templates are deployed into customer’s Power BI workspace on their tenant. Data is synchronised from the Azure SQL Server databases into the reports (Import mode) for best performance.
Access to reports is granted by the customer’s administrator to report users. Access is secured via their Azure AD account. This can include external people such as Modality staff if required. Reports are used via HTTPS in a web browser.
Power BI data is encrypted at rest and in process using Microsoft-managed keys.
Reference: https://docs.microsoft.com/en-us/power-bi/guidance/whitepaper-powerbi-security