Version: 2.50.0

System Overview

Components

EasyLife 365 consists of several components hosted on Azure to provide the necessary provisioning logic and capabilities for all your users.

EasyLife 365 system overview

App

The EasyLife 365 Collaboration App is an Azure Web App that hosts the end-user facing application. It is accessible through a web browser and directly through Teams. Authentication is handled by a dedicated Azure AD application in the Microsoft Identity Platform and can therefore be secured using Microsoft security standards. The aim of the application is to provide an overview of the resources owned by a user with all the necessary compliance requirements. Users can also request new resources, as defined by the users allowed to configure EasyLife through the EasyLife 365 Collaboration Cockpit.

Cockpit

The EasyLife 365 Collaboration Cockpit is an Azure Web App hosting the configuration pages for EasyLife 365. It is accessible through a web browser and can be limited to selected users in your organization. You typically assign the permissions to this application to a small subset of administrators by using a security group. Authentication to the app is handled by an Azure AD application in the Microsoft Identity Platform. Therefore, you can limit access and enforce additional authentication techniques by using the conditional access policies configured in your organization.

API

The EasyLife 365 API is accessed by the EasyLife 365 Collaboration App and EasyLife 365 Collaboration Cockpit to manage the necessary information stored in the back-end storage. This Web App is secured through a dedicated Entra ID (Azure Active Directory) app using the Microsoft Identity Platform.

The EasyLife 365 API uses Microsoft Graph to interact with the Microsoft 365 environment. Access to the endpoints is secured by using custom security scopes associated with your EasyLife 365 Collaboration Apps and users.

Engine

The EasyLife 365 Collaboration Engine is an Azure Function that is responsible for provisioning new resources and performing regular compliance checks in your tenant. It is also responsible for sending notifications to your users and administrators. It uses a SendGrid account to send notification emails and can also send notifications through Teams.

The engine can also send notifications to any other application or service using the Webhook feature.

The EasyLife 365 guest engine is a separate process and can be enabled or disabled independently. The engine's operations are executed in the background.

Storage

The EasyLife 365 configuration (e.g. templates, policies, unique keys) is stored in Azure Table Storage. The Storage account is accessible by the EasyLife 365 API and the EasyLife 365 Collaboration Engine.

Logging

Application Insights is used to log the operations performed by EasyLife. It maintains 14 days of logs containing information about the metadata of Groups processed and e-mails of the users receiving notifications.

Microsoft Graph

Microsoft Graph is used by the EasyLife 365 components to interact with the Microsoft 365 tenant. Microsoft Graph is the data gateway to data and intelligence in Microsoft 365. It provides a unified programmability model that you can use to access the tremendous amount of data in Microsoft 365, Windows 10, and Enterprise Mobility + Security.

Entra ID (Azure Active Directory)

The Microsoft Identity Platform is used in combination with Entra ID (Azure Active Directory) to secure the access to all EasyLife 365 components. The EasyLife 365 Collaboration App, EasyLife 365 Collaboration Cockpit, and EasyLife 365 API have dedicated Entra ID (Azure Active Directory) app registrations that can be secured using techniques such as Conditional Access.

Architecture and Data Flow

This page gives you an overview of how the EasyLife 365 SaaS components interact with each other and how the environment is accessed. PaaS customers can follow the same architecture, or a different setup based on their requirements.

EasyLife 365 Architecture

All components are secured behind an Azure Firewall that blocks all external internet traffic to the EasyLife 365 environment. Only a few services, such as our Azure DevOps for the automated deployment, and selected engineers over a secured network for emergency purposes have access to the environment.

Incoming user traffic is routed through an Azure Front Door and Web Application Firewall. This component is used for load balancing and secures the web applications and the environment from documented vulnerabilities. See details here. All endpoints are secured using Entra ID (Azure Active Directory) applications using the Microsoft Identity Platform. All interactions between the internal applications are secured with role-based access control and managed identities. Azure Key Vaults, accessible only by managed identities and selected security engineers at EasyLife, store the security keys when a managed identity cannot be used for authentication purposes.

The EasyLife 365 Collaboration App and EasyLife 365 Collaboration Cockpit use Microsoft 365 Graph using delegated identity permissions to perform activities on your Microsoft 365 tenant. This means that users are only able to perform operations that they can perform in your Microsoft 365 tenant.

In the EasyLife 365 Collaboration App, users can request the creation of new resources based on the template configurations defined in the EasyLife 365 Collaboration Cockpit. All CRUD operations performed on these configurations pass through the EasyLife 365 API. The EasyLife 365 Collaboration App reads the information from the configuration, while the EasyLife 365 Collaboration Cockpit allows you to create, update, and delete the settings based on your requirements.

The EasyLife 365 Collaboration Engine handles new resource requests coming from users. The creation of new resources is performed with Microsoft Graph. All operations are executed in the context of the EasyLife 365 Collaboration App.

The EasyLife 365 environment stores the information in multiple storage locations and accounts to ensure resiliency and improve performance for its customers. Data is partitioned by the TenantID of the customer. The Microsoft Identity Platform ensures that the correct TenantID is applied at the different web-accessible endpoints. Microsoft Graph uses the access tokens issued by the Microsoft Identity Platform to ensure that access is granted only to the proper resources.

Endpoints

EasyLife 365 Collaboration Applications communicate with the following endpoints. Please make sure your firewalls and content filters allow access to the URLs in the following table. EasyLife 365 communicates exclusively over https (tcp/443).

| Endpoint | Protocol | Comment |
| --- | --- | --- |
| https://app.easylife365.cloud | https | The EasyLife 365 Collaboration App |
| https://cockpit.easylife365.cloud | https | The EasyLife admin portal |
| https://api.easylife365.cloud | https | The EasyLife API |
| https://cdn.easylife365.cloud | https | Content delivery |
| login.microsoftonline.com | https | Azure AD Authentication |
| graph.microsoft.com | https | Microsoft Graph API |
| dc.services.visualstudio.com | https | Anonymous telemetry data |
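
To verify an egress allowlist against the endpoint table above before rollout, the following added example (not part of the EasyLife 365 documentation or product) reports which required hosts are not covered on tcp/443. The rule syntax `host-pattern[:port]` and the sample allowlist are assumptions made for this illustration; adapt the parser to your firewall or proxy export.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Endpoints taken from the table above; all are reached over https (tcp/443).
REQUIRED_ENDPOINTS = [
    "https://app.easylife365.cloud",
    "https://cockpit.easylife365.cloud",
    "https://api.easylife365.cloud",
    "https://cdn.easylife365.cloud",
    "login.microsoftonline.com",
    "graph.microsoft.com",
    "dc.services.visualstudio.com",
]

# Constructed sample allowlist in a hypothetical "host-pattern[:port]" syntax.
SAMPLE_ALLOWLIST = [
    "*.easylife365.cloud:443",
    "login.microsoftonline.com",   # no port given: rule applies to any port
    "graph.microsoft.com:80",      # wrong port: does not cover https
    "*.visualstudio.com",          # here '*' also matches dots in sub-domains
]

def hostname(endpoint):
    """Return the lower-cased host of a URL or of a bare host name."""
    if "://" not in endpoint:
        endpoint = "https://" + endpoint
    return urlsplit(endpoint).hostname

def parse_rule(rule):
    """Split 'host-pattern[:port]' into (pattern, port or None)."""
    pattern, _, port = rule.strip().lower().partition(":")
    return pattern, int(port) if port else None

def is_allowed(host, rules, port=443):
    """True if any rule matches the host and does not pin a different port."""
    for rule in rules:
        pattern, rule_port = parse_rule(rule)
        if rule_port in (None, port) and fnmatchcase(host, pattern):
            return True
    return False

def missing_endpoints(rules):
    """List the required hosts that the allowlist does not permit on tcp/443."""
    hosts = [hostname(e) for e in REQUIRED_ENDPOINTS]
    return [h for h in hosts if not is_allowed(h, rules)]

if __name__ == "__main__":
    for host in missing_endpoints(SAMPLE_ALLOWLIST):
        print(f"not allowed on tcp/443: {host}")
```

Wildcard semantics differ between products: some match only a single label with `*`, so confirm how your device interprets a pattern before relying on the result.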

Required permissions

EasyLife 365 uses the Microsoft Identity Platform to manage the authentication and authorization layer against your Microsoft 365 tenant. It uses the Microsoft Graph and the SharePoint REST API to access your resources. EasyLife 365 uses the EasyLife 365 Collaboration Cockpit and EasyLife 365 Azure AD application to perform the operations in the context of a user or administrator.

EasyLife 365 is a certified Microsoft 365 application. The certification phase is centered around a thorough security audit of the app and its supporting infrastructure. The app is vetted against a series of security controls derived from leading industry standard frameworks such as SOC 2, PCI DSS, and ISO 27001. Apps that are awarded a certification have demonstrated that strong security and compliance practices are in place to protect customer data. You can find details about the required permissions under the Microsoft 365 App Certification website.

Data location & retention

EasyLife 365 prioritizes the protection of customer information by reducing the amount of data stored in our environment. To achieve this objective, workflow data is directly saved in the customer's Azure AD environment, and it is connected to the lifetime of Azure AD resources such as Microsoft Teams and Azure AD Guest Accounts.

All activities performed by the "EasyLife 365" Azure AD application, such as resource creation and changes made to customer resources based on policy settings, are monitored in Microsoft Audit Logs and associated with the Azure AD Application "EasyLife 365". All activities performed in the administrative console are recorded in audit logs with the Azure AD Application "EasyLife 365 Collaboration Cockpit". The retention period for these logs can be configured on the customer's tenant.

Configuration data such as templates, policies, approval state, and notification settings are stored in their dedicated Azure Subscription situated in our European data center. Upon request, customers from the Americas and Asia Pacific can also have their configuration data saved in their respective regions. This data is kept as long as the customer has a valid EasyLife 365 license, and it is automatically erased after 90 days of license expiration.

Configuration and approvals backups are deleted after 180 days.

For internal support and troubleshooting purposes, EasyLife 365 keeps track of operations performed by the "EasyLife 365" and "EasyLife 365 Collaboration Cockpit" Azure AD apps for a period of 30 days. During this time, information such as Microsoft 365 Group metadata (e.g. Title, Description) or user contact data (e.g. e-mail address, preferred language) is saved. Your sign-in logs to EasyLife are tracked for 90 days in our logs.

Mail notification history is monitored for 7 days if the SendGrid notification option is selected. For Microsoft Shared Mailboxes, this rule does not apply.

User tickets are tracked for 6 months until closure.