Microsoft Booking Security Architecture

Microsoft

My customer is planning to use this Microsoft Booking and would like to know the following:

  • What’s the architecture design of this service?
  • How is confidentiality of stored/registered information managed (i.e. Customer A should not be able to search or see Customer B's booking information)?
  • Where is all the submitted information stored? (e.g. SharePoint site, mailbox, etc.)

These are some of the questions asked by security.

4 Replies
Dear Jiehher,

Any luck on the reply from Microsoft, or any documentation you managed to find?

My side has similar security considerations, especially in terms of preventing mass booking by bots (as we see the submission did not utilize anti-bot like Encapture), and also data protection (e.g. there is a customer database, but is there access control on staff and any housekeeping functions?).

I've seen a security issue: when the mailbox user is created for the Bookings calendar, it's creating a user in Azure AD which is allowing sign-in. Has anyone else seen this and/or seen a solution?

 

thanks

mikie

@sup mikie swie o365 We can see it create a customer profile but not one in Azure. Have you any more information on what you are seeing or how you are creating the account?

Have seen some webinars + read the documentation, so got the info from there. Hope some of these answers help :smile:

 

  • What’s the architecture design of this service?

[Image: Markus_Johnsen_0-1620135103959.png]

 

  • How is confidentiality of stored/registered information managed (i.e. Customer A should not be able to search or see Customer B's booking information)?

Not sure what you mean here. The only way you can see booking info is if you have access to the Bookings app. As of now you have the Administrator, Viewer and Guest roles. Admin and Viewer are the only ones that can access the app, and have to have an account and O365 license, and be invited to the Booking calendar.

 

  • Where is all the submitted information stored? (e.g. SharePoint site, mailbox, etc.)

From the FAQ-page:

 

Where is Bookings data stored?

Bookings is a Microsoft 365 app, meaning all data is stored within the Microsoft 365 platform and in Exchange. Bookings uses shared mailboxes in Exchange to store customer, staff, service, and appointment details. Compliance policies for shared mailboxes in Exchange also apply for Bookings mailboxes. All customer data (including information provided by customers when booking) is captured in Bookings and is stored within the app, thus it is stored within Exchange.