This article provides a high-level technical overview of the Eido hosted platform for customer security, architecture, procurement, and technical design reviews.
It explains how Eido is hosted, how customer Microsoft tenant data is connected, where data is stored, and how backups are managed. It does not expose internal infrastructure identifiers, environment-specific configuration, or sensitive implementation details.
Platform Hosting
Eido is hosted on Microsoft Azure.
Production environments are deployed in the following Azure regions:
- EU: Germany West Central
- UK: UK West
- US: East US 2
The EU, UK, and US environments operate as independent production deployments. There is no automatic cross-region failover between these environments.
Data Residency
Eido’s core application services and primary data stores are deployed in the relevant Azure region for the customer.
This means customer data processed by Eido is stored within the relevant Azure-hosted environment, subject to the Microsoft Azure services used by the platform.
Where backup storage is configured using locally redundant storage, backup data remains within the primary Azure region rather than being replicated to a paired region.
Microsoft Entra ID and Tenant Connectivity
Eido connects to customer Microsoft environments using Microsoft Entra ID and Microsoft Graph.
The connection is established through Microsoft Entra application registration and consent flows. This allows the customer to control and approve the permissions granted to Eido.
Depending on the enabled product features and permissions approved by the customer, Eido may use Microsoft Graph to access relevant Microsoft Intune and Entra ID information, such as:
- Users
- Groups
- Devices
- Intune device inventory
- Compliance and configuration policy information
- Application and assignment information
- Audit and operational information where required
Eido does not require a direct network connection into the customer environment. Connectivity is handled through Microsoft cloud APIs using approved Microsoft Entra ID permissions.
App Metering / Software Metering
Where App Metering is enabled, Eido can collect application usage information from managed Windows endpoints.
This feature uses PowerShell scripts deployed through Microsoft Intune Proactive Remediations. The collector runs on the endpoint, reads Windows process start and stop audit events, filters them against the configured list of metered applications, and sends matched usage sessions securely to the Eido platform.
App Metering requires outbound HTTPS connectivity from the endpoint to the Eido service. It does not require inbound network access into the customer environment.
App Metering is optional and is only used where it has been enabled and configured for the customer tenant.
High-Level Data Flow
Customers & Users
↓
Microsoft Entra ID
Authentication, authorisation and SSO
↓
Eido Application Services & APIs
Business logic and data processing
↓
Microsoft Graph / Intune APIs
Tenant-approved data access
↓
Eido Production Environment
Regional deployment: EU / UK / US
↓
Azure SQL Database
Application data, reporting data and tenant sync data
↓
Azure SQL Automated Backups
Encrypted automated backups and point-in-time restore
↓
Azure Monitoring and Diagnostics
Application Insights / Log Analytics
For core Intune reporting, this design allows Eido to securely retrieve relevant Microsoft Intune and Entra ID data without requiring VPNs or direct network access into the customer environment.
Backups
Eido uses Microsoft Azure SQL Database automated backup capabilities for relational application data.
Azure SQL Database backups are platform-managed by Microsoft Azure and support point-in-time restore within the configured retention period. This allows Eido to restore database data to a previous point in time where required.
Eido production databases are configured with locally redundant backup storage. This means backup copies are retained within the primary Azure region rather than being geo-replicated to a paired Azure region.
Where configured, long-term retention backups may also be available for production database environments.
The underlying backup process, including full, differential, and transaction log backups, is managed automatically by the Azure SQL Database service.
Encryption
Eido uses encryption in transit and at rest.
Data in transit is protected using HTTPS/TLS for communication between users, Microsoft cloud services, and the Eido platform.
Azure SQL Database provides encryption at rest using Microsoft Azure platform encryption capabilities. Azure Storage, where used, also provides encryption at rest using Microsoft Azure platform encryption capabilities.
Secrets, credentials, and application keys are stored securely using Azure Key Vault, with access controlled through Azure identity and role-based access controls.
Monitoring and Logging
Eido uses Azure monitoring services to support platform reliability, diagnostics, and operational support.
This includes Azure Application Insights and Log Analytics for application telemetry, diagnostic logs, and service health visibility.
Logging is used to support troubleshooting, operational monitoring, and service improvement. Access to operational logs is restricted to authorised Eido personnel.
Access Control and Security
Access to the Eido platform and supporting infrastructure is restricted to authorised personnel only.
Eido follows role-based access control principles and uses Microsoft Azure identity and security controls to manage access to production services.
Customer access to Eido is controlled through the product’s authentication model and, where applicable, Microsoft Entra ID authentication.
Customer Control
Customers remain in control of their Microsoft tenant and the permissions granted to Eido.
Microsoft Entra consent can be reviewed and managed by the customer’s Microsoft administrators. If permissions are removed, Eido’s ability to sync or report on the relevant tenant data may be affected.
Additional Information
This article provides a high-level technical overview for customer security and architecture reviews.
The specific hosting region can be confirmed for each customer or service instance where required.
For more detail on the Microsoft Graph, Microsoft Entra ID, and Microsoft Intune data collected by Eido, please refer to the attached Intune - Data Collection document.
More detailed information, such as specific Microsoft Graph permissions, product-specific data flows, security documentation, or architecture diagrams, can be provided where required as part of a formal customer security review.
Comments
0 comments
Article is closed for comments.