Adding Migration API documentation in

Author: VesaJuvonen

docs/apis/migration-api-azure-container-and-queue.md

@@ -0,0 +1,64 @@
+---
+title: SPO provided Migration Azure container and queue
+ms.author: jhendr
+author: JoanneHendrickson
+manager: pamgreen
+ms.date: 6/20/2018
+description: "One of the Main requirement for using our Migration API is the usage of an Azure container as a temporary storage. We now provide a default container that can be used for using the migration API."
+---
+
+# SPO provided Migration Azure container and queue
+
+Microsoft’s Migration API requires the use of an Azure container for temporary storage. To simplify the process, you are now provided with a default container while using the migration API. If you choose, you can still provide your own Azure container.
+
+## Encryption is required
+
+For the Migration API to accept a Migration Job coming from a SPO provided Azure container, the data needs to be encrypted at rest. The customer is still allowed to provide their own Azure account if they prefer to not use encryption.
+
+##  Advantages
+
+|Advantage|Description|
+|:-----|:-----|
+|Cost of Azure container goes to SPO|Since we are providing the containers, those containers are now part of the basic SharePoint online Offering. Every tenant who signs up for SharePoint Online will get this for free).|
+|Containers and queues are unique per request and not reused|Once a container is given to a customer this container will not be reused or shared.|
+|Containers and queue are automatically deleted|As per the standard SharePoint Online Compliance, we will destroy the container within 30 to 90 days automatically.|
+|Containers and queues are in the customer’s datacenter ___location|We make sure to provision containers that are in the same physical ___location than their SharePoint online tenant.| 
+|They are obtainable programmatically|There is no need to interact with Azure unless the user chooses.
+
+## How to use it
+
+### Getting Containers
+
+```csharp
+    public SPProvisionedMigrationContainersInfo ProvisionMigrationContainers()
+```
+
+The call will return an object that contains two strings containing two SAS tokens for accessing the two required containers and a byte array for the AES256CBC encryption. 
+
+This key will need to be used when encrypting the data. We forget the key once we give it out, therefore you must keep it to pass it again for the Submit Migration Job call.
+
+```csharp
+    Uri DataContainerUri 
+
+    Uri MetadataContainer Uri
+
+    byte[] EncryptionKey 
+```
+
+### Getting Queue
+
+```csharp
+    public SPProvisionedMigrationQueueInfo ProvisionMigrationQueue()
+```
+
+This method will return a string containing the SAS token for accessing the Azure queue.
+
+The queue can be reused across multiple migration jobs so this call should not be that frequently as the `SPProvisionedMigrationContainersInfo()` call.
+
+```csharp
+    Uri JobQueueUri
+```
+
+### After getting the Container and the Queue:
+
+Once those calls have been made, the rest of the flow remains the same for using the Migration API.

docs/apis/migration-api-encryption.md

@@ -0,0 +1,80 @@
+---
+title: OneDrive for Business and SharePoint Online Migration API – Encryption
+ms.author: jhendr
+author: JoanneHendrickson
+manager: pamgreen
+ms.date: 6/20/2018
+description: "How to pass encrypted content at rest to the API securely."
+---
+
+# OneDrive for Business and SharePoint Online Migration API encryption
+
+Using the Migration API requires a temporary storage container in Azure. This Azure container is already only openable by someone having a SAS key access to the container. The gGoal of this feature is to allow to pass eEncrypted content at rest to the API meaning that even if a malicious user has access to the Container he won’t be able to use its content.
+
+## What is stored in the Azure blob container
+
+The Migration API requires the Azure Container for content passing and also for log and queue reporting back. It can be split down as a summary into those buckets:
+
+Content
+
+- Files
+- Manifest
+    - Metadata
+    - Permissions
+    - List items
+    - Taxonomy
+    - Logs (created by SharePoint Online to report back on the migration results)
+- Queue
+    - Real time reportig on the progress
+
+## What is the encryption feature?
+
+When using the encryption parameter, everything listed above will be encrypted at rest and the key will need to be preserved in order to read the logs and the real time progress. 
+The main benefits is making the content useless for a malicious user who would manage to breach into the Azure container. 
+
+This comes with a small cost of performance. This feature is optional when using the API and it is recommended to only use it for the most confidential information since it does reduce the speed of the migration by a small portion. Microsoft destroys the key once the migration job is finished and there is no way to recover the key if lost, not even from support.
+
+## As a 3rd party developer how do I take advantage of the Encryption feature?
+
+### Calling the API
+
+The method for calling the Migration Job has a different name and an additional parameter at the end. The new name is: `CreateMigrationJobEncrypted`
+
+The new parameter is: `EncryptionOption`
+
+For now, it only supports receiving an AES256CBC Encryption Key.
+
+Example:
+
+```csharp
+    public Guid CreateMigrationJobEncrypted(
+        Guid gWebId,
+        string azureContainerSourceUri,
+        string azureContainerManifestUri,
+        string azureQueueReportUri,
+        EncryptionOption AES256CBCKey)
+```
+
+## Extra requirement
+
+For the encryption, each file must be encrypted and have an IV assigned to it. The encryption method should follow the AES CBC 256 Standard. The IV should be different for every file including the manifests in the package and should be stored as a property on each files. 
+
+- Name = [IV] 
+- Value = [Base64encoded byte array of the IV]
+
+## Reading the queue when encrypted
+
+When using the encryption option, the messages in the queue will also get encrypted.
+
+It is important to remember the Job ID. Without the specific key used for the job, you won’t be able to read the message back.
+
+Here is the JSON content in the queue message
+
+```json
+{"Label", "Encrypted"},
+{"JobId", "[JobId value]"},
+{"IV", "[IV value in base64format]"},     
+{"Content", "[encrypted message in base64string]"}  
+```
+
+Once the messages are decrypted, they will be the same as the API without encryption.