Windows 365 – Persona Consultant – Please give me a Cloud PC

Windows 365 has a lot of different use cases, and I have made a list of 6 personas use-cases here. But today lets talk more about Windows 365 for consultants.

Either you hire consultants or you are an consultant. In other words someone external who temporary works inside an organization or system.

They need access to your system, in order to help you out with expertise or more in general firepower to a team.

How we used to organize for consultants

Historically, in most cases consultants are provided the same as an employee. They get a company user identity and company device to work on. Even used to get a desk to work at the companies office. This has been flying for many years, but I can today say it is painful for the consultant.

No alt text provided for this image
Carrying 4 laptops – reminds me of school back in the days

How we organized for consultants during covid

Consultants are provided the same as an employee. They get a company user and company device to work on, but due to covid everyone where sitting in their home office, aka kitchen or living room for det most. Not much changed, but now I had multiple devices on my dining table and didn’t run around with all of them in a backpack.

It might be a slight overstatement, because working with Microsoft 365 and Azure for many years, we didn’t have the restrictions we enforce today. It was more wild wild west, and often I could access every organization from whatever location and device I had purchased back then.

But for many cases, it required an additional identity, additional device and even then an additional VPN connection now that we all worked from home.

No alt text provided for this image
Home office for most people

How we try to organize for consultants today

Consultants or external help can be invited into your infrastructure with their own identity as guests, and the consultant will not need a company user or device to work from. The consultant can keep using h*s identity and device provided by their original company.

But if your company have advanced enough in the world of modern device management, you are not allowing your own employees access without them using a compliant device. A consultant will most likely have a device managed by their original company, and one device can’t be managed by several device management systems at the same time. Hence you can’t require the consultant to have a compliant device according to your compliance rule.

Now lately we have seen the submerge of trusting MFA and compliance status across tenants, but it requires an administrative deal and continued process to be aligned in compliance policy. When you invite a consultant it will have a compliant device, but you don’t know which rules are configured to state a device is compliant in the trusted tenant.

We can do the same for MFA, so guests who uses Azure MFA doesn’t have to enter MFA when already done so by policies in their home tenant. But this is less complex as the options with MFA usually is between Authenticator App or allowing SMS code. Using the Authenticator App or other well known/developed OTP application is stronger authentication compared to SMS code, which is easier for someone to catch having a twin-simcard created.

This is called cross-tenant access with Azure Active Directory External Identities, documented here.

No alt text provided for this image
Cross tenant authentication flow for B2B guests

How we can organize for consultants today

By leveraging Cloud PCs like Windows 365 or Azure Virtual Desktop, we can easily provide consultants with desktop protected by your very own compliance policy. The Cloud PC can be available from any device and any location, with little to no risk from the physical device they connect from.

Gone are the days with multiple devices, but at least for now, we need additional identities for this scenario. Because these virtual desktops or Cloud PCs doesn’t support guests or external identities. At least not yet.

Recommendation

As security focused consultant I will recommend the last option using Cloud PCs with separate identities. Most consultants only require access to certain resources to get the work done, these identities can be equal to separate admin accounts. And the Cloud PC more of a Privileged Access Workstation, while using their own identity and local device to do collaboration.

#SecurityTip

In order to maximize your security today, it is crucial to control bought devices and identities, as long as you have the knowledge to do so.

Thank you for reading my blog. I hope it was helpful and if you want more from me try subscribing to my LinkedIn Newsletter here.


Leave a Reply

Ehlo!

I am Roy Apalnes, a Microsoft Cloud Evangelist working av Sopra Steria. Main focus in Microsoft Security and Endpoint Management, with a bigger picture in mind.

Featured Posts