Windows 365 has many different use cases, and I have made a list of six persona use cases here. But today let's talk about Windows 365 for consultants.
Either you hire consultants or you are a consultant: in other words, someone external who temporarily works inside an organization or system.
They need access to your systems in order to help you with expertise or, more generally, to add firepower to a team.
How we used to organize for consultants
Historically, consultants have in most cases been provided for in the same way as employees. They get a company user identity and a company device to work on, and they even used to get a desk at the company's office. This has worked for many years, but I can say today that it is painful for the consultant.
How we organized for consultants during covid
Consultants were still provided for in the same way as employees. They got a company user and a company device to work on, but due to covid everyone was sitting in their home office, aka the kitchen or living room for most of us. Not much changed, except that I now had multiple devices on my dining table instead of carrying all of them around in a backpack.
It might be a slight overstatement, because having worked with Microsoft 365 and Azure for many years, we did not have the restrictions we enforce today. It was more like the wild west, and often I could access every organization from whatever location and device I happened to have bought back then.
But in many cases it required an additional identity, an additional device, and, now that we all worked from home, an additional VPN connection.
How we try to organize for consultants today
Consultants or external help can be invited into your infrastructure with their own identity as guests, so the consultant does not need a company user or device from you. The consultant keeps using the identity and device provided by their own company.
But if your company has advanced far enough in modern device management, you are not allowing your own employees access without a compliant device. A consultant will most likely have a device managed by their own company, and one device cannot be enrolled in several device management systems at the same time. Hence you cannot require the consultant's device to be compliant according to your own compliance rules.
Lately we have seen the emergence of trusting MFA and device compliance status across tenants, but it requires an administrative agreement and an ongoing process to stay aligned on compliance policy. When you invite a consultant, their device may arrive marked as compliant, but you do not know which rules the trusted tenant uses to decide that a device is compliant. Trusting the claim means inheriting the other tenant's definition of compliance.
We can do the same for MFA, so guests who use Azure MFA do not have to complete MFA again when they have already done so according to the policies in their home tenant. This is less complex, as the MFA options are usually between the Authenticator app and SMS codes. The Authenticator app or another well-known OTP application is stronger authentication than an SMS code, which is easier for someone to intercept by having a duplicate SIM card issued (a SIM swap).
This is called cross-tenant access settings in Azure Active Directory External Identities, documented here.
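As an added example (not from the original post), this is how the inbound trust described above can be configured for one specific partner tenant with the Microsoft Graph PowerShell SDK. The default cross-tenant policy trusts nothing from other tenants; a partner-specific entry overrides it for that tenant only. The partner tenant ID is a placeholder, and the script assumes the Microsoft.Graph module is installed and the signed-in administrator can consent to the Policy.ReadWrite.CrossTenantAccess scope.

```powershell
# Added example: trust MFA and compliant-device claims from one partner tenant.
# Assumptions: Microsoft.Graph PowerShell SDK installed; the tenant ID below is a
# placeholder to replace with the consultant company's tenant ID.
$PartnerTenantId = '00000000-0000-0000-0000-000000000000'

Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess'

$partnerUri = 'https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners'

# Trust the partner's MFA and device compliance claims. Hybrid Azure AD join is
# left untrusted because the consultant's device is not joined to our on-prem AD.
$inboundTrust = @{
    isMfaAccepted                       = $true
    isCompliantDeviceAccepted           = $true
    isHybridAzureADJoinedDeviceAccepted = $false
}

# Check whether a partner-specific configuration already exists (GET returns 404 otherwise).
try {
    $existing = Invoke-MgGraphRequest -Method GET -Uri "$partnerUri/$PartnerTenantId"
} catch {
    $existing = $null
}

if ($null -eq $existing) {
    # No entry yet: create the partner configuration with the inbound trust settings.
    $body = @{ tenantId = $PartnerTenantId; inboundTrust = $inboundTrust }
    Invoke-MgGraphRequest -Method POST -Uri $partnerUri -Body $body -ContentType 'application/json'
} else {
    # Entry exists: only update the inbound trust block, leave other settings untouched.
    Invoke-MgGraphRequest -Method PATCH -Uri "$partnerUri/$PartnerTenantId" `
        -Body @{ inboundTrust = $inboundTrust } -ContentType 'application/json'
}

# Verify: list every partner tenant that now has an explicit trust configuration.
# Each line here is a tenant whose compliance rules you are trusting without controlling.
$partners = (Invoke-MgGraphRequest -Method GET -Uri $partnerUri).value
$partners | ForEach-Object {
    [pscustomobject]@{
        TenantId          = $_.tenantId
        MfaAccepted       = $_.inboundTrust.isMfaAccepted
        CompliantAccepted = $_.inboundTrust.isCompliantDeviceAccepted
        HybridJoinAccepted = $_.inboundTrust.isHybridAzureADJoinedDeviceAccepted
    }
} | Format-Table -AutoSize
```

The verification step at the end is the part worth keeping in an operations runbook: the list of partner tenants with inbound trust is exactly the list of organizations whose compliance definitions you have agreed to accept, so it should be reviewed whenever a consultancy agreement ends.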
How we can organize for consultants today
By leveraging Cloud PCs like Windows 365 or Azure Virtual Desktop, we can easily provide consultants with a desktop protected by your very own compliance policy. The Cloud PC is available from any device and any location, with little risk from the physical device they connect from: the data stays in the Cloud PC, and what remains exposed is what a compromised local device can capture from the keyboard and screen.
Gone are the days of multiple devices, but at least for now we need additional identities for this scenario, because these virtual desktops and Cloud PCs do not support guest or external identities. At least not yet.
Recommendation
As a security-focused consultant I recommend the last option: Cloud PCs with separate identities. Most consultants only require access to certain resources to get the work done, so these identities can be treated like separate admin accounts, and the Cloud PC more like a Privileged Access Workstation, while the consultant uses their own identity and local device for collaboration.
#SecurityTip
To maximize your security today, it is crucial to control both devices and identities, as long as you have the knowledge to do so.
Thank you for reading my blog. I hope it was helpful, and if you want more from me, try subscribing to my LinkedIn Newsletter here.