{"id":237,"date":"2024-06-14T23:50:43","date_gmt":"2024-06-14T21:50:43","guid":{"rendered":"http:\/\/deepdef.quaglia.fr\/?p=237"},"modified":"2024-06-14T23:58:48","modified_gmt":"2024-06-14T21:58:48","slug":"maitriser-et-limiter-les-postes-des-prestataires","status":"publish","type":"post","link":"https:\/\/deepdef.quaglia.fr\/index.php\/2024\/06\/14\/maitriser-et-limiter-les-postes-des-prestataires\/","title":{"rendered":"Ma\u00eetriser et limiter les postes des prestataires"},"content":{"rendered":"
[vc_row][vc_column][vc_column_text][\/vc_column_text][vc_column_text css=””]\r\n
\r\n
\r\n

Comment ma\u00eetriser et limiter les postes des prestataires avec Azure AD et l\u2019acc\u00e8s conditionnel – REX<\/span><\/span><\/h1>\r\n<\/div>\r\n<\/div>\r\n[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text css=””]\r\n
\r\n

Retour d\u2019exp\u00e9rience d\u2019un projet r\u00e9alis\u00e9 pour un grand compte bas\u00e9 en r\u00e9gion Occitanie, nomm\u00e9e par la suite l\u2019Organisation<\/strong>. <\/span><\/p>\r\n<\/div>\r\n

\u00a0<\/div>\r\n
\r\n
\r\n
\r\n
\r\n
\"\"<\/div>\r\n<\/figure>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n
\u00a0<\/div>\r\n
\r\n
\u00a0<\/span><\/div>\r\n<\/div>\r\n
\u00a0<\/div>\r\n
\r\n

Contexte<\/span><\/h3>\r\n<\/div>\r\n
\u00a0<\/div>\r\n
\r\n

A l\u2019instar de nombreuses entreprises, l\u2019Organisation<\/strong> en question ne fournit plus de postes de travail aux prestataires intervenant sur son SI (infog\u00e9rant, prestataires ponctuels, prestataires m\u00e9tiers\u2026). Chaque prestataire utilise un poste de travail multi-clients contr\u00f4l\u00e9 par sa propre soci\u00e9t\u00e9, ne permettant donc pas le d\u00e9ploiement du master de l\u2019Organisation<\/strong> sur ces postes.<\/span><\/p>\r\n<\/div>\r\n

\u00a0<\/div>\r\n
\r\n
\u00a0<\/span><\/div>\r\n<\/div>\r\n
\u00a0<\/div>\r\n
\r\n

De plus, l\u2019Organisation<\/strong>, dans une d\u00e9marche de bascule vers le cloud, publie au travers d\u2019Azure AD les applications et services utilis\u00e9s par les prestataires. Elle ne souhaite plus utiliser de solutions VPN pour contr\u00f4ler l\u2019acc\u00e8s \u00e0 ces ressources.<\/span><\/p>\r\n<\/div>\r\n

\u00a0<\/div>\r\n
\r\n
\u00a0<\/span><\/div>\r\n<\/div>\r\n
\u00a0<\/div>\r\n
\r\n

Dans un premier temps, l\u2019Organisation<\/strong> a utilis\u00e9 l\u2019acc\u00e8s conditionnel d\u2019Azure combin\u00e9 \u00e0 du MFA pour prot\u00e9ger l\u2019acc\u00e8s aux ressources. Mais tr\u00e8s rapidement, il est apparu que les prestataires utilisaient aussi bien leurs ordinateurs personnels, professionnels ou leurs smartphones pour y acc\u00e9der.<\/span><\/p>\r\n<\/div>\r\n

\u00a0<\/div>\r\n
\r\n
\u00a0<\/span><\/div>\r\n<\/div>\r\n
\u00a0<\/div>\r\n
\r\n

\u00a0<\/span><\/h3>\r\n<\/div>\r\n
\u00a0<\/div>\r\n
\r\n

Contraintes<\/span><\/h3>\r\n<\/div>\r\n
\u00a0<\/div>\r\n
\r\n

L\u2019Organisation<\/strong> souhaitait trouver une solution for\u00e7ant les prestataires \u00e0 utiliser un unique poste de travail professionnel, sans surco\u00fbt et sans surcharge de travail pour les \u00e9quipes internes en termes d\u2019exploitation.<\/span><\/p>\r\n<\/div>\r\n

\u00a0<\/div>\r\n
\r\n
\u00a0<\/span><\/div>\r\n<\/div>\r\n
\u00a0<\/div>\r\n
\r\n

\u00a0<\/span><\/h3>\r\n<\/div>\r\n
\u00a0<\/div>\r\n
\r\n

Difficult\u00e9s<\/span><\/h3>\r\n<\/div>\r\n
\u00a0<\/div>\r\n
\r\n

La principale difficult\u00e9 de ce projet r\u00e9side dans l\u2019h\u00e9t\u00e9rog\u00e9n\u00e9it\u00e9 des postes de travail des diff\u00e9rents prestataires. Certains postes sont dans un domaine AD, d\u2019autres sont enr\u00f4l\u00e9s dans un MDM ou d\u2019autres encore sont en Azure AD join ou hybrid Azure AD join.<\/span><\/p>\r\n<\/div>\r\n

\u00a0<\/div>\r\n
\r\n
\u00a0<\/span><\/div>\r\n<\/div>\r\n
\u00a0<\/div>\r\n
\r\n

\u00a0<\/span><\/h3>\r\n<\/div>\r\n
\u00a0<\/div>\r\n
\r\n

Solutions \u00e9tudi\u00e9es<\/span><\/h3>\r\n<\/div>\r\n
\u00a0<\/div>\r\n
\r\n

Plusieurs solutions ont \u00e9t\u00e9 \u00e9tudi\u00e9es, sans pour autant avoir \u00e9t\u00e9 retenues :<\/span><\/p>\r\n<\/div>\r\n

\u00a0<\/div>\r\n
\r\n
    \r\n
  • \r\n

    Le contr\u00f4le des acc\u00e8s aux applications au travers de MCAS (CASB de Microsoft) coupl\u00e9 avec un certificat utilisateur. Les contraintes d\u2019exploitation ont repr\u00e9sent\u00e9 un frein.<\/span><\/p>\r\n<\/li>\r\n

  • \r\n

    Le management des terminaux avec l\u2019Intune de l\u2019Organisation<\/strong>. La solution n\u2019est pas fonctionnelle pour les postes d\u00e9j\u00e0 manag\u00e9s par un MDM.<\/span><\/p>\r\n<\/li>\r\n

  • \r\n

    L\u2019utilisation d\u2019Azure Virtual Desktop, qui est la solution qui r\u00e9pond le mieux \u00e0 ce besoin d\u2019un point de vue s\u00e9curit\u00e9 et fonctionnel. Cependant, la solution n\u00e9cessite un vrai projet d\u2019int\u00e9gration et repr\u00e9sente un co\u00fbt \u00e0 l\u2019usage.<\/span><\/p>\r\n<\/li>\r\n<\/ul>\r\n<\/div>\r\n

    \u00a0<\/div>\r\n
    \r\n
    \u00a0<\/span><\/div>\r\n<\/div>\r\n
    \u00a0<\/div>\r\n
    \r\n

    \u00a0<\/span><\/h3>\r\n<\/div>\r\n
    \u00a0<\/div>\r\n
    \r\n

    Solution mise en \u0153uvre : Azure AD Registered + acc\u00e8s conditionnel<\/span><\/h3>\r\n<\/div>\r\n
    \u00a0<\/div>\r\n
    \r\n

    La solution propos\u00e9e par Deepdef<\/strong> et s\u00e9lectionn\u00e9e par l\u2019Organisation<\/strong>, \u00ab Azure AD Registered + Conditional Access \u00bb, consiste \u00e0 faire enregistrer les postes de travail des prestataires sur l\u2019Azure AD de l\u2019Organisation<\/strong> et \u00e0 r\u00e9aliser un contr\u00f4le d\u2019acc\u00e8s en se basant sur la notion d\u2019\u00ab Azure AD Registered \u00bb.<\/span><\/p>\r\n<\/div>\r\n

    \u00a0<\/div>\r\n
    \r\n
    \u00a0<\/span><\/div>\r\n<\/div>\r\n
    \u00a0<\/div>\r\n
    \r\n

    Ce scenario se base sur une fonctionnalit\u00e9 encore en preview du Conditional Access, Device state. Cette solution a \u00e9t\u00e9 choisie car elle r\u00e9pond aux deux pr\u00e9requis de l\u2019Organisation<\/strong>, \u00e0 savoir qu\u2019elle n\u2019entraine aucun co\u00fbt de licences suppl\u00e9mentaire, ni d\u2019efforts d\u2019exploitation de l\u2019\u00e9quipe interne, et se r\u00e9v\u00e8le simple \u00e0 mettre en \u0153uvre.<\/span><\/p>\r\n<\/div>\r\n

    \u00a0<\/div>\r\n
    \r\n
    \u00a0<\/span><\/div>\r\n<\/div>\r\n
    \u00a0<\/div>\r\n
    \r\n
    Mise en \u0153uvre<\/span><\/h6>\r\n<\/div>\r\n
    \u00a0<\/div>\r\n
    \r\n

    La r\u00e8gle d\u2019acc\u00e8s conditionnel s\u2019appuie sur le filtrage des devices enregistr\u00e9s, en cons\u00e9quence tout acc\u00e8s aux applications est refus\u00e9 sauf pour les devices enregistr\u00e9s dans Azure AD :<\/span><\/p>\r\n<\/div>\r\n

    \u00a0<\/div>\r\n
    \r\n
    \r\n
    \r\n
    \r\n
    \"\"<\/div>\r\n<\/figure>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n
    \u00a0<\/div>\r\n
    \r\n
    \u00a0<\/span><\/div>\r\n<\/div>\r\n
    \u00a0<\/div>\r\n
    \r\n

    Une limite du nombre de devices enregistr\u00e9s par utilisateur est impos\u00e9e, ici un device :<\/span><\/p>\r\n<\/div>\r\n

    \u00a0<\/div>\r\n
    \r\n
    \r\n
    \r\n
    \r\n
    \"\"<\/div>\r\n<\/figure>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n
    \u00a0<\/div>\r\n
    \r\n
    \u00a0<\/span><\/div>\r\n<\/div>\r\n
    \u00a0<\/div>\r\n
    \r\n

    L\u2019enregistrement du poste de travail est r\u00e9alis\u00e9 par l\u2019utilisateur lui-m\u00eame. La manipulation est simple et ne n\u00e9cessite pas de privil\u00e8ges \u00e9lev\u00e9s.<\/span><\/p>\r\n<\/div>\r\n

    \u00a0<\/div>\r\n
    \r\n
    \u00a0<\/span><\/div>\r\n<\/div>\r\n
    \u00a0<\/div>\r\n
    \r\n

    Cette solution a l\u2019avantage de fonctionner avec un grand nombre de modes de gestion des postes de travail des organisations prestataires :<\/span><\/p>\r\n<\/div>\r\n

    \u00a0<\/div>\r\n
    \r\n
      \r\n
    • \r\n

      Depuis un poste de travail inscrit dans un domaine AD :<\/span><\/p>\r\n<\/li>\r\n<\/ul>\r\n<\/div>\r\n

      \u00a0<\/div>\r\n
      \r\n
      \u00a0<\/span><\/div>\r\n<\/div>\r\n
      \u00a0<\/div>\r\n
      \r\n
      \r\n
      \r\n
      \r\n
      \"\"<\/div>\r\n<\/figure>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n
      \u00a0<\/div>\r\n
      \r\n
      \u00a0<\/span><\/div>\r\n<\/div>\r\n
      \u00a0<\/div>\r\n
      \r\n
        \r\n
      • \r\n

        Depuis un poste de travail d\u00e9j\u00e0 enr\u00f4l\u00e9 dans un Intune :<\/span><\/p>\r\n<\/li>\r\n<\/ul>\r\n<\/div>\r\n

        \u00a0<\/div>\r\n
        \r\n
        \r\n
        \r\n
        \r\n
        \"\"<\/div>\r\n<\/figure>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n
        \u00a0<\/div>\r\n
        \r\n
        \u00a0<\/span><\/div>\r\n<\/div>\r\n
        \u00a0<\/div>\r\n
        \r\n
          \r\n
        • \r\n

          Depuis un poste de travail Azure AD join :<\/span><\/p>\r\n<\/li>\r\n<\/ul>\r\n<\/div>\r\n

          \u00a0<\/div>\r\n
          \r\n
          \r\n
          \r\n
          \r\n
          \"\"<\/div>\r\n<\/figure>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n
          \u00a0<\/div>\r\n
          \r\n
          \u00a0<\/span><\/div>\r\n<\/div>\r\n
          \u00a0<\/div>\r\n
          \r\n

          Lorsque l\u2019utilisateur tente d\u2019acc\u00e9der \u00e0 une ressource depuis un poste non enregistr\u00e9, l\u2019acc\u00e8s est bloqu\u00e9 :<\/span><\/p>\r\n<\/div>\r\n

          \u00a0<\/div>\r\n
          \r\n
          \r\n
          \r\n
          \r\n
          \"\"<\/div>\r\n<\/figure>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n
          \u00a0<\/div>\r\n
          \r\n
          \u00a0<\/span><\/div>\r\n<\/div>\r\n
          \u00a0<\/div>\r\n
          \r\n

          Afin de s\u2019assurer que l\u2019utilisateur enregistre et utilise bien un poste de travail de sa soci\u00e9t\u00e9, il est possible de compl\u00e9ter la r\u00e8gle d\u2019acc\u00e8s conditionnel avec l\u2019identit\u00e9 du device :<\/span><\/p>\r\n<\/div>\r\n

          \u00a0<\/div>\r\n
          \r\n
          \r\n
          \r\n
          \r\n
          \"\"<\/div>\r\n<\/figure>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n
          \u00a0<\/div>\r\n
          \r\n
          \u00a0<\/span><\/div>\r\n<\/div>\r\n
          \u00a0<\/div>\r\n
          \r\n

          L\u2019alimentation de la liste de device ID peut \u00eatre script\u00e9e et se baser sur un fichier qui sera renseign\u00e9 par la soci\u00e9t\u00e9 prestataire elle-m\u00eame et ainsi n\u2019entrainer aucune charge de travail suppl\u00e9mentaire pour l\u2019Organisation<\/strong>.<\/span><\/p>\r\n<\/div>\r\n[\/vc_column_text][\/vc_column][\/vc_row]<\/div>","protected":false},"excerpt":{"rendered":"[vc_row][vc_column][vc_column_text][\/vc_column_text][vc_column_text css=””] Comment ma\u00eetriser et limiter les postes des prestataires avec Azure AD et l\u2019acc\u00e8s conditionnel – REX [\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text css=””] Retour d\u2019exp\u00e9rience d\u2019un projet r\u00e9alis\u00e9 pour un grand compte bas\u00e9 en r\u00e9gion Occitanie, nomm\u00e9e par la suite l\u2019Organisation. \u00a0 \u00a0 \u00a0 \u00a0 Contexte \u00a0 A l\u2019instar de nombreuses entreprises, l\u2019Organisation en question ne fournit plus […]\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"sfsi_plus_gutenberg_text_before_share":"","sfsi_plus_gutenberg_show_text_before_share":"","sfsi_plus_gutenberg_icon_type":"","sfsi_plus_gutenberg_icon_alignemt":"","sfsi_plus_gutenburg_max_per_row":"","footnotes":""},"categories":[1],"tags":[],"class_list":["post-237","post","type-post","status-publish","format-standard","hentry","category-non-classe"],"_links":{"self":[{"href":"https:\/\/deepdef.quaglia.fr\/index.php\/wp-json\/wp\/v2\/posts\/237","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/deepdef.quaglia.fr\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/deepdef.quaglia.fr\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/deepdef.quaglia.fr\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/deepdef.quaglia.fr\/index.php\/wp-json\/wp\/v2\/comments?post=237"}],"version-history":[{"count":3,"href":"https:\/\/deepdef.quaglia.fr\/index.php\/wp-json\/wp\/v2\/posts\/237\/revisions"}],"predecessor-version":[{"id":240,"href":"https:\/\/deepdef.quaglia.fr\/index.php\/wp-json\/wp\/v2\/posts\/237\/revisions\/240"}],"wp:attachment":[{"href":"https:\/\/deepdef.quaglia.fr\/index.php\/wp-json\/wp\/v2\/media?parent=237"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/deepdef.quaglia.fr\/index.php\/wp-json\/wp\/v2\/categories?post=237"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/deepdef.quaglia.fr\/index.php\/wp-json\/wp\/v2\/tags?post=237"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}