The CISO read the log. “What’s the lesson for the board?”
She showed him the log: A single API call to the AVD management plane, executed with stolen credentials. The call changed the assignment of a developer’s Cloud PC from “User A” to “Attacker B.” Then, the attacker launched a new session. No brute force. No malware. Just a misconfigured Azure RBAC role.
She turned on Conditional Access policies with strict terms. No more trusting a token just because it came from a corporate device. Now, every connection to AVD required a compliant device claim (Intune-managed) AND a sign-in risk check (Microsoft Entra ID Protection). If the user’s behavior was unusual—like logging in from a new country at 3 AM—the session was blocked, even if the password was correct.
The CISO went pale. “So they can just… reassign a computer to themselves?”
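The two policies described above, expressed as Microsoft Graph conditionalAccessPolicy request bodies (POST /identity/conditionalAccess/policies). This is an added example, not the story's or Microsoft's own configuration; the group ID and the AVD application ID are placeholders to be replaced with your tenant's values.

```json
[
  {
    "displayName": "AVD - require Intune-compliant device",
    "state": "enabled",
    "conditions": {
      "users": { "includeGroups": ["<avd-users-group-id>"] },
      "applications": { "includeApplications": ["<avd-app-id>"] },
      "clientAppTypes": ["all"]
    },
    "grantControls": {
      "operator": "AND",
      "builtInControls": ["compliantDevice", "mfa"]
    }
  },
  {
    "displayName": "AVD - block medium/high sign-in risk",
    "state": "enabled",
    "conditions": {
      "users": { "includeGroups": ["<avd-users-group-id>"] },
      "applications": { "includeApplications": ["<avd-app-id>"] },
      "signInRiskLevels": ["medium", "high"],
      "clientAppTypes": ["all"]
    },
    "grantControls": {
      "operator": "OR",
      "builtInControls": ["block"]
    }
  }
]
```

Deploy first with "state": "enabledForReportingButNotEnforced" and review the sign-in logs, so that a mis-scoped group or app ID does not lock out the whole desktop fleet; also exclude a break-glass account from both policies.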
The attacker lasted seven minutes. Then they vanished.
Marta implemented what she called the Three Locks of Aether.
Because if you can access a virtual desktop from a beach in Bali, so can a threat actor—if they steal the right key.