Securing Cloud PCs and Azure Virtual Desktop

The CISO read the log. “What’s the lesson for the board?”
“If we don’t lock down the control plane, yes,” Marta said. “The Cloud PC is a ghost. You can’t handcuff a ghost. You have to lock the séance room.”
“They got through the firewall,” she said. “They got past the VPN. But they couldn’t fool the ghost.”
At 2:17 AM, the alert fired again. A new ghost session. But this time, the Conditional Access policy rejected it.
She showed him the log: A single API call to the AVD management plane, executed with stolen credentials. The call changed the assignment of a developer’s Cloud PC from “User A” to “Attacker B.” Then, the attacker launched a new session. No brute force. No malware. Just a misconfigured Azure RBAC role.
The attacker lasted seven minutes. Then they vanished.
Frustrated, the attacker pivoted. They tried to deploy a new session host directly via the Azure API. But Marta had locked that down with Azure Privileged Identity Management (PIM). You couldn’t spin up a host without a time-bound, approved, audited elevation request.
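The two control-plane events in the story (a Cloud PC reassignment made with stolen credentials, then a session-host deployment that PIM refused) are exactly what a detection rule over the Azure Activity Log should surface. The following is an added example, not code from the story or from Microsoft: it correlates constructed activity-log entries with a list of approved PIM activation windows and flags sensitive writes that succeeded outside any activation, plus writes that were blocked. The log line format, the caller names, the `CloudPC/userAssignments/write` operation name and the role-to-operation mapping are all assumptions made for illustration; `Desktop Virtualization Contributor` is a real built-in Azure role, but treating it as the single required role is a simplification.

```python
"""Flag AVD / Cloud PC control-plane writes not covered by a PIM activation.

Added example with constructed data; not the story's or Microsoft's code.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class PimActivation:
    """One approved, time-bound PIM activation (constructed record)."""
    principal: str
    role: str
    start: datetime
    end: datetime


# Operations that change who can reach a desktop or which hosts exist.
# The CloudPC entry is a hypothetical name standing in for the
# reassignment call described in the story; it is not a documented Azure operation.
SENSITIVE_OPERATIONS = {
    "Microsoft.DesktopVirtualization/hostPools/sessionHosts/write",
    "Microsoft.Authorization/roleAssignments/write",
    "CloudPC/userAssignments/write",  # hypothetical
}

# Constructed sample activity-log lines (JSON lines). The first two mirror the
# story: a successful reassignment with a stolen service identity, then a
# session-host deployment that failed authorization. The last two are benign.
SAMPLE_LOG = """
{"time": "2024-05-01T01:58:12Z", "caller": "svc-imaging@contoso.example", "operation": "CloudPC/userAssignments/write", "status": "Succeeded", "resource": "cpc-dev-017", "detail": "assignedUser: user.a -> attacker.b"}
{"time": "2024-05-01T02:05:40Z", "caller": "svc-imaging@contoso.example", "operation": "Microsoft.DesktopVirtualization/hostPools/sessionHosts/write", "status": "Failed", "resource": "hp-dev/sh-rogue-01", "detail": "AuthorizationFailed"}
{"time": "2024-05-01T09:15:03Z", "caller": "avd-admin@contoso.example", "operation": "Microsoft.DesktopVirtualization/hostPools/sessionHosts/write", "status": "Succeeded", "resource": "hp-dev/sh-dev-09", "detail": "scheduled scale-out"}
{"time": "2024-05-01T09:20:11Z", "caller": "avd-admin@contoso.example", "operation": "Microsoft.DesktopVirtualization/hostPools/read", "status": "Succeeded", "resource": "hp-dev", "detail": ""}
"""

# Constructed PIM activation list: only avd-admin has an approved window.
ACTIVATIONS = [
    PimActivation(
        principal="avd-admin@contoso.example",
        role="Desktop Virtualization Contributor",
        start=datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc),
        end=datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc),
    ),
]


def parse_time(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_entries(jsonl: str) -> list[dict]:
    """Parse JSON-lines activity log text into dicts with aware datetimes."""
    entries = []
    for line in jsonl.strip().splitlines():
        entry = json.loads(line)
        entry["time"] = parse_time(entry["time"])
        entries.append(entry)
    return entries


def covered_by_pim(entry: dict, activations: list[PimActivation], role: str) -> bool:
    """True if the caller held an activation for `role` spanning the event time."""
    return any(
        a.principal == entry["caller"] and a.role == role and a.start <= entry["time"] <= a.end
        for a in activations
    )


def triage(entries: list[dict], activations: list[PimActivation],
           role: str = "Desktop Virtualization Contributor") -> tuple[list[dict], list[dict]]:
    """Split sensitive operations into (succeeded without PIM cover, blocked attempts)."""
    unapproved, blocked = [], []
    for entry in entries:
        if entry["operation"] not in SENSITIVE_OPERATIONS:
            continue  # reads and other noise are ignored
        if entry["status"] != "Succeeded":
            blocked.append(entry)  # PIM / RBAC did its job, but someone tried
        elif not covered_by_pim(entry, activations, role):
            unapproved.append(entry)  # the high-severity case: it worked, and nobody approved it
    return unapproved, blocked


if __name__ == "__main__":
    flagged, attempts = triage(load_entries(SAMPLE_LOG), ACTIVATIONS)
    for e in flagged:
        print(f"ALERT  {e['time']:%H:%M} {e['caller']} {e['operation']} {e['resource']} ({e['detail']})")
    for e in attempts:
        print(f"BLOCKED {e['time']:%H:%M} {e['caller']} {e['operation']} {e['resource']}")
```

The first line of output is the seven-minute window from the story: a write that succeeded with a principal that never went through an elevation request. The second is the pivot that PIM refused. In a real deployment the activation list would come from the PIM audit history rather than a hard-coded list, and the operation set would be tuned to the resource providers actually in use.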