“They got through the firewall,” she said. “They got past the VPN. But they couldn’t fool the ghost.”
She showed him the log: a single API call to the AVD management plane, executed with stolen credentials. The call changed the assignment of a developer’s Cloud PC from “User A” to “Attacker B.” Then, the attacker launched a new session. No brute force. No malware. Just a misconfigured Azure RBAC role.
Marta stared at the alert dashboard. It was 11:47 PM. The office was empty, but the Azure Virtual Desktop host pool was not.
Frustrated, the attacker pivoted. They tried to deploy a new session host directly via the Azure API. But Marta had locked down the with Azure Privileged Identity Management (PIM). You couldn’t spin up a host without a time-bound, approved, audited elevation request.
Marta implemented what she called the Three Locks of Aether.