Frustrated, the attacker pivoted. They tried to deploy a new session host directly via the Azure API. But Marta had locked down the with Azure Privileged Identity Management (PIM) . You couldn’t spin up a host without a time-bound, approved, audited elevation request.
She showed him the log: A single API call to the AVD management plane, executed with stolen credentials. The call changed the assignment of a developer’s Cloud PC from “User A” to “Attacker B.” Then, the attacker launched a new session. No brute force. No malware. Just a misconfigured Azure RBAC role. securing cloud pcs and azure virtual desktop
“But I’ll lose my desktop shortcuts!” a power user complained. Frustrated, the attacker pivoted
Marta smiled. “The cloud isn’t a castle. It’s a river. You can’t build walls. You have to control the flow of trust. Secure the identity. Lock the control plane. And never, ever let the ghost sleep in the gold image.” You couldn’t spin up a host without a
A Security Architect’s Diary