A Security Architect’s Diary
She turned on Conditional Access policies with strict terms. No more trusting a token just because it came from a corporate device. Now, every connection to AVD required a compliant device claim (Intune-managed) AND a sign-in risk check (Microsoft Entra ID Protection). If the user’s behavior was unusual—like logging in from a new country at 3 AM—the session was blocked, even if the password was correct.
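The identity lock described above, expressed as two Conditional Access policies created with the Microsoft Graph PowerShell SDK. This is an added example, not code from the diary; the AVD application ID and the break-glass account ID are placeholders you must replace with the values from your own tenant.

```powershell
# Added example: Conditional Access for AVD via Microsoft Graph PowerShell.
# Placeholders (assumptions, not values from the original text):
#   $avdAppId     - app ID of the Azure Virtual Desktop enterprise application in your tenant
#   $breakGlassId - object ID of an emergency-access account excluded from both policies
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$avdAppId     = "<AVD-APP-ID-PLACEHOLDER>"
$breakGlassId = "<BREAK-GLASS-ACCOUNT-OBJECT-ID-PLACEHOLDER>"

# Policy 1: every connection to AVD must present an Intune-compliant device claim.
$requireCompliant = @{
    displayName   = "AVD - require compliant device"
    state         = "enabledForReportingButNotEnforced"  # switch to "enabled" after reviewing report-only results
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @($avdAppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("compliantDevice")
    }
}

# Policy 2: block the session when Entra ID Protection rates the sign-in medium or high risk,
# regardless of whether the password was correct.
$blockRiskySignIn = @{
    displayName   = "AVD - block medium/high sign-in risk"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users            = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications     = @{ includeApplications = @($avdAppId) }
        clientAppTypes   = @("all")
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

foreach ($policy in @($requireCompliant, $blockRiskySignIn)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object DisplayName, State, Id
}
```

Both policies start in report-only mode so the sign-in logs show who would have been blocked before enforcement is turned on.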
In the morning, Marta walked to the CISO’s office. She placed a single piece of paper on his desk. It was a printout of the failed login attempts.
The CISO went pale. “So they can just… reassign a computer to themselves?”
The old network security groups were wide open. Marta redesigned the virtual network. She enabled AVD’s RDP Shortpath for low latency, but wrapped it in Azure Firewall with FQDN-based filtering. More critically, she deployed Network Security Groups (NSGs) at the subnet level that only allowed RDP traffic from the AzureInstanceMetadataService tag—no direct internet access for session hosts. If a Cloud PC was compromised, it couldn’t phone home. It was a silent room with no windows.
The CISO read the log. “What’s the lesson for the board?”
Marta implemented what she called the Three Locks of Aether.
Because if you can access a virtual desktop from a beach in Bali, so can a threat actor—if they steal the right key.