Hi all,

Just wondering what to do to get MDI to apply some basic intelligence to account alerts. We (and many customers) have been deploying services like Azure Virtual Desktop over recent months. These are used for ad-hoc access to legacy on-prem services. As a result MDI/MCAS turns into a stream of risky logon spam. 

All the AVD virtual machines are hybrid joined and compliant. 

I can't exclude/trust the source IP as it is dozens of Azure data centre outbound IP locations and shared amongst random tenants.

I was wondering about setting the AVD azure vnet as a trusted location, I don't like to do this as a user or intruder just needs to happen to use the same subnet on their internal network and treats it as trusted. This would be for MCAS and I'm not sure that would have any impact on MDI risky sign-ins.

I can't see a way to tell MDI that access from virtual desktop is fairly trusted, the access being intermittent and ad-hoc seems to be preventing it from learning that these are 'internal systems'. With Windows 365 and continued uptake of AVD I can see this getting much worse to the point where genuine sign-in risk just gets lost in the sea of virtual desktop spam.

Guidance and experience appreciated.

Pete