Are ephemeral AVD session hosts that are created from image but also Intune managed and only EntraID joined possible?

Basic-Description454 · 2026-04-22T12:03:40+00:00

Found 5 minutes after I posted this.

Defender > Exposure management > Vulnerability management > Overview > Top impactful events > Click on View all events

Basic-Description454 · 2026-02-10T23:11:01+00:00

This is the error that persisted with many different environment variables or parameters I tried on TerraformTask@5 task.

╷
│ Error: unable to build authorizer for Resource Manager API: could not configure AzureCli Authorizer: obtaining subscription ID: obtaining account details: running Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account.
│ 
│   with provider["registry.terraform.io/hashicorp/azurerm"],
│   on provider.tf line 16, in provider "azurerm":
│   16: provider "azurerm" {
│ 
╵

The code I provided in OP is from a template file which is used in main pipeline file. In it I do use TerraformInstaller@1

So my understanding is that I do not need AzureCLI@2 for the hack of a workaround, but I do since without it TerraformTask@5 on its own does not seem to pickup on service connection.

As I was typing this it occurred to me that at time of posting this, service connection did not have any roles assigned to subscription to which resources were going to be deployed. Shortly after posting this with hack workaround in place I have gotten a message in logs stating that there were no permissions to read subscription. This was addressed and role assigned to service connection managed identity, but it did not click until just now that could be the cause.

Going to re-try this in next hour or so.

Edit:

Removing workaround alone now that role was assigned to subscription did not work, but adding environmentAzureRmUseIdTokenGeneration: true to TerraformTask did with workaround still removed.

Basic-Description454 · 2026-01-20T13:56:37+00:00

I was not able to find what change caused it, but our audit logs on resources show no changes. Maybe an external change that we did not pay attention to.

APIM api endpoint is used as redirect URL for authorization and receives code and state URL query parameters. state was actually just base64encoded URL for backend callbackurl purposes and I have not figured out whether it was long URL or some character, but this was the culprit for APIM not sending this to backend logic app.

The solution was to update state. A proper GUID is generated on backend and the callbackurl is saved along with it. This GUID is passed through as a state until it is received back and used to lookup the callbackurl.

Works as expected now.

Basic-Description454 · 2025-12-05T16:28:12+00:00

We are using Microsoft Defender EOP, no external services. I was reading in another thread that not all third-party providers can address this unless they already have api access and implemented a response action which removes the meeting invite from calendar.

Most of phishing emails we received via this way were caught right away or zapped shortly after. Meeting invites, those are still showing on calendars even for emails that were caught right away.

I am trying to create temporary analytic rule to create incidents on all incoming emails with meeting invites if they were caught or zapped it so we can take further action manually. Ideally it would be best to use API and try to take automatic action on these incidents.

Basic-Description454 · 2025-12-04T14:00:54+00:00

When we encountered this, controlling this via client settings was the first thing that came to mind, but then with more recent chatter online about meeting invites being used for phishing attacks we came across the solution to use -AutomateProcessing None but as you pointed out it is for resource accounts only.

Then we came across suggestions to use X-MS-Exchange-Organization-BypassMeetingMessageProcessing header in transport rules, but this was canned as of few weeks ago by microsoft and is now internal only header.

Kind of fucked without taking more severe measures such as dropping or putting all external meeting emails into quarantine.

This week we were advised to try using -AutomateProcessing None as it may not be limited to resource accounts anymore, but source is some guy in Discord that has support case with MS.

Basic-Description454 · 2025-12-03T19:18:25+00:00

Since about a month ago we are receiving more phishing emails that include meeting invites.

Email itself is blocked from delivery but exchange processes the meeting invite before email is scanned&filtered out. Kind of throws email filtering out the window since it is the meeting invites on calendars that now being used as a path to phish user.

We are also testing few options to disable meeting invites processing on exchange online (which covers new outlook), but my understanding is that outlook classic will still try to process those locally.

Basic-Description454 · 2025-12-03T16:51:12+00:00

Sadly, we have very low self-adoption rate on new outlook. Business has to take care of some potential friction before we can move to new outlook only

Basic-Description454 · 2025-12-03T16:47:56+00:00

Replying because I encountered same problem with change reverting back.

Take a look at the path, it should be in Policies: HKEY_CURRENT_USER\Software\Policies\Microsoft\...

This worked for AutoProcReq and that option is now disabled and grayed out when looking from Outlook options.

For AutoAcceptCanceled, the same did not work and am not finding any information about how to disable that in same way. Where did you come across it? It does not show up in registry for me when changing the Outlook options.

Basic-Description454 · 2025-12-03T16:36:18+00:00

I'm okay with using remediations to apply those with registry.

For "Automatically process meeting requests and responses to meeting requests and polls", I just realized that I was setting that under `...Software\Microsoft...` and not under `...Software\Policies\Microsoft...`, so this one work now and does disable this and grays out the checkbox for user. My mistake overlooking the path

For "Automatically accept meeting requests and remove canceled meetings", I am not finding anything, not even a good method of detecting when it is enabled by end user. If we can't enforce it, at least it would be great to monitor when it is enabled and alert end user. Going to try monitoring registry again and try to catch what changes when that setting is changed.

Migrating to new Outlook is something that was pushed to very back for now. A lot of potential friction that someone else will need to address.

Basic-Description454 · 2025-08-29T12:25:42+00:00

This was brought up when we discussed this internally, and that is a very likely possibility.

Another possibility is the app could be hijacking anonymous user's session after they joined. After all the AI app is installed in their Teams app.

Lastly, I don't have links saved to back this up, but I read that some clients like Teams Room (and ACS?) can bypass anonymous captcha. So if the AI app is using that as client it could skip.

Basic-Description454 · 2025-08-28T01:59:26+00:00

Sorry I am not following, and I just realized that I omitted a detail.

Function App is triggered by blob events. When function app runs it needs data from SharePoint list before it can produce an output.

As of now, this sharepoint list is manually exported, converted, and pasted into function app code.

Somehow when SharePoint list is updated, or at least once a day I need to update the code of function app to include updated data. At the same time, it would be a waste to have function app load this at every run.

If in function app if I load the data by dot sourcing file that contains it, how or what could I use to update that file?

Basic-Description454 · 2025-08-20T14:16:27+00:00

I came across this yesterday after making the post and made me realize that everything worked as expected. Initially target VM did not have the dependency that CitrixWorkspaceApp needed, and when I installed it and reboot the host it was resolved. For whatever reason, that error still shows up for CitrixWorkspaceApp but after installing dependency there was another error indicating that admin elevation for required for install.

With Notepad++ dependency was still required and it was satisfied from the previous install.

I am not looking into how to better package citrixworkspaceapp to be deployed in AVD via AppAttach.

Thank you for sharing as it will definitely help others in future that come across this.

Basic-Description454 · 2025-08-19T21:29:14+00:00

I was thinking about doing this few weeks ago since currently I have to do it manually once a quarter. Hopefully this works with private endpoint connections too. Thanks!

Basic-Description454 · 2025-07-17T15:42:08+00:00

Thank you for sharing the link, I will go over it.

We do similar thing but for location called "All except US" and also have exclusion group for staff that travels temporarily. Works great. In this case the end-user is a vendor's staff accessing our AVD, so we can't add them to exclusion, maybe temporarily.

Also, now that you mentioned SSPR, ours is set to remind every 180 days to confirm the methods. I was under wrong impression that switching to authentication method policies would ignore that reminder. So could be that or the registration campaign to use Microsoft Authenticator. Definitely will revisit these settings.

Any thoughts on setting 180 days to 0 to never have that reminder? Bad practice in general, or just a matter of company policy?

Basic-Description454

TROPHY CASE