At a high level, we are using Azure Virtual Desktop to provide an enclave that can access PreVeil - the method of authentication to the AVD is Entra ID (with MFA and everything else) - we sync accounts from local AD. Would the domain controllers be considered Security Protection Assets and would that local AD be in scope of the assessment? Would it be better to simply make them CLOUD ONLY accounts?

Edit - I also found this which makes me believe the DCs are in scope.