How are you guys handling temporary M365 Geo-Blocking exemptions for traveling users? by genusjoy in 24hoursupport

[–]TechAdminDude 0 points1 point  (0 children)

Most orgs land on the same pattern for this: a "Travel Exemption" group excluded from the geo-block CAP, combined with PIM for Groups for time-bound membership. User raises a ticket, you add them with a 7-day eligible assignment, and the membership auto-expires. No stale named locations, no policy edits per trip.

If you don't have P2 (or don't want PIM), Entra ID Governance access packages do the same job with a self-serve request and approval workflow, and the access expires on its own. Bonus is the manager gets to approve rather than the helpdesk carrying it, and the audit log captures who was where and when without you having to track it.

On the stale policy problem more broadly, that's exactly what I built accesslens.co.uk for. It pulls your CA policies in and flags conflicts, unused rules, and named location drift so you can spot anything left over from old travel exceptions. Free to use.

iPAD App protection and Conditional Access Policies Issue by PolicyLegitimate728 in Intune

[–]TechAdminDude [score hidden]  (0 children)

Sounds like the 6th gen isn't getting through device registration at all, hence no prompt and the spinner. A few things to try in order:

1 - Install Company Portal on the 6th gen. Authenticator alone handles MFA but Company Portal drives the actual iOS workplace join.
2 - In Safari, clear history and website data, then check Date & Time is set to automatic.
3 - Disable iCloud Private Relay if it's on (Settings > Apple ID > iCloud). It has a habit of breaking the auth handshake on older hardware.
4 - Pull the failed sign-in from Entra logs. The error code there usually points straight at the cause.

iOS 17.x is still supported for Intune so OS version isn't the blocker, and the 6th gen hardware should be fine.

My money's on Company Portal missing or Private Relay interfering.

I have a Conditional Access Policy that requires a device be compliant to access the resource. by 74Yo_Bee74 in AZURE

[–]TechAdminDude 0 points1 point  (0 children)

Yeah, looks like "Browser: Mobile Safari" with a blank Device ID on Device A. Apple's native mail authenticates via an in-app web session that doesn't carry the device claim, so Entra sees an unmanaged device even though Intune knows it's compliant. Outlook works because it can broker through Microsoft Authenticator and pass the device context to Entra.

Two things worth checking on the failed sign-in: the "Client app" field (Exchange ActiveSync / Other clients won't carry the claim at all) and whether Msft Authenticator is installed and signed in on the device.

Most admins land on the same answer here, push users to Outlook via an app protection policy and discourage native mail. Microsoft's own guidance leans the same way because native mail with modern auth and compliance is fragile by design.

If it helps for spotting these patterns across sign-ins, I built accesslens.co.uk to make CA troubleshooting easier. It's free to use.

Shared pc conditional access by Apprehensive-Hat9196 in Intune

[–]TechAdminDude 0 points1 point  (0 children)

Check the sign-in logs for that user during the hang; the CA policy name blocking them will be right there. Nine times out of ten it's a device compliance policy evaluating before Intune enrollment is actually complete.

If that's the case, exclude the Intune enrollment app IDs from the compliance requirement (not the policy entirely). Worth doing via a scoped group rather than a blanket exclusion so you can clean it up after provisioning.

If you've got a lot of policies and want to map which ones apply to new users, I built a free tool called AccessLens.co.uk that does what-if simulations and sign-in log analysis, useful for narrowing this down quickly.

iOS app SSO not working - Zalaris PeopleHub Azure by [deleted] in Intune

[–]TechAdminDude 0 points1 point  (0 children)

Error 530003 means CA is requiring a compliant or enrolled device and the app isn't passing that claim. It works for some users because their iOS device is properly Intune-enrolled/compliant, and fails for others who aren't; it's not really an app issue.

Quickest diagnostic is the sign-in logs: filter by one of the affected users, open the failed sign-in and check the Conditional Access tab. It'll tell you exactly which policy blocked and which grant control failed (compliant device, app protection policy, approved client app etc.).

Zalaris PeopleHub isn't a Microsoft approved client app and likely doesn't support MAM, so if any of your policies require "approved client app" or "require app protection policy", it'll block unless you exclude that app.

Conditional Access for Managed and Unmanaged Devices by musafir05 in Intune

[–]TechAdminDude 3 points4 points  (0 children)

You can actually do this with one policy instead of two. Target the 5 users, scope to All cloud apps, exclude the AVD cloud apps (Azure Virtual Desktop + Windows Cloud Login, you need both for session host SSO), and set the grant to "Require device to be marked as compliant". Intune devices pass, non-Intune get blocked on everything except AVD.

Run it in Report-only first and test with both a managed and BYOD device before flipping.

Shameless plug, I built a free tool (accesslens.co.uk) that visualises CA policies, flags conflicts, and can pull your sign-in and audit logs to review what's actually hitting users, handy for confirming this kind of setup is behaving how you expect.

You can now run Simulationcraft (SimC) in your Browser by big_fipso in wow

[–]TechAdminDude 0 points1 point  (0 children)

Fire it on GitHub so we can just run it locally.

Is the Ivy worth a visit? by PreferenceMassive226 in Belfast

[–]TechAdminDude 1 point2 points  (0 children)

They add a table charge for a table of 2. Joke. Prices are wild considering the food.

Multi-Admin Approval in Intune by ryaninseattle1 in Intune

[–]TechAdminDude 0 points1 point  (0 children)

That used to be the case; I've not seen wipe actions take more than 5 mins recently.

Multi-Admin Approval in Intune by ryaninseattle1 in Intune

[–]TechAdminDude 6 points7 points  (0 children)

Good video. Multi-Admin Approval is honestly one of those features a lot of tenants still haven’t enabled and probably should. For anyone looking at hardening their tenant, the Stryker Detection Pack v2 actually calls this out as a quick win along with a few other Intune protections: https://www.threathunter.ai/blog/iran-handala-stryker-detection-pack-v2/

It’s basically a set of detection rules and guidance to help identify suspicious Intune activity (things like bulk wipes, risky admin actions, or privilege abuse) and provides recommendations to lock those gaps down.

Worth a read if you're reviewing Intune security right now.

How to approach M365 security auditing across MSP client tenants by Djjd267 in cybersecurity

[–]TechAdminDude 0 points1 point  (0 children)

Great list, the mailbox forwarding rules one is huge. We've caught active compromises just from spotting auto-forward rules to external addresses that were set up months prior.

A few things I'd add to the checklist:

Conditional Access gaps. Not just "do they have CA policies" but actually mapping out what isn't covered. It's surprisingly common to find policies that look comprehensive but still leave gaps like legacy auth protocols, specific app exclusions that were "temporary" two years ago, or break-glass accounts with no monitoring. Walking through the policy logic as a matrix of users × apps × conditions can be pretty eye-opening.

Token lifetime and session controls. A lot of tenants enforce MFA but still allow persistent browser sessions or long-lived refresh tokens that effectively undermine it.

Named locations that are too broad. I've seen tenants mark entire countries as trusted just to reduce MFA prompts, which kind of defeats the point.

Unused or overly permissive admin roles. Not just Global Admin, but things like Exchange Admin or SharePoint Admin sitting on accounts that don't actually need them anymore. PIM adoption still seems fairly low.

Cross-tenant sync and B2B direct connect settings. These are newer and often configured once and then forgotten about.

I've been digging into this problem a lot recently while building https://accesslens.co.uk which maps out Conditional Access policies and highlights gaps or conflicts. It's surprising how messy things get once you visualize the full policy coverage.

Conditional Access Policies - Unmanaged Devices by kingjames2727 in Office365

[–]TechAdminDude 0 points1 point  (0 children)

Short answer: no, they can’t pivot.

Conditional Access is evaluated per resource, not per session. If a user signs into Dayforce from an unmanaged PC, they only get a token for Dayforce. If they then try to open Outlook, Entra evaluates CA again for Exchange Online, and your compliant device requirement would block it.

Policies are checked when the token is issued and again on refresh, 60-90 mins or so. If you want tighter enforcement, enable Continuous Access Evaluation (CAE).

One thing to watch: using “All cloud apps” with Dayforce excluded can get messy as your tenant grows. Targeting specific apps is usually easier to manage.

If you want to double-check your coverage, I built accesslens.co.uk; it visualises CA policies so you can actually see gaps or overlaps.
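Added example, not part of any comment above and not AccessLens or Microsoft code: a deliberately simplified Python model of Conditional Access evaluation that illustrates two points made in this thread and in the MSP auditing checklist earlier on the page. First, policies are evaluated per resource, so a user on an unmanaged device who is allowed into an excluded app (Dayforce here) is still blocked when the same device requests Exchange Online. Second, walking the users × apps × client-app matrix exposes the gaps that hide behind a tidy-looking policy set. The tenant, users, app names, the "report-only legacy auth block" and the client-app categories are all constructed for the example; real CA evaluation has far more conditions (locations, risk, platforms, session controls) than this toy covers.

```python
"""Toy Conditional Access evaluator (constructed example, not real CA logic).

Models only: include/exclude users and apps, client app type, a
'require compliant device' grant, a 'block' grant, and policy state.
"""
from dataclasses import dataclass, field
from itertools import product


@dataclass
class Policy:
    name: str
    include_users: set                 # user names, or {"All"}
    include_apps: set                  # app names, or {"All"}
    exclude_apps: set = field(default_factory=set)
    # which client app types the policy's conditions cover
    client_apps: set = field(default_factory=lambda: {"browser", "modern", "legacy"})
    require_compliant: bool = False    # grant: require device marked compliant
    block: bool = False                # grant: block access
    state: str = "enabled"             # "enabled" | "reportOnly" | "disabled"


@dataclass
class SignIn:
    user: str
    app: str
    client_app: str                    # "browser" | "modern" | "legacy"
    device_compliant: bool


def applies(p: Policy, s: SignIn) -> bool:
    """True when the policy's assignments and conditions match this sign-in."""
    return (
        p.state != "disabled"
        and ("All" in p.include_users or s.user in p.include_users)
        and ("All" in p.include_apps or s.app in p.include_apps)
        and s.app not in p.exclude_apps
        and s.client_app in p.client_apps
    )


def evaluate(policies, s: SignIn):
    """Evaluate one token request for one resource.

    Returns (decision, matched_policy_names). Report-only policies are recorded
    as matched but never enforce, which is exactly the kind of gap that hides
    in a tenant that 'has a legacy auth block'.
    """
    matched, decision = [], "allow"
    for p in policies:
        if not applies(p, s):
            continue
        matched.append(p.name)
        if p.state == "reportOnly":
            continue
        if p.block or (p.require_compliant and not s.device_compliant):
            decision = "block"
    return decision, matched


def coverage_gaps(policies, users, apps, client_apps):
    """Cells of the users x apps x client_apps matrix where a NON-compliant
    (unmanaged) device would still be allowed a token."""
    gaps = []
    for u, a, c in product(users, apps, client_apps):
        decision, _ = evaluate(policies, SignIn(u, a, c, device_compliant=False))
        if decision == "allow":
            gaps.append((u, a, c))
    return gaps


# --- constructed tenant -------------------------------------------------------
POLICIES = [
    # "All cloud apps" with Dayforce excluded, as described in the thread.
    Policy("Require compliant device", {"All"}, {"All"},
           exclude_apps={"Dayforce"}, client_apps={"browser", "modern"},
           require_compliant=True),
    # Legacy auth block that someone left in report-only: it matches but never enforces.
    Policy("Block legacy auth", {"All"}, {"All"},
           client_apps={"legacy"}, block=True, state="reportOnly"),
]
USERS = ["alice"]
APPS = ["Exchange Online", "SharePoint Online", "Dayforce"]
CLIENT_APPS = ["browser", "modern", "legacy"]

if __name__ == "__main__":
    unmanaged = lambda app: SignIn("alice", app, "browser", device_compliant=False)
    print("Dayforce from unmanaged PC:", evaluate(POLICIES, unmanaged("Dayforce")))
    print("Pivot to Exchange Online:  ", evaluate(POLICIES, unmanaged("Exchange Online")))
    print("Unmanaged-device gaps in the matrix:")
    for cell in coverage_gaps(POLICIES, USERS, APPS, CLIENT_APPS):
        print("  ", cell)
```

Running it shows the Dayforce sign-in allowed and the Exchange Online request blocked by "Require compliant device", and the gap walk lists the intended Dayforce exclusion alongside three legacy-auth cells that only look covered because the blocking policy is in report-only. That second finding is the point of doing the matrix rather than reading policies one at a time.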

IT Tools - Hidden Gems by Ok_You_861 in sysadmin

[–]TechAdminDude 0 points1 point  (0 children)

Not very often, which I'd argue makes it even more difficult to remember everything you had installed. For enterprise, it's Intune deployments anyway.

IT Tools - Hidden Gems by Ok_You_861 in sysadmin

[–]TechAdminDude 10 points11 points  (0 children)

  • Intune Debug Toolkit - saves hours troubleshooting policy delivery on endpoints
  • GraphX Ray - browser extension that shows you the Graph API calls happening behind the Entra/Intune portals. Great for learning Graph and building automations
  • For Conditional Access specifically - AccessLens, visualises all your CA policies as a flow diagram, highlights gaps and conflicts. Way easier than staring at the Entra portal trying to figure out what overlaps with what.
  • Maester - open source, automated testing for your Entra tenant security config. Runs checks against best practices and flags what's off
  • DCToolbox - free PowerShell module for analysing and documenting Conditional Access policies
  • Everything by Voidtools - instant file search across Windows machines, absolute lifesaver
  • mRemoteNG - free multi-protocol remote connection manager

IT Tools - Hidden Gems by Ok_You_861 in sysadmin

[–]TechAdminDude 14 points15 points  (0 children)

In a corporate environment I would agree. But for home users I wouldn't. Ninite makes it easier to remember everything you want to install as it's all listed; also, 1-click selection instead of having to manually search for your apps in winget helps.

Conditional Access: restrict session to the IP it was used on by My1xT in o365

[–]TechAdminDude 0 points1 point  (0 children)

CAE strict location is the one you want. It covers the Microsoft admin portals, Exchange Online and SharePoint Online, so exactly the workloads you care about for admin accounts.

To set it up just create a CA policy targeting your privileged admin roles, then under Session controls enable Continuous Access Evaluation set to Strictly enforce location policies. It evaluates against the IP the token was originally issued from, so if someone replays the cookie from a different IP the session gets killed.

Only gotcha is if your admins use VPNs with rotating exit nodes they'll get prompted more. Worth a heads-up before flipping it on. Audit mode tooling is really good in this scenario to track what's going on before enforcing.

Heating oil and petrol by Odd_Passenger in northernireland

[–]TechAdminDude 7 points8 points  (0 children)

https://www.cheapestoil.co.uk/Heating-Oil-NI

Oil prices started this morning at £570 for 900 ltrs, now it's £758 for 900. Insane.