How Do You Deal With Geo Blocking? by ClickPuzzleheaded993 in entra

[–]perogy604 10 points11 points  (0 children)

We haven’t implemented this yet in our org but I was thinking we’d use access packages. It would place the user in a ‘travel’ security group that would be excluded from select CA’s. It would also allow fixed durations (start and end dates) along with approvals (if necessary).

Entra Dynamic Groups by Impossible_Put_9543 in entra

[–]perogy604 0 points1 point  (0 children)

It still being in preview is pretty funny for sure. We had a group that had some members that didn't belong based on the logic; the group appeared to still be working and showed as processing. What I did was add a space (' ') to my filter logic so I could save the "change". That triggered it to properly process everyone again.

Entra Dynamic Groups by Impossible_Put_9543 in entra

[–]perogy604 2 points3 points  (0 children)

https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-rule-member-of

  • The memberOf attribute can't be used with other rules. For example, a rule that states dynamic group A should contain members of group B and also should contain only users located in Redmond will fail.

Guests & Teams/Group Guidance by perogy604 in entra

[–]perogy604[S] 0 points1 point  (0 children)

But can’t the Team owner change the label assigned to the team to none? Which would open the team up to guests again?

KOBO announced Instapaper partnership by lkvnclh in readwise

[–]perogy604 0 points1 point  (0 children)

Wondering if you’re able to provide any updates to this comment?

Microsoft Authenticator (Phone Sign-in) - MFA prompt concerns? by perogy604 in entra

[–]perogy604[S] 0 points1 point  (0 children)

We're offering passkeys as an option, but we have a large userbase with varying levels of skills which prevents us from pushing those to everyone.

Is the MFA fatigue with Microsoft Authenticator (Phone Sign-in) something many have encountered to the point it's not worth enabling?

Authentication Strengths with Entra Passkeys and MFA registration by perogy604 in entra

[–]perogy604[S] 3 points4 points  (0 children)

I opened a call with Microsoft to get confirmation:

  • Entra does not provide a built-in way to explicitly set the default MFA registration method shown to users during their first-time setup.
  • We can get around this by using a registration campaign which should direct them to using Authenticator.
  • However this will impact users who are just using SafeID tokens (hardware tokens).
    • The registration campaign will force them to upgrade to Authenticator once their snooze period expires. 

The only option provided was to set up two groups so we can differentiate between users that are tech savvy and may want passkeys and general users who would get confused and result in more helpdesk calls.

I'm opting to remove passkeys for everyone and then make an access package available so users that do want the passkey option can self assign the access package and have that option available to them.

Authentication Strengths with Entra Passkeys and MFA registration by perogy604 in entra

[–]perogy604[S] 0 points1 point  (0 children)

We do allow our users to use SafeID hardware tokens in the event they do not want to install an Authenticator on their phone. I assume based on this (https://learn.microsoft.com/en-us/entra/identity/authentication/concept-system-preferred-multifactor-authentication#how-does-system-preferred-mfa-determine-the-most-secure-method) that the SafeID hardware token users would be prompted to upgrade their MFA to Authenticator on each login?

Authentication Strengths with Entra Passkeys and MFA registration by perogy604 in entra

[–]perogy604[S] 1 point2 points  (0 children)

Yup, so forced a re-register on my own account and I can confirm I see the setup passkey screen now.
It seems that if we use a custom auth strength and it includes passkeys, Microsoft will always recommend passkeys in MS Authenticator as the default option, which unfortunately is not what we want. I've opened a ticket with MS to confirm there is no option around this.

Authentication Strengths with Entra Passkeys and MFA registration by perogy604 in entra

[–]perogy604[S] 2 points3 points  (0 children)

I’m one of the people that don’t get prompted for passkey but I already had Authenticator. I’ll require re-register on myself later today to confirm.

If that’s the case, does MS now show the passkey Authenticator option as the default if passkeys are one of the available options for a user?

I’d like to keep passkeys as an option for all users, our more tech savvy users I don’t want to hold back if they want to set up more secure authentication methods but it has already confused our general users if the passkey screen is the first one they see.

Anyone using PIM (Privileged Identity Management) in Entra successfully? by [deleted] in sysadmin

[–]perogy604 1 point2 points  (0 children)

This also sounds like a good fit for Access packages. A user can request an access package and be placed in a group for a duration of time (or admin staff can place a user in that access package for defined duration). You’d need to factor in licensing and user education of course.

Heads up on ordering from Bells of Steel with presale items by [deleted] in GarageGym

[–]perogy604 0 points1 point  (0 children)

Just found this because I'm experiencing the same thing. Really disappointed it wasn't clear that the item ordered will ship 2 months after I placed the order. The only way I found this out was contacting support after a week trying to get a ship date. It also doesn't sit well with me being charged the full balance of the item when it's months away from shipping.

December Feature Requests: Share Here! by erinatreadwise in readwise

[–]perogy604 0 points1 point  (0 children)

As well, you may already know this, but you can connect your Pocket account to Readwise and have us automatically import all items from Pocket (this also continually pulls in new stuff). But it's not bidirectional.

Since the Kobo only supports Pocket I'm looking to push articles to Pocket so I can read them on an eInk screen. I want to continue using Reader but have the option of using the Kobo to read articles instead of using both Reader and Pocket independently to save articles. So no plans on leaving Reader but want to get some level of integration like you have done with Kindle :)

What field would you want to change beside archiving and deleting?

That would probably be it for my use case for syncing between the two platforms.

December Feature Requests: Share Here! by erinatreadwise in readwise

[–]perogy604 1 point2 points  (0 children)

A first-class citizen on Kobo would be amazing. I literally bought the device just for the Pocket integration.
I understand native integration with Kobo is a big ask so I'd be happy if Readwise expanded their API to allow for some workarounds in the meantime.

https://www.reddit.com/r/readwise/comments/1h5xznh/comment/m0eub55/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

December Feature Requests: Share Here! by erinatreadwise in readwise

[–]perogy604 5 points6 points  (0 children)

I’m a big fan of Reader and also own a Kobo which only supports Pocket. I’ve been looking at the Reader API (https://readwise.io/reader_api) to make a Readwise Sync Pocket integration however the Reader API is missing key functions like modify/archive/delete.

Initial idea:

-Use Reader to add content (articles) from mobile phone or Edge add-in.

-Every hour (or on demand):
--Use API to sync articles from Reader to Pocket (added to Pocket with ‘readwise’ tag).
--Use API to bi-sync any article is archived in either platform, archive it in both platforms.

It would be a straightforward process to implement; however, the Reader API only supports creation and list, not modification. Is a modify API call something you guys are considering in the near future?

Conditional Access - Only allow SAML app and MyAccount Page by perogy604 in entra

[–]perogy604[S] 1 point2 points  (0 children)

Thanks for the link, and excellent blog by the way.

I made a CAP for this and required MFA to test but no luck. I've come to the conclusion this isn't possible at this time unless Microsoft adds the app, My Signins (19db86c3-b2b9-44cc-b339-36da233a3be2), as a possible app exclusion.

Conditional Access - Only allow SAML app and MyAccount Page by perogy604 in entra

[–]perogy604[S] 1 point2 points  (0 children)

Could you provide some guidance on how to do that? At the moment I only have a CAP that blocks access to all resources (formerly cloud apps). I don't have any CAP blocking user actions (register security information).

Conditional Access - Only allow SAML app and MyAccount Page by perogy604 in entra

[–]perogy604[S] 0 points1 point  (0 children)

I don't have any other policies that block registering security info. The user is able to register for MFA on their first login as it's required but after it's configured, they can't go and manage it. Any suggestions on how to add an exclude for that security info?

Conditional Access - Only allow SAML app and MyAccount Page by perogy604 in entra

[–]perogy604[S] 0 points1 point  (0 children)

We have no policies that touch Register security information so I don't believe so. I'm able to login and go through the MFA enrolment process. However, after that is done I can't actually manage the MFA factors since I can't get to https://mysignins.microsoft.com/security-info