When Device Management Becomes the Weapon: Lessons from the Stryker Intune Attack
March 17, 2026
The Stryker Intune attack highlights the risk of operational disruption over data theft in modern enterprise security. Implement these controls to improve your security posture.

Modern enterprise security teams often focus on defending against ransomware and data theft.

But some attacks have a different objective entirely.

Instead of stealing data or demanding ransom, the attackers seek to inflict operational damage.

That appears to have been the case in the recent attack affecting Stryker’s Microsoft Intune environment, where attackers reportedly gained administrative access and used the platform to wipe a large fleet of corporate devices, including workstations and personal mobile devices.

Rather than extorting the company, the adversaries appeared focused on causing maximum disruption to business operations.

The incident highlights an uncomfortable reality for modern IT organizations:

Your device management platform is one of the most powerful and potentially destructive systems in your entire environment.

And if attackers gain administrative control of it, they can weaponize it instantly.

Why Intune Is an Attractive Target

Microsoft Intune is designed to give organizations centralized control over endpoint devices.

Administrators can:

  • Deploy configuration policies
  • Reset device credentials
  • Lock or wipe devices remotely
  • Push applications and updates
  • Remove access to corporate resources

These capabilities are critical for security and compliance—but they also create high-impact destructive potential.

With the right permissions, a single compromised account can:

  • Issue mass device wipe commands
  • Retire thousands of devices
  • Lock users out of corporate resources
  • Destroy endpoint availability across the enterprise

In other words, the same tools that keep devices secure can also be used to disable them at scale.

The Real Attack Surface: Administrative Identity

Most cloud attacks today do not exploit software vulnerabilities.

They exploit privileged identities.

If attackers obtain administrative credentials for Intune or Microsoft Entra ID, the platform itself becomes the attack tool.

The key security question, therefore, becomes:

How do we prevent a single compromised account from executing destructive actions across the environment?

There are three critical controls that dramatically reduce this risk.

Control #1: Enforce Privileged Identity Management (PIM)

Administrative privileges should never be permanent.

Using Microsoft Entra Privileged Identity Management (PIM), organizations can enforce just-in-time access for Intune administrators.

This ensures that elevated privileges must be explicitly activated before use.

Enable PIM for the following roles:

  • Global Administrator
  • Intune Administrator
  • Security Administrator
  • Conditional Access Administrator
  • Privileged Role Administrator

Example PIM Configuration

Activation Settings

Require:

  • MFA during activation
  • Justification for role use
  • Approval from security leadership
  • Maximum activation duration: 1 hour

Example configuration:

Role: Intune Administrator

Activation Requirements:
✔ MFA required
✔ Justification required
✔ Approval required

Maximum duration:
1 hour

Notification:
Security Operations Team

This ensures that even if an attacker obtains credentials, they cannot execute administrative actions without activating the role first.

Control #2: Require Strong MFA for Privileged Accounts

Privileged accounts should always require phishing-resistant MFA.

Weak MFA is still one of the most common root causes of administrative compromise.

Policy Name

Require Phishing Resistant MFA for Privileged Roles

Assignments

Users:

Directory roles:
- Global Administrator
- Intune Administrator
- Security Administrator

Conditions:

All cloud apps
All locations

Grant Controls:

Require authentication strength:
Phishing-resistant MFA
  • FIDO2 hardware keys
  • Microsoft Authenticator with number matching
  • Certificate-based authentication

Avoid relying solely on:

  • SMS authentication
  • Voice-based MFA

These methods are vulnerable to social engineering and SIM swapping attacks.
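The Conditional Access policy above, expressed as the Microsoft Graph request body a practitioner would submit to /identity/conditionalAccess/policies. This is an added example, not Quisitive's or Microsoft's code; the role template IDs and the built-in phishing-resistant authentication strength ID are the documented Entra values, the break-glass account ID is a constructed placeholder, and the validation checks are the reviewer's own lock-out safeguards.

```python
import json

# Built-in Entra directory role template IDs for the three roles the policy targets.
ROLE_TEMPLATES = {
    "Global Administrator": "62e90394-69f5-4237-9190-012177145e10",
    "Intune Administrator": "3a2c62db-5318-420d-8d74-23affee5d9d5",
    "Security Administrator": "194ae4cb-b126-40b2-bd5b-6091b380977d",
}
# Built-in authentication strength "Phishing-resistant MFA".
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"


def build_policy(break_glass_user_ids, state="enabledForReportingButNotEnforced"):
    """Return the POST body for /identity/conditionalAccess/policies."""
    return {
        "displayName": "Require Phishing Resistant MFA for Privileged Roles",
        "state": state,  # start in report-only, switch to "enabled" after review
        "conditions": {
            "applications": {"includeApplications": ["All"]},
            "users": {
                "includeRoles": list(ROLE_TEMPLATES.values()),
                # Emergency-access accounts must be excluded or a broken key
                # or an outage of the strength provider locks every admin out.
                "excludeUsers": list(break_glass_user_ids),
            },
            # No location condition, so the policy applies from all locations.
        },
        "grantControls": {
            "operator": "OR",
            "authenticationStrength": {"id": PHISHING_RESISTANT_MFA},
        },
    }


def validate_policy(policy):
    """Checks to run before enabling the policy; returns a list of problems."""
    problems = []
    if not policy["conditions"]["users"].get("excludeUsers"):
        problems.append("no break-glass accounts excluded")
    strength = policy["grantControls"].get("authenticationStrength", {}).get("id")
    if strength != PHISHING_RESISTANT_MFA:
        problems.append("grant control is not phishing-resistant MFA")
    if policy["conditions"]["applications"].get("includeApplications") != ["All"]:
        problems.append("policy does not cover all cloud apps")
    return problems


if __name__ == "__main__":
    body = build_policy(["BREAK-GLASS-ACCOUNT-OBJECT-ID"])  # constructed placeholder
    print(json.dumps(body, indent=2))
    print("problems:", validate_policy(body))
```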

Control #3: Implement Multi-Admin Authorization (MAA)

One of the most important safeguards against destructive actions is Multi-Admin Authorization. Think of it as the nuclear-launch model: the action requires multiple parties, so a single rogue individual cannot carry it out alone.

This introduces a two-person rule for sensitive operations.

Instead of allowing a single administrator to wipe devices or perform critical actions, the request must be approved by multiple authorized administrators.

This control is similar to security protocols used in financial systems and nuclear command processes.

Example MAA Use Cases

Require multi-admin approval for:

  • Device wipe operations
  • Mass device retire commands
  • Conditional access changes
  • Security policy removal

Example Workflow

Admin A initiates device wipe request

↓ Pending Approval

Admin B reviews and approves request

↓ Execution allowed

Without approval, the action simply cannot execute.

Even if attackers compromise one administrator account, they cannot perform destructive operations without the second approval.

Additional Intune Hardening Best Practices

Security leaders should also consider implementing the following safeguards:

Restrict Administrative Scope

Use role-based access control (RBAC) in Intune to limit administrative access.

Example:

Helpdesk Administrator:
Can reset devices
Cannot wipe devices

Endpoint Admin:
Can manage policies
Cannot modify security policies

Implement Privileged Access Workstations (PAWs)

Administrators should only access management portals from hardened administrative devices.

This prevents attackers from stealing tokens or credentials from compromised user workstations.

Monitor Administrative Activity

Enable logging and monitoring for:

  • Intune administrative operations
  • Device wipe commands
  • Privilege activations
  • Conditional access changes

Feed these logs into Microsoft Sentinel for real-time detection.
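Two of the detections those logs support, run over constructed audit events: a wipe or retire command from an account with no PIM activation inside the one-hour window from Control #1, and a burst of destructive commands from a single actor. This is an added example, not code from Quisitive or Microsoft; the event fields are a simplified stand-in for the Intune and Entra audit schemas, and the burst window and threshold are assumptions to tune for your environment.

```python
from datetime import datetime, timedelta

DESTRUCTIVE_OPS = {"wipe", "retire"}
ACTIVATION_WINDOW = timedelta(hours=1)  # PIM maximum activation duration (Control #1)
BURST_WINDOW = timedelta(minutes=10)    # assumed window for a mass-wipe burst
BURST_THRESHOLD = 5                     # assumed: 5 destructive commands in the window

# Constructed sample events: (timestamp, actor, operation, target).
# Field names are simplified and are not the exact Intune audit schema.
EVENTS = [
    ("2026-03-10T08:00:00", "alice@corp.example", "pim_activate", "Intune Administrator"),
    ("2026-03-10T08:05:00", "alice@corp.example", "wipe", "DEV-0001"),    # inside window
    ("2026-03-10T09:30:00", "alice@corp.example", "wipe", "DEV-0002"),    # activation expired
    ("2026-03-10T13:00:00", "mallory@corp.example", "wipe", "DEV-0100"),  # never activated
    ("2026-03-10T13:00:30", "mallory@corp.example", "wipe", "DEV-0101"),
    ("2026-03-10T13:01:00", "mallory@corp.example", "retire", "DEV-0102"),
    ("2026-03-10T13:01:30", "mallory@corp.example", "wipe", "DEV-0103"),
    ("2026-03-10T13:02:00", "mallory@corp.example", "wipe", "DEV-0104"),
]


def detect(events):
    """Return alerts as (rule, actor, timestamp) tuples."""
    activations, recent, alerts = {}, {}, []
    for ts, actor, op, _target in sorted(events):  # ISO timestamps sort lexically
        t = datetime.fromisoformat(ts)
        if op == "pim_activate":
            activations.setdefault(actor, []).append(t)
            continue
        if op not in DESTRUCTIVE_OPS:
            continue
        # Rule 1: destructive command with no PIM activation in the preceding hour.
        active = any(timedelta(0) <= t - a <= ACTIVATION_WINDOW
                     for a in activations.get(actor, []))
        if not active:
            alerts.append(("destructive_op_without_pim", actor, ts))
        # Rule 2: burst of destructive commands from one actor; fire once at the threshold.
        window = [w for w in recent.get(actor, []) if t - w <= BURST_WINDOW] + [t]
        recent[actor] = window
        if len(window) == BURST_THRESHOLD:
            alerts.append(("mass_wipe_burst", actor, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```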

The Management Plane Is the New Attack Surface

Organizations often invest heavily in protecting:

  • endpoints
  • email systems
  • applications
  • sensitive data

But many overlook the management plane.

This includes systems like:

  • Microsoft Intune
  • Entra ID
  • Azure administration portals
  • automation platforms

If attackers compromise these systems, they gain control over the infrastructure itself.

This makes them one of the most valuable targets in the enterprise.

Why Continuous Security Governance Matters

Implementing security controls once is not enough.

Cloud platforms evolve rapidly, and configurations drift over time.

Security teams must continuously:

  • evaluate identity risks
  • audit privileged access
  • monitor administrative activity
  • validate configuration baselines
  • review device management policies

This is why many organizations adopt a continuous security improvement model.

Programs like Quisitive’s Spyglass security improvement program provide ongoing analysis of an organization’s Microsoft security environment, helping identify misconfigurations, vulnerabilities, and governance gaps before they can be exploited.

Spyglass combines security advisory services, monitoring, and implementation guidance to help organizations operationalize Microsoft security capabilities while continuously strengthening their security posture.

Quisitive incorporates good security practices such as those shared here in every engagement, and especially in projects that deploy Intune in your environment.

Final Takeaway

Attacks like the one that impacted Stryker demonstrate how destructive actions can occur when a single privileged identity gains administrative access to a device management platform.

Controls such as Privileged Identity Management, phishing-resistant MFA, and multi-administrator authorization can significantly reduce or neutralize the risk of these types of attacks.

This incident highlights an important lesson for all of us as security practitioners:

Your device management platform can become a weapon if it is not properly governed.

Organizations deploying Microsoft Intune should ensure they have implemented:

  • Privileged Identity Management for administrative roles
  • Strong MFA enforcement for all privileged accounts
  • Multi-Admin Authorization for destructive actions
  • RBAC restrictions for administrative scope
  • Monitoring and alerting for administrative operations

These controls dramatically reduce the risk that a single compromised identity could disrupt an entire enterprise.

Because in today’s cloud environments, the management plane is often the most powerful, and most dangerous, system you operate.

Until next time,

Ed Higgins