Securing Intune after the Stryker Cyberattack: Multi-Admin Approval

On March 11, 2026, medical technology maker Stryker experienced a massive cyberattack that used the company’s own IT management tools to wipe most of its devices. A single compromised administrator account was used to remotely wipe 80,000 devices in 79 countries using the wipe feature of Intune.

There was no malware involved. The attackers used only Intune’s own legitimate device management capabilities, causing widespread disruption to all company operations. This incident is unfortunately just another cautionary tale for IT departments everywhere, and underscores how critical it is to implement safeguards, such as multi-admin approval, for high-impact actions.

Incident Metrics

Metric                      Value     Description
Devices Wiped               80,000+   Devices factory-reset via Intune in a single attack
Compromised Admin Accounts  1         One stolen credential led to a tenant-wide incident
Recovery Time               3 weeks   Time to fully restore operations

Intune as a Powerful and Potentially Dangerous System

When a device is enrolled into Intune, Intune manages the device and has full access to the device. If a command to factory reset is sent to the device from Intune, the device will execute it immediately because device wipe is also seen as a security feature to guard against theft and misuse.

When attackers hijacked an account with admin access to Intune, they effectively held the “kill switch” for every enrolled device in the company. All it took was one malicious Intune command to simultaneously factory-reset employee laptops, mobile phones, and tablets. There are also reports that employees had personal devices enrolled (computers, smartphones, and tablets), which were also wiped during the attack.

Bottom line, the Stryker incident was actually not a sophisticated attack. Attackers likely phished an account and then used legitimate functionality within the company’s own IT systems to pull off the attack.

Multi-Admin Approval: Secondary Approval for High-Risk Actions

Intune’s Multi-Admin Approval (MAA) is a governance feature that, when configured correctly, can help prevent a repeat of the Stryker attack. With MAA enabled, high-impact changes in Intune will not execute until a second administrator reviews and approves the action. An attacker would therefore need to compromise two admin accounts, not one.

MAA can be applied to such actions as remote wipe, script deployment, RBAC changes, and policy configuration changes (as well as other actions). These are all high-risk/high-impact changes that should be reviewed by another admin.

How to Enable MAA in Microsoft Intune

Here is how you can configure MAA in your environment.

1. Prerequisites

  • Your tenant needs at least two Intune administrator accounts.
  • Assign Intune licenses to the admin accounts that will use MAA.
  • Define three role groups. Bonus points if you use PIM to control these groups so that admins are not permanently assigned to these roles.
    1. Access Policy Manager: Creates and manages the MAA policies.
    2. Approver: Reviews the requests and can either approve or reject them.
    3. Change Requestor: Performs high-impact actions. This should include all admins with access to Intune.

2. Create an Access Policy

  1. Navigate to the Intune Admin Center > Tenant Administration > Multi Admin Approval.
  2. Click + Create to define a new access policy.
  3. Choose the resource type you’re going to protect (e.g., Device Actions, Scripts, RBAC, Apps).
  4. Specify the approver group.
  5. Configure the policy scope and justification requirements.

Endpoint and Intune Security: Control the device, control the action

  • Restrict admin access to compliant and managed devices only.
  • Block all administrative actions from unmanaged devices.
  • Enforce device compliance across your environment.

This prevents attackers from operating outside controlled endpoints.

3. Assign Roles and Permissions

  1. Use Intune RBAC to assign:
    1. Custom roles for Access Policy Managers. They will need permissions to create, read, update, and delete access policies.
    2. Approver roles with read permissions for the Intune resource type.
  2. Assign the approver group to the Intune role as a member group.

4. Test the Workflow. Look for these items.

  1. Confirm that the action enters a pending state and requires the approver’s approval.
  2. The approver can log in, review the request, and either approve or reject it.
  3. Once approved, the original requestor can sign back in to complete the action.

Basic Security Recommendations for Entra ID, M365, and Intune Administrators

Beyond MAA, there are several other things you can do out-of-the-box with Entra to better protect Entra ID, M365, and Intune.

Lock Down Privileged Access

  • Perform an audit of privileged admin roles. Remove any assignments that are no longer necessary.
  • Use dedicated admin accounts that are not also used for general computing, email, or web browsing.
  • Use cloud-only admin accounts for high-privileged roles like global admin or Intune admin. This prevents a compromise in on-prem systems from spreading to your cloud-based systems.
  • Use Conditional Access to restrict admin account use only to approved physical devices.

Use Just-in-Time Access

  • Use Microsoft Entra Privileged Identity Management (PIM) to remove permanent admin privileges.
  • Require approval, justification, and phishing-resistant MFA for all PIM activations, no exceptions.
  • Monitor and alert on unusual PIM activations (such as activating from a new device, strange time of day, new location, etc.).

Strengthen MFA & Conditional Access

  • Enforce phishing-resistant MFA, such as FIDO2 security keys, for all privileged accounts.
  • Prevent weaker MFA methods, such as OTP and SMS, on admin accounts.
  • Apply Conditional Access policies to restrict admin access by device compliance, location, and risk.
  • Block risky sign-ins and enforce reauthentication, including MFA, for sensitive actions.

Monitor and Alert on Unusual Activity

  • Set up alerts for high impact or high-risk actions such as:
    • Mass device wipes
    • New admin role assignments
    • Unusual admin logins, such as from different geographies or devices
  • Use Microsoft Defender for Cloud Apps, Microsoft Sentinel, and Microsoft Entra ID logs for aggregation and visibility.
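The mass-wipe alert above is the one most directly tied to the Stryker incident. The following is an added example (not from the original post, and not Microsoft's own tooling) of the detection logic: it slides a time window over constructed, Intune-style audit records and flags any actor who issues a burst of wipe commands. The record shape and field names (actor, action, device, time) are assumptions for the example; in production you would run the same logic as a Sentinel or Defender for Cloud Apps rule over the real Intune audit log.

```python
"""Flag a burst of Intune device-wipe actions issued by a single admin account."""
from collections import defaultdict
from datetime import datetime, timedelta

WIPE_ACTIONS = {"wipe"}            # action names to count; tune to your log schema

# Constructed sample audit events (not real log data). Field names are assumptions.
# alice: six wipes in under two minutes (attack-like burst)
# bob:   two wipes hours apart (looks like routine offboarding)
SAMPLE_AUDIT_EVENTS = [
    {"actor": "alice@example.com", "action": "wipe",
     "device": f"LAPTOP-{i:03d}", "time": f"2026-03-11T02:0{i // 3}:{(i % 3) * 20 + 5:02d}Z"}
    for i in range(6)
] + [
    {"actor": "bob@example.com", "action": "wipe", "device": "PHONE-201", "time": "2026-03-11T09:15:00Z"},
    {"actor": "bob@example.com", "action": "wipe", "device": "PHONE-202", "time": "2026-03-11T14:40:00Z"},
    {"actor": "alice@example.com", "action": "sync", "device": "LAPTOP-009", "time": "2026-03-11T02:02:00Z"},
]


def parse_time(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_mass_wipe(events, threshold=5, window=timedelta(minutes=10)):
    """Return {actor: peak_count} for every actor who issued >= threshold wipes
    inside any sliding window of the given length. Events may arrive unordered."""
    wipes_by_actor = defaultdict(list)
    for event in events:
        if event["action"] in WIPE_ACTIONS:
            wipes_by_actor[event["actor"]].append(parse_time(event["time"]))

    alerts = {}
    for actor, times in wipes_by_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # advance the window start until the span fits inside `window`
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[actor] = max(alerts.get(actor, 0), count)
    return alerts


if __name__ == "__main__":
    print(detect_mass_wipe(SAMPLE_AUDIT_EVENTS))  # only alice trips the threshold
```

Pair the alert with the MAA policy: a burst that is stuck in "pending approval" is a near miss, while one that completed is an active incident.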

Final Thoughts

The Stryker incident is another example of how an attacker can use your own IT systems against you if they are not properly secured. It underscores that endpoint management platforms like Intune must be included in plans for Tier-0 critical infrastructure, with dedicated time and effort put into securing them.

Going forward, enabling MAA on Intune’s high-impact actions should be considered a baseline requirement for any enterprise using the service at scale. By applying the right security measures, those same tools can be used for IT management without being a security incident waiting to happen.
