The Stryker Incident: When Your Own Tools are Weaponized (and How to Stop It)

You’ve probably heard about the recent activity at Stryker, and to put it bluntly: it sucks. In March 2026, the medtech giant got hit by a massive “living off the land” attack. The scary part? The attackers reportedly hijacked Microsoft Intune to send remote wipe commands to over 200,000 devices.

Imagine waking up to find your entire fleet—including employee personal devices—factory reset by your own MDM. It’s every admin’s worst nightmare.

If you’re managing an Azure/Intune environment, this is a loud wake-up call. The problem isn’t the tool; it’s the single point of failure in how we grant access. Here is the blueprint to harden your tenant so your own tools aren’t used against you.


A Note on the “Security Journey”

Before we dive into the technical bits, let’s be real: information security is never “finished.” There is always another layer to peel back, another log to analyze, and another zero-day to patch. Think of the steps below as your “Security 101” foundation—they are designed to mitigate the biggest, easiest risks and get your team’s juices flowing toward a true Zero Trust mindset. Once these are in place, you can start looking at more advanced stuff like E5 Sentinel hunting or automated playbooks.


1. Multi-Admin Approval (The “Nuclear Key” Strategy)

In the Stryker case, if an attacker gets an Intune Admin’s credentials, they have the keys to the kingdom. Multi-Admin Approval (MAA) changes that. It requires a second pair of eyes before high-impact actions (like wiping a device or changing a security baseline) actually happen.

  • The Fix: In the Intune admin center, go to Tenant administration > Multi Admin Approval.
  • How it works: You create an access policy for “Wipe” or “Delete” actions. Even if “Admin A” is compromised, the attacker can’t trigger a mass wipe because “Admin B” (who is hopefully drinking coffee and not being hacked) has to hit Approve in their own console first.

2. Privileged Identity Management (PIM)

Nobody should be a Global Admin 24/7. Standing privileges are a massive liability. Azure PIM ensures that admins only have “God Mode” when they’re actually working.

  • The Fix: Make your sensitive roles (Intune Admin, Global Admin) Eligible instead of Active.
  • The Flow: When you need to do work, you “activate” the role, provide a reason, and pass an MFA challenge. Once your 2-hour window is up, the permissions vanish. If an attacker steals your creds at 2:00 AM, they have zero permissions to use.

3. The “Admin Fortress” Conditional Access Policy

Why should an admin be able to log in from a random IP in another country? Or from a personal, unmanaged PC? We need to build a wall around the management portals.

The Template:

  • Name: CA001: Admins - Require Compliant Device & Trusted Location
  • Users: Include Directory Roles (Intune Admin, Global Admin). Exclude one emergency “Break-Glass” account.
  • Target Apps: Select Microsoft Intune and Microsoft Entra ID.
  • Conditions:
    • Location: Include Any, Exclude Trusted Locations (Your Office/VPN IPs).
    • Device State: Require device to be marked as Compliant.
  • Grant: Select Block access if conditions aren’t met, or Require MFA + Compliant Device.

Why this works: Even if an attacker has the password and session token, if they aren’t on a Stryker-managed, healthy laptop inside the corporate network, they are dead in the water.
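As an added example (written for this post, not Microsoft's code or anything from the original article), here is the template above expressed as the Microsoft Graph `conditionalAccessPolicy` body you would POST to `/identity/conditionalAccess/policies` (or pass to `New-MgIdentityConditionalAccessPolicy`), plus a lint that catches the mistakes that bite most often: forgetting the break-glass exclusion, forgetting to exclude trusted locations, and using OR instead of AND on the grant. The break-glass object ID is a placeholder; the role template IDs and the `MicrosoftAdminPortals` target are Microsoft's built-in values.

```python
# Built-in Entra directory role template IDs (same in every tenant).
ROLE_GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
ROLE_INTUNE_ADMIN = "3a2c62db-5318-420d-8d74-23affee5d9d5"
BREAK_GLASS_USER = "00000000-0000-0000-0000-000000000000"  # placeholder objectId


def admin_fortress_policy(break_glass_ids, block=False,
                          state="enabledForReportingButNotEnforced"):
    """Request body for POST /identity/conditionalAccess/policies (Graph v1.0).
    Applies to admin roles signing in to the admin portals from anywhere that is not
    a trusted location; grant is outright block, or MFA AND compliant device (the
    portal's "Require device to be marked as compliant" is a grant control in Graph)."""
    grant = ({"operator": "OR", "builtInControls": ["block"]} if block else
             {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]})
    return {
        "displayName": "CA001: Admins - Require Compliant Device & Trusted Location",
        "state": state,  # report-only first; set "enabled" after reviewing sign-in logs
        "conditions": {
            "users": {"includeRoles": [ROLE_GLOBAL_ADMIN, ROLE_INTUNE_ADMIN],
                      "excludeUsers": list(break_glass_ids)},
            # "MicrosoftAdminPortals" covers Intune, Entra and the other admin centers.
            "applications": {"includeApplications": ["MicrosoftAdminPortals"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": grant,
    }


def lint_policy(policy):
    """Findings for the mistakes that lock admins out or leave a path open; [] is clean."""
    findings = []
    users, g = policy["conditions"]["users"], policy.get("grantControls") or {}
    controls = set(g.get("builtInControls", []))
    if not users.get("excludeUsers"):
        findings.append("no break-glass exclusion: a mistake here locks every admin out")
    if not {ROLE_GLOBAL_ADMIN, ROLE_INTUNE_ADMIN} & set(users.get("includeRoles", [])):
        findings.append("policy does not target the Global/Intune Administrator roles")
    if policy["conditions"]["locations"].get("excludeLocations") != ["AllTrusted"]:
        findings.append("trusted locations not excluded: on-site admins get blocked too")
    if "block" not in controls and not {"mfa", "compliantDevice"} <= controls:
        findings.append("grant is neither block nor MFA + compliant device")
    if "block" not in controls and g.get("operator") != "AND":
        findings.append("operator must be AND so MFA alone cannot satisfy the policy")
    return findings

if __name__ == "__main__":
    import json
    policy = admin_fortress_policy([BREAK_GLASS_USER])
    print(json.dumps(policy, indent=2), lint_policy(policy) or "OK")
```

Create the policy in report-only state first, read the sign-in logs for a few days to confirm only the expected admin sign-ins would be affected, then switch `state` to `"enabled"`.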

4. Admin Hygiene: Phishing-Resistant MFA

If you’re still using SMS or simple “Approve/Deny” push notifications for admins, you’re vulnerable to “MFA Fatigue” (where an attacker spams your phone until you hit ‘Approve’ just to make it stop).

  • The Fix: Move to Microsoft Authenticator with Number Matching or FIDO2 Security Keys.
  • Password Rotation: Ensure passwords for “Break-Glass” accounts are long, complex, and rotated automatically via Azure Key Vault or stored in a physical safe.

The Bottom Line

The Stryker event shows that attackers aren’t just trying to break into your house; they’re trying to take over the remote control for your security system. Moving to a Zero Trust model for your admins isn’t just “best practice” anymore—it’s the only way to sleep at night.

By implementing PIM, MAA, and strict Conditional Access, you ensure that even if one account falls, the rest of the organization stays standing.

