Enable and Use Multi Admin Approval within Intune

The recent cyber incident involving Stryker, in which their entire device fleet was remotely wiped, has become one of the clearest modern examples of why identity protection and administrative governance matter just as much as traditional endpoint security. Reports surrounding the attack suggest that the threat actors leveraged compromised privileged access within Microsoft's cloud management ecosystem to issue destructive actions at scale, reportedly using legitimate tooling rather than malware in the traditional sense. That distinction is important. The attack was not necessarily about exploiting a vulnerability in Microsoft Intune itself, but about exploiting trust, permissions, and the absence of additional control gates around highly destructive administrative actions.

In light of the Stryker incident, Multi Admin Approval (MAA) in Microsoft Intune has come sharply into focus. MAA requires a second authorised administrator to approve sensitive operations before they run: device actions such as wipe, script deployments, app deployments, and changes to the MAA access policies themselves. The requester must justify the request, and the approver must be a member of the configured approvers group other than the requester. By enabling MAA, organisations introduce a deliberate operational pause into the attack chain. Even if an attacker successfully compromises a privileged account, they are no longer able to immediately execute large-scale destructive actions unchecked. In practical terms, Multi Admin Approval turns a single point of failure into a controlled, observable workflow, significantly reducing the likelihood of a catastrophic "one-click" compromise of an entire managed estate. It is a speed bump rather than a substitute for protecting the approver accounts themselves: an attacker holding two privileged identities, or one able to change the membership of the approvers group in Entra ID, can still satisfy the flow. In an era where attackers increasingly abuse legitimate management tooling rather than deploying obvious malware, dual-approval models are rapidly becoming a necessary part of modern endpoint governance rather than simply a "nice to have" security feature.

How to enable Multi Admin Approval

Sign in to the Microsoft Intune admin center, browse to Tenant administration and, within Tenant admin, click Multi Admin Approval.

Click Access policies, then Create policy.

Select the Policy type, i.e. choose what you are trying to "lock" behind a Multi Admin Approval workflow. In this example, we will restrict the ability to perform a device wipe without first seeking additional approval. Enter a description and, when ready, click Next.

Select the Approvers group. This is an Entra ID security group; its members (other than whoever raises a given request) will be the only people able to approve requests governed by this policy, so keep its membership small and protect those accounts accordingly.

On the Review screen, you will be required to enter a business justification before creating the access policy.

Another administrator within the environment (not the creator) must then approve the access policy request. This is done by signing in to the Intune admin center, browsing to Tenant administration and, within Tenant admin, clicking Multi Admin Approval. Pending requests will be visible on the dashboard.

Clicking the pending request will reveal further details. Here, the approver is required to enter an approval reason.

After the policy creation has been seconded/approved, the creator must return to the request and complete it; the access policy does not take effect until this final step is done.

And now, with the policy in place, if anyone tries to wipe a device the Multi Admin Approval flow kicks in: the command must be justified by the requester, approved by a member of the approvers group, and then completed by the requester before the request expires. Only at that point is the wipe command actually sent.

Unfortunately, out of the box there is no notification system to alert you that Multi Admin Approval requests are waiting, so for now checking the Multi Admin Approval page for requests should become part of your daily checks. Alternatively, building something to monitor this on your behalf and trigger a notification is well worth exploring 😉
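As a starting point for that monitoring, here is an added example (not from the original post, and not Microsoft's code) that polls pending Multi Admin Approval requests through Microsoft Graph and posts a summary to a webhook. It assumes the Graph beta endpoint deviceManagement/operationApprovalRequests and the property names status, requestDateTime, expirationDateTime, requestJustification and requiredOperationApprovalPolicyTypes, that the DeviceManagementConfiguration.Read.All scope is enough to read them, and that $WebhookUrl is a hypothetical incoming-webhook URL of your own; verify all of these against the current Graph documentation before relying on it. It needs the Microsoft.Graph.Authentication module.

```powershell
<#
Added example: poll Intune Multi Admin Approval requests and alert on anything
still awaiting approval. Assumptions (verify against current Graph docs):
 - beta endpoint deviceManagement/operationApprovalRequests and the property
   names status, requestDateTime, expirationDateTime, requestJustification,
   requiredOperationApprovalPolicyTypes;
 - DeviceManagementConfiguration.Read.All is sufficient to read requests;
 - $WebhookUrl is a hypothetical webhook of your own (Teams, Slack, SIEM...).
#>
param(
    [string]$WebhookUrl     = 'https://example.invalid/maa-webhook',  # hypothetical
    [int]   $StaleAfterHours = 24   # flag requests that nobody has actioned in a day
)

# Delegated sign-in; the account running this still needs an Intune admin role.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All' -NoWelcome

# Page through the whole collection: Graph returns @odata.nextLink on large sets.
$uri      = 'https://graph.microsoft.com/beta/deviceManagement/operationApprovalRequests'
$requests = @()
do {
    $page     = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $requests += $page.value
    $uri      = $page.'@odata.nextLink'
} while ($uri)

# Filter client-side rather than relying on $filter support for this collection.
$pending = @($requests | Where-Object { $_.status -eq 'needsApproval' })

if ($pending.Count -eq 0) {
    Write-Host 'No pending Multi Admin Approval requests.'
    return
}

$now   = Get-Date
$lines = foreach ($r in $pending) {
    $ageHours = [math]::Round(($now - [datetime]$r.requestDateTime).TotalHours, 1)
    $stale    = if ($ageHours -ge $StaleAfterHours) { ' (STALE)' } else { '' }
    '- {0} | type: {1} | waiting {2}h{3} | expires {4} | "{5}"' -f `
        $r.id,
        ($r.requiredOperationApprovalPolicyTypes -join ','),
        $ageHours,
        $stale,
        $r.expirationDateTime,
        $r.requestJustification
}

# Simple text payload; adapt the shape to whatever your webhook consumer expects.
$payload = @{
    text = "Intune Multi Admin Approval: $($pending.Count) request(s) awaiting approval`n" +
           ($lines -join "`n")
} | ConvertTo-Json -Depth 3

Invoke-RestMethod -Method Post -Uri $WebhookUrl -ContentType 'application/json' -Body $payload
Write-Host "Alert sent for $($pending.Count) pending request(s)."
```

Run it from a scheduled task or Azure Automation runbook every few hours. Requests are filtered on the client side because support for OData $filter on this collection is not something to assume, and the STALE marker is there so that a request nobody has looked at for a day stands out from the ones that arrived five minutes ago. The alert deliberately contains the justification text: an unexpected wipe request with a thin justification is exactly the signal MAA exists to surface.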
