Weaponizing Administration: The Hidden Risk in Enterprise Management Platforms

Introduction

Cloud-based management platforms like Microsoft Intune, Microsoft Entra ID, AWS IAM, Google Workspace Admin, and comparable MDM and identity governance tools have become the operational backbone of how organisations manage their devices, user identities, and access controls. That centralisation of power is also a critical concentration of risk. A single compromised administrative account in any of these environments can enable an adversary to affect thousands of devices and users simultaneously, without deploying a single line of malware.
Following the March 2026 attack on Stryker Corporation, both CISA and Microsoft issued formal guidance urging organisations to harden their endpoint management environments. This advisory consolidates those recommendations alongside broader best practices for securing privileged administrative access across cloud management platforms.
The risk is demonstrated clearly by the Stryker incident of March 2026, in which the Iran-linked threat actor Handala compromised an administrative account at the medical technology company and used it to issue a mass remote wipe through Microsoft Intune, affecting approximately 80,000 devices across Stryker’s global operations. Stryker confirmed that no conventional ransomware or malware was deployed. The broader attack succeeded primarily through valid credentials and legitimate administrative tooling, the exact scenario that traditional endpoint security is not designed to detect.
The real-world consequences extended beyond IT. Supply chains were disrupted at hospitals across the United States, and patient-specific procedures were rescheduled due to shipping delays. This pattern is not new, nor is it limited to Intune. The 2022 Okta breach and the Uber compromise share the same underlying dynamic: an adversary gained access to a trusted administrative platform and operated it exactly as intended. The threat is not the tool. The threat is uncontrolled access to the tool.

Why Administrative Platforms Are a Primary Target

Platforms such as Microsoft Intune, Microsoft Entra ID, AWS IAM, Google Workspace Admin Console, and VMware Workspace ONE are designed for scale. That is their value to IT teams and their value to adversaries alike. A single administrative session in any of these environments can enumerate every managed device, modify access policies across thousands of accounts, push configuration changes to an entire endpoint estate, or issue bulk destructive commands, all through legitimate, logged functions that generate no malware signatures. Endpoint detection and response tools, antivirus, and network monitoring solutions are simply not built to flag a Global Administrator performing actions that match documented platform behaviour. The attack surface here is not a software vulnerability. It is standing access held by too many accounts, protected by too few controls.

This class of attack is commonly described by security professionals as ‘living off the land’. Adversaries exploit existing infrastructure rather than introducing foreign tooling. In the context of cloud management platforms, this means the attacker’s actions are functionally indistinguishable from legitimate administrative activity until the damage is already done. Organisations that have invested heavily in perimeter defences, endpoint protection, and malware detection may find that those investments provide no meaningful protection against an adversary operating through a valid admin session in their MDM or identity platform. The controls that matter in this context are those that govern who can access these platforms, under what conditions, and with what level of oversight.

Common Control Gaps in Administrative Platform Security

Privileged Credentials Are Managed Without Adequate Controls
Across most organisations, administrative accounts for management platforms are provisioned and managed without meaningful differentiation from standard user accounts, despite conferring a vastly greater level of control. A Global Administrator in Microsoft Entra ID, a root account in AWS, a Super Admin in Google Workspace, or a full console administrator in Jamf or Intune can each affect an organisation’s entire managed environment with a handful of actions. Yet these accounts are routinely protected by nothing more than a password, with no strong authentication requirement, no usage monitoring, and no periodic review of whether the access is still warranted. The Stryker incident demonstrated precisely what this exposure enables: a compromised admin credential provided immediate, unrestricted access to every managed device in the organisation.

High-Impact Administrative Actions Lack Secondary Authorisation
Cloud management platforms are designed to enable administrators to act at scale, and most do so without any requirement for a second approver. A single administrator can wipe an entire device fleet, revoke access for every user in a tenant, or push a destructive policy change across an organisation, and in most environments, nothing in the platform will stop them. This is as much a process gap as a technical one. Organisations operating platforms such as Intune, Entra ID, AWS IAM, or Google Workspace Admin should define which actions constitute high-impact operations and require that those actions receive a second authorisation before execution. Without this control, the difference between a legitimate IT operation and a catastrophic security incident can come down to whose credentials were used.

Cloud Management Platforms Fall Outside Standard Security Monitoring
Security operations centres are typically configured to monitor network traffic, endpoint telemetry, and authentication events. The administrative consoles of cloud management platforms, including Intune, Entra ID, AWS CloudTrail, Google Admin Audit Logs, ServiceNow, and similar tools, are rarely brought within the same monitoring scope. This creates a significant and exploitable blind spot. High-risk activity within these platforms, including privilege escalations, bulk policy changes, and the creation of new administrator accounts, can go undetected for extended periods precisely because nobody is watching. The telemetry exists in every one of these platforms; the gap is in whether it is ingested, alerted on, and acted upon.

Note: Traditional security tools such as antivirus, EDR, malware scanning, and perimeter firewalls are not designed to detect an attacker operating through valid credentials in an authorised management console. Organisations that have invested heavily in these controls while leaving privileged access to cloud platforms ungoverned have a significant and largely invisible gap in their security posture. Identity and administrative access have become the primary attack surface. Defences should reflect that reality.

Recommended Controls

The following controls apply to any organisation using management platforms, identity providers, or MDM solutions. These recommendations address specific, documented gaps that have enabled real incidents to succeed.

  1. Establish Full Visibility Over Privileged Accounts
    The starting point for any hardening programme is a complete and accurate inventory of which accounts hold elevated privileges across administrative platforms. This includes Microsoft Intune, Microsoft Entra ID, AWS IAM, Google Workspace Admin, and any other platform through which bulk actions can be taken against users, devices, or data. Every account holding global or highly privileged roles should be explicitly identified, formally documented, assigned to a named individual or purpose, and subject to periodic access review. Particular attention should be paid to accounts associated with former employees, dormant service accounts, vendor or third-party access, and helpdesk roles that have accumulated permissions over time. In many organisations, this inventory does not exist in any reliable form. Establishing it is the prerequisite for every other control in this list.
  2. Enforce Phishing-Resistant MFA on All Privileged Accounts
    Phishing-resistant multi-factor authentication must be enforced on every privileged account across all administrative platforms, without exception. Compromised credentials alone should never be sufficient to access a console with the capacity to affect thousands of users or devices. Hardware security keys or passkeys are the recommended implementation; SMS-based verification and authenticator app push notifications are weaker and should not be accepted as the primary MFA method for highly privileged accounts. Any service or shared account that cannot accommodate MFA should be treated as an active risk requiring remediation, not a standing exception to be documented and forgotten.
  3. Require Dual Authorisation for Bulk Destructive Actions
    No individual administrator should be able to execute a high-impact action unilaterally across any management platform. This is both a technical control and a process requirement. Organisations should define what constitutes a high-impact action. Actions such as mass device wipes, bulk account deletions, large-scale policy changes, the creation of new administrator accounts, or the modification of tenant-wide security settings should have approval workflows requiring a second authorised individual to review and confirm before execution. This control applies equally across Intune, Entra ID, AWS IAM, and any platform where a single action can have organisation-wide consequences. Introducing a mandatory second checkpoint does not impede routine administration; it specifically targets the category of action that causes irreversible damage if misused.
  4. Implement Just-in-Time Access for Administrative Roles
    Persistent administrative access is a standing risk across every platform that grants it. Just-in-Time (JIT) access addresses this by granting elevated privileges only for the duration of a specific, approved task, with access expiring automatically, typically within one hour. This model is supported natively in Microsoft Entra Privileged Identity Management for Azure and Intune environments, in AWS IAM through temporary credential mechanisms via STS, and through equivalent tooling in other enterprise identity platforms. With JIT in place, a compromised account is far more likely to hold standard user privileges than persistent global administrative access, significantly limiting the potential impact of a credential compromise. Organisations that cannot implement JIT immediately should prioritise removing persistent Global Administrator or equivalent assignments as an interim measure and replacing them with role assignments scoped to specific tasks.
  5. Extend Security Monitoring to Cover Management Platforms
    The majority of security operations teams monitor endpoints, firewalls, and authentication logs as a matter of routine. Activity within management consoles, however, receives far less attention. Platforms such as Microsoft Intune, Microsoft Entra ID, AWS CloudTrail, and Google Admin Audit Logs are frequently excluded from core monitoring workflows, creating a significant and exploitable visibility gap. These systems should be brought within the organisation’s monitoring scope, with defined alerts configured for high-risk activities including: administrative logins from unrecognised locations or devices, bulk enrolment or wipe operations, policy modifications outside of business hours, the creation of new privileged accounts, and privilege escalations.
  6. Validate Assumptions Through Structured Simulation Exercises
    Consider simulating a realistic scenario in which an attacker has obtained valid global administrator credentials for your MDM platform. Work through the actions they could take, the speed at which your security operations team would detect the activity, and the manner in which your organisation would respond and recover. Many organisations have never conducted this exercise end-to-end. The findings are frequently uncomfortable, but it is considerably preferable to identify these gaps through a controlled exercise than to discover them in the aftermath of an actual incident.
  7. Restrict Administrative Access to Dedicated, Hardened Workstations
    Administrative access to cloud management platforms should be restricted to dedicated, hardened devices, commonly referred to as Privileged Access Workstations (PAWs). These are purpose-configured devices used exclusively for administrative tasks, isolated from general browsing, email, and productivity applications that represent common credential compromise vectors. For cloud-only environments, this can be implemented through cloud-only administrator accounts that are not synchronised from on-premises Active Directory, combined with Conditional Access policies that restrict sign-in to compliant, managed devices. In the Stryker incident, restricting high-privilege access to PAWs or compliant managed devices would have substantially raised the barrier to exploitation. Organisations that permit administrative access to Intune, Entra ID, or equivalent platforms from general-purpose, unmanaged, or personal devices are accepting a level of risk that is inconsistent with the sensitivity of those environments.
  8. Align Security Posture to Sector-Specific Threat Intelligence
    Threats vary by sector and region. Adversaries choose targets based on geopolitical ties, acquisitions, or public profile. Shape your defences around those factors. A practical step is geolocation-based access control. Restrict admin logins to countries where your team operates, block or flag high-risk regions, and alert on unexpected access attempts. This raises strong barriers against nation-state and hacktivist campaigns.
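As an added example that is not part of this advisory or of any vendor's tooling, the following Python sketches the alert logic of control 5 (bulk wipes, out-of-hours policy changes, new privileged role grants) together with the unexpected-country sign-in alerting of control 8, run over a constructed batch of audit events. The event field names are a simplified approximation rather than a vendor schema, and the thresholds, business hours and country allow-list are assumptions.

```python
"""Detection rules run over constructed management-platform audit events.
Added example; event fields are a simplified approximation, not a vendor schema.
Thresholds, allow-lists and business hours are assumptions, marked below."""
from collections import defaultdict
from datetime import datetime, timezone

ALLOWED_COUNTRIES = {"GB", "US"}    # assumption: countries the admin team operates from
BULK_WIPE_THRESHOLD = 20            # assumption: wipes by one actor within WINDOW_SECONDS
WINDOW_SECONDS = 600
BUSINESS_HOURS = range(8, 19)       # assumption: 08:00-18:59 UTC
PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator"}

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def evaluate(events):
    """Return (rule, actor, detail) alerts for one batch of events, in time order."""
    alerts, wipes = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, actor, action = parse_ts(ev["ts"]), ev["actor"], ev["action"]
        if action == "SignIn" and ev.get("country") not in ALLOWED_COUNTRIES:
            alerts.append(("admin_signin_unexpected_country", actor, ev.get("country")))
        elif action == "AddRoleMember" and ev.get("role") in PRIVILEGED_ROLES:
            alerts.append(("privileged_role_granted", actor, f"{ev['role']} -> {ev['target']}"))
        elif action == "PolicyChange" and ts.hour not in BUSINESS_HOURS:
            alerts.append(("policy_change_out_of_hours", actor, ev.get("policy", "")))
        elif action == "WipeDevice":
            # Sliding window per actor; fire once, when the threshold is first reached.
            recent = [t for t in wipes[actor] if (ts - t).total_seconds() <= WINDOW_SECONDS]
            recent.append(ts)
            wipes[actor] = recent
            if len(recent) == BULK_WIPE_THRESHOLD:
                alerts.append(("bulk_wipe", actor, f"{len(recent)} wipes in {WINDOW_SECONDS}s"))
    return alerts

# Constructed sample batch: one admin account acting at 02:xx UTC, then a benign sign-in.
SAMPLE_EVENTS = [
    {"ts": "2026-03-10T02:14:00Z", "actor": "admin1@example.com", "action": "SignIn", "country": "BR"},
    {"ts": "2026-03-10T02:15:00Z", "actor": "admin1@example.com", "action": "AddRoleMember",
     "role": "Global Administrator", "target": "svc-backup@example.com"},
    {"ts": "2026-03-10T02:20:00Z", "actor": "admin1@example.com", "action": "PolicyChange",
     "policy": "Device compliance"},
    {"ts": "2026-03-10T10:05:00Z", "actor": "admin2@example.com", "action": "SignIn", "country": "GB"},
] + [{"ts": f"2026-03-10T02:16:{i:02d}Z", "actor": "admin1@example.com", "action": "WipeDevice",
      "device": f"LAPTOP-{i:04d}"} for i in range(30)]

if __name__ == "__main__":
    for rule, actor, detail in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {actor} ({detail})")
```

In production the same rules would run continuously over ingested audit logs rather than over a batch, and the bulk-wipe window would have to carry state across batches.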

Conclusion

The controls outlined in this advisory are not new concepts; they are well-established security practices that apply to any platform where a single account can affect thousands of devices or users. Visibility over privileged accounts, strong authentication, approval workflows for high-impact actions, restricted access workstations, and active monitoring of management consoles together form a baseline that significantly reduces the risk of administrative platform abuse.
Organisations that have these controls in place are considerably harder to damage, even when credentials are compromised. Those that do not are one stolen password away from an incident of the scale seen at Stryker.

References

Best practices for securing Microsoft Intune | Microsoft Community Hub
CISA Urges Endpoint Management System Hardening After Cyberattack Against US Organization | CISA