CISA warns on Intune risk

CISA issued urgent guidance after the Stryker attack showed Microsoft Intune consoles can be abused to wipe fleets—attackers reportedly erased 200,000 devices via weak admin access. The advisory stresses locking down MDM admin accounts, auditing console activity, and having offline MDM backups ready in case of console compromise. (cybernews.com)

CISA published an alert on March 18, 2026 that points organizations to vendor hardening resources after the March 11 incident affecting a U.S. corporation’s Microsoft environment. (content.govdelivery.com) Stryker’s customer notice states the company detected the cyber incident on March 11, 2026 and described the disruption as contained to its Microsoft environment while it worked with external advisors. (stryker.com) CISA said it consulted with Microsoft and the affected company and is coordinating follow‑up efforts with the FBI and other federal partners to identify additional threat activity. (cybersecuritydive.com)

Microsoft’s Intune team published a “Best practices for securing Microsoft Intune” post on March 14, 2026 that lists three prescriptive controls: least‑privilege role design, phishing‑resistant authentication, and Multi‑Admin Approval for sensitive changes. (techcommunity.microsoft.com) Microsoft’s Multi‑Admin Approval (MAA) documentation shows MAA can protect device actions (wipe, retire, delete), role changes and scripts, and requires a separate approver account and an approver group to apply or reject requests. (learn.microsoft.com) Technical guidance warns that MAA and access policies have operational constraints—MAA applies at tenant scope and requires at least two admin identities, which organizations must plan around to avoid blocking legitimate changes. (endpointmgt.com)

Microsoft’s Windows Backup for Organizations feature gives tenants a tenant‑wide restore option for Entra‑joined Windows devices and lists supported OS builds and enrollment prerequisites that administrators must enable. (learn.microsoft.com)

Microsoft has been enforcing mandatory MFA for administrative sign‑ins through Microsoft Entra and is rolling out phishing‑resistant options such as Entra passkeys (public preview mid‑March 2026) for stronger admin authentication. (learn.microsoft.com)
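One way to audit console activity for the pattern described above, a single admin account issuing wipe, retire or delete actions against many devices in a short window. This is an added example, not code from CISA, Microsoft or the cited sources; the record fields (`time`, `actor`, `action`, `device`) and the sample events are constructed for illustration and are not an Intune export schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; field names are assumptions for this example.
SAMPLE_EVENTS = [
    {"time": "2026-01-05T09:00:00", "actor": "admin-a@example.test", "action": "wipe", "device": "dev-001"},
    {"time": "2026-01-05T09:01:00", "actor": "admin-a@example.test", "action": "wipe", "device": "dev-002"},
    {"time": "2026-01-05T09:02:30", "actor": "admin-a@example.test", "action": "retire", "device": "dev-003"},
    {"time": "2026-01-05T09:03:00", "actor": "admin-a@example.test", "action": "wipe", "device": "dev-004"},
    {"time": "2026-01-05T09:05:00", "actor": "admin-b@example.test", "action": "wipe", "device": "dev-010"},
    {"time": "2026-01-05T11:30:00", "actor": "admin-b@example.test", "action": "retire", "device": "dev-011"},
    {"time": "2026-01-05T09:00:00", "actor": "admin-c@example.test", "action": "sync", "device": "dev-020"},
    {"time": "2026-01-05T09:00:10", "actor": "admin-c@example.test", "action": "sync", "device": "dev-021"},
    {"time": "2026-01-05T09:00:20", "actor": "admin-c@example.test", "action": "sync", "device": "dev-022"},
]

# The device actions the page lists as protectable by Multi-Admin Approval.
DESTRUCTIVE = {"wipe", "retire", "delete"}


def flag_bulk_actions(events, threshold=3, window=timedelta(minutes=10)):
    """Return {actor: peak count of distinct devices hit by destructive
    actions inside any sliding window} for actors at or above threshold."""
    per_actor = defaultdict(list)
    for e in events:
        if e["action"] in DESTRUCTIVE:
            per_actor[e["actor"]].append((datetime.fromisoformat(e["time"]), e["device"]))

    flagged = {}
    for actor, hits in per_actor.items():
        hits.sort()
        start, peak = 0, 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans <= `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            # Count distinct devices so repeated actions on one device
            # do not inflate the score.
            peak = max(peak, len({dev for _, dev in hits[start:end + 1]}))
        if peak >= threshold:
            flagged[actor] = peak
    return flagged


if __name__ == "__main__":
    for actor, count in flag_bulk_actions(SAMPLE_EVENTS).items():
        print(f"ALERT {actor}: {count} devices wiped/retired/deleted within 10 minutes")
```

The threshold and window are tuning choices: set them below the smallest batch your own operations staff legitimately process so that routine decommissioning does not drown out the alert.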
