Kamal Ghorui
US government has issued an advisory urging companies to implement Microsoft’s newly released best practices for securing Microsoft Intune. The advisory, issued by Cybersecurity and Infrastructure Security Agency (CISA) comes after a cyberattack on America’s largest medical device maker by Iran-linked hackers last week. The attack disrupted the company’s service for more than 5 days. “CISA is aware of malicious cyber activity targeting endpoint management systems of U.S. organizations based on the March 11, 2026 cyberattack against U.S.-based medical technology firm Stryker Corporation, which affected their Microsoft environment,” the advisory says. “To defend against similar malicious cyber activity, CISA urges organizations to harden endpoint management system configurations using the recommendations and resources provided in this alert,” it adds. As per the advisory, principles of these recommendations can be applied to Intune and more broadly to other endpoint management software:
- Use principles of least privilege when designing administrative roles.
Leverage Microsoft Intune’s role-based access control (RBAC) to assign the minimum permissions necessary to each role for completing day-to-day operations—permissions include what actions the role can take, and what users and devices it can apply that action to.
- Enforce phishing-resistant multi-factor authentication (MFA) and privileged access hygiene.
Use Microsoft Entra ID capabilities (including Conditional Access, MFA, risk signals, and privileged access controls) to block unauthorized access to privileged actions in Microsoft Intune.
- Configure access policies to require Multi Admin Approval in Microsoft Intune.
Set up policies that require a second administrative account’s approval to allow changes to sensitive or high-impact actions (such as device wiping), applications, scripts, RBAC, configurations, etc. The advisory further informs that CISA is conducting enhanced coordination with federal partners, including the Federal Bureau of Investigation (FBI), to identify additional threats and determine mitigation actions.
US cyber agency’s advisory to companies
In addition to strengthening Microsoft system, CISA also recommends reviewing the following resources to strengthen defenses against similar malicious cyber activity:Microsoft resources:
- For recommendations on securing Microsoft Intune, see Best practices for securing Microsoft Intune.
- For guidance on implementing Multi Admin Approval in Microsoft Intune, see Use Access policies to implement Multi Admin Approval.
- For recommendations on configuring Microsoft Intune using zero trust principles, see Configure Microsoft Intune for increased security.
- For guidance on implementing Microsoft Intune RBAC policies, see Role-based access control (RBAC) with Microsoft Intune.
- For guidance on deploying Privileged Identity Management (PIM) across Microsoft Intune, Entra ID, and other Microsoft software, see Plan a Privileged Identity Management deployment.
CISA resources:
- For guidance on implementing phishing-resistant multifactor authentication (MFA), see Implementing Phishing-Resistant MFA.
