So gain access to a machine that can ask microsoft intune to eviscerate the company, ask it to do so, done. Bit of a shame all the machines had that installed really. Reminds me of crowdstrike.
My 95% bet is that the attacker just gained access to an account with suitable privileges and then went on to use existing automation. The fact that it’s intune is largely irrelevant - I’m not aware of any safeguards that any provider would implemen.
So the options here are MDM or no MDM and that’s a hard choice. No MDM means that you have to trust all people to get things as basic as FDE or a sane password policy right. No option to wipe or lock lost devices. No option to unlock devices where people forgot their password. Using an MDM means having a privileged attack vector into all machines.
How does that look exactly? Someone has to be able to use MDM to manage devices or there’s no point in having it. This scenario is firmly in rubber hose/crescent wrench cryptanalysis territory. Can updates have delays with approval gates built in? Does MDM need a break glass capability?
Do not use global admin or admin account as daily driver for one. Dont save it in browser etc either.
Limit roles, even within the application, here Intune.
Office 365 also has conditional access and many policy leavers to tweak, many cases of people locking themselves OUT of 365. So the gates work but you need to configure them.
Microsoft keeps disappointing and chief technology officers keep paying them. Wasn’t Elon Musk supposed to prove you could vibe code their entire product line? What happened to all that?