by mcoliver 94 days ago
Intune has two modes: device registration and user registration. And two kinds of wipes: retire and wipe. Retire means only delete your work profile and is only available for user-registration MDM. Sounds like Stryker didn't configure Intune properly for BYOD to force users with personal devices to use user registration.

Beyond that, there are so many other things in Intune you can use to prevent this sort of thing: short-lived / JIT credentials with MFA, IP restrictions, multi-admin approval, RBAC (role-based, fine-tuned permissions, e.g. help desk can't wipe, only retire), etc. Sounds like there were some big misses here.

Also sounds like they were in the system long enough to exfiltrate 50+ TB of data without setting off alarm bells.
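The three controls the comment names (user-scoped enrollment so only the work profile can be retired, RBAC that withholds the wipe action from help desk, and alerting on wipe activity) can each be checked against tenant data. The following is an added example written for this thread, not code from the commenter or from Microsoft. It works on small in-memory records whose shape mimics Microsoft Graph's managedDevice, roleDefinition and audit-event objects; the sample records are constructed, and the enrollment-type values and permission strings such as "Microsoft.Intune_ManagedDevices_Wipe" are assumed rather than verified against a live tenant.

```python
"""Offline checks for the Intune BYOD/RBAC points raised above.

Added example, not from the comment or from Microsoft. Record shapes mimic
Microsoft Graph objects; all sample data is constructed and the exact
enrollment-type and permission strings are assumptions.
"""
from datetime import datetime, timedelta

# Enrollment types assumed to scope management to a work profile only,
# so that "retire" (not a full wipe) is the applicable removal action.
USER_SCOPED_ENROLLMENTS = {
    "userEnrollment",                 # Apple User Enrollment (assumed name)
    "androidEnterpriseWorkProfile",   # Android personally-owned work profile
}

WIPE_ACTION = "Microsoft.Intune_ManagedDevices_Wipe"      # assumed string
RETIRE_ACTION = "Microsoft.Intune_ManagedDevices_Retire"  # assumed string


def devices_exposed_to_full_wipe(devices):
    """Return ids of personal devices enrolled in a way that permits a
    full-device wipe, i.e. owner is 'personal' but the enrollment is not
    user-scoped. These are the BYOD handsets a wipe would erase entirely."""
    return [
        d["id"]
        for d in devices
        if d.get("managedDeviceOwnerType") == "personal"
        and d.get("deviceEnrollmentType") not in USER_SCOPED_ENROLLMENTS
    ]


def roles_granting_wipe(role_definitions):
    """Return names of role definitions that allow the wipe action.
    Walks the nested rolePermissions -> resourceActions ->
    allowedResourceActions structure (assumed Graph shape)."""
    granting = []
    for role in role_definitions:
        allowed = {
            action
            for perm in role.get("rolePermissions", [])
            for ra in perm.get("resourceActions", [])
            for action in ra.get("allowedResourceActions", [])
        }
        if WIPE_ACTION in allowed:
            granting.append(role["displayName"])
    return sorted(granting)


def wipe_burst_actors(audit_events, window=timedelta(minutes=10), threshold=5):
    """Return actors who issued at least `threshold` wipe actions inside any
    sliding `window`, the kind of alarm bell that should fire well before a
    tenant-wide wipe completes."""
    stamps_by_actor = {}
    for ev in audit_events:
        if ev.get("activity") != "wipeDevice":
            continue
        ts = datetime.fromisoformat(ev["activityDateTime"].replace("Z", "+00:00"))
        stamps_by_actor.setdefault(ev["actor"], []).append(ts)
    offenders = []
    for actor, stamps in stamps_by_actor.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders.append(actor)
                break
    return sorted(offenders)


# --- constructed sample data ------------------------------------------------
SAMPLE_DEVICES = [
    {"id": "dev-1", "managedDeviceOwnerType": "personal",
     "deviceEnrollmentType": "androidEnterpriseWorkProfile"},
    {"id": "dev-2", "managedDeviceOwnerType": "personal",
     "deviceEnrollmentType": "userEnrollment"},
    {"id": "dev-3", "managedDeviceOwnerType": "personal",
     "deviceEnrollmentType": "androidEnterpriseFullyManaged"},  # misconfigured BYOD
    {"id": "dev-4", "managedDeviceOwnerType": "company",
     "deviceEnrollmentType": "windowsAzureADJoin"},
]

SAMPLE_ROLES = [
    {"displayName": "Help Desk Operator",
     "rolePermissions": [{"resourceActions": [{"allowedResourceActions": [
         "Microsoft.Intune_ManagedDevices_Read", RETIRE_ACTION]}]}]},
    {"displayName": "Help Desk (legacy)",
     "rolePermissions": [{"resourceActions": [{"allowedResourceActions": [
         "Microsoft.Intune_ManagedDevices_Read", RETIRE_ACTION, WIPE_ACTION]}]}]},
]

SAMPLE_AUDIT = (
    [{"actor": "helpdesk1@example.com", "activity": "wipeDevice",
      "activityDateTime": f"2024-01-01T10:0{i}:00Z"} for i in range(5)]
    + [{"actor": "admin@example.com", "activity": "wipeDevice",
        "activityDateTime": "2024-01-01T11:00:00Z"},
       {"actor": "admin@example.com", "activity": "retireDevice",
        "activityDateTime": "2024-01-01T11:05:00Z"}]
)

if __name__ == "__main__":
    print("personal devices exposed to full wipe:", devices_exposed_to_full_wipe(SAMPLE_DEVICES))
    print("roles granting wipe:", roles_granting_wipe(SAMPLE_ROLES))
    print("wipe bursts:", wipe_burst_actors(SAMPLE_AUDIT))
```

Against the constructed data the first check flags only dev-3 (a personal device under full management), the second flags only the legacy help-desk role, and the burst detector names only the account that issued five wipes in a few minutes. With real tenant data the same functions would be fed from Graph queries instead of the inline lists.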