- Use principles of least privilege when designing administrative roles.
- Leverage Microsoft Intune’s role-based access control (RBAC) to assign each role only the minimum permissions it needs for day-to-day operations. Permissions cover both which actions the role can take and which users and devices it can apply those actions to.
- Enforce phishing-resistant multi-factor authentication (MFA) and privileged access hygiene.
- Use Microsoft Entra ID capabilities (including Conditional Access, MFA, risk signals, and privileged access controls) to block unauthorized access to privileged actions in Microsoft Intune.
- Configure access policies to require Multi Admin Approval in Microsoft Intune.
- Set up policies that require approval from a second administrative account before changes to sensitive or high-impact actions (such as device wiping), applications, scripts, RBAC, configurations, etc. take effect.
