Senior Microsoft Cloud Engineer

About The Position

Requirements

• Candidates without direct GCC High or M365 Government environment experience will require a ramp period this build cannot accommodate.
• M365 GCC High: hands-on tenant provisioning and administration; Azure Commercial equivalents do not qualify
• Microsoft Sentinel: MSSP workspace architecture, cross-workspace KQL, Lighthouse-delegated RBAC, analytics rule configuration
• Azure Virtual Desktop: deployment and administration in Azure Government (not commercial AVD)
• Microsoft Intune (GCC High): device enrollment, Compliance policies, Conditional Access integration
• Entra ID Governance: Privileged Identity Management (PIM), Conditional Access, Named Locations, Identity Protection
• Microsoft Lighthouse: multi-tenant delegation configuration and RBAC scoping for MSSP management
• Azure Arc: server and hybrid endpoint onboarding and management
• SharePoint GCC High: site architecture, permissions model, and document library structure
• Azure Key Vault: provisioning, access policy configuration, and secrets management

Nice To Haves

• CrowdStrike Falcon sensor deployment and policy baseline configuration — Falcon Gov and/or Falcon Commercial
• Azure DevOps Boards configuration and administration
• Prior experience building or operating within a CMMC Level 2 or FedRAMP High environment
• Client-facing technical experience — security advisory, vCISO support, client onboarding, or security architecture reviews
• Microsoft certifications: SC-200, SC-300, AZ-800/801, MS-102, or equivalent

Responsibilities

• Provision Atom’s GCC High Operations Tenant through an AOS-G authorized partner and build the parallel Azure Commercial Operations Tenant as isolated sovereign tracks
• Establish Entra ID baseline across both tenants: admin account structure, security group naming conventions, and identity governance configuration
• Deploy Azure Virtual Desktop host pool in Azure Government for SOC analyst and vCISO secure access
• Configure Microsoft Lighthouse delegation framework across both tracks to support multi-client MSSP management
• Implement FIDO2/phish-resistant MFA and Conditional Access policies across all administrative accounts on both tenants
• Configure Privileged Identity Management (PIM) for all privileged roles across both tenants
• Enroll all analyst devices, vCISO devices, and AVD session hosts into GCC High and Commercial Intune respectively
• Document the separate Entra identity model (distinct UPNs per track) as a formal access control artifact
• Stand up Microsoft Sentinel MSSP workspaces on both tracks with baseline analytics rules, alert routing, and cross-workspace KQL queries
• Apply Defender XDR P2 baseline policy across the GCC High tenant
• Deploy CrowdStrike Gov endpoint agents to CMMC client environments; deploy CrowdStrike Commercial Falcon for non-CMMC clients
• Activate Azure Arc and Intune management on Atom operations devices
• Verify track separation end-to-end and reflect findings in finalized network diagrams
• Build SharePoint GCC High site structure to receive runbooks, SOPs, and client documentation migrated from legacy documentation platforms
• Configure Azure DevOps Boards (GCC High) as the ticketing and work management replacement
• Provision Azure Key Vault and execute controlled credential migration with documented access policy review
• Update Atom’s System Security Plan (SSP) to remove transitional tool entries upon retirement confirmation
• Support compliance documentation sprints — provide infrastructure evidence artifacts for SSP completion
• Conduct end-to-end Lighthouse delegation testing for both anchor clients prior to go-live
• Complete final infrastructure verification pass against the go-live readiness checklist
• Support onboarding of client accounts to the Atom service delivery model post-launch
• As the practice scales, participate in client-facing technical work — including vCISO engagements, client onboarding, security architecture reviews, and direct advisory relationships with DIB and commercial clients

Benefits

• GROUP HEALTH INSURANCE: After a 30-day waiting period, full-time employees (who work at least 30 hours per week) and their dependents, are eligible to enroll in health benefits utilizing the Cigna network. Health options include a choice of 2 PPO plans or a High Deductible Health Plan with employer contributions to a Health Savings Account (HSA). In addition, Dental benefits are available as well as a Vision PPO plan utilizing the EyeMed network. Proven also offers voluntary worksite benefits including critical illness, hospital indemnity, accident coverage, short-term disability insurance, supplemental life and pet insurance. Additional offerings include an employee discount program, home and auto insurance services and commuter/transit FSA.
• EMPLOYER PROVIDED LIFE/AD&D INSURANCE: After a 30-day waiting period, Proven IT provides a flat $25,000 Life Insurance benefit, administered by BlueCross BlueShield, to all full-time employees (who work at least 30 hours per week). Accidental Death & Dismemberment (AD&D) benefit payments are determined based on the type of loss incurred and are payable up to the full Life Insurance benefit amount. Life and AD&D Insurance coverage amounts are reduced at ages 65, 70 and 75.
• EMPLOYER PROVIDED LTD: Long-Term Disability (LTD) insurance is an employer-provided benefit and provides protection from loss of income in the event that an employee is unable to work due to illness, injury, or accident for a long period of time. The elimination period is 90-days, and the maximum benefit is 60% of covered payroll up to $6000/month. This benefit is paid entirely by Proven IT and has no cost to the employee.
• EMPLOYEE ASSISTANCE PROGRAM: All employees may utilize the Disability Resource Services through BlueCross BlueShield of Illinois to assist themselves and their immediate family with convenient resources to help address emotional, legal and financial issues. Telephonic counseling and web-based services are available as well as a limited number of geographically accessible face-to-face sessions.
• 401K PLAN: All employees are eligible after 120 days of service to contribute on either a pre-tax or post-tax (Roth) basis to the 401K plan, administered by Principal Financial Services. Proven offers an employer match equal to 100% of the first 3% of deferrals plus 50% of the next 2% of deferrals.
• FINANCIAL ADVISORY SERVICES: Proven IT partners with Merrill Lynch to offer financial advisement to all employees. Merrill Lynch financial advisors are available to assist employees at no cost, with their 401k and retirement questions.
• PERMISSIVE TIME OFF POLICY: Proven provides a competitive paid time off policy for all full-time regular employees after a 90-day waiting period. Proven IT empowers their employees to work with their managers and team to coordinate all time off. Managers may impose a limit to requests for time off based on performance and tenure.
• PARENTAL LEAVE: Proven IT offers a generous parental leave policy for new parents. After 24-months of employment, Proven provides full-time regular employees with 90-days of paid Maternity leave and 10-days of paid Paternity leave. Employees with less than 24-months of service may take the same amount of unpaid time off.
• FITNESS CENTER: Proven IT offers a free on-site fitness center at the Tinley Park headquarters office location to all employees 24/7 Monday through Sunday. Employees utilize the gym equipment at their own risk.