Senior Microsoft Cloud & Security Engineer

evolvedMD · Scottsdale, AZ
Posted 5d ago · $100,000 - $120,000 · Hybrid

About The Position

The Senior Microsoft Cloud & Security Engineer is a senior-level Microsoft platform owner responsible for the engineering, security hardening, and operational excellence of evolvedMD's Microsoft 365 and Azure environment. This is a hands-on engineering role — not an analyst or coordinator position — requiring deep technical expertise across the full Microsoft cloud stack. The role carries end-to-end ownership of identity and access engineering (Entra ID, Conditional Access, SSO/SAML/OIDC, SCIM), endpoint engineering (Intune, Autopilot, Defender for Endpoint), collaboration platform administration (Exchange Online, Teams, SharePoint, OneDrive), and security engineering within the Microsoft security stack. The position provides Tier 2/3 escalation support for clinicians and staff, and partners closely with the organization's Managed Service Provider (MSP) and Managed Security Service Provider (MSSP) to execute work at scale.

This role reports to the Director of Information Technology and is one of two internal IT employees at evolvedMD. You will operate with a high degree of autonomy and ownership within a lean, high-trust team. The organization's MSP and MSSP provide 24/7 managed coverage, so there is no formal on-call rotation — however, as an exempt employee, you should expect occasional after-hours involvement during incidents or critical change windows.

This role operates within evolvedMD's HITRUST security program, contributing directly to the organization's security posture, compliance obligations, and continuous improvement roadmap. This position is hybrid, with three days a week working at our headquarters in Scottsdale, Arizona, and two days a week working remotely.

Requirements

  • 5+ years of hands-on Microsoft cloud engineering experience in a senior systems administration or cloud engineering role, preferably in healthcare or another regulated industry.
  • Demonstrated ownership of Microsoft 365 tenant administration: configuration, governance, security hardening, and continuous optimization at scale.
  • Deep expertise in Microsoft Entra ID: Conditional Access, MFA, identity protection, PIM/RBAC, group-based access, break-glass patterns, and least-privilege design.
  • Advanced Intune endpoint engineering: enrollment, compliance policies, configuration profiles, security baselines, application deployment, update rings, and Autopilot provisioning.
  • Senior administration experience across Exchange Online, Teams, SharePoint, and OneDrive with a security-first lens.
  • SSO engineering experience: build and deploy integrations using SAML and/or OAuth/OIDC; implement SCIM provisioning; troubleshoot federation, claims, and token issues.
  • Hands-on Microsoft Defender for Endpoint experience: policy configuration, investigation, containment, and operational tuning.
  • Security operations experience with Microsoft Sentinel or a comparable SIEM (Splunk, QRadar, LogRhythm): log ingestion, analytics rules, investigation workflows, and incident response.
  • Strong operational discipline: change management (CAB), root cause analysis, configuration documentation, and runbook authorship.
  • PowerShell scripting proficiency for M365, Entra ID, and Intune administration — able to write, maintain, and operationalize scripts for user lifecycle automation, compliance reporting, and bulk configuration tasks.
  • Microsoft Graph API experience: querying and automating tenant operations (identity, device, policy, reporting) via Graph; ability to build and maintain Graph-based automation workflows using PowerShell or Power Automate.
  • Familiarity with HIPAA technical safeguards and experience supporting audit readiness and evidence collection in a compliance framework (HITRUST CSF, NIST CSF 2.0, ISO 27001, or comparable).

Nice To Haves

  • Microsoft Copilot for Security: hands-on experience using AI-assisted investigation, threat summarization, incident triage, and guided response within the Microsoft security stack.
  • Microsoft 365 Copilot administration and governance: understanding of Copilot data residency, privacy controls, sensitivity label integration, and tenant-level configuration to enable AI features responsibly in a regulated environment.
  • AI-assisted automation and engineering: demonstrated use of AI tools (GitHub Copilot, Claude, ChatGPT, or comparable) to accelerate scripting, runbook authorship, Graph API development, and operational workflow design.
  • Azure security architecture: RBAC design, Managed Identities, Private Endpoints, and secure PaaS configuration.
  • Microsoft Purview and/or DLP/DSPM experience for data governance, classification, labeling, and compliance reporting.

Responsibilities

Identity & Access Engineering

  • Architect and administer the Microsoft Entra ID tenant: Conditional Access policies, MFA enforcement, identity protection, PIM/RBAC design, group-based access, break-glass patterns, and least-privilege governance.
  • Build and maintain SSO integrations for SaaS applications using SAML and OAuth/OIDC; implement SCIM provisioning where supported; own federation troubleshooting, claims mapping, and token diagnostics.
  • Own the identity lifecycle (joiner/mover/leaver) workflows, access governance patterns, privileged access controls, and role hygiene across the tenant.
  • Engineer and document identity standards, runbooks, and integration procedures to support repeatable, auditable operations.

Endpoint Engineering

  • Own Intune endpoint engineering: enrollment standards, compliance policy design, configuration profiles, security baselines, application deployment rings, and update management.
  • Build and maintain Windows Autopilot provisioning profiles and pre-provisioning workflows; ensure device standards meet security posture requirements.
  • Configure, tune, and operationalize Microsoft Defender for Endpoint: policy configuration, investigation workflows, containment actions, and ongoing posture optimization.
  • Maintain endpoint compliance reporting and drive remediation of non-compliant devices in coordination with the MSP.

Collaboration Platform Administration

  • Administer Exchange Online with a focus on mail flow, transport rules, anti-phishing/anti-spam tuning, and delivery reliability.
  • Manage Teams governance: meeting policies, external/guest access controls, channels, and org-wide settings.
  • Administer SharePoint and OneDrive: sharing governance, permissions architecture, lifecycle management, and secure collaboration standards.
  • Enforce DLP, retention, and sensitivity labeling policies across the M365 collaboration surface in coordination with compliance requirements.

Security Engineering & Operations Support

  • Operate Microsoft Sentinel: support log ingestion and connector health, tune analytics/detection rules, perform alert investigation and threat hunting, and maintain/improve playbooks.
  • Coordinate vulnerability assessment findings and remediation tracking across endpoints, identities, and cloud configurations; partner with the MSSP as appropriate.
  • Own security documentation and compliance evidence as a first-class responsibility: maintain control narratives, produce audit-ready evidence artifacts, and support HITRUST r2 assessment activities including evidence collection, control mapping, and assessor inquiries. This is not a supporting role in compliance — you will be a primary contributor.
  • Participate in change management (CAB) by authoring change records, risk assessments, validation steps, and rollback plans.
  • Support incident response coordination with the MSSP; execute containment and remediation actions and ensure lessons learned are captured.

Tier 2/3 Support & Engineering Escalations

  • Provide Tier 2/3 technical support for clinicians and staff, ensuring rapid resolution and minimal disruption to patient care workflows.
  • Troubleshoot complex Microsoft 365 and endpoint issues: Teams collaboration, Exchange mail flow, SharePoint permissions, Entra sign-in failures, SSO/provisioning errors.
  • Develop, own, and continuously maintain a complete library of technical runbooks, SOPs, and KB articles covering all systems and processes you are responsible for. Documentation is not optional or aspirational here — it is a core job expectation and a direct contributor to organizational resilience. If it is not documented, it does not exist.
  • Define and refine ITSM workflows (incident, request, change, knowledge, problem) and train Service Desk personnel when new processes or technologies are introduced.
  • Coordinate with partner clinics, third-party vendors, and the MSP/MSSP to resolve application, SSO, and integration issues.

Benefits

  • First-year compensation $100,000 - $120,000 annually (DOE)
  • Bonuses driven by self-care, professional development, and individual KPIs
  • $1,200 annual technology allowance
  • 401(k) company match up to 3%
  • Competitive Benefits – We offer competitive benefits including medical, dental, vision, EAP, life insurance, voluntary short-term, and employer-paid long-term disability.
  • Generous PTO which includes 80 hours of vacation, 40 hours of sick leave, seven holidays, PLUS Winter Break (the last week of December).
  • For those in the military reserves we offer 80 hours of paid military leave, and after one year of employment we offer 80 hours of Parental Leave for each birth/adoption.