Microsoft 365 Engineer

PRI Technology
New York, United States of America
7 days ago

Role details

Contract type
Permanent contract
Employment type
Full-time (> 32 hours)
Working hours
Regular working hours
Languages
English
Experience level
Intermediate
Compensation
$ 146K

Job location

New York, United States of America

Tech stack

Microsoft Access
Microsoft Windows
Microsoft Active Directory
Apple Push Notification Service
iOS
Apple Mac Systems
Application Integration Architecture
Azure
Cloud Computing
Computer Security
Data Security
Software Design Patterns
Digital Architecture
DomainKeys Identified Mail
Domain-Based Message Authentication Reporting and Conformance (DMARC)
File Server
Identity and Access Management
Microsoft Office
Network Planning and Design
PowerShell
Role-Based Access Control
Phishing
SharePoint
Software Deployment
User Provisioning Software
Data Classification
Microsoft Power Automate
Microsoft Intune
Sender Policy Framework (SPF)
Deployment Automation
CIS Benchmarks

Job description

Fast-paced Managed Services Provider needs a Microsoft 365 Engineer to work on client projects. This is a long-term contract, likely contract-to-hire. Must be willing to handle basic IT support duties when there are no 365 projects on the calendar.

Tenant Architecture - Start New or Reconfigure

  • Define tenant structure, domain configuration, admin role hierarchy, and governance framework before any user provisioning begins

  • Establish licensing architecture - map E3/E5 tiers and add-on licenses to actual client security and compliance requirements; eliminate waste

  • Design and enforce naming conventions, group policy, and organizational unit structure that scales as client environments grow

  • Set security baselines aligned to CIS Benchmarks and Microsoft Secure Score; document deviations with business justification

  • Conduct architecture reviews of existing tenants; produce gap assessments and remediation roadmaps

Identity Architecture - Entra ID and Hybrid Identity

  • Own the identity model end to end: Entra ID (Azure AD) design, hybrid identity with on-premises Active Directory synchronization, SSO configuration, and Privileged Identity Management

  • Design Conditional Access policy frameworks - device compliance requirements, location-based controls, session policies, and risk-based authentication

  • Architect MFA enforcement strategy including DUO integration and phased rollout across managed and unmanaged device populations

  • Configure and govern external identity - guest access policies, B2B collaboration controls, and cross-tenant access settings

  • Design RBAC frameworks for client administrative teams; enforce least-privilege across all admin roles

Security Architecture - M365 Defender Suite and Compliance

  • Architect and configure Microsoft Defender for Office 365 - anti-phishing policies, safe links, safe attachments, attack simulation training, and threat intelligence integration

  • Design and implement Microsoft Purview governance: data classification taxonomy, sensitivity labels, DLP policies, retention schedules, and eDiscovery readiness

  • Own email authentication architecture - SPF, DKIM, and DMARC configuration, validation, and ongoing monitoring across client domains

  • Configure and maintain Mimecast policy frameworks as a layered security control alongside native M365 defenses

  • Lead M365 tenant security audits using tools including Prowler and Microsoft Secure Score; produce findings reports and drive remediation to closure

  • Design network perimeter integration - Entra ID connectors to Palo Alto for device-group-based conditional access; coordinate with network engineering team

Migration Architecture - On-Premises to Cloud

  • Lead the full architecture of on-premises Exchange to Exchange Online migrations: hybrid coexistence design, namespace planning, migration batching strategy, and cutover sequencing

  • Architect SharePoint Online and OneDrive migrations from file servers and on-premises SharePoint; define permission model, site architecture, and external sharing policy before data moves

  • Own pre-migration assessment - identify legacy dependencies, archive mailbox complexity, and third-party integration conflicts that affect migration timeline

  • Direct migration tooling selection and execution - BitTitan MigrationWiz and equivalent platforms; own quality validation at each phase

  • Produce client-facing migration plans, change control documentation, and rollback procedures; own stakeholder communication throughout

Endpoint and Device Architecture

  • Design Microsoft Intune enrollment and compliance policy frameworks - Windows, macOS, iOS - aligned to Conditional Access requirements

  • Architect application deployment and update management strategy through Intune; integrate with Autopilot for zero-touch provisioning

  • Configure Apple Business Manager and Apple Push Notification certificate management for mobile device environments

Practice Leadership and Knowledge Transfer

  • Serve as the architectural escalation point for the M365 practice team

  • Document architecture decisions, configuration standards, and design patterns in a reusable internal knowledge base

  • Mentor mid-level M365 engineers on security architecture, platform governance, and design methodology

Requirements

  • 7+ years of Microsoft 365 experience with at least 3 years in an architect or senior design role

  • Multiple greenfield M365 tenant builds delivered end-to-end - from initial design through user cutover - in a multi-client environment

  • At least 3 completed on-premises Exchange to Exchange Online migrations including hybrid coexistence configuration

  • Deep, hands-on expertise with Entra ID, Conditional Access policy design, and hybrid identity architecture

  • Demonstrated ownership of M365 security architecture - Defender for Office 365, Purview/Compliance Center, DLP, and sensitivity labeling

  • Proficiency in PowerShell for M365 architecture automation, tenant auditing, and reporting

  • Experience designing and validating SPF, DKIM, and DMARC configurations across multiple client domains

  • Track record of producing architecture documentation - design decisions, gap assessments, remediation roadmaps - that non-technical stakeholders can act on

Preferred Qualifications

  • Microsoft Certified: M365 Enterprise Administrator Expert (MS-102)

  • Microsoft Certified: Identity and Access Administrator (SC-300)

  • Microsoft Certified: Information Protection and Compliance Administrator (SC-400) or Azure Security Engineer (AZ-500)

  • Experience with Mimecast policy architecture in conjunction with native M365 security controls

  • Familiarity with Lepide, CloudAlly, or equivalent M365 auditing and backup platforms

  • Exposure to Microsoft Copilot deployment governance and AI integration policy design

  • MSP background with financial services or regulated-industry client base

Benefits & conditions

$60 - $70 an hour - Full-time, Contract
