Microsoft 365 Engineer

DUOS TECHNOLOGY INC AND SUBSIDIARIES
Full-time
On-site
Jacksonville, Florida, United States
$115,000 - $130,000 USD yearly

Job Details

Job Location:    Jacksonville, FL
Education Level:    Not Specified
Salary Range:    $115000.00 - $130000.00 Salary/year
Travel Percentage:    Negligible

Location: On Site in our Jacksonville, FL Headquarters

Reports To: IT Infrastructure Manager / Director of IT

Experience: 7+ years professional IT; 5+ years hands‑on with Microsoft 365/Entra ID/Intune in enterprise settings

Position Summary

The Microsoft 365 Engineer is the primary administrator and service owner for our Microsoft cloud stack. You will design, deploy, secure, and operate Microsoft 365 (Exchange Online, SharePoint, OneDrive, Teams), Intune/Endpoint Manager, and Entra ID (Azure AD) with strong emphasis on Conditional Access, MFA, device compliance, and identity governance. You’ll partner with infrastructure/networking (Cisco ASAv, Meraki), datacenter, and applications teams to deliver a resilient, compliant, and cost‑effective service.

What You’ll Own (Core Responsibilities)

Tenant Architecture & Identity (Entra ID)

  • Design and run the target Microsoft 365 tenant (greenfield or separated), including domain and DNS cutover, directory topology, and identity lifecycle.
  • Implement Conditional Access (per‑user/per‑app/per‑device), MFA, Named Locations (including VPN egress IPs and HQ/DC public ranges), risk‑based policies, and break‑glass controls.
  • Deploy and maintain Entra Connect (Cloud Sync/AAD Connect) as needed; plan for hybrid to cloud‑only identity transitions where appropriate.
  • Stand up PIM (Privileged Identity Management), access reviews, entitlement management, and least‑privilege admin RBAC across workloads.
  • Govern B2B/B2C/guest access and external collaboration settings with clear guardrails.

Endpoint Management with Intune (Windows/iOS/Android/macOS)

  • Lead Intune architecture: device compliance, configuration profiles, security baselines, BitLocker escrow, WUfB/feature update rings, Autopatch (where applicable), and Autopilot provisioning.
  • Build a scalable application packaging program (Win32, LOB, MSIX), pilot rings, rollback plans, and secure app protection policies (MAM).
  • Migrate GPOs to Intune policy equivalents; rationalize legacy builds and drive modern management adoption.
  • Establish gold images/profiles, device naming, asset tagging, and lifecycle processes.

Collaboration & Data Protection (Exchange/Teams/SharePoint/OneDrive + Purview)

  • Plan and execute cross‑tenant migrations (mailboxes, Teams, SharePoint sites, OneDrive) with coexistence strategies (free/busy, guest access, shared channels).
  • Implement Microsoft Purview: sensitivity labels, DLP, retention/records, insider risk (as needed), and eDiscovery (Standard/Premium) processes.
  • Define Teams/SharePoint information architecture and governance (naming, lifecycle, external sharing, sprawl control).

Threat Protection & Operations (Defender XDR + Sentinel optional)

  • Operate and tune Microsoft Defender XDR (Endpoint/Identity/Office/Cloud Apps) and leverage Advanced Hunting (KQL) for detection/response.
  • Integrate with SIEM (Microsoft Sentinel or existing), define alert routing/runbooks, and lead incident response for Microsoft 365 scope.
  • Build dashboards/SLOs for patch compliance, device posture, CA/MFA effectiveness, and threat metrics.

Integration & Network Awareness (Coordinate with ASA/Meraki/Datacenter)

  • Coordinate with network teams on VPN/IP allowlists, Named Locations, split‑tunnel considerations, and service endpoints impacting Conditional Access and Microsoft 365 reliability.
  • Support secure connectivity models across HQ, Datacenter, and new racks; ensure cloud posture reflects changing ISP/public IPs and DMZ patterns.
  • Align Autopilot/Intune content delivery with network design to avoid hairpinning and optimize end‑user experience.

Automation, Cost & Governance

  • Automate admin at scale with PowerShell and Microsoft Graph API (configuration‑as‑code for Intune/M365 where feasible).
  • Optimize licensing (E3/E5 add‑ons), storage, and service plans for cost control and best value.
  • Author SOPs/runbooks, DR/BCP playbooks, and admin guardrails; train IT and power users.

Qualifications


Qualifications & Experience

  • 7+ years progressive IT experience; 5+ years hands‑on administering Microsoft 365/Entra ID/Intune at scale (1,000+ endpoints preferred).
  • Expert in Intune/Endpoint Manager (Windows 10/11, iOS/Android; macOS nice‑to‑have), Autopilot, BitLocker, baselines, compliance & update rings.
  • Deep Conditional Access/MFA design experience; practical PIM/RBAC and least‑privilege patterns.
  • Proven cross‑tenant migration experience (Exchange Online, Teams, SharePoint/OneDrive), coexistence, domain/DNS cutovers.
  • Strong PowerShell and Graph API skills; configuration drift detection and automation.
  • Hands‑on with Defender XDR (onboarding, policies, Advanced Hunting/KQL) and Purview (DLP, labels, retention).
  • Understanding of network dependencies for Microsoft 365 (VPN egress, Named Locations, split tunnel, egress IP stability) and ability to collaborate with ASA/Meraki teams.
  • Security‑first mindset; familiarity with Zero Trust, CIS Benchmarks, NIST CSF, and audit‑ready documentation.

Preferred

  • Microsoft certifications: MS‑100, MS‑101, MD‑102, SC‑300, SC‑200, AZ‑104 (or equivalent experience).
  • Experience with Entra ID Governance, access reviews, entitlement management.
  • KQL proficiency; Sentinel or other SIEM integration.
  • Intune/macOS management; packaging (IntuneWin/MSIX), and app modernization.
  • Experience collaborating around Cisco ASAv, Meraki MX, and datacenter changes that affect CA/Named Locations.
  • Prior work on merger/separation/tenant carve‑out programs with staged migration waves.
  • Infrastructure‑as‑Code mindset for M365/Intune (“config as code”).

Work Conditions

  • Occasional after‑hours windows for cutovers/security changes.
  • Ability to join an on‑call rotation for P1/P2 incidents related to Microsoft 365/Intune.
