Key Responsibilities

Cloud & Infrastructure Architecture

• Design and maintain a Secure Cloud Architecture for IaaS, PaaS, and SaaS solutions with Microsoft security technologies such as Defender, Sentinel, Purview, Endpoint Management, and Entra ID to protect enterprise and client assets.

• Build and deploy security architecture that enforces Zero Trust principles across M365, tenants, Azure subscriptions, B2C tenants, enterprise virtual systems, landing zones, virtual desktops and devices.

• Establish security controls around DevOps, secrets management, key vaults, and managed identities to secure service to service patterns.

• Architect resilient, scalable, and cost-optimized cloud solutions using Azure best practices and risk-based spending alignment

• This role will own security architecture standards, reference architecture, guardrails, and exception decisions in partnership with the Chief Information Security Officer.

Identity & Access Management

• Establish and enforce hardened identity management for identities including Entra ID, service principles, and workload identities while enforcing least-privilege across environments and mitigating path to privilege.

• Architect identity security using conditional access, MFA, phishing resistant authentication, Privileged Identity Management (PIM), and Zero Trust principles

• Design and integrate Privileged Access Management (PAM) tools in active directory environments which include both Windows and Linux to eliminate the use of interactive service accounts and password handling while providing secure privilege access management practices, automation, and secure service-to-service communications.

• Design and incorporate security best practice for device & endpoint management incorporating identity and access management with internet access restrictions supporting Windows, macOS, iOS, and Android devices.
  

Security & Compliance

• Architect and govern AI platforms and data flows across Azure OpenAI and Microsoft Copilot extensibility, integrating MCP-based systems with enterprise identity, device, and data protection controls to prevent leakage, enforce consent boundaries, and ensure auditability.

• Establish and enforce AI governance controls for MCP endpoints and AI-driven data access, including Entra ID–based authorization, data provenance, policy enforcement, and compliance logging.

• Drive Purview-based data governance including classification strategy, sensitivity labels, DLP enforcement, information barriers, and cross-tenant controls.

Collaboration & Leadership

• Act as a technical authority and advisor to engineering, security, and operations teams

• Translate business requirements into technical cloud solutions

• Produce architecture diagrams, documentation, and standards

• Mentor engineers and elevate team maturity by contributing to cloud best practices and roadmaps, conducting design reviews, building hardened security patterns, and providing coaching to strengthen engineering practices.

Minimum Qualifications:

• Bachelor’s degree in computer science, engineering, or related field.

• 8-10 years of security design, implementation and ownership experience with Microsoft security tooling

• 10+ years of hands-on proficiency in multiple cybersecurity competencies (e.g., network security, systems security, application security, security operations)

• 10+ years’ experience performing security testing or technical controls validation, including documentation of testing methods and results.

• 10+ years’ experience in Azure cloud architecture and security services.

Preferred Qualifications:

• Experience with End User Workstation Security Controls to include MAC, Windows and Virtual Desktops.

• Experience with Microsoft products to include Microsoft Endpoint Manager, Entra, Defender, Sentinel and M365.

• Experience with securing both Azure cloud as well as hybrid cloud environments using the Microsoft security tooling.

• Advance knowledge of Microsoft Defender and Sentinel and proficiency in KQL query language.

• Experience with Microsoft Defender for Cloud to include regulatory compliance dashboard configuration and continuous assessment; integrating Defender for Cloud into CI/CD pipelines and IaC workflows; and practical knowledge of CSPM and CWPP capabilities.

• Experience with Azure Policy, subscription structure, billing account, and management groups

• Proactive awareness of emerging cybersecurity threats and technologies

• Detail oriented with strong verbal and presentation skills.

• Excellent interpersonal, communication, and negotiation skills

• Effective written and oral communication, technical writing, and editing skills

• Security-related certification (i.e., Security+, CISSP, GIAC, etc.)

• Experience with landing zone security baselines and guardrails