Microsoft 365 Engineer

Perennial Resources International
Philadelphia, PA

NO H1S OR 3RD PARTIES

THIS ROLE WILL BE ONSITE 4-5 DAYS PER WEEK IN PHILADELPHIA.

Fast-paced Managed Services Provider needs a Microsoft 365 Engineer to work on client projects. This is a long-term contract, likely contract-to-hire. Must be willing to handle basic IT support duties when there are no 365 projects on the calendar.

Tenant Architecture — Start New or Reconfigure

• Define tenant structure, domain configuration, admin role hierarchy, and governance framework before any user provisioning begins

• Establish licensing architecture — map E3/E5 tiers and add-on licenses to actual client security and compliance requirements; eliminate waste

• Design and enforce naming conventions, group policy, and organizational unit structure that scales as client environments grow

• Set security baselines aligned to CIS Benchmarks and Microsoft Secure Score; document deviations with business justification

• Conduct architecture reviews of existing tenants; produce gap assessments and remediation roadmaps


Identity Architecture — Entra ID and Hybrid Identity

• Own the identity model end to end: Entra ID (Azure AD) design, hybrid identity with on-premises Active Directory synchronization, SSO configuration, and Privileged Identity Management

• Design Conditional Access policy frameworks — device compliance requirements, location-based controls, session policies, and risk-based authentication

• Architect MFA enforcement strategy including DUO integration and phased rollout across managed and unmanaged device populations

• Configure and govern external identity — guest access policies, B2B collaboration controls, and cross-tenant access settings

• Design RBAC frameworks for client administrative teams; enforce least-privilege across all admin roles


Security Architecture — M365 Defender Suite and Compliance

• Architect and configure Microsoft Defender for Office 365 — anti-phishing policies, safe links, safe attachments, attack simulation training, and threat intelligence integration

• Design and implement Microsoft Purview governance: data classification taxonomy, sensitivity labels, DLP policies, retention schedules, and eDiscovery readiness

• Own email authentication architecture — SPF, DKIM, and DMARC configuration, validation, and ongoing monitoring across client domains

• Configure and maintain Mimecast policy frameworks as a layered security control alongside native M365 defenses

• Lead M365 tenant security audits using tools including Prowler and Microsoft Secure Score; produce findings reports and drive remediation to closure

• Design network perimeter integration — Entra ID connectors to Palo Alto for device-group-based conditional access; coordinate with network engineering team


Migration Architecture — On-Premises to Cloud

• Lead the full architecture of on-premises Exchange to Exchange Online migrations: hybrid coexistence design, namespace planning, migration batching strategy, and cutover sequencing

• Architect SharePoint Online and OneDrive migrations from file servers and on-premises SharePoint; define permission model, site architecture, and external sharing policy before data moves

• Own pre-migration assessment — identify legacy dependencies, archive mailbox complexity, and third-party integration conflicts that affect migration timeline

• Direct migration tooling selection and execution — BitTitan MigrationWiz and equivalent platforms; own quality validation at each phase

• Produce client-facing migration plans, change control documentation, and rollback procedures; own stakeholder communication throughout


Endpoint and Device Architecture

• Design Microsoft Intune enrollment and compliance policy frameworks — Windows, macOS, iOS — aligned to Conditional Access requirements

• Architect application deployment and update management strategy through Intune; integrate with Autopilot for zero-touch provisioning

• Configure Apple Business Manager and Apple Push Notification certificate management for mobile device environments


Practice Leadership and Knowledge Transfer

• Serve as the architectural escalation point for the M365 practice team

• Document architecture decisions, configuration standards, and design patterns in a reusable internal knowledge base

• Mentor mid-level M365 engineers on security architecture, platform governance, and design methodology




Required Experience


• 7+ years of Microsoft 365 experience with at least 3 years in an architect or senior design role

• Multiple greenfield M365 tenant builds delivered end-to-end — from initial design through user cutover — in a multi-client environment

• At least 3 completed on-premises Exchange to Exchange Online migrations including hybrid coexistence configuration

• Deep, hands-on expertise with Entra ID, Conditional Access policy design, and hybrid identity architecture

• Demonstrated ownership of M365 security architecture — Defender for Office 365, Purview/Compliance Center, DLP, and sensitivity labeling

• Proficiency in PowerShell for M365 architecture automation, tenant auditing, and reporting

• Experience designing and validating SPF, DKIM, and DMARC configurations across multiple client domains

• Track record of producing architecture documentation — design decisions, gap assessments, remediation roadmaps — that non-technical stakeholders can act on



Preferred Qualifications


• Microsoft Certified: M365 Enterprise Administrator Expert (MS-102)

• Microsoft Certified: Identity and Access Administrator (SC-300)

• Microsoft Certified: Information Protection and Compliance Administrator (SC-400) or Azure Security Engineer (AZ-500)

• Experience with Mimecast policy architecture in conjunction with native M365 security controls

• Familiarity with Lepide, CloudAlly, or equivalent M365 auditing and backup platforms

• Exposure to Microsoft Copilot deployment governance and AI integration policy design

• MSP background with financial services or regulated-industry client base


#PRITechJobs

  • Seniority Level: Mid-Senior level
  • Industry: IT Services and IT Consulting
  • Employment Type: Contract
  • Job Functions: Information Technology
  • Skills: Microsoft 365, Infrastructure, PowerShell, Active Directory, Win
