Microsoft 365 Engineer

Location: On Site in our Jacksonville, FL Headquarters

Reports To: IT Infrastructure Manager / Director of IT

Experience: 7+ years professional IT; 5+ years hands-on with Microsoft 365/Entra /Intune in enterprise settings

Position Summary

The Microsoft 365 Engineer is the primary administrator and service owner for our Microsoft cloud stack. You will design, deploy, secure, and operate Microsoft 365 (Exchange Online, SharePoint, One Drive, Teams), Intune/Endpoint Manager, and Entra  (Azure AD) with strong emphasis on Conditional Access, MFA, device compliance, and identity governance. You'll partner with infrastructure/networking (Cisco ASAv, Meraki), datacenter, and applications teams to deliver a resilient, compliant, and cost-effective service.

What You'll Own (Core Responsibilities):

Tenant Architecture & Identity (Entra )

• Design and run the target Microsoft 365 tenant (greenfield or separated), including domain and DNS cutover, directory topology, and identity lifecycle.
• Implement Conditional Access (per-user/per-app/per-device), MFA, Named Locations (including VPN egress IPs and HQ/DC public ranges), risk-based policies, and break-glass controls.
• Deploy and maintain Entra Connect (Cloud Sync/AAD Connect) as needed; plan for hybrid to cloud-only identity transitions where appropriate.
• Stand up PIM (Privileged Identity Management), access reviews, entitlement management, and least-privilege admin RBAC across workloads.
• Govern B2B/B2C/guest access and external collaboration settings with clear guardrails.

Endpoint Management with Intune (Windows/iOS/Android/macOS)

• Lead Intune architecture: device compliance, configuration profiles, security baselines, Bit Locker escrow, WUfB/feature update rings, Autopatch (where applicable), and Autopilot provisioning.
• Build a scalable application packaging program (Win
  32, LOB, MSIX), pilot rings, rollback plans, and secure app protection policies (MAM).
• Migrate GPOs to Intune policy equivalents; rationalize legacy builds and drive modern management adoption.
• Establish gold images/profiles, device naming, asset tagging, and lifecycle processes.

Collaboration & Data Protection (Exchange/Teams/SharePoint/One Drive + Purview)

• Plan and execute cross-tenant migrations (mailboxes, Teams, SharePoint sites, One Drive) with coexistence strategies (free/busy, guest access, shared channels).
• Implement Microsoft Purview: sensitivity labels, DLP, retention/records, insider risk (as needed), and eDiscovery (Standard/Premium) processes.
• Define Teams/SharePoint information architecture and governance (naming, lifecycle, external sharing, sprawl control).

Threat Protection & Operations (Defender XDR + Sentinel optional)

• Operate and tune Microsoft Defender XDR (Endpoint/Identity/Office/Cloud Apps) and leverage Advanced Hunting (KQL) for detection/response.
• Integrate with SIEM (Microsoft Sentinel or existing), define alert routing/runbooks, and lead incident response for Microsoft 365 scope.
• Build dashboards/SLOs for patch compliance, device posture, CA/MFA effectiveness, and threat metrics.

Integration & Network Awareness (Coordinate with ASA/Meraki/Datacenter)

• Coordinate with network teams on VPN/IP allowlists, Named Locations, split-tunnel considerations, and service endpoints impacting Conditional Access and Microsoft 365 reliability.
• Support secure connectivity models across HQ, Datacenter, and new racks; ensure cloud posture reflects changing ISP/public IPs and DMZ patterns.
• Align Autopilot/Intune content delivery with network design to avoid hairpinning and optimize end-user experience.

Automation, Cost & Governance

• Automate admin at scale with Power Shell and Microsoft Graph API (configuration-as-code for Intune/M365 where feasible).
• Optimize licensing (E3/E5 add-ons), storage, and service plans for cost control and best value.
• Author SOPs/runbooks, DR/BCP playbooks, and admin guardrails; train IT and power users.

Qualifications & Experience

• 7+ years progressive IT experience; 5+ years hands-on administering Microsoft 365/Entra /Intune at scale (1,000+ endpoints preferred).
• Expert in Intune/Endpoint Manager (Windows 10/11, iOS/Android; macOS nice-to-have), Autopilot, Bit Locker, baselines, compliance & update rings.
• Deep Conditional Access/MFA design experience; practical PIM/RBAC and least-privilege patterns.
• Proven cross-tenant migration experience (Exchange Online, Teams, SharePoint/One Drive), coexistence, domain/DNS cutovers.
• Strong Power Shell and Graph API skills; configuration drift detection and automation.
• Hands-on with Defender XDR (onboarding, policies, Advanced Hunting/KQL) and Purview (DLP, labels, retention).
• Understanding of network dependencies for Microsoft 365 (VPN egress, Named Locations, split tunnel, egress IP stability) and ability to collaborate with ASA/Meraki teams.
• Security-first mindset; familiarity with Zero Trust, CIS Benchmarks, NIST CSF, and audit-ready documentation.

Preferred

• Microsoft certifications: MS-100, MS-101, MD-102, SC-300, SC-200, AZ-104 (or equivalent experience).
• Experience…