Apply
Description
Client First Technologies currently is seeking a Senior Enterprise Security Engineer in support of our government customer. The Senior Enterprise Security Engineer will provide enterprise security engineering and operational support for a large enterprise’s Microsoft 365 environment and integrated identity, endpoint, and messaging services. This role focuses on designing, implementing, and sustaining security controls; supporting incident response and compliance activities; and partnering with Microsoft 365 engineering and service desk teams to reduce risk while maintaining mission operations.
This is a full-time, remote position. CFT offers a full benefits package, a collaborative work environment and a strong company culture. Veterans and military spouses are encouraged to apply.
Responsibilities
Engineer, implement, and maintain Microsoft 365 security configurations and governance across core workloads (Exchange Online, Teams, SharePoint Online, OneDrive) with an emphasis on risk reduction and compliance
Administer and tune security controls in Entra ID (Azure AD) including Conditional Access, MFA/Authentication Methods, Identity Protection, privileged access practices, and access reviews; coordinate with identity engineering teams when on-prem AD authority impacts changes
Design master Conditional Access rules to enforce Multi-Factor Authentication (MFA), block legacy authentication, and deny access from risky locations or unmanaged devices
Create dynamic membership rules to automatically add or remove users from security groups based on HR attributes
Maintain strict separation of duties between security groups used for application access and M365 groups used for collaboration
Support Microsoft Purview security and compliance features relevant to the environment, including auditing, retention/holds support, sensitivity labeling/AIP-related configurations, and assisting with eDiscovery and data collection security requirements (access controls, logging, defensible handling)
Support email and information protection troubleshooting for encrypted content scenarios (AIP/RMS/S/MIME), coordinating with messaging and eDiscovery staff for complex decryption, access, and review enablement needs
Operate and enhance security monitoring/alert response processes: validate alerts, conduct technical triage, analyze logs and audit records, recommend containment/remediation actions, and document findings for incident response workflows
Harden tenant security posture by applying secure configuration baselines, evaluating new M365 security capabilities, and recommending improvements to reduce attack surface and misconfiguration risk
Partner with endpoint and PKI security resources as needed to align M365 security controls with enterprise endpoint, certificate, and trust requirements; support cross-domain troubleshooting and remediation
Develop and maintain security runbooks, SOPs, and knowledge articles; provide technical mentoring to mid-level engineers and service desk staff on secure operational practices and common security issues
Support change/control processes by preparing technical implementation plans, risk assessments, validation steps, and rollback approaches for security-impacting changes; participate in change reviews as required
Provide clear, audit-ready documentation for security actions taken, including configuration changes, investigations, evidence collection, and control validation results; support periodic reporting and metrics as required
Requirements
Qualifications
Bachelor’s degree in Cybersecurity, Information Technology, or related field (or equivalent professional experience)
Minimum of eight (8) years of enterprise security engineering experience, including direct hands-on administration of Microsoft 365 / Entra ID security capabilities
Strong working knowledge of M365 security and compliance concepts (tenant hardening, identity security, group policy, information protection, auditing, retention, and defensible data handling)
Experience implementing and supporting identity security controls (Conditional Access, MFA, privileged access practices) in hybrid enterprise environments
Experience investigating security incidents and performing log/audit analysis; ability to document findings and recommend remediation actions
Proficiency with PowerShell (with Microsoft Graph) for administration, reporting, and troubleshooting in M365/Entra ID environments
Experience working in regulated environments with strict security, privacy, and change management requirements
Ability to communicate effectively with technical teams and non-technical stakeholders (operations, compliance, legal) and produce clear technical documentation
Experience with Microsoft Defender (for M365, Endpoint, Identity, and/or Cloud Apps) in an enterprise environment
Experience with Microsoft Purview (Information Protection, DLP, eDiscovery, Audit) and operational support of compliance workflows
Familiarity with PKI concepts and certificate-based authentication and troubleshooting in enterprise environments
Relevant certifications preferred (e.g., SC-200, SC-300, SC-400, AZ-500, CISSP, or equivalent)
Physical Demands
Must be able to sit and stand for extended periods of time
Occasional travel and overtime may be required
Required Clearances and Screenings
This position is subject to a government background investigation and must meet eligibility for a position designated with Moderate Risk sensitivity
Candidates with current Veterans Affairs (VA) Tier 2/Moderate Background Investigation or equivalent (e.g., DoD Tier 3/NACLC, Active Secret) are preferred