Senior Azure & M365 Platform Engineer (Hybrid)

Purpose
The Senior Azure & M365 Platform Engineer plans, designs, implements, and operates identity, access, and endpoint services across Teichert's hybrid Active Directory / Entra ID environment. This senior role leads SSO, MFA, and MDM initiatives, serves as the senior technical authority on Azure and Microsoft 365 platforms, and partners with security, networking, and end-user computing teams. The position combines hands-on architecture and administration with project delivery, automation, Tier 3 escalation, and mentorship of junior administrators.
Focus & Scope
Essential duties and responsibilities, i.e. those which are basic, necessary, and an integral part of the job, are indicated below:

1. Architects and administers on-premises Active Directory (forests, domains, replication, Group Policy, DNS, DHCP, DFS) integrated with Entra ID via Entra Connect, including password hash sync, pass-through authentication, and seamless SSO; maintains hybrid identity health and remediates replication, sync, and authentication issues across the estate.

1. Implements SSO and MFA across cloud and on-premises applications using Entra ID, AD FS, SAML, OAuth 2.0, and OpenID Connect including Conditional Access policies, authentication strengths, passwordless, and risk-based access controls.

1. Manages identity governance: RBAC, Privileged Identity Management (PIM), just-in-time access, access reviews, and tiered admin models; audits AD and Entra ID against security baselines and remediates findings.

1. Implements MDM with Microsoft Intune for Windows, iOS, Android, and macOS endpoints; enrollment, configuration profiles, compliance policies, app deployment, app protection policies, and endpoint compliance signals feeding Conditional Access; administers Windows Autopilot, co-management with Configuration Manager, Windows Update for Business, and BitLocker key escrow.

1. Administers Azure infrastructure (VMs, VNets, NSGs, storage, hybrid connectivity via ExpressRoute/VPN/Azure Arc) and governance (management groups, subscriptions, RBAC, Azure Policy, Key Vault, Azure Monitor/Log Analytics, cost and tagging); builds and maintains infrastructure as code with Bicep, ARM, or Terraform and CI/CD pipelines in Azure DevOps or GitHub Actions; maintains Windows Server roles (domain controllers, AD CS/PKI) and Windows endpoint baselines via Group Policy and Intune aligned to CIS Benchmarks and NIST 800-171.

1. Builds identity lifecycle automation across AD, Entra ID, Microsoft 365, and downstream apps; HRIS-driven joiner/mover/leaver (JML) workflows via PowerShell, Microsoft Graph, Entra ID lifecycle workflows, and SCIM; automates license assignment, group/Teams membership, mailbox and OneDrive provisioning, and role/department/location-based entitlements; executes secure offboarding (access revocation, session termination, MFA removal, mailbox conversion/retention, data preservation) and partners with HR, Security, and app owners on source-of-truth integrations and lifecycle audit readiness.

1. Develops PowerShell, Microsoft Graph, and Azure CLI automation across AD, Entra ID, Intune, Azure, and Microsoft 365; manages source control, code reviews, and pipeline-based release of configuration and policy artifacts; builds runbooks and self-service tooling that reduce toil and improve change quality.

1. Leads infrastructure projects including SSO rollouts, MFA deployments, MDM enrollments, tenant migrations, and SharePoint/Teams migrations (Sharegate preferred); produces architectural diagrams, design documents, runbooks, and standard operating procedures.

1. Acts as Tier 3 escalation for Azure, Microsoft 365, identity, and endpoint incidents and serves as subject matter expert on related change and problem records; mentors junior administrators and partners with the service desk to improve L1/L2 resolution.

1. Administers Microsoft 365 services (Exchange Online, SharePoint Online, OneDrive, Teams) for availability, performance, and adoption including Teams provisioning and lifecycle governance, meeting/messaging policies, third-party and LOB app management, and guest/external access; monitors M365 service health and usage analytics to drive adoption, optimize licensing, and communicate status to stakeholders, and manages Power Platform governance (environment management, DLP connector policies, and Power Automate oversight).

1. Manages the email security stack (Microsoft Defender for Office 365, Proofpoint, SPF/DKIM/DMARC, anti-phishing/anti-spoofing, safe attachments/links, and message encryption) and administers Microsoft Purview (DLP, sensitivity labels, retention, litigation hold, and eDiscovery) in support of CIS v8 and NIST 800-171; investigates and remediates email threats and user-reported phishing via Defender and Proofpoint workflows.

Relationships, Qualifications and Requirements, & Competencies
Key Relationships
Reports to:

• IT Director - Operations

Direct reports:

• None

External clients:

• Technology vendors, Microsoft support, third-party software and service providers

Internal clients:

• All business units and divisions of the Teichert Family of Companies and Executive Leadership

Role Qualifications & Requirements
Education:

• Bachelor's degree in Computer Science, Information Technology, or a related field, or an equivalent combination of training, education, and experience.
• Microsoft certifications such as Identity and Access Administrator Associate (SC-300), Endpoint Administrator Associate (MD-102), Microsoft 365 Administrator Expert (MS-102), Azure Administrator Associate (AZ-104), or Azure Solutions Architect Expert (AZ-305) preferred

Experience & Industry Expertise:

• Minimum 10 years of progressive experience administering Azure, Microsoft 365, and Active Directory environments in medium-to-large enterprises.
• Experience in construction, engineering, or industrial industry environment a plus.

Specific Job Requirements:

• Successful completion of pre-employment drug, alcohol, and background investigation.
• Hands-on hybrid AD / Entra ID expertise: Entra Connect, AD FS or modern federation, and hybrid join required.
• Demonstrated experience planning, designing, and implementing SSO, MFA, and Conditional Access in an Entra ID / Microsoft 365 environment required.
• Demonstrated experience planning, designing, and implementing MDM (Microsoft Intune preferred) across Windows and mobile platforms required.
• Strong PowerShell scripting skills for automation across AD, Entra ID, Intune, and Microsoft 365 required.
• Strong working knowledge of Microsoft 365 services (Exchange Online, SharePoint Online, OneDrive, Teams) and their administration in a hybrid environment required.
• Experience administering Microsoft Purview (DLP, sensitivity labels, retention, eDiscovery) and Microsoft Defender for Office 365 required.
• Working knowledge of Group Policy, DNS, DHCP, PKI, and Windows security hardening required.
• Hands-on experience with Azure infrastructure (VMs, networking, storage, hybrid connectivity) and Azure governance (management groups, subscriptions, RBAC, Azure Policy, Key Vault, Azure Monitor/Log Analytics) required.
• Infrastructure as code with Bicep, ARM, or Terraform and CI/CD via Azure DevOps or GitHub Actions required.
• Automation with Microsoft Graph and Azure CLI required.
• Familiarity with security frameworks such as CIS Benchmarks, NIST 800-171, and Zero Trust principles required.
• Experience designing identity lifecycle automation (onboarding, offboarding, role-based provisioning) via PowerShell, Microsoft Graph, and HRIS-driven workflows required.
• Working knowledge of ITIL (Incident, Service Request, Change) with enterprise ITSM tooling such as ServiceNow, Jira Service Management, Cherwell, or BMC Helix required.
• Sharegate experience for SharePoint, Teams, and OneDrive migrations and tenant management preferred.
• Experience with Privileged Access Management (PAM) / Privileged Identity Management (PIM) tooling, Microsoft Defender for Identity, Defender for Endpoint, and Microsoft Sentinel preferred.
• Experience with Proofpoint (PoD, SEG, CASB) and email threat response workflows, working knowledge of email authentication standards (SPF, DKIM, DMARC, BIMI), and networking fundamentals (TCP/IP, DNS, VPN, certificate-based authentication) preferred.
• Excellent troubleshooting and problem-solving skills with the ability to explain technical concepts to non-technical staff.
• Ability to preserve confidential and proprietary information and avoid conflicts of interest.
• Must be able to clearly communicate both verbally and in written form with internal and external customers.

Competencies

• Building Relationships
• Listening
• Planning/Prioritizing
• Initiative
• Dependability
• Judgement/Decision Making
• Learning/Development

Equipment Used, Physical Demands, and Work Environment
Equipment Used:

• General office equipment, telephone, automobile, personal protective equipment (i.e. safety glasses, hearing protection) when visiting plants.

Physical Demands & Work Environment: The physical demands and work environment characteristics are representative of those that must be met by an employee to successfully perform the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.

1. Physical: Sitting for long periods of time working on the computer or attending meetings. Job site visits require walking on uneven ground, steep slopes, and exposure to extreme temperature and/or humidity. Some lifting of materials and equipment up to 50 lbs.

1. Work Environment: Typical office environment with adequate temperatures and lighting, low levels of noise. Demands of meeting tight deadlines. Exposed to the conditions of job sites which can include loud noise, dust, fumes, and extreme weather conditions prevalent at the time. May work various hours, including early mornings, dusk or evenings.

BASE SALARY RANGE:
$137,500.00 - $192,500.00
The range displayed reflects the range the company reasonable expects to pay for the position. The actual base salary is subject to variation due to the role, level, geographic location, relevant education, training, or experience, among other factors.

Employer Disclosure Statement
The above statements and job description is intended to describe the nature and level of work being performed within this job. They are not intended to be an exhaustive list of all responsibilities, duties, and tasks. Other similar or additional duties are performed as assigned.

Equal Opportunity Employer
Teichert and its subsidiaries pride themselves on being an Equal Opportunity Employer. Individuals seeking employment at our company are considered without regards to race, color, religion, sex, national origin, disability status, protected veteran status, or any other characteristic protected by federal, state or local laws.
Applicants with disabilities may be entitled to reasonable accommodation. A reasonable accommodation is a change in the way things are normally done that will ensure an equal employment opportunity without imposing an undue hardship on the company. If you are an applicant with a disability, please inform Robert Maxey (View email address on click.appcast.io) if you need assistance completing any forms or to otherwise participate in the application process.

Notice to Staffing Agencies
Teichert, Inc. and its subsidiaries ("Teichert") will not accept unsolicited resumes from any source other than directly from a candidate. Any unsolicited resumes sent to Teichert, including unsolicited resumes sent to a Teichert mailing address, fax machine or email address, directly to Teichert employees, or to Teichert's resume database will be considered Teichert property. Teichert will NOT pay a fee for any placement resulting from the receipt of an unsolicited resume. Teichert will consider any candidate for whom an Agency has submitted an unsolicited resume to have been referred by the Agency free of any charges or fees. Agencies must obtain advance written approval from Teichert's recruiting function to submit resumes, and then only in conjunction with a valid fully-executed contract for service and in response to a specific job opening. Teichert will not pay a fee to any Agency that does not have such agreement in place. Agency agreements will only be valid if in writing and signed by Teichert's Human Resources Representative or his/ her designee. No other Teichert employee is authorized to bind Teichert to any agreement regarding the placement of candidates by Agencies.