M365 Identity, Security & Compliance Architect

M365 Identity, Security & Compliance Architect (Architecture & Deployment)

The Microsoft 365 Security & Compliance Architect is a senior, hands-on technical role responsible for architecting, designing, and deploying Microsoft security and compliance solutions across customer environments. This role is accountable for taking engagements from discovery and presales through implementation and operational readiness, not just producing designs. The Architect serves as both:

• The technical authority during presales and solution definition, and
• The hands-on lead during deployment, configuration, and validation of Microsoft 365 security and compliance controls.

This role operates in a consulting environment and requires comfort switching between customer-facing advisory work and deep technical execution.

Core Responsibilities

Presales, Discovery & Solution Definition

• Lead security and compliance discovery workshops and technical assessments.
• Translate business drivers, risk tolerance, and regulatory requirements into deployable Microsoft architectures, not theoretical designs.
• Support Sales and Presales by:

• Defining scope and assumptions
• Identifying technical risks and dependencies
• Contributing directly to SOWs, implementation plans, and phased roadmaps

• Clearly articulate what will be configured, how, and why in customer-facing documentation.

Architecture & Design (Practical, Deployable Designs)

• Design end-to-end Microsoft 365 security and compliance solutions aligned to:

• Zero Trust principles
• Microsoft best practices
• Customer operational maturity

• Produce architecture and design artifacts that are intended to be implemented, including:
  • Identity and access models
  • Endpoint security baselines
  • Data protection and DLP strategies
  • Threat protection and incident response workflows
• Define phased deployment approaches that balance speed, risk, and organizational readiness.

Hands-On Deployment & Configuration

The Architect is expected to personally deploy and configure solutions:

Identity & Access

• Implement and tune Microsoft Entra ID configurations:

• Conditional Access policies
• MFA and passwordless authentication (WHfB, Passkey/FIDO2, TAP)
• Single Sign-On (OIDC/SAML)
• Identity Protection policies
• Privileged Identity Management (PIM)
• Lifecycle Workflows for joiner/mover/leaver scenarios

• Configure hybrid identity integrations where required.

Identity Governance

• Deploy and operationalize Microsoft Entra ID Governance capabilities:

• Entitlement Management – access packages, catalogs, and connected organizations for external/B2B access
• Access Reviews for groups, applications, and privileged roles
• Lifecycle Workflows automating joiner / mover / leaver processes
• Separation of duties and access certification controls
• Terms of Use policies and approval/governance workflows
• Experience migrating from SailPoint to Entra ID Governance is highly desirable.

Endpoint & Device Security

• Onboard and operationalize Microsoft Defender for Endpoint:

• Attack surface reduction rules
• Device groups and policy targeting
• Integration with Defender XDR

Threat Protection & XDR

• Deploy and configure Microsoft Defender XDR, including:

• Defender for Office 365
• Defender for Identity
• Defender for Cloud Apps

• Validate telemetry, alerts, and investigation workflows.
• Ensure integrations across Defender components function as designed.

Information Protection & Compliance

• Implement Microsoft Purview capabilities:

• Sensitivity labels and label policies
• Data Loss Prevention (Endpoint, M365, Cloud Apps)
• Data lifecycle and retention policies

Validation, Handoff & Enablement

• Validate deployed configurations against design intent.
• Perform policy testing and non-disruptive validation where required.
• Deliver operational handoff documentation and knowledge transfer.
• Advise customers on ongoing tuning, operational ownership, and future roadmap phases.

Required Technical Skills & Experience

Microsoft Security & Compliance (Hands-On)

• Microsoft Entra ID – advanced configuration experience
• Microsoft Entra ID Governance – hands-on experience with entitlement management, access reviews, and lifecycle workflows
• Microsoft Defender XDR – cross-solution deployment and integration
• Microsoft Purview – real-world labeling, DLP, and retention deployments

Architecture & Consulting Skills

• Ability to design solutions that are deployable in real customer tenants
• Strong documentation skills for:

• Architecture diagrams
• Design documents
• Implementation guides

• Comfortable leading customer discussions while also executing technical work.

Experience & Background

• 7+ years in security, identity, or Microsoft cloud roles
• 3+ years delivering Microsoft 365 security solutions end-to-end
• Experience in consulting, MSP, or professional services environments
• Proven ability to own projects from discovery through deployment
• Hands-on experience designing and deploying identity governance controls (access reviews, entitlement management, access certification)

Certifications (Preferred)

• Microsoft Certified: Security Solutions Architect Expert (SC‐100)
• Microsoft Certified: Identity and Access Administrator (SC‐300)
• Microsoft Certified: Information Protection Administrator (SC‐400)
• CISSP / CCSP (nice-to-have, not required)

What This Role Is Not

• Not a whiteboard-only or advisory-only architect
• Not a ticket-driven operations role
• Not a junior engineering position

What Success Looks Like

• Architected solutions are successfully deployed, not shelved
• SOWs accurately reflect technical reality
• Customers trust you to both design and build
• Security controls work as intended and survive real-world usage
• Engagements scale into repeatable service offerings