Senior IT Engineer - Identity & Access Management


Details

  • Work Location Type:
    Hybrid
  • Office:
  • Type of Employment:
    Full Time Permanent
  • Reference Number:
    TEC2398

About Us

At FDJ UNITED, we don't just follow the game, we reinvent it.

FDJ UNITED is one of Europe’s leading betting and gaming operators, with a vast portfolio of iconic brands and a reputation for technological excellence. With more than 5,000 employees and a presence in around fifteen regulated markets, the Group offers a diversified, responsible range of games, both under exclusive rights and open to competition. We set new standards, proving that entertainment and safety can go hand in hand. Here, you’ll work alongside a team of passionate individuals dedicated to delivering the best and safest entertaining experiences for our customers every day.

We’re looking for bold people who are eager to succeed and ready to level-up the game. If you thrive on innovation, embrace challenges, and want to make a real impact at all levels, FDJ UNITED is your playing field.

Join us in shaping the future of gaming. Are you ready to LEVEL-UP THE GAME?

 

As a Senior IT System Engineer - Identity Specialist, you will be responsible for the strategic ownership, design, and development of our corporate identity solutions using Microsoft Entra. This role requires profound expertise in identity and access management (IAM) principles, and mandates a leadership role in shaping and securing our identity solutions in alignment with our company's Zero-Trust security framework.

Responsibilities:

  • Own a domain as the subject matter expert, staying up to date on new trends and capabilities within the supporting tools and incorporating relevant changes into our Corporate IT roadmap
  • Collaborate with other Corporate IT senior engineers, solution architects, domain experts and Helpdesk staff to test, deploy, communicate and support end user impacting changes into our Corporate IT
  • Coordinate medium to large scale corporate IT projects, defining business requirements, designing technical solutions and coordinating a squad of L2 Engineers for its implementation, testing, global deployment and maintenance
  • Work in autonomy to translate business requirements into technical solutions, leveraging our existing ecosystem and licenses everywhere possible
  • Automate tasks or empower end users with self-service capabilities, in line with our security policies, to reduce maintenance and support overhead across the team
  • Oversee the definition and maintenance of our documentation corpus, both technical and end-user oriented, to facilitate maintenance and troubleshooting tasks.
  • Design, implement and maintain Corporate IT services in the following areas:
    • Identity & Access Management: Manage company identities within Microsoft Entra, encompassing employee identities and service accounts to ensure secure and efficient access control.
    • Conditional Access Policies: Develop and maintain Conditional Access Policies in accordance with Zero-Trust principles, such as enforcing phishing-resistant authentication mechanisms, requiring compliant devices, blocking legacy protocols, etc.
    • Permissions Management: Discover, remediate and monitor permission risks for our corporate identities and resources, including in third-party cloud environments.
    • Privileged Access Management: Implement and maintain PAM and Secrets management solutions, such as providing just-in-time access to critical resources, secure remote access using secure gateways, automated secret rotation, monitoring of privileged sessions, etc.
    • IAM Solutions: Implement and manage the Identity and Access Management solutions within Microsoft Entra. Responsibilities include identity governance (joiner, mover, leaver processes), role mining, access recertification campaigns, and creating Access packages.
    • B2B Security: Define and maintain secure B2B trust relationships with partners, ensuring robust security protocols are in place and adhered to.
    • Workload Identities: Develop and secure Workload identities, tailoring security measures to meet specific operational needs.
    • Modern Authentication Technologies: Maintain modern authentication technologies, such as Windows Hello for Business, Certificate-Based Authentication, and Passwordless phone sign-in.
    • SSO and automated provisioning for Corporate Apps: Integrate and maintain corporate applications in Entra Single Sign-On (SSO) systems, setting up SCIM and ensuring seamless access across platforms according to policies.
  • Ensure that you adhere to the Governance, Risk & Compliance (GRC) obligations for your role.
  • Identify and raise any non-compliance incidents promptly to your line manager.
  • Challenge processes, policies and projects that will negatively impact compliance within the Group.
  • Complete all mandatory compliance training assigned to you.
  • Reach out to the Compliance Teams if unsure of any of your compliance obligations or the requirements are unclear.

 

Desired

  • Extended knowledge in at least one of the following domains in order to support and backup other Senior IT engineers in those respective areas: Endpoint management, Application & Data Management, Infrastructure & Corporate Network.
  • As an "Endpoint" specialist:
    • Endpoint Security Baselines: Define, implement, and maintain security baselines for all company endpoints, including Windows laptops, Macbooks, company iPhones, and Android phones, following industry best practices.
    • Modern Endpoint Login Capabilities: Deploy and maintain modern endpoint login capabilities, such as Windows Hello for Business and Certificate-Based Authentication, both locally and through remote login methods like RDP.
    • EDR Solution Management: Work with the internal SOC to fine-tune our Microsoft Defender EDR solution, leveraging all available hardening capabilities on each platform.
    • Browser Policy Management: Define and implement browser policies that balance usability and security.
    • Local Admin Policies: Implement policies ensuring that high privilege access is managed with just-in-time and just-enough access principles, using Microsoft LAPS and endpoint privilege management tools.
    • Device Management: Define, deploy, and maintain modern device management, configuration, and compliance policies using Microsoft Intune.
    • Patching Management: Define and maintain patching management capabilities for MacOS and Windows, focusing on automation wherever possible.
    • Corporate Apps Deployment: Deploy and maintain up-to-date corporate applications to our Mac and Windows endpoints.
    • Asset Inventory Maintenance: Maintain our asset inventory, recording all corporate IT assets from purchase to decommissioning.
    • Automatic Provisioning: Deploy and maintain automatic provisioning systems to provide an excellent Out of Box experience for employees, leveraging Zero touch and platform-specific capabilities such as Autopilot.
    • Maintaining expertise: Continuously stay up to date on new Intune capabilities and work on implementing Microsoft recommended practices to improve our Secure Score in the Endpoint area.
    • Remote Assistance: Deploy and maintain remote assistance capabilities across our fleet to support Helpdesk staff in assisting employees regardless of their location.
  • As an "Applications & Data management" specialist:
    • Data Lifecycle and Retention Policies: Define, implement, and maintain data labelling and retention policies based on business requirements.
    • Data Protection Templates: Develop and maintain data protection templates aligned with the company's Information Classification policies, tailored to fit main business use cases around data sharing and processing.
    • Data Leakage Prevention (DLP) Policies: Define, implement, and maintain data leakage prevention policies through Microsoft Purview and Defender for Cloud Apps to protect against oversharing and insider risks, whether accidental or adversarial.
    • Email Policies: Maintain email flow rules and security policies to protect against phishing and spam, including maintaining SPF, DKIM, and DMARC rules.
    • Office365 Configuration: Configure Office365 to follow security best practices, embrace new productivity and collaboration features or assist employees in adequately labelling and protecting company data. Oversee the Office suite, Exchange Online and Outlook, Teams IM, collaboration and voice, Power Apps, Automate and Planner, AI, and security management within the Microsoft 365 ecosystem.
    • Automatic Labelling and DLP Remediation Policies: Deploy automatic labelling and DLP resolution policies to reduce the overhead on both employees and corporate IT staff.
  • As an "Infrastructure" specialist:
    • VDI Infrastructure Management: Manage VDI infrastructure for hundreds of employees, ensuring high availability and optimal performance.
    • Security Hardening Policies: Define, deploy, and maintain security hardening policies for Windows and Linux servers, following industry best practices.
    • Windows Server Administration: Deploy and maintain on-premise and Azure-based Windows Server and, occasionally, Linux/Unix systems (CentOS).
    • Zero-Trust Network Access: Deploy zero-trust network access to corporate apps using technologies like Azure Application Proxy.
    • Corporate Services: Maintain corporate services including Radius, cloud, and on-premise Active Directory.
    • PKI: Maintain our Public Key Infrastructure (PKI), supporting user and device certificates for uses such as Certificate-Based Authentication and Network Access Control.
    • Secure Administration Workflows: Deploy and maintain secure administration workflows, leveraging privileged access workstation (PAW), secure protocols (SSH, RDP), and privileged access management (PAM) solutions.
    • Network Access Control (NAC): Maintain and support a Network Access Control setup leveraging Certificate-Based Authentication to authenticate devices on the corporate network.

Requirements

  • Educational Background: Master's degree in Computer Science, Information Technology, or a related field.
  • Experience: Proven experience in a Microsoft-heavy ecosystem, including the Entra, Defender, Purview, Azure, Intune, and Office365 product lines.
  • Certification: Relevant Microsoft certifications such as SC-300 (most desirable), SC-100, SC-400, MD-102, MS-102, MS-900, AZ-140, AZ-104, AZ-900 are highly regarded.
  • MacOS Management: Experience handling MacOS devices in an Enterprise environment is a plus.
  • Technical Skills: Proficiency in scripting and query languages like KQL, Python, Bash, and PowerShell is a plus.
  • Cultural and Language Proficiency: Strong understanding of European work culture with excellent proficiency in English, both written and spoken.
  • Project Management: Self-driven and autonomous, with a proven track record of successfully handling the design and coordination of end user impacting change across thousands of employees spread over multiple locations.
  • Interpersonal Skills: Exceptional communication and interpersonal skills, capable of engaging directly with stakeholders at various levels within the organization.

 

Our Way Of Working

Our world is hybrid.

A career is not a sprint. It’s a marathon. One of the perks of joining us is that we value you as a person first. Our hybrid world allows you to focus on your goals and responsibilities and lets you self-organise to improve your deliveries and get the work done in your own way.

Application Process

We believe talent knows no boundaries. Our hiring process focuses solely on your skills, experience, and potential to contribute to our team. We welcome applicants from all backgrounds and evaluate each candidate based on merit, regardless of personal characteristics such as age, gender, origin, religion, sexual orientation, neurodiversity or disability.

 
 


Location

Stockholm
Regeringsgatan 25, Stockholm, Sweden, 111 53

Benefits

Well-being allowance
Learning and development opportunities
Inclusion networks
Charity days
Long service awards
Private medical insurance
Life assurance and income protection
Employee Assistance Programme
Pension

Meet the recruiter

Prachi Arya

prachi.arya@kindredgroup.com
