Senior Enterprise Security Engineer
Fully Remote
Description

Client First Technologies is currently seeking a Senior Enterprise Security Engineer to support our government customer. The Senior Enterprise Security Engineer will provide enterprise security engineering and operational support for a large enterprise’s Microsoft 365 environment and integrated identity, endpoint, and messaging services. This role focuses on designing, implementing, and sustaining security controls; supporting incident response and compliance activities; and partnering with Microsoft 365 engineering and service desk teams to reduce risk while maintaining mission operations.


This is a full-time, remote position. CFT offers a full benefits package, a collaborative work environment and a strong company culture. Veterans and military spouses are encouraged to apply.


Responsibilities

  • Engineer, implement, and maintain Microsoft 365 security configurations and governance across core workloads (Exchange Online, Teams, SharePoint Online, OneDrive) with an emphasis on risk reduction and compliance
  • Administer and tune security controls in Entra ID (Azure AD) including Conditional Access, MFA/Authentication Methods, Identity Protection, privileged access practices, and access reviews; coordinate with identity engineering teams when on-prem AD authority impacts changes
  • Design master Conditional Access rules to enforce Multi-Factor Authentication (MFA), block legacy authentication, and deny access from risky locations or unmanaged devices
  • Create dynamic membership rules to automatically add or remove users from security groups based on HR attributes
  • Maintain strict separation of duties between security groups used for application access and M365 groups used for collaboration
  • Support Microsoft Purview security and compliance features relevant to the environment, including auditing, retention/holds support, sensitivity labeling/AIP-related configurations, and assisting with eDiscovery and data collection security requirements (access controls, logging, defensible handling)
  • Support email and information protection troubleshooting for encrypted content scenarios (AIP/RMS/S/MIME), coordinating with messaging and eDiscovery staff for complex decryption, access, and review enablement needs
  • Operate and enhance security monitoring/alert response processes: validate alerts, conduct technical triage, analyze logs and audit records, recommend containment/remediation actions, and document findings for incident response workflows
  • Harden tenant security posture by applying secure configuration baselines, evaluating new M365 security capabilities, and recommending improvements to reduce attack surface and misconfiguration risk
  • Partner with endpoint and PKI security resources as needed to align M365 security controls with enterprise endpoint, certificate, and trust requirements; support cross-domain troubleshooting and remediation
  • Develop and maintain security runbooks, SOPs, and knowledge articles; provide technical mentoring to mid-level engineers and service desk staff on secure operational practices and common security issues
  • Support change/control processes by preparing technical implementation plans, risk assessments, validation steps, and rollback approaches for security-impacting changes; participate in change reviews as required
  • Provide clear, audit-ready documentation for security actions taken, including configuration changes, investigations, evidence collection, and control validation results; support periodic reporting and metrics as required
Requirements

Qualifications

  • Bachelor’s degree in Cybersecurity, Information Technology, or related field (or equivalent professional experience)
  • Minimum of eight (8) years of enterprise security engineering experience, including direct hands-on administration of Microsoft 365 / Entra ID security capabilities
  • Strong working knowledge of M365 security and compliance concepts (tenant hardening, identity security, group policy, information protection, auditing, retention, and defensible data handling)
  • Experience implementing and supporting identity security controls (Conditional Access, MFA, privileged access practices) in hybrid enterprise environments
  • Experience investigating security incidents and performing log/audit analysis; ability to document findings and recommend remediation actions
  • Proficiency with PowerShell (with Microsoft Graph) for administration, reporting, and troubleshooting in M365/Entra ID environments
  • Experience working in regulated environments with strict security, privacy, and change management requirements
  • Ability to communicate effectively with technical teams and non-technical stakeholders (operations, compliance, legal) and produce clear technical documentation
  • Experience with Microsoft Defender (for M365, Endpoint, Identity, and/or Cloud Apps) in an enterprise environment
  • Experience with Microsoft Purview (Information Protection, DLP, eDiscovery, Audit) and operational support of compliance workflows
  • Familiarity with PKI concepts and certificate-based authentication and troubleshooting in enterprise environments
  • Relevant certifications preferred (e.g., SC-200, SC-300, SC-400, AZ-500, CISSP, or equivalent)

Physical Demands

  • Must be able to sit and stand for extended periods of time
  • Occasional travel and overtime may be required

Required Clearances and Screenings

  • This position is subject to a government background investigation and must meet eligibility for a position designated with Moderate Risk sensitivity
  • Candidates with current Veterans Affairs (VA) Tier 2/Moderate Background Investigation or equivalent (e.g., DoD Tier 3/NACLC, Active Secret) are preferred