You will join the EDS team as a hands-on engineer focused on day-to-day operations and security hardening across Active Directory and Microsoft Entra ID (Azure AD). You will work with platform SMEs and the wider team to deliver BAU tickets, implement hardening baselines, and execute engineering changes. The emphasis is on collaboration and delivery: contributing expert work under established standards and designs rather than owning product roadmaps or leading programs.

Key responsibilities
- BAU delivery: Triage and resolve incidents, service requests, and standard changes across AD/Entra ID, PKI, AD FS, and Quest Active Roles in line with SLAs.
- Hardening and hygiene: Implement Tier-0/DC hardening, GPO governance, Kerberos/LDAP protections, Conditional Access/PIM controls, and SPN/gMSA/service-account hygiene.
- Engineering execution: Build and ship changes from SME/architect designs (e.g., DC upgrades, federation tweaks, Azure AD Connect/Cloud Sync tasks, App Proxy integrations).
- Automation: Use PowerShell and Microsoft Graph to audit, enforce, and remediate configuration; contribute to policy/config-as-code practices.
- Security remediation: Run BloodHound/AzureHound and PingCastle collections, analyse findings, and implement agreed remediations with SMEs.
- Monitoring & ops quality: Contribute to health/capacity checks, dashboards, and runbooks; document work clearly and keep records up to date.
- Change & compliance: Raise change records, follow CAB processes, and align with platform standards and security product roadmaps.
- Collaboration: Partner with SMEs, Operations, Network, and Security teams; participate in major-incident support and post-incident actions when required.
- Knowledge sharing: Provide peer support and share practical know-how, acting as a subject-matter contributor for assigned tasks while SMEs retain ownership.
Experience & Qualifications
Must-have
- Microsoft identity stack: Deep experience with Active Directory and Entra ID (Azure AD), plus associated infrastructure such as AD FS and Azure AD Connect; excellent knowledge of AD 2016/2019 design, troubleshooting, and administration.
- Tiering & privileged access: Practical understanding of AD security concepts (Tier-0/Tier-1, PAWs) and lateral-movement risks; PAW/jump-host pattern design and rollout.
- Active Directory hardening: CIS-aligned DC baselines, host firewalls, and no-Internet DC patterns.
- Entra ID controls at scale: Conditional Access (MFA/device/risk), PIM for roles, and PIM for Groups.
- GPO & identity hygiene: Tier-0/Tier-1 GPO design and governance, SPN hygiene, gMSA adoption, and service-account policies (password length/rotation).
- Automation-first: PowerShell and Microsoft Graph for audits, enforcement, and remediation; KQL, Terraform, Python; policy/config-as-code mindset in a DevOps environment.
- Exposure tooling: Hands-on with BloodHound/AzureHound and PingCastle (collection, analysis, and driving remediation).
- Quest ecosystem: Active Roles (ARS) and Change Auditor (or equivalent) for RBAC and change/drift tracking.
- Endpoint & access management: Experience with Microsoft Intune or a strong understanding of MDM/MAM/Conditional Access.
- Standards & protocols: Strong understanding of OAuth2/OIDC and SAML; experience with PKI/AD CS and relevant Windows security standards.
- Security principles: Least privilege, separation of duties, auditability; confident engagement with InfoSec.