Microsoft SSPR Expert / Identity Authentication Architect

About Company:

Our client is a global technology consulting and digital solutions company that enables enterprises to reimagine business models and accelerate innovation through digital technologies. Powered by more than 84,000 entrepreneurial professionals across more than 30 countries, it caters to over 700 clients with its extensive domain and technology expertise to help drive superior competitive differentiation, customer experiences, and business outcomes.

Job Title: Microsoft SSPR Expert / Identity Authentication Architect

Location: Bangalore (Global village Tech Park)

Experience: 5 to 10 Years

Employment Type: Contract to Hire

Work Mode: Hybrid

Notice Period: Immediate Joiners Only

Job Description:

We are seeking an expert-level Identity Authentication Architect specializing in Microsoft Self-Service Password Reset (SSPR) and hybrid identity solutions to lead the design, implementation, and optimization of enterprise-wide password reset capabilities. This role requires deep technical expertise in Azure Active Directory, on-premises Active Directory, Azure AD Connect, and identity security frameworks to deliver secure, scalable, and user-friendly authentication experiences across our global organization.

Key Responsibilities

Strategy & Architecture

• Design and architect enterprise SSPR solutions for multi-forest, multi-region hybrid Active Directory environments supporting 10,000+ users
• Develop comprehensive identity authentication roadmaps integrating SSPR with passwordless strategies, MFA, and zero-trust frameworks
• Create technical architecture documentation including data flows, security controls, disaster recovery procedures, and compliance mappings
• Lead architectural review boards for identity-related changes, ensuring SSPR integration with broader IAM initiatives
• Design group-based targeting strategies for phased SSPR rollouts balancing security requirements with user experience
• Architect SSPR monitoring, alerting, and reporting frameworks using Azure Monitor, Log Analytics, and Power BI

Implementation & Engineering

• Configure and deploy Azure AD SSPR policies including authentication methods, registration enforcement, and writeback capabilities
• Implement Azure AD Connect password writeback across multiple forests with high-availability and disaster recovery configurations
• Integrate SSPR with Azure AD Password Protection, banned password lists, and custom policy enforcement
• Configure Conditional Access policies for secure SSPR registration, including risk-based authentication and MFA enforcement
• Develop PowerShell scripts and Microsoft Graph API integrations for automated SSPR configuration management and reporting
• Implement combined security information registration experiences unifying SSPR and MFA registration workflows
• Configure and test account unlock capabilities without password reset for helpdesk ticket reduction

Security & Compliance

• Conduct security assessments of SSPR configurations identifying vulnerabilities in authentication methods, registration processes, and writeback mechanisms
• Design and implement controls preventing SSPR abuse including smart lockout configurations, rate limiting, and suspicious activity monitoring
• Ensure SSPR compliance with regulatory requirements (GDPR, HIPAA, SOC 2, ISO 27001) including data residency, audit logging, and retention policies
• Integrate SSPR with Azure AD Identity Protection for risk-based registration policies and anomaly detection
• Perform regular security reviews of registered authentication methods, identifying weak security questions and encouraging stronger alternatives
• Collaborate with security teams to investigate and remediate SSPR-related security incidents including compromised method registrations

Operations & Optimization

• Monitor SSPR health metrics including writeback success rates, registration completion, user adoption, and helpdesk ticket trends
• Troubleshoot complex SSPR writeback failures involving Azure AD Connect synchronization conflicts, password policy mismatches, and network connectivity issues
• Optimize SSPR user experience through customization of branding, helpdesk links, and instructional content
• Establish SSPR operational runbooks, escalation procedures, and knowledge base articles for support teams
• Conduct capacity planning for SSPR infrastructure ensuring scalability during peak usage periods
• Implement continuous improvement processes based on user feedback, adoption metrics, and security incidents

Required Qualifications

Technical Experience

• 7+ years

  of hands-on experience with Microsoft identity technologies (Active Directory, Azure AD, Azure AD Connect)

• 4+ years

  of expert-level experience implementing and managing Azure AD Self-Service Password Reset in enterprise environments (10,000+ users)

• 3+ years

  configuring Azure AD Connect password writeback, password hash synchronization, and hybrid identity scenarios

• Proven experience

  designing multi-forest Active Directory architectures with complex trust relationships and cross-forest authentication

• Deep expertise

  in Azure AD Conditional Access policies, MFA configuration, and identity protection frameworks

• Strong background

  in PowerShell scripting and Microsoft Graph API for identity automation and reporting

• Hands-on experience

  troubleshooting complex identity synchronization issues, password writeback failures, and authentication conflicts

Domain Expertise

• Comprehensive understanding of authentication protocols: Kerberos, NTLM, LDAP, SAML, OAuth, OpenID Connect
• Expert knowledge of password security principles including hashing algorithms, salt mechanisms, and password policy design
• Deep understanding of Azure AD licensing models (Free, P1, P2) and feature availability across tiers
• Expertise in identity lifecycle management, joiners-movers-leavers processes, and automated provisioning/deprovisioning
• Strong knowledge of compliance frameworks and their identity requirements (GDPR, HIPAA, PCI-DSS, NIST, CIS)
• Understanding of zero-trust architecture principles and passwordless authentication strategies

Preferred Qualifications

• Experience with Azure AD B2B/B2C guest user SSPR scenarios and cross-tenant collaboration
• Familiarity with privileged identity management (PIM) and its interaction with SSPR capabilities
• Experience integrating SSPR with third-party SIEM solutions (Splunk, Azure Sentinel, QRadar)
• Knowledge of federated identity providers (ADFS, Okta, Ping) and their SSPR integration patterns
• Experience with Microsoft Defender for Identity and its monitoring of password reset activities
• Background in large-scale identity migrations and directory consolidation projects
• Understanding of sovereign cloud environments (GCC, GCC High, Azure Government) and their SSPR differences
• Experience with Temporary Access Pass (TAP) and passwordless authentication methods (FIDO2, Windows Hello for Business)

Technical Skills

Microsoft Technologies (Expert Level)

• Azure Active Directory (Premium P1/P2)
• Azure AD Connect (sync engine, health monitoring, troubleshooting)
• Azure AD Password Protection
• Microsoft 365 Admin Center / Azure Portal
• Azure AD PowerShell / MSOnline module
• Microsoft Graph API / Graph Explorer
• Azure Monitor / Log Analytics
• Conditional Access policies

Scripting & Automation

• PowerShell (advanced scripting, modules, error handling)
• Microsoft Graph API (REST calls, authentication flows, pagination)
• Azure Automation / Runbooks
• Azure Logic Apps for workflow automation
• JSON/XML data manipulation
• Git version control for configuration as code

Infrastructure & Networking

• Active Directory Domain Services (GPO, Sites/Services, Replication)
• Windows Server (2012 R2 - 2022)
• DNS, DHCP, and name resolution troubleshooting
• Network security (firewalls, proxies, port requirements)
• Certificate infrastructure and PKI concepts
• High availability and disaster recovery architectures

Security & Compliance Tools

• Azure AD Identity Protection
• Azure AD Privileged Identity Management
• Azure Sentinel / SIEM integration
• Compliance Manager / Service Trust Portal
• Audit log analysis and retention management

Preferred

• Microsoft Certified: Security Operations Analyst Associate

  (SC-200)

• Microsoft Certified: Azure Security Engineer Associate

  (AZ-500)

• Microsoft 365 Certified: Enterprise Administrator Expert

  (MS-100, MS-101)
• CISSP, CISM, or other security certifications