VE3

4 job(s) at VE3

VE3 Maidenhead, Berkshire
08/05/2026
Purpose of the Role

The Active Directory/Entra Specialist is the technical authority for the customer's hybrid identity platform. The role owns the design, operation, security, and continuous improvement of on-premises Active Directory Domain Services, Group Policy, ADFS, Entra ID (P2), Azure AD Connect, B2B and B2C flows, Conditional Access, MFA, Intune, and identity life cycle automation across all in-scope business programmes. Identity is the foundation of every other workload in the estate. This role therefore underwrites the availability, security and compliance of M365, SharePoint, Power Platform, Dynamics 365, Fabric and Azure services. The post-holder is on the front line for any P1 authentication outage, Conditional Access misconfiguration, or directory replication failure.

Requirements

2.3 Key Technical Responsibilities

Hybrid Active Directory Operations

Administer multi-forest on-premises Active Directory Domain Services (modern schema, WS2016+ functional level), including domain controllers, FSMO roles, sites and services, replication topology, DNS, DHCP, time service (NT5DS), and trust relationships.
Maintain and harden Group Policy Objects across the estate, including baseline security GPOs, audit policies, AppLocker/WDAC, BitLocker, Windows Update for Business, and computer/user configuration drift detection.
Operate and patch ADFS on legacy Windows Server (where present), administer claims rules, relying party trusts, certificate rotation, and plan migration of relying parties to Entra ID where commercially appropriate.
Manage Azure AD Connect (auto-updating) including sync rules, source anchor, password hash sync/pass-through authentication, seamless SSO, staging mode validation, and re-permission/re-baseline activities.
Diagnose and remediate replication failures, lingering objects, USN rollback, tombstone issues, NTLM/Kerberos auth failures, SPN duplication, and time-skew problems using repadmin, dcdiag, klist, KDCDiag, ADReplStatus and Microsoft 365 Connectivity Analyzer.

Entra ID and Identity Lifecycle

Administer Entra ID P2 tenants including users, groups, dynamic groups, administrative units, application registrations, enterprise applications, service principals, managed identities, and consent workflows.
Configure and operate Conditional Access (sign-in risk, user risk, named locations, device compliance, session controls), Multi-Factor Authentication, passwordless sign-in (Windows Hello for Business, FIDO2, Authenticator), and Temporary Access Pass for onboarding.
Operate Privileged Identity Management (PIM) for just-in-time role activation, approval workflows, access reviews and break-glass account governance; work with the on-premises PAM solution for tier-0 administration.
Manage Entra ID B2B (guest collaboration) and B2C (custom policies, user flows, identity providers, custom branding, application integrations) for both internal and external-facing tenants.
Implement Identity Governance: Entitlement Management, Access Packages, Access Reviews, Lifecycle Workflows, and HR-driven inbound provisioning where in scope.

Endpoint Management with Intune

Administer Microsoft Intune including device enrolment (Autopilot, Apple ABM, Android Enterprise), configuration profiles, compliance policies, app protection policies (MAM), Conditional Access integration, and Endpoint Privilege Management.
Define and maintain Windows update rings, feature update profiles, driver update profiles, and Defender for Endpoint baselines via Intune Security Baselines.
Operate Win32/LOB/Microsoft Store app deployment, package authoring (intunewin), update rings, and supersedence chains.
Co-manage devices with Configuration Manager where present, troubleshoot enrolment failures using IME logs, MDM Diagnostics Tool, and the Intune Troubleshooting portal.

Identity Automation and Tooling

Author and maintain PowerShell automation using Microsoft Graph PowerShell SDK, Az PowerShell, ExchangeOnlineManagement, MSOnline (Legacy), AzureAD (Legacy), and ActiveDirectory modules - including JML (Joiner-Mover-Leaver) workflows, group membership reconciliation, stale object cleanup, and licence assignment.
Build and operate identity-related runbooks in Azure Automation, Logic Apps, or Power Automate where appropriate.
Use Microsoft Graph (REST + SDK) for advanced reporting, bulk operations, and integration with HR/ITSM platforms.

Service Operations

Own L2/L3 incident, problem and change resolution for identity-related tickets, achieving the contractual SLAs: P1 1-hour response/4-hour resolution, P2 4-hour response/1 working day resolution, P3 1 working day response/3 working days resolution.
Lead root cause analysis (RCA) for P1 identity incidents and produce post-incident review reports within five working days.
Contribute to monthly service reports with identity KPIs (sign-in success rate, MFA coverage, Conditional Access policy hits, privileged role activations, sync health, AAD Connect latency, certificate expiry watchlist).
Participate in CAB review, change scheduling, and change risk assessment for identity changes; produce rollback plans and pre/post implementation checks.

Mandatory Technical Skills

Active Directory Domain Services on Windows Server 2016+ including schema management, sites and services, GPO design, ADFS, AD CS, AD Recycle Bin, and DR/recovery procedures (authoritative restore).
Entra ID P2 deep configuration: Conditional Access, MFA, PIM, Identity Protection (sign-in risk, user risk, risky users), Identity Governance, Application Proxy, External Identities (B2B, B2C custom policies), and Hybrid Identity (AAD Connect).
Microsoft Intune end-to-end device and application management, including Autopilot pre-provisioning, compliance, configuration, and Endpoint Security baselines.
PowerShell scripting (intermediate-to-advanced) using Microsoft Graph SDK, Az, and ActiveDirectory modules; ability to read/debug/extend existing scripts under change control.
Working knowledge of Microsoft Defender for Identity (formerly Azure ATP) signals and integration with Defender XDR.
Networking fundamentals: DNS, Kerberos, NTLM, OAuth 2.0, OpenID Connect, SAML 2.0, WS-Federation, certificate-based authentication, TLS/SSL troubleshooting, and modern auth flows.
Working knowledge of ITIL v4 incident, problem, change and configuration management, and ITSM ticketing (e.g., ServiceNow, Jira Service Management).

Desirable Technical Skills

Entra Permissions Management (CIEM).
Microsoft Entra ID Verified ID (decentralised identity) familiarity.
Group Policy Analytics in Intune for cloud migration.
Experience operating tier-0 PAM solutions (CyberArk, BeyondTrust, Delinea) on-premises.
Familiarity with FIDO2 hardware tokens, Windows LAPS (cloud), and Authentication Methods migration.
Exposure to Azure VPN Gateway, ExpressRoute, and hybrid connectivity for identity authentication paths.

Required Certifications

Microsoft Certified: Identity and Access Administrator Associate (SC-300) - mandatory.
Microsoft Certified: Endpoint Administrator Associate (MD-102) - mandatory.
Microsoft 365 Certified: Administrator Expert (MS-102) - preferred.
Microsoft Certified: Cybersecurity Architect Expert (SC-100) - desirable.
ITIL 4 Foundation - preferred.

VE3 Maidenhead, Berkshire
08/05/2026
Purpose of the Role:

The M365/Entra Security & Governance Specialist owns the security posture, data governance, and compliance alignment of the customer's Microsoft estate. The role designs and operates Zero Trust controls, threat protection, information protection, insider risk management, and the audit/evidence machinery required to demonstrate alignment with ISO 27001, GDPR, NIST CSF and Microsoft's Secure Score baselines. The customer processes personal and special-category data on behalf of public-sector programmes. The role therefore carries direct accountability for protecting beneficiary data, ensuring lawful processing within the EEA, and providing evidence of control effectiveness to the customer's Cyber Security team and external auditors. This is a senior, hands-on technical role - not a paper-only governance position.

Requirements

Key Technical Responsibilities:

Threat Protection - Microsoft Defender XDR

Operate Microsoft Defender XDR across Defender for Endpoint, Defender for Office 365 (Plan 2), Defender for Identity, Defender for Cloud Apps, and Defender Vulnerability Management.
Manage Defender for Endpoint deployment, onboarding (via Intune/GPO/script), attack surface reduction (ASR) rules, EDR in block mode, automated investigation and response (AIR), tamper protection, and live response.
Tune Defender for Office 365 anti-phishing, Safe Links, Safe Attachments, anti-spoofing, impersonation protection, attack simulation training, and Threat Explorer queries.
Operate Defender for Identity sensors on domain controllers and ADFS servers; investigate identity-based attack paths (DCSync, Golden Ticket, Pass-the-Hash) and remediate exposures.
Operate Defender for Cloud Apps for SaaS discovery, OAuth app governance, conditional access app control (reverse proxy), session policies, and shadow IT reporting.
Investigate alerts and incidents in the Defender XDR portal using KQL advanced hunting; build custom detections, suppression rules, and automated playbooks.

SIEM and SOAR - Microsoft Sentinel

Operate Microsoft Sentinel for the estate: data connectors (M365, Entra, Defender XDR, Azure Activity, Office 365, Threat Intelligence, Syslog/CEF), workspace architecture, retention, and cost optimisation.
Author analytics rules (scheduled, NRT, Fusion, Microsoft Security), build watchlists, threat intelligence integrations (TAXII/MISP), and User Entity Behaviour Analytics (UEBA).
Develop KQL detection content aligned to MITRE ATT&CK; operate hunting queries, bookmarks, and incident investigation graphs.
Build SOAR automation using Azure Logic Apps playbooks for incident enrichment, containment (e.g., disable user, force password reset, isolate device), and notification.
Operate the 24/7 Sentinel-based monitoring stack in collaboration with the NOC analyst function.

Information Protection and Data Governance - Microsoft Purview

Design and operate Microsoft Purview Information Protection: sensitivity labels, label policies, auto-labelling (client and service-side), encryption with rights management, and co-authoring on encrypted documents.
Build and tune Data Loss Prevention (DLP) policies for Exchange, SharePoint, OneDrive, Teams chat, Endpoint DLP and Power Platform; manage policy tips, overrides, and incident review.
Operate Insider Risk Management policies, Content Explorer, Activity Explorer, and communication compliance where in scope.
Design retention policies, retention labels, and records management aligned to the customer's records retention schedules and applicable public-sector records management frameworks.
Operate eDiscovery (Standard and Premium): cases, holds, collections, reviews, custodian management, and chain-of-custody documentation.
Operate Microsoft Purview Data Map, Data Catalog, and Data Estate Insights for the Microsoft Fabric/Power BI estate, including lineage, classification scans, and Data Loss Prevention for Fabric.
Maintain audit and reporting using Purview Audit (Standard/Premium), Compliance Manager templates (ISO 27001, GDPR, NIS2), and customer-managed Compliance Manager assessments.

Identity Security and Zero Trust

Define and maintain the Conditional Access policy baseline using a documented policy framework (Persona-based or Microsoft Zero Trust deployment guidance), including emergency/break-glass access, named locations, and report-only validation.
Operate Entra ID Protection - sign-in risk, user risk, risk policies, and risk investigation - including alignment with Defender XDR for unified incident view.
Govern privileged access via PIM, role-assignable groups, access reviews, and Just-In-Time elevation; co-own break-glass account procedures with the AD/Entra Specialist.
Operate Entra Permissions Management (CIEM) where licensed, providing visibility of multi-cloud permission risk.

Compliance and Audit

Maintain ISO 27001 control evidence and align with the customer's certification and surveillance audits; act as the technical lead for any audit observation related to the Microsoft estate.
Maintain GDPR records of processing, support Data Protection Impact Assessments for new applications, and operate technical and organisational measures (TOMs).
Map controls to NIST CSF, NIS2 (where applicable as an essential/important entity), and Microsoft Secure Score/Identity Secure Score; maintain a target posture and quarterly improvement plan.
Produce monthly security KPIs for the SLA report - Secure Score trend, MFA coverage, DLP incidents, phishing simulation results, vulnerability remediation, patch compliance - and quarterly executive risk reports.

Microsoft Copilot and AI Governance

Operate the security envelope for Microsoft 365 Copilot and Copilot Studio including SharePoint sharing hygiene ("oversharing"), sensitivity-label-aware grounding, restricted SearchableContent, and Copilot interaction audit log review.
Define and enforce a Responsible AI policy aligned with Microsoft's Responsible AI Standard - fairness, reliability, safety, privacy, security, inclusiveness, transparency, and accountability.

Mandatory Technical Skills

Microsoft Defender XDR (full stack) and Microsoft Sentinel - analytics, hunting (KQL), incident management, and SOAR playbook authoring.
Microsoft Purview - Information Protection, DLP, Insider Risk, Records Management, eDiscovery, Audit, and Compliance Manager.
Entra ID security: Conditional Access, MFA, PIM, Identity Protection, External Identities, and Permissions Management.
Zero Trust architecture knowledge per Microsoft Zero Trust deployment guidance; ability to lead a Zero Trust roadmap discussion with senior stakeholders.
ISO 27001:2022 control set; GDPR Articles 5, 6, 9, 25, 28, 30, 32-34; awareness of NIS2 and applicable national cyber-security guidance.
KQL (Kusto Query Language) - fluent across Defender Advanced Hunting, Sentinel, and Log Analytics.
PowerShell automation across Microsoft Graph Security, ExchangeOnlineManagement, and Compliance modules.

Desirable Technical Skills

Threat hunting using Sigma rules, MITRE ATT&CK Navigator, and STIX/TAXII intel feeds.
SOC operations experience - shift handover, evidence preservation, incident life cycle (NIST SP 800-61).
Familiarity with on-premises PAM (CyberArk, BeyondTrust) and hybrid SOC tooling beyond Microsoft.
Microsoft Fabric/Purview Data Loss Prevention (Fabric DLP) and AI hub for Purview.
Familiarity with Cyber Essentials Plus, NCSC Cyber Assessment Framework (CAF), and ENISA guidance.

Required Certifications

Microsoft Certified: Security Operations Analyst Associate (SC-200) - mandatory.
Microsoft Certified: Information Protection and Compliance Administrator Associate (SC-400) - mandatory.
Microsoft Certified: Identity and Access Administrator Associate (SC-300) - mandatory.
Microsoft Certified: Cybersecurity Architect Expert (SC-100) - preferred.
ISO/IEC 27001 Lead Implementer or Lead Auditor - preferred.
CISSP, CISM, or equivalent - desirable.

VE3 Maidenhead, Berkshire
04/05/2026
Full time
VE3 is seeking an experienced Azure DevOps Engineer to join our UK team in Maidenhead. This role focuses on designing and maintaining Azure infrastructure, building CI/CD pipelines, and implementing DevOps practices. The ideal candidate will have over 3 years of experience in managing Azure cloud resources, proficiency in tools such as Azure DevOps and Terraform, and possess the AZ-400 certification. Join us to drive innovation and transformation for enterprise clients with a collaborative team culture.
VE3 Maidenhead, Berkshire
04/05/2026
Full time
Azure DevOps Engineer

About the Role

We are looking for an experienced Azure DevOps Engineer to join our UK team. In this role you will design, deploy, and maintain Azure infrastructure, build and optimise CI/CD pipelines, and support our data platform on Azure data services and storage. You will also be responsible for enforcing DevOps and security best practices on the Azure cloud platform.

Requirements

What You'll Do

Provision and manage Azure resources including Virtual Machines, AKS, App Services, Virtual Networks, Storage Accounts, and Key Vault
Define and enforce infrastructure-as-code practices using ARM templates, Bicep, or Terraform
Monitor environment health with Azure Monitor, Prometheus, Grafana, Log Analytics, and Application/Container Insights
Manage identity, access, and security policies across the Azure tenant
Build and maintain CI/CD pipelines in both Azure DevOps (Repos, Pipelines, Artifacts, Boards) and GitHub Actions
Support database maintenance tasks including backup, restore, and disaster recovery
Assist in data migration and extraction on Azure data services and storage

What We're Looking for

3+ years of hands-on experience managing Azure cloud infrastructure and deployment
Proven experience building and maintaining CI/CD pipelines in both Azure DevOps and GitHub Actions
Scripting ability in at least one of: PowerShell, Azure CLI, or Bash
Understanding of networking fundamentals (DNS, VPN, NSGs, load balancing)
Microsoft certification: AZ-400
Experience with Infrastructure-as-Code tools (Terraform, Bicep, ARM templates)
Experience with monitoring and observability (Azure Monitor, Prometheus, Grafana)
Experience with implementing DevOps and security best practices on the Azure cloud platform
Interpersonal and communication skills, with the ability to collaborate effectively with development teams, architects and stakeholders

Benefits

Why Join VE3?

Be a key player in driving innovation and transformation for enterprise clients.
Enjoy a competitive salary, performance-based incentives, and opportunities for professional growth.
Join a collaborative, forward-thinking team that values creativity, integrity, and excellence.