Purpose of the Role
The Active Directory/Entra Specialist is the technical authority for the customer's hybrid identity platform. The role owns the design, operation, security, and continuous improvement of on-premises Active Directory Domain Services, Group Policy, ADFS, Entra ID (P2), Azure AD Connect, B2B and B2C flows, Conditional Access, MFA, Intune, and identity life cycle automation across all in-scope business programmes.
Identity is the foundation of every other workload in the estate. This role therefore underwrites the availability, security and compliance of M365, SharePoint, Power Platform, Dynamics 365, Fabric and Azure services. The post-holder is on the front line for any P1 authentication outage, Conditional Access misconfiguration, or directory replication failure.
Key Technical Responsibilities
Hybrid Active Directory Operations
- Administer multi-forest on-premises Active Directory Domain Services (modern schema, WS2016+ functional level), including domain controllers, FSMO roles, sites and services, replication topology, DNS, DHCP, the Windows Time service (W32Time in NT5DS domain-hierarchy mode), and trust relationships.
- Maintain and harden Group Policy Objects across the estate, including baseline security GPOs, audit policies, AppLocker/WDAC, BitLocker, Windows Update for Business, and computer/user configuration drift detection.
- Operate and patch ADFS on legacy Windows Server builds (where present); administer claims rules, relying party trusts and certificate rotation (token-signing, token-decrypting and service communications certificates), and plan migration of relying parties to Entra ID where commercially appropriate.
- Manage Azure AD Connect (now Microsoft Entra Connect, with auto-upgrade enabled), including sync rules, source anchor, password hash sync / pass-through authentication, seamless SSO, staging-mode validation, and re-permissioning / re-baselining activities.
- Diagnose and remediate replication failures, lingering objects, USN rollback, tombstone-lifetime issues, NTLM/Kerberos authentication failures, SPN duplication, and time-skew problems using repadmin, dcdiag, klist, nltest, setspn, the AD Replication Status Tool (ADReplStatus) and the Microsoft Remote Connectivity Analyzer.
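The following read-only triage script is an added example and not part of the original role description or any customer tooling. It walks the failure modes listed above (replication failures, USN rollback, duplicate SPNs, time skew, tombstone lifetime) in the order a P1 responder would check them. It assumes the RSAT ActiveDirectory module, repadmin and dcdiag on the path, WinRM reachability to each DC for the clock check, and an account with read rights across the forest; every host name comes from the forest itself.

```powershell
# Added example: read-only AD DS health triage. Assumes RSAT ActiveDirectory,
# repadmin/dcdiag available, WinRM open to each DC, and forest-wide read rights.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Sort-Object HostName

# 1. Replication: the CSV form of repadmin /showrepl is the easiest to parse.
$repl    = repadmin /showrepl * /csv | ConvertFrom-Csv
$failing = $repl | Where-Object { [int]$_.'Number of Failures' -gt 0 }
if ($failing) {
    Write-Warning 'Replication links with failures:'
    $failing | Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
        'Number of Failures', 'Last Failure Time', 'Last Failure Status' | Format-Table -AutoSize
} else { 'Replication: no inbound link reports failures.' }

# 2. USN rollback / snapshot-restored DCs: NTDS logs 2095 (USN rollback detected)
#    and 2103 (improper restore); both halt inbound replication on that DC.
foreach ($dc in $dcs) {
    $ev = Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -MaxEvents 5 `
          -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103 }
    if ($ev) { Write-Warning "$($dc.HostName): USN rollback indicators (NTDS 2095/2103) present" }
}

# 3. Duplicate SPNs break Kerberos for that service (the KDC cannot choose a key).
$dupSpns = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
    ForEach-Object { $o = $_; $o.servicePrincipalName |
        ForEach-Object { [pscustomobject]@{ SPN = $_; Object = $o.DistinguishedName } } } |
    Group-Object -Property SPN | Where-Object Count -gt 1
if ($dupSpns) {
    Write-Warning 'Duplicate SPNs (setspn -X reports the same set):'
    $dupSpns | ForEach-Object { $_.Group } | Format-Table -AutoSize
}

# 4. Time skew: Kerberos tolerates 5 minutes by default; warn at 2 minutes so the
#    problem is seen before tickets start failing. Includes WinRM round-trip latency.
foreach ($dc in $dcs) {
    try {
        $remote = Invoke-Command -ComputerName $dc.HostName -ScriptBlock { [DateTime]::UtcNow }
        $skew   = [math]::Abs(([DateTime]::UtcNow - $remote).TotalSeconds)
        if ($skew -gt 120) { Write-Warning "$($dc.HostName): clock skew $([int]$skew)s" }
    } catch { Write-Warning "$($dc.HostName): unreachable for time check ($($_.Exception.Message))" }
}

# 5. Tombstone lifetime: any DC offline longer than this reintroduces lingering objects.
$cfg = (Get-ADRootDSE).configurationNamingContext
$tsl = (Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
        -Properties tombstoneLifetime).tombstoneLifetime
"Tombstone lifetime: $(if ($tsl) { "$tsl days" } else { 'attribute not set (legacy 60-day default applies)' })"

# 6. dcdiag /e runs against every DC in the enterprise; /q prints only failures.
dcdiag /e /q
```

Run it from an elevated session on a management host, not on a domain controller, so that the clock comparison is against an independent reference; if the forest has more than a handful of DCs, the per-DC loops are the first thing to parallelise.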
Entra ID and Identity Lifecycle
- Administer Entra ID P2 tenants including users, groups, dynamic groups, administrative units, application registrations, enterprise applications, service principals, managed identities, and consent workflows.
- Configure and operate Conditional Access (sign-in risk, user risk, named locations, device compliance, session controls), Multi-Factor Authentication, passwordless sign-in (Windows Hello for Business, FIDO2, Authenticator), and Temporary Access Pass for onboarding.
- Operate Privileged Identity Management (PIM) for just-in-time role activation, approval workflows, access reviews and break-glass account governance; work with the on-premises PAM solution for tier-0 administration.
- Manage Entra ID B2B (guest collaboration) and B2C (custom policies, user flows, identity providers, custom branding, application integrations) for both internal and external-facing tenants.
- Implement Identity Governance: Entitlement Management, Access Packages, Access Reviews, Lifecycle Workflows, and HR-driven inbound provisioning where in scope.
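The following audit is an added example, not code from the original role description or from any customer environment. It covers the two Conditional Access mistakes most likely to produce the P1 lockouts mentioned earlier: an enforced policy that targets all users but does not exclude the break-glass accounts, and policies that were enabled without a report-only stage. It assumes the Microsoft Graph PowerShell SDK, the Policy.Read.All and Directory.Read.All scopes, and that the two break-glass UPNs are placeholders for the tenant's documented accounts.

```powershell
# Added example: Conditional Access break-glass audit. Assumes Graph PowerShell SDK,
# Policy.Read.All + Directory.Read.All. The UPNs below are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All' -NoWelcome

$breakGlassUpns = @('bg-admin-01@contoso.example', 'bg-admin-02@contoso.example')  # placeholders
$breakGlassIds  = foreach ($upn in $breakGlassUpns) { (Get-MgUser -UserId $upn -Property Id).Id }

# Exclusions can be direct or via a group; expand groups transitively so nested
# membership counts, and compare on object IDs because that is what CA stores.
function Get-ExcludedUserIds {
    param($Policy)
    $ids = @($Policy.Conditions.Users.ExcludeUsers)
    foreach ($gid in @($Policy.Conditions.Users.ExcludeGroups)) {
        $ids += (Get-MgGroupTransitiveMember -GroupId $gid -All | Select-Object -ExpandProperty Id)
    }
    return $ids
}

$report = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $excluded = Get-ExcludedUserIds -Policy $p
    $missing  = @($breakGlassIds | Where-Object { $_ -notin $excluded })
    [pscustomobject]@{
        Policy             = $p.DisplayName
        State              = $p.State   # enabled | disabled | enabledForReportingButNotEnforced
        AppliesToAllUsers  = 'All' -in @($p.Conditions.Users.IncludeUsers)
        BreakGlassExcluded = ($missing.Count -eq 0)
        MissingBreakGlass  = ($missing -join ',')
    }
}

# Enforced, all-user policies without a break-glass exclusion are the ones that lock the
# whole tenant out when MFA, device compliance or a federation dependency fails.
$report | Where-Object { $_.State -eq 'enabled' -and $_.AppliesToAllUsers -and -not $_.BreakGlassExcluded } |
    Format-Table Policy, MissingBreakGlass -AutoSize

# Report-only policies are the safe staging state; list them so they are not forgotten.
$report | Where-Object { $_.State -eq 'enabledForReportingButNotEnforced' } | Format-Table Policy

$report | Export-Csv -Path .\ca-breakglass-audit.csv -NoTypeInformation
```

Running this in the CAB pre-implementation check for every Conditional Access change is cheap; the CSV also gives the "Conditional Access policy hits" line in the monthly service report something to reconcile against.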
Endpoint Management with Intune
- Administer Microsoft Intune including device enrolment (Autopilot, Apple ABM, Android Enterprise), configuration profiles, compliance policies, app protection policies (MAM), Conditional Access integration, and Endpoint Privilege Management.
- Define and maintain Windows update rings, feature update profiles, driver update profiles, and Defender for Endpoint baselines via Intune Security Baselines.
- Operate Win32, LOB and Microsoft Store app deployment, including .intunewin package authoring, detection and requirement rules, assignment groups, and supersedence chains.
- Co-manage devices with Configuration Manager where present, troubleshoot enrolment failures using IME logs, MDM Diagnostics Tool, and the Intune Troubleshooting portal.
Identity Automation and Tooling
- Author and maintain PowerShell automation using the Microsoft Graph PowerShell SDK, Az PowerShell, ExchangeOnlineManagement and ActiveDirectory modules, plus the deprecated MSOnline and AzureAD modules where legacy scripts still depend on them (to be read, debugged and migrated to the Graph SDK, not extended) - covering JML (Joiner-Mover-Leaver) workflows, group membership reconciliation, stale object cleanup, and licence assignment.
- Build and operate identity-related runbooks in Azure Automation, Logic Apps, or Power Automate where appropriate.
- Use Microsoft Graph (REST + SDK) for advanced reporting, bulk operations, and integration with HR/ITSM platforms.
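The hybrid leaver runbook below is an added example and not code from the original role description or from any customer's automation. It shows the order of operations that matters for security in a synced estate: disable the on-premises object (the source of authority, otherwise the next sync cycle reverts a cloud-only disable), then revoke Entra refresh tokens and strip licences immediately rather than waiting for the sync cycle. It assumes the RSAT ActiveDirectory module, the Microsoft Graph PowerShell SDK with User.ReadWrite.All and Directory.ReadWrite.All, and that the Leavers OU, domain and ticket reference are placeholders.

```powershell
# Added example: hybrid leaver ("L" of JML) runbook. Assumes RSAT ActiveDirectory,
# Graph PowerShell SDK (User.ReadWrite.All, Directory.ReadWrite.All). OU, domain and
# ticket reference are placeholders. Supports -WhatIf for change-control dry runs.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions

function Invoke-HybridLeaver {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [string]$LeaverOu  = 'OU=Leavers,OU=Disabled,DC=contoso,DC=example',  # placeholder OU
        [string]$TicketRef = ''
    )
    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" -Properties memberOf
    if (-not $adUser) {
        throw "No on-prem account for $UserPrincipalName; cloud-only leavers take a different path."
    }

    # 1. On-prem first: for a synced user this is what Entra Connect replicates.
    #    Reset the password so cached credentials and any NTLM hash are invalidated,
    #    strip group membership so access does not survive a later re-enable by mistake.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Disable AD account, reset password, strip groups, move OU')) {
        Disable-ADAccount -Identity $adUser
        $rand = -join ((33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
        Set-ADAccountPassword -Identity $adUser -Reset `
            -NewPassword (ConvertTo-SecureString $rand -AsPlainText -Force)
        foreach ($g in $adUser.memberOf) { Remove-ADGroupMember -Identity $g -Members $adUser -Confirm:$false }
        Set-ADUser -Identity $adUser -Description "Leaver $(Get-Date -Format u) ref $TicketRef"
        # Keep the Leavers OU inside the Entra Connect sync scope if the mailbox must be
        # retained; moving out of scope soft-deletes the cloud object instead.
        Move-ADObject -Identity $adUser -TargetPath $LeaverOu
    }

    # 2. Cloud immediately: the sync cycle is up to 30 minutes by default, and a disabled
    #    account still holds valid refresh tokens until they are revoked.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Revoke Entra sign-in sessions and remove direct licences')) {
        $mgUser = Get-MgUser -UserId $UserPrincipalName -Property Id, AssignedLicenses
        Revoke-MgUserSignInSession -UserId $mgUser.Id | Out-Null
        # Direct assignments only; group-based licences fall off when the synced group
        # membership removed above reaches Entra.
        $skus = @($mgUser.AssignedLicenses | Select-Object -ExpandProperty SkuId)
        if ($skus.Count -gt 0) {
            Set-MgUserLicense -UserId $mgUser.Id -AddLicenses @() -RemoveLicenses $skus | Out-Null
        }
    }
}

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.ReadWrite.All' -NoWelcome
# Dry run first under change control; drop -WhatIf to execute.
Invoke-HybridLeaver -UserPrincipalName 'j.doe@contoso.example' -TicketRef 'INC0000000' -WhatIf
```

Wrapped in an Azure Automation runbook, the same function is what an HR-driven leaver event would call; the -WhatIf path doubles as the pre-implementation check the CAB process asks for.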
Service Operations
- Own L2/L3 incident, problem and change resolution for identity-related tickets, achieving the contractual SLAs: P1 1-hour response/4-hour resolution, P2 4-hour response/1 working day resolution, P3 1 working day response/3 working days resolution.
- Lead root cause analysis (RCA) for P1 identity incidents and produce post-incident review reports within five working days.
- Contribute to monthly service reports with identity KPIs (sign-in success rate, MFA coverage, Conditional Access policy hits, privileged role activations, Entra Connect sync health and latency, certificate expiry watchlist).
- Participate in CAB review, change scheduling, and change risk assessment for identity changes; produce rollback plans and pre/post implementation checks.
Mandatory Technical Skills
- Active Directory Domain Services on Windows Server 2016+ including schema management, sites and services, GPO design, ADFS, AD CS, AD Recycle Bin, and DR/recovery procedures (authoritative restore).
- Entra ID P2 deep configuration: Conditional Access, MFA, PIM, Identity Protection (sign-in risk, user risk, risky users), Identity Governance, Application Proxy, External Identities (B2B, B2C custom policies), and Hybrid Identity (AAD Connect).
- Microsoft Intune end-to-end device and application management, including Autopilot pre-provisioning, compliance, configuration, and Endpoint Security baselines.
- PowerShell Scripting (intermediate-to-advanced) using Microsoft Graph SDK, Az, and ActiveDirectory modules; ability to read/debug/extend existing scripts under change control.
- Working knowledge of Microsoft Defender for Identity (formerly Azure ATP) signals and integration with Defender XDR.
- Networking and authentication protocol fundamentals: DNS, Kerberos, NTLM, OAuth 2.0, OpenID Connect, SAML 2.0, WS-Federation, certificate-based authentication, TLS troubleshooting, and modern authentication flows.
- Working knowledge of ITIL v4 incident, problem, change and configuration management, and ITSM ticketing (eg, ServiceNow, Jira Service Management).
Desirable Technical Skills
- Entra Permissions Management (CIEM).
- Microsoft Entra Verified ID (decentralised identity) familiarity.
- Group Policy Analytics in Intune for cloud migration.
- Experience operating tier-0 PAM solutions (CyberArk, BeyondTrust, Delinea) on-premises.
- Familiarity with FIDO2 hardware tokens, Windows LAPS with Entra ID password backup, and migration of legacy MFA/SSPR settings to the unified Authentication Methods policy.
- Exposure to Azure VPN Gateway, ExpressRoute, and hybrid connectivity for identity authentication paths.
Required Certifications
- Microsoft Certified: Identity and Access Administrator Associate (SC-300) - mandatory.
- Microsoft Certified: Endpoint Administrator Associate (MD-102) - mandatory.
- Microsoft 365 Certified: Administrator Expert (MS-102) - preferred.
- Microsoft Certified: Cybersecurity Architect Expert (SC-100) - desirable.
- ITIL 4 Foundation - preferred.