Microsoft 365 Engineer jobs in United States

APR Energy · 1 day ago

Microsoft 365 Engineer

APR Energy is seeking a Microsoft 365 Engineer to serve as the primary administrator and service owner for their Microsoft cloud stack. The role involves designing, deploying, securing, and operating Microsoft 365 services while collaborating with various teams to ensure a resilient and compliant service.

Clean Energy · Electrical Distribution · Energy · Energy Efficiency
H1B Sponsor Likely

Responsibilities

Design and run the target Microsoft 365 tenant (greenfield or separated), including domain and DNS cutover, directory topology, and identity lifecycle
Implement Conditional Access (per‑user/per‑app/per‑device), MFA, Named Locations (including VPN egress IPs and HQ/DC public ranges), risk‑based policies, and break‑glass controls
Deploy and maintain Entra Connect (Cloud Sync/AAD Connect) as needed; plan for hybrid to cloud‑only identity transitions where appropriate
Stand up PIM (Privileged Identity Management), access reviews, entitlement management, and least‑privilege admin RBAC across workloads
Govern B2B/B2C/guest access and external collaboration settings with clear guardrails
Lead Intune architecture: device compliance, configuration profiles, security baselines, BitLocker escrow, WUfB/feature update rings, Autopatch (where applicable), and Autopilot provisioning
Build a scalable application packaging program (Win32, LOB, MSIX), pilot rings, rollback plans, and secure app protection policies (MAM)
Migrate GPOs to Intune policy equivalents; rationalize legacy builds and drive modern management adoption
Establish gold images/profiles, device naming, asset tagging, and lifecycle processes
Plan and execute cross‑tenant migrations (mailboxes, Teams, SharePoint sites, OneDrive) with coexistence strategies (free/busy, guest access, shared channels)
Implement Microsoft Purview: sensitivity labels, DLP, retention/records, insider risk (as needed), and eDiscovery (Standard/Premium) processes
Define Teams/SharePoint information architecture and governance (naming, lifecycle, external sharing, sprawl control)
Operate and tune Microsoft Defender XDR (Endpoint/Identity/Office/Cloud Apps) and leverage Advanced Hunting (KQL) for detection/response
Integrate with SIEM (Microsoft Sentinel or existing), define alert routing/runbooks, and lead incident response for Microsoft 365 scope
Build dashboards/SLOs for patch compliance, device posture, CA/MFA effectiveness, and threat metrics
Coordinate with network teams on VPN/IP allowlists, Named Locations, split‑tunnel considerations, and service endpoints impacting Conditional Access and Microsoft 365 reliability
Support secure connectivity models across HQ, Datacenter, and new racks; ensure cloud posture reflects changing ISP/public IPs and DMZ patterns
Align Autopilot/Intune content delivery with network design to avoid hairpinning and optimize end‑user experience
Automate admin at scale with PowerShell and Microsoft Graph API (configuration‑as‑code for Intune/M365 where feasible)
Optimize licensing (E3/E5 add‑ons), storage, and service plans for cost control and best value
Author SOPs/runbooks, DR/BCP playbooks, and admin guardrails; train IT and power users

Qualification

Microsoft 365 · Entra ID · Intune · PowerShell · Microsoft Defender XDR · Azure AD · Conditional Access · MFA · Collaboration skills · Problem-solving skills · Communication skills · Teamwork

Required

7+ years professional IT
5+ years hands‑on with Microsoft 365/Entra ID/Intune in enterprise settings

Company

APR Energy

APR Energy specializes in the deployment of turnkey power generation solutions, and the sale of kilowatt-hours to its global customers. It is a sub-organization of Atlas Corporation.

H1B Sponsorship

APR Energy has a track record of offering H1B sponsorships. Please note that this does not guarantee sponsorship for this specific role. Additional information is provided below for reference. (Data powered by US Department of Labor)
Trends of Total Sponsorships
2024 (1)
2022 (2)
2021 (1)
2020 (1)

Funding

Current Stage
Public Company
Total Funding
$580M
Key Investors
Wingspire Capital · Levant Capital Limited
2025-06-02 · Debt Financing · $300M
2019-11-21 · Acquired
2016-02-24 · Post-IPO Equity

Leadership Team

Lee Munro
Chief Financial Officer
Company data provided by crunchbase