
Azure Identity Management Expert

📍 Bangalore, India

Business LTIMindtree

Job Description

Job Description: Microsoft SSPR Expert / Identity Authentication Architect

Position Overview

We are seeking an expert-level Identity Authentication Architect specializing in Microsoft Self-Service Password Reset (SSPR) and hybrid identity solutions to lead the design, implementation, and optimization of enterprise-wide password reset capabilities. This role requires deep technical expertise in Azure Active Directory, on-premises Active Directory, Azure AD Connect, and identity security frameworks to deliver secure, scalable, and user-friendly authentication experiences across our global organization.

Key Responsibilities

Strategy & Architecture
- Design and architect enterprise SSPR solutions for multi-forest, multi-region hybrid Active Directory environments supporting 10,000+ users
- Develop comprehensive identity authentication roadmaps integrating SSPR with passwordless strategies, MFA, and zero-trust frameworks
- Create technical architecture documentation including data flows, security controls, disaster recovery procedures, and compliance mappings
- Lead architectural review boards for identity-related changes, ensuring SSPR integration with broader IAM initiatives
- Design group-based targeting strategies for phased SSPR rollouts balancing security requirements with user experience
- Architect SSPR monitoring, alerting, and reporting frameworks using Azure Monitor, Log Analytics, and Power BI

Implementation & Engineering
- Configure and deploy Azure AD SSPR policies including authentication methods, registration enforcement, and writeback capabilities
- Implement Azure AD Connect password writeback across multiple forests with high-availability and disaster recovery configurations
- Integrate SSPR with Azure AD Password Protection, banned password lists, and custom policy enforcement
- Configure Conditional Access policies for secure SSPR registration, including risk-based authentication and MFA enforcement
- Develop PowerShell scripts and Microsoft Graph API integrations for automated SSPR configuration management and reporting
- Implement combined security information registration experiences unifying SSPR and MFA registration workflows
- Configure and test account unlock capabilities without password reset for helpdesk ticket reduction

Security & Compliance
- Conduct security assessments of SSPR configurations identifying vulnerabilities in authentication methods, registration processes, and writeback mechanisms
- Design and implement controls preventing SSPR abuse including smart lockout configurations, rate limiting, and suspicious activity monitoring
- Ensure SSPR compliance with regulatory requirements (GDPR, HIPAA, SOC 2, ISO 27001) including data residency, audit logging, and retention policies
- Integrate SSPR with Azure AD Identity Protection for risk-based registration policies and anomaly detection
- Perform regular security reviews of registered authentication methods, identifying weak security questions and encouraging stronger alternatives
- Collaborate with security teams to investigate and remediate SSPR-related security incidents including compromised method registrations

Operations & Optimization
- Monitor SSPR health metrics including writeback success rates, registration completion, user adoption, and helpdesk ticket trends
- Troubleshoot complex SSPR writeback failures involving Azure AD Connect synchronization conflicts, password policy mismatches, and network connectivity issues
- Optimize SSPR user experience through customization of branding, helpdesk links, and instructional content
- Establish SSPR operational runbooks, escalation procedures, and knowledge base articles for support teams
- Conduct capacity planning for SSPR infrastructure ensuring scalability during peak usage periods
- Implement continuous improvement processes based on user feedback, adoption metrics, and security incidents

Required Qualifications

Technical Experience
- 7+ years of hands-on experience with Microsoft identity technologies (Active Directory, Azure AD, Azure AD Connect)
- 4+ years of expert-level experience implementing and managing Azure AD Self-Service Password Reset in enterprise environments (10,000+ users)
- 3+ years configuring Azure AD Connect password writeback, password hash synchronization, and hybrid identity scenarios
- Proven experience designing multi-forest Active Directory architectures with complex trust relationships and cross-forest authentication
- Deep expertise in Azure AD Conditional Access policies, MFA configuration, and identity protection frameworks
- Strong background in PowerShell scripting and Microsoft Graph API for identity automation and reporting
- Hands-on experience troubleshooting complex identity synchronization issues, password writeback failures, and authentication conflicts

Domain Expertise
- Comprehensive understanding of authentication protocols: Kerberos, NTLM, LDAP, SAML, OAuth, OpenID Connect
- Expert knowledge of password security principles including hashing algorithms, salt mechanisms, and password policy design
- Deep understanding of Azure AD licensing models (Free, P1, P2) and feature availability across tiers
- Expertise in identity lifecycle management, joiners-movers-leavers processes, and automated provisioning/deprovisioning
- Strong knowledge of compliance frameworks and their identity requirements (GDPR, HIPAA, PCI-DSS, NIST, CIS)
- Understanding of zero-trust architecture principles and passwordless authentication strategies

Preferred Qualifications
- Experience with Azure AD B2B/B2C guest user SSPR scenarios and cross-tenant collaboration
- Familiarity with privileged identity management (PIM) and its interaction with SSPR capabilities
- Experience integrating SSPR with third-party SIEM solutions (Splunk, Azure Sentinel, QRadar)
- Knowledge of federated identity providers (ADFS, Okta, Ping) and their SSPR integration patterns
- Experience with Microsoft Defender for Identity and its monitoring of password reset activities
- Background in large-scale identity migrations and directory consolidation projects
- Understanding of sovereign cloud environments (GCC, GCC High, Azure Government) and their SSPR differences
- Experience with Temporary Access Pass (TAP) and passwordless authentication methods (FIDO2, Windows Hello for Business)

Technical Skills

Microsoft Technologies (Expert Level)
- Azure Active Directory (Premium P1/P2)
- Azure AD Connect (sync engine, health monitoring, troubleshooting)
- Azure AD Password Protection
- Microsoft 365 Admin Center / Azure Portal
- Azure AD PowerShell / MSOnline module
- Microsoft Graph API / Graph Explorer
- Azure Monitor / Log Analytics
- Conditional Access policies

Scripting & Automation
- PowerShell (advanced scripting, modules, error handling)
- Microsoft Graph API (REST calls, authentication flows, pagination)
- Azure Automation / Runbooks
- Azure Logic Apps for workflow automation
- JSON/XML data manipulation
- Git version control for configuration as code

Infrastructure & Networking
- Active Directory Domain Services (GPO, Sites/Services, Replication)
- Windows Server (2012 R2 - 2022)
- DNS, DHCP, and name resolution troubleshooting
- Network security (firewalls, proxies, port requirements)
- Certificate infrastructure and PKI concepts
- High availability and disaster recovery architectures

Security & Compliance Tools
- Azure AD Identity Protection
- Azure AD Privileged Identity Management
- Azure Sentinel / SIEM integration
- Compliance Manager / Service Trust Portal
- Audit log analysis and retention management

Preferred
- Microsoft Certified: Security Operations Analyst Associate (SC-200)
- Microsoft Certified: Azure Security Engineer Associate (AZ-500)
- Microsoft 365 Certified: Enterprise Administrator Expert (MS-100, MS-101)
- CISSP, CISM, or other security certifications

Work Environment

Location: Bangalore

Ready to Apply?

Don't miss this opportunity! Apply now and join our team.

Job Details

Posted Date: December 24, 2025
Job Type: Business
Location: Bangalore, India
Company: LTIMindtree
