Security Solution Architecture

Job description

Enterprise Identity Architect (Defence Sector)Location: UKClearance: Candidates who do not currently hold transferable UK DV clearance need not apply. Candidates must be willing to undergo additional customer specific vetting and adhere to personnel security obligations.Employment Type: Permanent / Long‑term Contract 
Travel: As required to UK sites in the South and West - averaging 3 days per week onsite

Role Purpose

We are seeking an Enterprise Identity Architect with proven deep, hands-on expertise in Identity & Access Management (IAM) across on-premises and cloud environments and, demonstrable experience shaping identity strategy for complex, multi-tenant, and multi-forest estates in regulated settings.This role is not a hands-on engineering-only role, a general architecture role, or an entry route into defence identity. We welcome candidates who meet the essential requirements and can evidence equivalent experience from regulated, national-security, critical infrastructure, or defence-adjacent environments.The role will lead and enable in a complex identity landscape, establish a single authoritative master identity model spanning classification domains, and shape and deliver a secure, standards aligned roadmap built on Zero Trust and defence policy frameworks (including ASP 240 and relevant JSPs). Candidates must be able to operate at enterprise architecture level while staying credible with engineering teams, security authorities, and operational stakeholders. 

Key Outcomes (12–18 months)

Master Identity Model Delivered: A formalised, documented and implemented authoritative identity data model with clear source of truth, lifecycle, and attribute governance across classification domains.

Consolidation & Simplification: Reduced identity duplication and drift across multiple AD forests/tenants, clear trust/segregation boundaries, and evidence based access models (RBAC/ABAC) aligned to business roles/missions.

Control Maturity Improvement: Measured uplift in identity controls (MFA, PIM/PAM, passwordless, privileged isolation, just-in-time access) validated through defence audits and JSP/ASP control evidence.Assured Inter Domain Patterns: Approved cross domain identity patterns (e.g., credential brokerage, guard-mediated flows, offline enclave procedures) with formal risk acceptance and assurance artefacts.

Legacy Decommission: Defined and executed migration/decommission plans for legacy IdPs, ADFS, and brittle sync pipelines with documented rollback and operational runbooks.

Before applying, candidates must have current transferable UK DV clearance and, be able to evidence: enterprise-scale IAM architecture leadership; delivery across hybrid Active Directory and Microsoft Entra environments; experience in regulated, defence, national-security, or similarly controlled environments; and the ability to produce assurance-ready architecture artefacts for senior technical, security, and governance audiences. If you meet the essential clearance and architecture requirements but do not match every technology listed, we still encourage you to apply and show how your experience maps to the outcomes we need. 

Enterprise Identity Architecture

• Define and own end to end IAM reference architectures for OFFICIAL and SECRET domains, including enclave segregation, trust models, and boundary controls.
• Design authoritative identity sources and golden record schemas (HR, ERP, clearance systems), lifecycle policies (joiner/mover/leaver), and attribute governance.
• Specify RBAC/ABAC models, entitlement catalogues, role mining, separation of duties (SoD) and privileged access patterns (PAW tiers, admin forest, bastion models).

Technical Strategy & Delivery

• Shape and enable consolidation/modernisation across on-premises Active Directory, Microsoft Entra ID, Microsoft Identity Manager/Entra ID Governance, and third-party IGA platforms including SailPoint and Saviynt.
• Architect MFA/password less (FIDO2/YubiKey, smartcard/PIV equivalents), Conditional Access, risk based access, device trust, PIM and PAM (CyberArk/Beyond Trust).
• Own identity integration for critical applications across cloud, on-premises, legacy, and air-gapped environments, including cross-domain access patterns through controlled brokers and guards.

Security, Compliance & Defence Governance

• Map designs and evidence to ASP 240 and applicable JSP guidelines (e.g., JSP 440 Security, JSP 604 Information/IA policies or successors), NCSC guidance, ISO/IEC 27001, and Zero Trust principles.
• Produce and maintain HLD/LLD, Control Matrices, Risk/Threat Models (STRIDE/ATT&CK), Security Cases, Transition Plans, and Operational Runbooks.
• Support audits, Design Reviews, IAO/SIRO approvals, security testing, and accreditation evidence.

Change & Stakeholder Leadership

• Run workshops to untangle legacy identity estates, discover shadow entitlements, and align business/mission owners to a single operating model.
• Coach engineering and operations teams; establish guardrails, patterns, and reference implementations; guide devsecops integration for identity.

You will work in a collaborative architecture environment where clear communication, stakeholder trust, structured decision-making, and coaching engineering teams are as important as technical depth.

Proven record of accomplishment leading large-scale Identity and Access Management transformations in complex regulated environments. Defence sector experience with mixed classification environments is preferred; candidates must demonstrate that their experience maps to defence assurance, governance, and accreditation expectations. 

Strong demonstrable experience with: 

• Microsoft Entra ID (Azure AD), Entra Connect/Cloud Sync, MIM/Entra ID Governance, Conditional Access, PIM, tenant to tenant and hybrid patterns.
• Active Directory (multi‑forest consolidation, trusts, tiered admin, admin forests), DNS/PKI (enterprise and offline PKI, CRL/OCSP, HSMs FIPS 140‑2/3)
• .PIM , PAW and PAM.
• MFA/password less (FIDO2, smartcards, CAC/PIVstyle credentials), credential hygiene, Kerberos/NTLM deprecation strategies.
• Zero Trust identity controls, RBAC/ABAC, and policy as code approaches.
• Aligning all Zero Trust / Master identity to Enterprise Service Model.
• Demonstrable success unravelling complex identity estates (e.g., multiple AD forests, conflicting schemas, brittle sync, overlapping personas) and delivering a master identity model with clean source of truth and lifecycle automation.
• Experience defining cross domain identity patterns for air gapped or highside environments, including guardmediated flows, brokers, one way trust, and offline credential issuance.
• Strong documentation: HLD/LLD, architecture decision records, control mappings (JSP/ASP/NCSC), test plans, migration & decommission plans.

Defence Policy & Standards (Experience Expected)

• Note: “ASP 240” nomenclature varies by organisation. Candidates must show experience aligning to ASP 240 (client/authority security policy 240) or equivalent Authority Security Policy requirements, plus:
• JSP 440 (security) and JSP 604 (information/IA) or successor policy frameworks.
• NCSC guidance (e.g., MFA, device identity, protective monitoring, cloud security), HMG SPF, ISO/IEC 27001, NIST SP 800‑63 (Digital Identity), NIST SP 800‑207 (Zero Trust).

Evidence generation for assurance/accreditation, including control narratives, test evidence, residual risk statements, and operational handover.

Additional differentiators; These differentiators strengthen an application but are not substitutes for the essential clearance, IAM architecture, and regulated-environment experience above.

• Cross domain solutions exposure, data diodes/guards integration with identity.
• Logging and threat detection integration across identity platforms, privileged access tooling, and security monitoring services.
• Experience migrating from ADFS and legacy IdPs to modern standards (OIDC/SAML).Familiarity with supply chain and partner access hardening (B2B, external identities).  

Solution Architecture IC5 - The typical base pay range for this role across United Kingdom is £ 77,600.00 - £ 132,500.00 per year. Certain roles may be eligible for benefits and other compensation.

Find additional benefits and pay information here:
https://careers.microsoft.com/v2/global/en/corporate-pay/united-kingdom-corporate-pay.html

This position will be open for a minimum of 5 days, with applications accepted on an ongoing basis until the position is filled.

Microsoft is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to age, ancestry, citizenship, color, family or medical care leave, gender identity or expression, genetic information, immigration status, marital status, medical condition, national origin, physical or mental disability, political affiliation, protected veteran or military status, race, ethnicity, religion, sex (including pregnancy), sexual orientation, or any other characteristic protected by applicable local laws, regulations and ordinances. If you need assistance with religious accommodations and/or a reasonable accommodation due to a disability during the application process, read more about requesting accommodations.