LTIMindtree

Microsoft SSPR Expert / Identity Authentication Architect

  • Posted 18 hours ago

Job Description

Job Description: Microsoft SSPR Expert / Identity Authentication Architect

Position Overview

We are seeking an expert-level Identity Authentication Architect specializing in Microsoft Self-Service Password Reset (SSPR) and hybrid identity solutions to lead the design, implementation, and optimization of enterprise-wide password reset capabilities. This role requires deep technical expertise in Azure Active Directory, on-premises Active Directory, Azure AD Connect, and identity security frameworks to deliver secure, scalable, and user-friendly authentication experiences across our global organization.

Key Responsibilities

Strategy & Architecture

  • Design and architect enterprise SSPR solutions for multi-forest, multi-region hybrid Active Directory environments supporting 10,000+ users
  • Develop comprehensive identity authentication roadmaps integrating SSPR with passwordless strategies, MFA, and zero-trust frameworks
  • Create technical architecture documentation including data flows, security controls, disaster recovery procedures, and compliance mappings
  • Lead architectural review boards for identity-related changes, ensuring SSPR integration with broader IAM initiatives
  • Design group-based targeting strategies for phased SSPR rollouts balancing security requirements with user experience
  • Architect SSPR monitoring, alerting, and reporting frameworks using Azure Monitor, Log Analytics, and Power BI

Implementation & Engineering

  • Configure and deploy Azure AD SSPR policies including authentication methods, registration enforcement, and writeback capabilities
  • Implement Azure AD Connect password writeback across multiple forests with high-availability and disaster recovery configurations
  • Integrate SSPR with Azure AD Password Protection, banned password lists, and custom policy enforcement
  • Configure Conditional Access policies for secure SSPR registration, including risk-based authentication and MFA enforcement
  • Develop PowerShell scripts and Microsoft Graph API integrations for automated SSPR configuration management and reporting
  • Implement combined security information registration experiences unifying SSPR and MFA registration workflows
  • Configure and test account unlock capabilities without password reset for helpdesk ticket reduction

Security & Compliance

  • Conduct security assessments of SSPR configurations identifying vulnerabilities in authentication methods, registration processes, and writeback mechanisms
  • Design and implement controls preventing SSPR abuse including smart lockout configurations, rate limiting, and suspicious activity monitoring
  • Ensure SSPR compliance with regulatory requirements (GDPR, HIPAA, SOC 2, ISO 27001) including data residency, audit logging, and retention policies
  • Integrate SSPR with Azure AD Identity Protection for risk-based registration policies and anomaly detection
  • Perform regular security reviews of registered authentication methods, identifying weak security questions and encouraging stronger alternatives
  • Collaborate with security teams to investigate and remediate SSPR-related security incidents including compromised method registrations

Operations & Optimization

  • Monitor SSPR health metrics including writeback success rates, registration completion, user adoption, and helpdesk ticket trends
  • Troubleshoot complex SSPR writeback failures involving Azure AD Connect synchronization conflicts, password policy mismatches, and network connectivity issues
  • Optimize SSPR user experience through customization of branding, helpdesk links, and instructional content
  • Establish SSPR operational runbooks, escalation procedures, and knowledge base articles for support teams
  • Conduct capacity planning for SSPR infrastructure ensuring scalability during peak usage periods
  • Implement continuous improvement processes based on user feedback, adoption metrics, and security incidents

Required Qualifications

Technical Experience

  • 7+ years of hands-on experience with Microsoft identity technologies (Active Directory, Azure AD, Azure AD Connect)
  • 4+ years of expert-level experience implementing and managing Azure AD Self-Service Password Reset in enterprise environments (10,000+ users)
  • 3+ years configuring Azure AD Connect password writeback, password hash synchronization, and hybrid identity scenarios
  • Proven experience designing multi-forest Active Directory architectures with complex trust relationships and cross-forest authentication
  • Deep expertise in Azure AD Conditional Access policies, MFA configuration, and identity protection frameworks
  • Strong background in PowerShell scripting and Microsoft Graph API for identity automation and reporting
  • Hands-on experience troubleshooting complex identity synchronization issues, password writeback failures, and authentication conflicts

Domain Expertise

  • Comprehensive understanding of authentication protocols: Kerberos, NTLM, LDAP, SAML, OAuth, OpenID Connect
  • Expert knowledge of password security principles including hashing algorithms, salt mechanisms, and password policy design
  • Deep understanding of Azure AD licensing models (Free, P1, P2) and feature availability across tiers
  • Expertise in identity lifecycle management, joiners-movers-leavers processes, and automated provisioning/deprovisioning
  • Strong knowledge of compliance frameworks and their identity requirements (GDPR, HIPAA, PCI-DSS, NIST, CIS)
  • Understanding of zero-trust architecture principles and passwordless authentication strategies

Preferred Qualifications

  • Experience with Azure AD B2B/B2C guest user SSPR scenarios and cross-tenant collaboration
  • Familiarity with privileged identity management (PIM) and its interaction with SSPR capabilities
  • Experience integrating SSPR with third-party SIEM solutions (Splunk, Azure Sentinel, QRadar)
  • Knowledge of federated identity providers (ADFS, Okta, Ping) and their SSPR integration patterns
  • Experience with Microsoft Defender for Identity and its monitoring of password reset activities
  • Background in large-scale identity migrations and directory consolidation projects
  • Understanding of sovereign cloud environments (GCC, GCC High, Azure Government) and their SSPR differences
  • Experience with Temporary Access Pass (TAP) and passwordless authentication methods (FIDO2, Windows Hello for Business)

Technical Skills

Microsoft Technologies (Expert Level)

  • Azure Active Directory (Premium P1/P2)
  • Azure AD Connect (sync engine, health monitoring, troubleshooting)
  • Azure AD Password Protection
  • Microsoft 365 Admin Center / Azure Portal
  • Azure AD PowerShell / MSOnline module
  • Microsoft Graph API / Graph Explorer
  • Azure Monitor / Log Analytics
  • Conditional Access policies

Scripting & Automation

  • PowerShell (advanced scripting, modules, error handling)
  • Microsoft Graph API (REST calls, authentication flows, pagination)
  • Azure Automation / Runbooks
  • Azure Logic Apps for workflow automation
  • JSON/XML data manipulation
  • Git version control for configuration as code

Infrastructure & Networking

  • Active Directory Domain Services (GPO, Sites/Services, Replication)
  • Windows Server (2012 R2 - 2022)
  • DNS, DHCP, and name resolution troubleshooting
  • Network security (firewalls, proxies, port requirements)
  • Certificate infrastructure and PKI concepts
  • High availability and disaster recovery architectures

Security & Compliance Tools

  • Azure AD Identity Protection
  • Azure AD Privileged Identity Management
  • Azure Sentinel / SIEM integration
  • Compliance Manager / Service Trust Portal
  • Audit log analysis and retention management

Preferred

  • Microsoft Certified: Security Operations Analyst Associate (SC-200)
  • Microsoft Certified: Azure Security Engineer Associate (AZ-500)
  • Microsoft 365 Certified: Enterprise Administrator Expert (MS-100, MS-101)
  • CISSP, CISM, or other security certifications

Work Environment

  • Location: Bangalore

Job ID: 136615059