
LTIMindtree

Microsoft SSPR Expert / Identity Authentication Architect

This job is no longer accepting applications

  • Posted 3 months ago

Job Description

Job Description: Microsoft SSPR Expert / Identity Authentication Architect 

Position Overview 

We are seeking an expert-level Identity Authentication Architect specializing in Microsoft Self-Service Password Reset (SSPR) and hybrid identity solutions to lead the design, implementation, and optimization of enterprise-wide password reset capabilities. This role requires deep technical expertise in Azure Active Directory, on-premises Active Directory, Azure AD Connect, and identity security frameworks to deliver secure, scalable, and user-friendly authentication experiences across our global organization. 

Key Responsibilities 

Strategy & Architecture  

  • Design and architect enterprise SSPR solutions for multi-forest, multi-region hybrid Active Directory environments supporting 10,000+ users 
  • Develop comprehensive identity authentication roadmaps integrating SSPR with passwordless strategies, MFA, and zero-trust frameworks 
  • Create technical architecture documentation including data flows, security controls, disaster recovery procedures, and compliance mappings 
  • Lead architectural review boards for identity-related changes, ensuring SSPR integration with broader IAM initiatives 
  • Design group-based targeting strategies for phased SSPR rollouts balancing security requirements with user experience 
  • Architect SSPR monitoring, alerting, and reporting frameworks using Azure Monitor, Log Analytics, and Power BI 

Implementation & Engineering  

  • Configure and deploy Azure AD SSPR policies including authentication methods, registration enforcement, and writeback capabilities 
  • Implement Azure AD Connect password writeback across multiple forests with high-availability and disaster recovery configurations 
  • Integrate SSPR with Azure AD Password Protection, banned password lists, and custom policy enforcement 
  • Configure Conditional Access policies for secure SSPR registration, including risk-based authentication and MFA enforcement 
  • Develop PowerShell scripts and Microsoft Graph API integrations for automated SSPR configuration management and reporting 
  • Implement combined security information registration experiences unifying SSPR and MFA registration workflows 
  • Configure and test account unlock capabilities without password reset for helpdesk ticket reduction 

Security & Compliance  

  • Conduct security assessments of SSPR configurations identifying vulnerabilities in authentication methods, registration processes, and writeback mechanisms 
  • Design and implement controls preventing SSPR abuse including smart lockout configurations, rate limiting, and suspicious activity monitoring 
  • Ensure SSPR compliance with regulatory requirements (GDPR, HIPAA, SOC 2, ISO 27001) including data residency, audit logging, and retention policies 
  • Integrate SSPR with Azure AD Identity Protection for risk-based registration policies and anomaly detection 
  • Perform regular security reviews of registered authentication methods, identifying weak security questions and encouraging stronger alternatives 
  • Collaborate with security teams to investigate and remediate SSPR-related security incidents including compromised method registrations 

Operations & Optimization  

  • Monitor SSPR health metrics including writeback success rates, registration completion, user adoption, and helpdesk ticket trends 
  • Troubleshoot complex SSPR writeback failures involving Azure AD Connect synchronization conflicts, password policy mismatches, and network connectivity issues 
  • Optimize SSPR user experience through customization of branding, helpdesk links, and instructional content 
  • Establish SSPR operational runbooks, escalation procedures, and knowledge base articles for support teams 
  • Conduct capacity planning for SSPR infrastructure ensuring scalability during peak usage periods 
  • Implement continuous improvement processes based on user feedback, adoption metrics, and security incidents 

Required Qualifications 

Technical Experience 

  • 7+ years of hands-on experience with Microsoft identity technologies (Active Directory, Azure AD, Azure AD Connect) 
  • 4+ years of expert-level experience implementing and managing Azure AD Self-Service Password Reset in enterprise environments (10,000+ users) 
  • 3+ years configuring Azure AD Connect password writeback, password hash synchronization, and hybrid identity scenarios 
  • Proven experience designing multi-forest Active Directory architectures with complex trust relationships and cross-forest authentication 
  • Deep expertise in Azure AD Conditional Access policies, MFA configuration, and identity protection frameworks 
  • Strong background in PowerShell scripting and Microsoft Graph API for identity automation and reporting 
  • Hands-on experience troubleshooting complex identity synchronization issues, password writeback failures, and authentication conflicts 

Domain Expertise 

  • Comprehensive understanding of authentication protocols: Kerberos, NTLM, LDAP, SAML, OAuth, OpenID Connect 
  • Expert knowledge of password security principles including hashing algorithms, salt mechanisms, and password policy design 
  • Deep understanding of Azure AD licensing models (Free, P1, P2) and feature availability across tiers 
  • Expertise in identity lifecycle management, joiners-movers-leavers processes, and automated provisioning/deprovisioning 
  • Strong knowledge of compliance frameworks and their identity requirements (GDPR, HIPAA, PCI-DSS, NIST, CIS) 
  • Understanding of zero-trust architecture principles and passwordless authentication strategies 

Preferred Qualifications 

  • Experience with Azure AD B2B/B2C guest user SSPR scenarios and cross-tenant collaboration 
  • Familiarity with privileged identity management (PIM) and its interaction with SSPR capabilities 
  • Experience integrating SSPR with third-party SIEM solutions (Splunk, Azure Sentinel, QRadar) 
  • Knowledge of federated identity providers (ADFS, Okta, Ping) and their SSPR integration patterns 
  • Experience with Microsoft Defender for Identity and its monitoring of password reset activities 
  • Background in large-scale identity migrations and directory consolidation projects 
  • Understanding of sovereign cloud environments (GCC, GCC High, Azure Government) and their SSPR differences 
  • Experience with Temporary Access Pass (TAP) and passwordless authentication methods (FIDO2, Windows Hello for Business) 

Technical Skills 

Microsoft Technologies (Expert Level) 

  • Azure Active Directory (Premium P1/P2) 
  • Azure AD Connect (sync engine, health monitoring, troubleshooting) 
  • Azure AD Password Protection 
  • Microsoft 365 Admin Center / Azure Portal 
  • Azure AD PowerShell / MSOnline module 
  • Microsoft Graph API / Graph Explorer 
  • Azure Monitor / Log Analytics 
  • Conditional Access policies 

Scripting & Automation 

  • PowerShell (advanced scripting, modules, error handling) 
  • Microsoft Graph API (REST calls, authentication flows, pagination) 
  • Azure Automation / Runbooks 
  • Azure Logic Apps for workflow automation 
  • JSON/XML data manipulation 
  • Git version control for configuration as code 

Infrastructure & Networking 

  • Active Directory Domain Services (GPO, Sites/Services, Replication) 
  • Windows Server (2012 R2 - 2022) 
  • DNS, DHCP, and name resolution troubleshooting 
  • Network security (firewalls, proxies, port requirements) 
  • Certificate infrastructure and PKI concepts 
  • High availability and disaster recovery architectures 

Security & Compliance Tools 

  • Azure AD Identity Protection 
  • Azure AD Privileged Identity Management 
  • Azure Sentinel / SIEM integration 
  • Compliance Manager / Service Trust Portal 
  • Audit log analysis and retention management 

Preferred 

  • Microsoft Certified: Security Operations Analyst Associate (SC-200) 
  • Microsoft Certified: Azure Security Engineer Associate (AZ-500) 
  • Microsoft 365 Certified: Enterprise Administrator Expert (MS-100, MS-101) 
  • CISSP, CISM, or other security certifications 

 

Work Environment 

  • Location: Bangalore  

 


Job ID: 136615059
