Senior Microsoft Cloud Engineer

Description

About Atom Security

Atom Security LLC is a specialized cybersecurity brand purpose-built on the foundation of Proven IT, a trusted managed services provider with a proven track record of delivering technology solutions to clients across the Midwest. Built to extend Proven IT’s continued success into a dedicated security practice, Atom Security delivers exceptional Managed Security Services (MSSP), professional security consulting, and fractional Chief Information Security Officer (vCISO) services to organizations that require specialized expertise beyond the scope of a generalist technology provider.

Atom Security’s launch focus is the Defense Industrial Base (DIB), serving defense contractors pursuing CMMC Level 2 certification through a purpose-built Microsoft GCC High sovereign platform. In parallel, Atom’s commercial practice serves clients in regulated industries including healthcare, finance, and manufacturing. This is a ground-floor opportunity to help build and define a specialized security brand from inception, with direct impact on the architecture, culture, and client experience of a growing practice.

About This Role

This role owns end-to-end engineering delivery of Atom Security’s GCC High and Azure Commercial operations infrastructure — from tenant provisioning through security toolchain deployment and legacy tool migration — against an active, near-term go-live target. The platform supports a dual-track service model: a Microsoft GCC High sovereign track for CMMC-scoped DIB clients, and an Azure Commercial track for the broader managed security practice.

This is a build role with a clear growth trajectory. The initial phase is a structured engineering sprint with defined deliverables and milestones. As the platform becomes operational and Atom Security scales, this position is designed to flex based on organizational needs and individual strengths — evolving toward either deep infrastructure ownership and ongoing platform administration, or toward client-facing technical roles including vCISO support, client onboarding, and technical advisory engagements with DIB and commercial clients. The right candidate will have both the technical depth to build the platform and the professional presence to engage with clients as the practice grows.

Candidates must have hands-on experience provisioning and administering Microsoft GCC High environments. Azure Commercial experience alone is insufficient — the build schedule has no capacity to absorb a GCC High learning curve.

 
Key Responsibilities
Infrastructure Build

• Provision Atom’s GCC High Operations Tenant through an AOS-G authorized partner and build the parallel Azure Commercial Operations Tenant as isolated sovereign tracks
• Establish Entra ID baseline across both tenants: admin account structure, security group naming conventions, and identity governance configuration
• Deploy Azure Virtual Desktop host pool in Azure Government for SOC analyst and vCISO secure access
• Configure Microsoft Lighthouse delegation framework across both tracks to support multi-client MSSP management
• Implement FIDO2/phish-resistant MFA and Conditional Access policies across all administrative accounts on both tenants

Identity and Access Governance

• Configure Privileged Identity Management (PIM) for all privileged roles across both tenants
• Enroll all analyst devices, vCISO devices, and AVD session hosts into GCC High and Commercial Intune respectively
• Document the separate Entra identity model (distinct UPNs per track) as a formal access control artifact

Security Toolchain Deployment

• Stand up Microsoft Sentinel MSSP workspaces on both tracks with baseline analytics rules, alert routing, and cross-workspace KQL queries
• Apply Defender XDR P2 baseline policy across the GCC High tenant
• Deploy CrowdStrike Gov endpoint agents to CMMC client environments; deploy CrowdStrike Commercial Falcon for non-CMMC clients
• Activate Azure Arc and Intune management on Atom operations devices
• Verify track separation end-to-end and reflect findings in finalized network diagrams

Legacy Tool Migration

• Build SharePoint GCC High site structure to receive runbooks, SOPs, and client documentation migrated from legacy documentation platforms
• Configure Azure DevOps Boards (GCC High) as the ticketing and work management replacement
• Provision Azure Key Vault and execute controlled credential migration with documented access policy review
• Update Atom’s System Security Plan (SSP) to remove transitional tool entries upon retirement confirmation

Go-Live and Growth

• Support compliance documentation sprints — provide infrastructure evidence artifacts for SSP completion
• Conduct end-to-end Lighthouse delegation testing for both anchor clients prior to go-live
• Complete final infrastructure verification pass against the go-live readiness checklist
• Support onboarding of client accounts to the Atom service delivery model post-launch
• As the practice scales, participate in client-facing technical work — including vCISO engagements, client onboarding, security architecture reviews, and direct advisory relationships with DIB and commercial clients

Requirements

Required Qualifications

Candidates without direct GCC High or M365 Government environment experience will require a ramp period this build cannot accommodate.

• M365 GCC High: hands-on tenant provisioning and administration; Azure Commercial equivalents do not qualify
• Microsoft Sentinel: MSSP workspace architecture, cross-workspace KQL, Lighthouse-delegated RBAC, analytics rule configuration
• Azure Virtual Desktop: deployment and administration in Azure Government (not commercial AVD)
• Microsoft Intune (GCC High): device enrollment, Compliance policies, Conditional Access integration
• Entra ID Governance: Privileged Identity Management (PIM), Conditional Access, Named Locations, Identity Protection
• Microsoft Lighthouse: multi-tenant delegation configuration and RBAC scoping for MSSP management
• Azure Arc: server and hybrid endpoint onboarding and management
• SharePoint GCC High: site architecture, permissions model, and document library structure
• Azure Key Vault: provisioning, access policy configuration, and secrets management

Preferred Qualifications

• CrowdStrike Falcon sensor deployment and policy baseline configuration — Falcon Gov and/or Falcon Commercial
• Azure DevOps Boards configuration and administration
• Prior experience building or operating within a CMMC Level 2 or FedRAMP High environment
• Client-facing technical experience — security advisory, vCISO support, client onboarding, or security architecture reviews
• Microsoft certifications: SC-200, SC-300, AZ-800/801, MS-102, or equivalent

Benefits

GROUP HEALTH INSURANCE:  After a 30-day waiting period, full-time employees (who work at least 30 hours per week) and their dependents, are eligible to enroll in health benefits utilizing the Cigna network. Health options include a choice of 2 PPO plans or a High Deductible Health Plan with employer contributions to a Health Savings Account (HSA). In addition, Dental benefits are available as well as a Vision PPO plan utilizing the EyeMed network. Proven also offers voluntary worksite benefits including critical illness, hospital indemnity, accident coverage, short-term disability insurance, supplemental life and pet insurance. Additional offerings include an employee discount program, home and auto insurance services and commuter/transit FSA.

EMPLOYER PROVIDED LIFE/AD&D INSURANCE:  After a 30-day waiting period, Proven IT provides a flat $25,000 Life Insurance benefit, administered by BlueCross BlueShield, to all full-time employees (who work at least 30 hours per week). Accidental Death & Dismemberment (AD&D) benefit payments are determined based on the type of loss incurred and are payable up to the full Life Insurance benefit amount. Life and AD&D Insurance coverage amounts are reduced at ages 65, 70 and 75.

EMPLOYER PROVIDED LTD: Long-Term Disability (LTD) insurance is an employer-provided benefit and provides protection from loss of income in the event that an employee is unable to work due to illness, injury, or accident for a long period of time.  The elimination period is 90-days, and the maximum benefit is 60% of covered payroll up to $6000/month. This benefit is paid entirely by Proven IT and has no cost to the employee.

EMPLOYEE ASSISTANCE PROGRAM: All employees may utilize the Disability Resource Services through BlueCross BlueShield of Illinois to assist themselves and their immediate family with convenient resources to help address emotional, legal and financial issues. Telephonic counseling and web-based services are available as well as a limited number of geographically accessible face-to-face sessions.

401K PLAN: All employees are eligible after 120 days of service to contribute on either a pre-tax or post-tax (Roth) basis to the 401K plan, administered by Principal Financial Services. Proven offers an employer match equal to 100% of the first 3% of deferrals plus 50% of the next 2% of deferrals. 

FINANCIAL ADVISORY SERVICES:  Proven IT partners with Merrill Lynch to offer financial advisement to all employees. Merrill Lynch financial advisors are available to assist employees at no cost, with their 401k and retirement questions.  

PERMISSIVE TIME OFF POLICY: Proven provides a competitive paid time off policy for all full-time regular employees after a 90-day waiting period. Proven IT empowers their employees to work with their managers and team to coordinate all time off. Managers may impose a limit to requests for time off based on performance and tenure.

PARENTAL LEAVE: Proven IT offers a generous parental leave policy for new parents. After 24-months of employment, Proven provides full-time regular employees with 90-days of paid Maternity leave and 10-days of paid Paternity leave. Employees with less than 24-months of service may take the same amount of unpaid time off.

FITNESS CENTER:  Proven IT offers a free on-site fitness center at the Tinley Park headquarters office location to all employees 24/7 Monday through Sunday. Employees utilize the gym equipment at their own risk.

Proven IT is an Equal Opportunity Employer. We are committed to creating a diverse and inclusive workplace and welcome applicants from all backgrounds. All employment decisions are based on qualifications, merit, and business needs. If you need assistance or accommodation during the hiring process, please contact us.

This job description reflects management’s assignment of essential functions; it does not prescribe or restrict the tasks that may be assigned.  

Salary : $125,000 - $140,000