Posted on: 10/12/2025
Description :
Discovery and Analysis :
- Inventory and map the entire SharePoint Online estate (sites, hubs, Teams-backed sites, channel sites, OneDrive interactions).
- Enumerate all external sharing links, classify by type (Anyone, Org-wide, Specific People), and review expiry posture.
- Catalog guest accounts and sponsorship status; identify stale or unmanaged guests.
- Review tenant and site-level settings affecting external collaboration.
- Assess adoption of sensitivity labels, DLP coverage, retention/records configuration, and conflicts.
- Evaluate monitoring and logging posture, Unified Audit Log retention, and SIEM routing.
- Inventory third-party applications, OAuth consents, and risky Power Automate flows.
Gap Register and Reporting :
- Build a Data Exposure Catalog for sensitive libraries and their exposure posture.
- Deliver an Architecture Map showing current hubs, sites, and high-risk clusters.
- Develop an Executive Heat Map of the top 10 risks.
Future State Recommendations :
- Site provisioning, ownership, and lifecycle controls.
- External collaboration model (guest lifecycle, expirations, access reviews).
- Baseline tenant and site settings for sharing, links, and unmanaged device sessions.
- Content protection model (sensitivity labels, auto-labeling, DLP tiers, retention standards).
- Monitoring and alerting strategy with dashboards and escalation paths.
- Outline a phased roadmap with quick wins, 90-day baselines, and a 6-month uplift.
Communication and Stakeholder Engagement :
- Lead technical workshops with admins, security engineering, and business data owners.
- Translate technical findings into business-focused risks and recommendations.
- Produce polished deliverables : Discovery Workbook, Gap Register, Recommendations Report, and executive presentation decks.
Required Skills and Experience :
- Proven track record leading at least two tenant-wide SharePoint security or architecture assessments.
- Strong understanding of Microsoft Entra ID (Azure AD) identity and access controls : Conditional Access, PIM, access reviews, cross-tenant access.
- Hands-on expertise with Microsoft Purview : sensitivity labels, DLP, retention, records management.
- Knowledge of Microsoft Defender for Cloud Apps and Defender for Office 365.
- Strong familiarity with Unified Audit Log, KQL queries, and SIEM integrations.
- Experience auditing app consents and Power Automate flows for data leakage risk.
- Proficiency with PnP.PowerShell, Microsoft Graph, and PowerShell scripting.
- Exceptional ability to produce clean, evidence-driven documentation and reports.
Preferred Certifications :
- Microsoft Certified : Identity and Access Administrator Associate (SC-300)
- Microsoft Certified : Information Protection Administrator Associate (SC-400)
- Microsoft Certified : Security Engineer Associate (AZ-500)
- CISSP or CCSP (optional, for broader security framing)
Core Attributes :
- Skilled at stakeholder communication and risk storytelling.
- Strong documentation and executive presentation skills.
- Comfortable with ambiguity; able to structure unorganized environments.
Posted in: CyberSecurity
Functional Area: IT Security
Job Code: 1587290