- Define and maintain modern authentication standards for applications and APIs (OAuth2/OIDC/SAML), including reference architectures.
- Support project teams in implementing and troubleshooting auth flows (Auth Code + PKCE, Device Code, Client Credentials, OBO), including edge cases and production incidents.
- Review and harden token/session configurations (lifetimes, refresh behaviour, session controls) and advise on mitigations for common auth threats (replay, token theft).
- Design and standardize claims/attributes strategy (least-privilege claims, normalization across IdPs, group/role overage handling) for scalable integrations.
- Define API access models and permission strategy (scopes vs roles, delegated vs app permissions) and govern consent patterns (admin/incremental) for least privilege and auditability.
- Configure and operate federation integrations (IdP/SP), including metadata management, planned rollovers, and resolving common SSO issues.
- Design risk-based access controls and step-up patterns aligned to application sensitivity, using Conditional Access and appropriate MFA/authentication strength.
- Deliver Entra ID tenant-level configurations and operational posture improvements (baseline configuration, governance touchpoints, operational practices).
- Design and guide external identity onboarding patterns (Entra External ID CIAM/B2B/B2C), balancing UX, security controls, and supportability.
- Build, tune and safely roll out Conditional Access / Identity Protection policies (exclusions, break-glass, staged deployment, monitoring and rollback approach).
- Implement and operate Entra ID Governance capabilities (access packages, entitlement management, access reviews, lifecycle workflows) in alignment with delivery timelines.
- Provide application onboarding and integration support (Enterprise Apps, App Registrations, service principals, managed identities), including troubleshooting and configuration reviews.
- Support hybrid identity dependencies involving AD DS (directory design impacts, group structures, delegation models) and advise on sustainable hybrid patterns.
- Operate and troubleshoot AD FS where still required, and contribute to modernization roadmaps toward cloud-native federation patterns.
- Develop and maintain PowerShell automation for identity operations (Graph PowerShell and relevant modules): reporting, bulk changes, baseline checks, and repeatable tasks with robust logging.
- Provide scripted operational support for AD DS/AD FS (user/group lifecycle tasks, reporting, troubleshooting accelerators) within governance and access boundaries.
- Participate in SailPoint-based IGA delivery (IdentityIQ/IdentityNow): requirements translation, design validation, and alignment of governance outcomes with Microsoft identity patterns.
- Implement IGA processes end-to-end (JML, access requests/approvals, certifications/reviews, SoD, role/entitlement modeling) and integrate with delivery/operations.
- Design and improve provisioning and lifecycle integrations (SCIM, authoritative sources, reconciliation, JIT vs managed provisioning), ensuring clean offboarding and access governance.