SharePoint Security Architect

Overview

Hybrid
$60 - $65
Contract - W2
Contract - Independent
Contract - 6 Month(s)
10% Travel

Skills

SharePoint
Security
Architect
CISSP
PowerShell

Job Details

Job Description: SharePoint Security Architect
Location: Remote (Denver, CO; occasional on-site workshops possible)

Role Summary
SharePoint Security Architect (Contract) focused on discovery and future state recommendations for a large enterprise SharePoint Online environment. This role is heavily assessment-driven: you will map the tenant, identify architectural and security gaps, and produce deliverables including a Gap Register, Data Exposure Catalog, Architecture Map, and a Future State Recommendations Report. You will be hands-on with discovery, confident in stakeholder engagement, and able to translate complex findings into clear, actionable reports.

Responsibilities
Discovery and Analysis
Inventory and map the entire SharePoint Online estate (sites, hubs, Teams-backed sites, channel sites, OneDrive interactions).
Extract and analyze site and library permissions, identify inheritance breaks, and highlight excessive role assignments.
Enumerate all external sharing links, classify by type (Anyone, Org-wide, Specific People), and review expiry posture.
Catalog guest accounts and sponsorship status; identify stale or unmanaged guests.
Review tenant and site-level settings affecting external collaboration.
Assess adoption of sensitivity labels, DLP coverage, retention/records configuration, and conflicts.
Evaluate monitoring and logging posture, Unified Audit Log retention, and SIEM routing.
Inventory third-party applications, OAuth consents, and risky Power Automate flows.

Gap Register and Reporting
Produce a Gap Register: clear gap statements with evidence, risk scoring (severity/likelihood), business impact, and suggested owners.
Build a Data Exposure Catalog for sensitive libraries and their exposure posture.
Deliver an Architecture Map showing current hubs, sites, and high-risk clusters.
Develop an Executive Heat Map of the top 10 risks.

Future State Recommendations
Define a target SharePoint security and governance model:
Site provisioning, ownership, and lifecycle controls.
External collaboration model (guest lifecycle, expirations, access reviews).
Baseline tenant and site settings for sharing, links, and unmanaged device sessions.
Content protection model (sensitivity labels, auto-labeling, DLP tiers, retention standards).
Monitoring and alerting strategy with dashboards and escalation paths.
Outline a phased roadmap with quick wins, 90-day baselines, and a 6-month uplift.

Communication and Stakeholder Engagement
Lead technical workshops with admins, security engineering, and business data owners.
Translate technical findings into business-focused risks and recommendations.
Produce polished deliverables: Discovery Workbook, Gap Register, Recommendations Report, and executive presentation decks.

Required Skills and Experience
7+ years of experience with Microsoft 365 and SharePoint Online in large, enterprise environments.
Proven track record leading at least two tenant-wide SharePoint security or architecture assessments.
Strong understanding of Microsoft Entra ID (Azure AD) identity and access controls: Conditional Access, PIM, access reviews, cross-tenant access.
Hands-on expertise with Microsoft Purview: sensitivity labels, DLP, retention, records management.
Knowledge of Microsoft Defender for Cloud Apps and Defender for Office 365.
Strong familiarity with Unified Audit Log, KQL queries, and SIEM integrations.
Experience auditing app consents and Power Automate flows for data leakage risk.
Proficiency with PnP.PowerShell, Microsoft Graph, and PowerShell scripting.
Exceptional ability to produce clean, evidence-driven documentation and reports.

Preferred Certifications
Microsoft Certified: Identity and Access Administrator Associate (SC-300)
Microsoft Certified: Information Protection Administrator Associate (SC-400)
Microsoft Certified: Security Engineer Associate (AZ-500)
CISSP or CCSP (optional, for broader security framing)

Core Attributes
Analytical, detail-oriented, and evidence-driven.
Skilled at stakeholder communication and risk storytelling.
Strong documentation and executive presentation skills.
Comfortable with ambiguity; able to structure unorganized environments.
