Microsoft

Security Solution Architecture

£77.6k – £132.5k/yr
Posted 10 days ago


Overview

Enterprise Identity Architect (Defence Sector)
Location: UK
Clearance: Candidates who do not currently hold transferable UK DV clearance need not apply. Candidates must be willing to undergo additional customer specific vetting and adhere to personnel security obligations.

Employment Type: Permanent / Long-term Contract
Travel: As required to UK sites in the South and West - averaging 3 days per week onsite

Role Purpose

We are seeking an Enterprise Identity Architect with proven, deep, hands-on expertise in Identity & Access Management (IAM) across on-premises and cloud environments, and demonstrable experience shaping identity strategy for complex, multi-tenant, multi-forest estates in regulated settings. This is not an engineering-only role, a general architecture role, or an entry route into defence identity. We welcome candidates who meet the essential requirements and can evidence equivalent experience from regulated, national-security, critical-infrastructure, or defence-adjacent environments.

The role will lead and enable change in a complex identity landscape, establish a single authoritative master identity model spanning classification domains, and shape and deliver a secure, standards-aligned roadmap built on Zero Trust and defence policy frameworks (including ASP 240 and relevant JSPs). Candidates must be able to operate at enterprise architecture level while staying credible with engineering teams, security authorities, and operational stakeholders.

Key Outcomes (12–18 months)

  • Master Identity Model Delivered: A formalised, documented and implemented authoritative identity data model with a clear source of truth, lifecycle, and attribute governance across classification domains.
  • Consolidation & Simplification: Reduced identity duplication and drift across multiple AD forests/tenants, clear trust/segregation boundaries, and evidence-based access models (RBAC/ABAC) aligned to business roles/missions.
  • Control Maturity Improvement: Measured uplift in identity controls (MFA, PIM/PAM, passwordless, privileged isolation, just-in-time access) validated through defence audits and JSP/ASP control evidence.
  • Assured Inter-Domain Patterns: Approved cross-domain identity patterns (e.g., credential brokerage, guard-mediated flows, offline enclave procedures) with formal risk acceptance and assurance artefacts.
  • Legacy Decommission: Defined and executed migration/decommission plans for legacy IdPs, ADFS, and brittle sync pipelines, with documented rollback and operational runbooks.

Before applying, candidates must hold current, transferable UK DV clearance and be able to evidence: enterprise-scale IAM architecture leadership; delivery across hybrid Active Directory and Microsoft Entra environments; experience in regulated, defence, national-security, or similarly controlled environments; and the ability to produce assurance-ready architecture artefacts for senior technical, security, and governance audiences. If you meet the essential clearance and architecture requirements but do not match every technology listed, we still encourage you to apply and show how your experience maps to the outcomes we need.

Responsibilities

Enterprise Identity Architecture

  • Define and own end-to-end IAM reference architectures for OFFICIAL and SECRET domains, including enclave segregation, trust models, and boundary controls.
  • Design authoritative identity sources and golden record schemas (HR, ERP, clearance systems), lifecycle policies (joiner/mover/leaver), and attribute governance.
  • Specify RBAC/ABAC models, entitlement catalogues, role mining, separation of duties (SoD) and privileged access patterns (PAW tiers, admin forest, bastion models).

Technical Strategy & Delivery

  • Shape and enable consolidation/modernisation across on-premises Active Directory, Microsoft Entra ID, Microsoft Identity Manager/Entra ID Governance, and third-party IGA platforms including SailPoint and Saviynt.
  • Architect MFA/passwordless (FIDO2/YubiKey, smartcard/PIV equivalents), Conditional Access, risk-based access, device trust, PIM and PAM (CyberArk/BeyondTrust).
  • Own identity integration for critical applications across cloud, on-premises, legacy, and air-gapped environments, including cross-domain access patterns through controlled brokers and guards.

Security, Compliance & Defence Governance

  • Map designs and evidence to ASP 240 and applicable JSP guidelines (e.g., JSP 440 Security, JSP 604 Information/IA policies or successors), NCSC guidance, ISO/IEC 27001, and Zero Trust principles.
  • Produce and maintain HLD/LLD, Control Matrices, Risk/Threat Models (STRIDE/ATT&CK), Security Cases, Transition Plans, and Operational Runbooks.
  • Support audits, Design Reviews, IAO/SIRO approvals, security testing, and accreditation evidence.

Change & Stakeholder Leadership

  • Run workshops to untangle legacy identity estates, discover shadow entitlements, and align business/mission owners to a single operating model.
  • Coach engineering and operations teams; establish guardrails, patterns, and reference implementations; guide devsecops integration for identity.
  • You will work in a collaborative architecture environment where clear communication, stakeholder trust, structured decision-making, and coaching engineering teams are as important as technical depth.

Qualifications

Proven track record of leading large-scale Identity and Access Management transformations in complex regulated environments. Defence sector experience with mixed-classification environments is preferred; candidates must demonstrate that their experience maps to defence assurance, governance, and accreditation expectations.

Strong demonstrable experience with:

  • Microsoft Entra ID (Azure AD), Entra Connect/Cloud Sync, MIM/Entra ID Governance, Conditional Access, PIM, tenant-to-tenant and hybrid patterns.
  • Active Directory (multi-forest consolidation, trusts, tiered admin, admin forests), DNS/PKI (enterprise and offline PKI, CRL/OCSP, HSMs certified to FIPS 140-2/3).
  • PIM, PAW and PAM.
  • MFA/passwordless (FIDO2, smartcards, CAC/PIV-style credentials), credential hygiene, Kerberos/NTLM deprecation strategies.
  • Zero Trust identity controls, RBAC/ABAC, and policy-as-code approaches.
  • Aligning Zero Trust and master identity controls to the Enterprise Service Model.
  • Demonstrable success unravelling complex identity estates (e.g., multiple AD forests, conflicting schemas, brittle sync, overlapping personas) and delivering a master identity model with a clean source of truth and lifecycle automation.
  • Experience defining cross-domain identity patterns for air-gapped or high-side environments, including guard-mediated flows, brokers, one-way trusts, and offline credential issuance.
  • Strong documentation: HLD/LLD, architecture decision records, control mappings (JSP/ASP/NCSC), test plans, migration and decommission plans.


Defence Policy & Standards (Experience Expected)

Note: “ASP 240” nomenclature varies by organisation. Candidates must show experience aligning to ASP 240 (client/authority security policy 240) or equivalent Authority Security Policy requirements, plus:

  • JSP 440 (security) and JSP 604 (information/IA) or successor policy frameworks.
  • NCSC guidance (e.g., MFA, device identity, protective monitoring, cloud security), HMG SPF, ISO/IEC 27001, NIST SP 800-63 (Digital Identity), NIST SP 800-207 (Zero Trust).
  • Evidence generation for assurance/accreditation, including control narratives, test evidence, residual risk statements, and operational handover.

Additional differentiators

These differentiators strengthen an application but are not substitutes for the essential clearance, IAM architecture, and regulated-environment experience above.

  • Cross-domain solutions exposure, including integrating data diodes/guards with identity.
  • Logging and threat detection integration across identity platforms, privileged access tooling, and security monitoring services.
  • Experience migrating from ADFS and legacy IdPs to modern standards (OIDC/SAML).
  • Familiarity with supply chain and partner access hardening (B2B, external identities).

Solution Architecture IC5 - The typical base pay range for this role across the United Kingdom is £77,600.00 - £132,500.00 per year. Certain roles may be eligible for benefits and other compensation.

Find additional benefits and pay information here: https://careers.microsoft.com/v2/global/en/corporate-pay/united-kingdom-corporate-pay.html

This position will be open for a minimum of 5 days, with applications accepted on an ongoing basis until the position is filled.

Microsoft is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to age, ancestry, citizenship, color, family or medical care leave, gender identity or expression, genetic information, immigration status, marital status, medical condition, national origin, physical or mental disability, political affiliation, protected veteran or military status, race, ethnicity, religion, sex (including pregnancy), sexual orientation, or any other characteristic protected by applicable local laws, regulations and ordinances. If you need assistance with religious accommodations and/or a reasonable accommodation due to a disability during the application process, read more about requesting accommodations.


Skills

Identity & Access Management
Microsoft Entra ID
Active Directory
Zero Trust Architecture
RBAC/ABAC
Privileged Access Management
Cross Domain Solutions
Security Governance
HLD/LLD Documentation
Cloud Security
Network Security
Identity Governance
Risk Modeling
Stakeholder Management
Security Accreditation
Infrastructure Architecture

Location

United Kingdom
