Microsoft Entra ID / Intune / Windows Autopilot Specialist Engineer — 20 Working Day Contract
AIC is seeking an experienced Microsoft Entra ID, Microsoft Intune and Windows Autopilot specialist to support the hardening, configuration and operationalisation of our corporate Microsoft 365 identity and endpoint management environment.
This is a fixed 20 working day contract engagement, focused on delivering a secure, documented and repeatable baseline for corporate device onboarding, endpoint management, identity access control and administrative governance.
The successful specialist will be expected to work independently, provide clear technical recommendations, configure the required Microsoft 365 services, validate the implementation through pilot devices, and leave AIC with a documented, supportable operating model.
Engagement Overview
Contract Type: Fixed-term specialist contract
Duration: 20 working days
Location: Remote / hybrid by agreement
Start Date: As soon as practicable
Client: AIC
Focus Area: Microsoft 365 security, endpoint management, identity hardening and device onboarding
Core Objective
The objective of this engagement is to design, configure, harden and document AIC’s Microsoft corporate device and identity management environment using Microsoft Entra ID, Microsoft Intune and Windows Autopilot.
The engagement should result in a secure and repeatable operating baseline that allows AIC to onboard, manage, monitor and secure corporate Windows devices in a consistent way.
Scope of Work
The specialist will be responsible for reviewing the existing Microsoft 365 environment and implementing a hardened baseline across identity, access, endpoint management and device provisioning.
The scope will include, but is not limited to:
1. Discovery and Current State Review
Review AIC’s current Microsoft 365, Entra ID and Intune configuration, including users, groups, roles, licensing, devices, domains, administrative access, security defaults, existing conditional access policies and endpoint management readiness.
Identify configuration gaps, risks, duplication, misalignment and priority remediation activities.
Produce a short current-state findings summary with practical recommendations.
2. Microsoft Entra ID Configuration and Hardening
Design and implement a controlled Entra ID group structure using a clear naming convention suitable for ongoing operational use.
Review and rationalise administrative roles and privileged access.
Configure or recommend appropriate role-based access controls.
Review multifactor authentication configuration and enforcement.
Configure conditional access policies aligned to corporate security requirements.
Review user access, guest access and external collaboration settings.
Advise on identity governance improvements where relevant.
3. Microsoft Intune Baseline Configuration
Configure Microsoft Intune to manage corporate Windows endpoints securely and consistently.
Create device compliance policies.
Create device configuration profiles.
Apply Microsoft security baseline policies where appropriate.
Configure endpoint protection settings.
Configure BitLocker enforcement and recovery key handling.
Configure Windows Hello for Business where appropriate.
Configure local administrator management approach, including recommendations for least privilege and administrative access control.
Configure update rings and Windows Update for Business policies.
Define device categories, assignment groups and deployment targeting logic.
4. Windows Autopilot Setup
Configure Windows Autopilot for corporate device provisioning.
Create and test Autopilot deployment profiles.
Define the user-driven enrolment experience.
Configure enrolment status page settings.
Validate device registration and enrolment flows.
Support the enrolment of pilot devices.
Document the Autopilot process for future internal use.
5. Application and Policy Deployment
Configure baseline application deployment where required.
Support deployment of core corporate applications, security tooling and standard productivity applications.
Validate policy assignment and application installation behaviour across pilot devices.
Identify any blockers, licensing constraints or endpoint compatibility issues.
6. Security and Governance Alignment
Ensure the environment is configured in a way that supports a secure corporate operating model.
Where applicable, align recommendations with recognised good practice, including Microsoft security guidance, Cyber Essentials expectations, NCSC-aligned principles and ISO 27001-style access control and asset management requirements.
Produce a prioritised security improvement backlog for any items that cannot reasonably be completed within the 20 working day engagement.
7. Testing, Validation and Handover
Test the configuration using one or more pilot devices.
Validate user onboarding, device enrolment, compliance evaluation, policy application and administrative management.
Provide clear handover documentation.
Provide a final walkthrough to AIC covering configuration, ongoing administration, known risks and recommended next steps.
Required Deliverables
By the end of the 20 working day engagement, the specialist will be expected to deliver:
- Current-state review and findings summary.
- Entra ID group and administrative role model.
- Conditional access policy set.
- Intune compliance policy baseline.
- Intune configuration policy baseline.
- Windows security baseline configuration.
- BitLocker and endpoint protection configuration.
- Windows Autopilot deployment profile and tested enrolment process.
- Update ring and patching configuration.
- Application deployment baseline, where agreed.
- Successfully enrolled pilot device or devices.
- Handover documentation and administrative runbook.
- Known issues register.
- Prioritised remediation and improvement backlog.
The successful specialist should have demonstrable hands-on experience with:
Microsoft Entra ID
Microsoft Intune
Windows Autopilot
Microsoft 365 administration
Windows 10 and Windows 11 endpoint management
Conditional Access
Multifactor authentication
Device compliance policies
Endpoint configuration profiles
Microsoft Defender for Endpoint
BitLocker
Windows Hello for Business
Role-based access control
PowerShell
Microsoft security baselines
Corporate device onboarding and lifecycle management
Desirable Experience
The following experience would be advantageous:
Cyber Essentials or Cyber Essentials Plus readiness
NCSC-aligned security configuration
ISO 27001-aligned access control and asset management
Microsoft Defender for Cloud Apps
Microsoft Purview sensitivity labels
SharePoint and OneDrive security hardening
Apple Business Manager and iOS/iPadOS device management
Azure infrastructure awareness
Secure administration in defence, government or high-assurance environments
Working Approach
We are looking for a practical, delivery-focused specialist who can balance good security practice with operational usability.
The successful contractor must be able to work with minimal supervision, explain technical decisions clearly, document their work properly and leave behind a supportable configuration rather than an undocumented one-off build.
This engagement is output-focused. The expectation is not simply to advise, but to configure, test, document and hand over a working baseline.
Acceptance Criteria
The engagement will be considered successfully delivered when:
AIC has a working Entra ID, Intune and Autopilot baseline.
Pilot Windows devices can be enrolled through Autopilot.
Corporate devices receive the agreed compliance, configuration, security and update policies.
Conditional access and multifactor authentication controls are configured and documented.
Administrative roles and group structures are documented.
AIC receives clear handover documentation and a practical operating runbook.
Known gaps, risks and future improvements are documented in a prioritised backlog.
Contract Structure
This is a fixed 20 working day engagement.
Applicants should provide:
Availability.
Day rate or fixed price for the 20 working day engagement.
Relevant Microsoft certifications, if held.
Summary of similar Intune, Entra ID or Autopilot projects delivered.
Confirmation of ability to work with sensitive corporate environments.
References or examples of previous delivery, where available.
How to Apply
Please email us with a short summary of your relevant experience, your availability, your proposed commercial terms and examples of similar Microsoft Entra ID, Intune or Windows Autopilot environments you have configured or hardened.
AIC is particularly interested in specialists who can demonstrate practical delivery experience, strong documentation discipline and a security-first approach to corporate endpoint management.