I am looking for an experienced security specialist to work alongside me to harden our Microsoft environment and build out our security program. We are in the middle of several concurrent initiatives and need someone who can think strategically while also getting hands-on in the tenant. What is happening right now: - Migrating from NAV 2017 to Business Central SaaS (go-live targeted for June 2026). BC security roles, permission sets, and tiered access controls are being configured now. - Microsoft Entra ID is our identity platform. We are rolling out MFA (tiered by role), Conditional Access policies, biometric login (Windows Hello), and cleaning up shared/orphaned accounts across all sites. - Intune enrollment is underway for endpoint compliance, BitLocker enforcement, USB blocking, and standard software load management. - We have an active Dynamics 365 CRM instance and are evaluating Dataverse exposure as we bring on external marketing tools and AI agents. - We recently attended RSAC 2026 and are evaluating enterprise browsers (Island, Seraphic Security, Prisma Access Browser), NHI/workload identity management and AI security platforms . - A non-human identity (NHI) discovery script has been scoped to audit all service principals, app registrations, SQL Agent jobs, Windows scheduled tasks, and IIS app pools across Azure/Entra, BC SaaS, CRM, M365, Power BI, our Azure data lakehouse, and on-prem AD. - Phase 1 Security Hardening Plan is in progress, aligned to CIS Controls v8 Implementation Group 1. ScubaGear baseline assessment is planned. - We have SentinelOne deployed across all endpoints and are building out our DLP foundations in Microsoft Purview. - Sensitivity labels, Information Barriers (US/China data separation), and insider risk management are scoped for Phase 2. - External parties (marketing consultants, dev agencies, ERP implementation partner, ISV extension vendors) all have various levels of access to our environments that need to be inventoried and governed. What I need from you: - Hands-on experience with Microsoft Entra ID (Conditional Access, PIM, app registrations, service principals, security groups). - Understanding of Business Central security model (permission sets, role centers, company-level access, segregation of duties). - Familiarity with non-human identity (NHI) concepts — service accounts, workload identities, API keys, secrets management, and the risks they pose. - Ability to help me build and execute against a security roadmap, not just point out problems. - Comfortable working in Intune, M365 admin, Exchange Online, SharePoint Online, and Power BI security. - Awareness of CIS Controls framework (v8 IG1/IG2) and how to measure compliance. - Understanding of AI-related security risks (Copilot data exposure, Dataverse access, agent permissions, ambient AI). - Must be able to communicate clearly and directly with a CTO who is technical but not a full-time security engineer. Nice to have: - Experience with Microsoft Purview (DLP, sensitivity labels, Content Explorer, insider risk). - Experience with enterprise browser platforms (Island, Seraphic, Prisma Access). - Familiarity with SentinelOne or similar EDR platforms. - Knowledge of data sovereignty requirements (China PIPL, CCPA). - Power BI row-level security implementation. Engagement details: - 8 - 10 hours per week, ongoing. - North America based. Individual contractors only, no agencies. - Must be available for occasional video calls during Pacific time business hours. - You will work directly with me (CTO). This is a strategic partnership, not a ticket queue. - Start with a security posture assessment and NHI discovery, then move into remediation and roadmap execution. If you have done this kind of work for a company in the 50-200 employee range running Microsoft 365, Dynamics, and Business Central, I want to hear from you. Please include a brief description of a similar engagement in your proposal.