Notes





ACTIVE DIRECTORY


Administered and optimized Public Key Infrastructure (PKI), managing certificate lifecycles and automation.

They stood up a second subordinate Certificate Authority to enroll only the domain controllers. When we stood up a domain controller, we started the MMC console, added the Certificates snap-in, and went to the Personal store. Request a new certificate and walk it through the wizard. Then right-click the certificate, choose Manage Private Keys, and grant SYSTEM access; there was also a NUID (service account) that needed permissions on the private key, because we needed to send logs to Balabit. Certificate requests were automated with PowerShell. Optimizing: certutil -setreg on the CA to enforce stronger algorithms, reduce the CRL validity period, and turn on CA audit logging.

Logging: Get-WinEvent -LogName "Microsoft-Windows-CertificateServicesClient-CertEnroll/Operational"

Troubleshooting quick reference (symptom → check):

Certificates not issued                    → certsrv.msc → Pending Requests (and Failed Requests)

Clients not receiving auto-enrolled certs  → Run gpupdate /force and certutil -pulse on the client

CRL is not updating                        → Run certutil -CRL on the CA and check certsrv.msc

Expired CA certificate                     → Renew the CA cert using certutil -renewCert
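The enrollment walkthrough and the CA tuning above, as an added PowerShell example (not code from the original notes). It enrolls a DC certificate from the template, grants a log-shipping service account read access to the private key (the scripted equivalent of Manage Private Keys), checks the CertEnroll log, and applies the CA-side settings only where the CertSvc service exists. The template common name "KerberosAuthentication" and the account "CORP\svc-syslog" are placeholders.

```powershell
# Added example, not from the original notes. Placeholders (assumptions):
# template CN "KerberosAuthentication", service account "CORP\svc-syslog".
#Requires -RunAsAdministrator

$Template  = 'KerberosAuthentication'   # assumed: template common name, not display name (certutil -template lists both)
$LogReader = 'CORP\svc-syslog'          # assumed: account that ships logs and must read the key
$StoreLoc  = 'Cert:\LocalMachine\My'

function Grant-PrivateKeyRead {
    # Equivalent of "Manage Private Keys" in the MMC: add a Read ACE on the key file.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$Identity
    )
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if (-not $rsa) { throw "No accessible RSA private key for $($Certificate.Thumbprint)" }
    # CNG keys (RSACng) and legacy CSP keys (RSACryptoServiceProvider) live in different folders
    $unique = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName }
              else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
    $candidates = @(
        (Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$unique")
        (Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$unique")
    )
    $keyFile = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $keyFile) { throw "Key container $unique not found under ProgramData\Microsoft\Crypto" }
    $acl = Get-Acl -Path $keyFile
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')))
    Set-Acl -Path $keyFile -AclObject $acl
    Write-Host "Granted Read on $keyFile to $Identity"
}

function Set-IssuingCaHardening {
    # Run on the issuing CA only: SHA-256 signatures (CA key must be in a KSP), a 2-day base CRL
    # with 12-hour deltas, and every CA audit category (AuditFilter 127). AuditFilter produces no
    # Security-log events unless the "Certification Services" audit subcategory is enabled.
    certutil -setreg ca\csp\CNGHashAlgorithm SHA256
    certutil -setreg CA\CRLPeriodUnits 2
    certutil -setreg CA\CRLPeriod "Days"
    certutil -setreg CA\CRLDeltaPeriodUnits 12
    certutil -setreg CA\CRLDeltaPeriod "Hours"
    certutil -setreg CA\AuditFilter 127
    auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
    Restart-Service CertSvc
    certutil -crl   # publish immediately so the shorter CRL period takes effect now
}

# 1. Enroll against the issuing CA published in AD (replaces the MMC "Request New Certificate" walkthrough)
$result = Get-Certificate -Template $Template -CertStoreLocation $StoreLoc
if ($result.Status -ne 'Issued') {
    throw "Enrollment returned '$($result.Status)'; check certsrv.msc > Pending Requests / Failed Requests on the CA"
}
$cert = $result.Certificate
Write-Host "Issued $($cert.Thumbprint) ($($cert.Subject)) valid until $($cert.NotAfter)"

# 2. SYSTEM already has access to machine keys; grant the log-shipping account read access
Grant-PrivateKeyRead -Certificate $cert -Identity $LogReader

# 3. Confirm what the enrollment client logged (the log referenced in the notes above)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CertificateServicesClient-CertEnroll/Operational'
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap

# 4. CA-side tuning, applied only if this host runs Certificate Services
if (Get-Service CertSvc -Err*orAction SilentlyContinue) { Set-IssuingCaHardening }
```

Run it as a local administrator on the new DC; the CA section is skipped automatically on a host without CertSvc. Granting Read on the key file is the same ACE the MMC writes, so the service account can sign or decrypt without being able to export the key.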




Upgrading group policies for server instances and application security settings

First analyze the existing policies (PowerShell Get-GPOReport) to identify obsolete policies, conflicting settings, and redundant or duplicate policies. Replace old policies with the Microsoft Security Baselines for Windows Server and Azure, using the Microsoft Security Compliance Toolkit. I did most of the analyzing and planning. It would be a slow process, but the FTEs were going to take my recommendations and work the upgrades in Entra ID and Intune. Some Group Policy can be replaced by Conditional Access, but I don't think Conditional Access has policies as granular as AD Group Policy. Enable Microsoft Defender for Identity to detect GPO tampering, and use Microsoft Sentinel (formerly Azure Sentinel) to monitor policy changes.
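The analysis step above, as an added example written for these notes (not code from the original). It uses the GroupPolicy module to flag unlinked, empty, fully disabled and stale GPOs as removal candidates, and lists Administrative Template settings that two or more linked GPOs set to different values (the conflicts). The 365-day staleness threshold is an assumed value.

```powershell
# Added example, not from the original notes. $StaleDays is an assumed threshold.
Import-Module GroupPolicy
$StaleDays = 365

$inventory = foreach ($gpo in Get-GPO -All) {
    [xml]$xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $links = @($xml.GPO.LinksTo | Where-Object { $_ })
    # Administrative Template policies appear as <Policy><Name/><State/> under each scope in the XML report
    $policies = foreach ($scope in 'Computer', 'User') {
        foreach ($p in @($xml.GPO.$scope.ExtensionData.Extension.Policy | Where-Object { $_ })) {
            [pscustomobject]@{ Scope = $scope; Name = $p.Name; State = $p.State; GPO = $gpo.DisplayName }
        }
    }
    [pscustomobject]@{
        Name     = $gpo.DisplayName
        Id       = $gpo.Id
        Linked   = $links.Count -gt 0
        LinkedTo = ($links.SOMPath -join '; ')
        Empty    = ($gpo.Computer.DSVersion -eq 0 -and $gpo.User.DSVersion -eq 0)
        Status   = $gpo.GpoStatus
        Stale    = $gpo.ModificationTime -lt (Get-Date).AddDays(-$StaleDays)
        Policies = $policies
    }
}

'== Removal candidates (unlinked, empty, or all settings disabled) =='
$inventory | Where-Object { -not $_.Linked -or $_.Empty -or $_.Status -eq 'AllSettingsDisabled' } |
    Select-Object Name, Linked, Empty, Status, Stale | Format-Table -AutoSize

'== Stale but still linked (review against the current Security Baseline) =='
$inventory | Where-Object { $_.Linked -and $_.Stale } | Select-Object Name, LinkedTo | Format-Table -Wrap

'== Administrative Template settings set differently in more than one linked GPO =='
$inventory | Where-Object Linked | ForEach-Object { $_.Policies } |
    Group-Object Scope, Name |
    Where-Object { $_.Count -gt 1 -and @($_.Group.State | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{
            Setting   = $_.Name
            DefinedIn = ($_.Group | ForEach-Object { "$($_.GPO) = $($_.State)" }) -join '; '
        }
    } | Format-Table -Wrap

# Full HTML report for the planning document handed to the FTEs
Get-GPOReport -All -ReportType Html -Path (Join-Path $PWD 'gpo-inventory.html')
```

A setting listed under "DefinedIn" with two different states is not necessarily a bug (link order and enforcement decide the winner), but each one is a place where a baseline import will silently change behaviour, so they are the items to settle before importing the Security Compliance Toolkit GPOs with Import-GPO.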



Designed, implemented, and managed multi-forest/multi-domain Active Directory environments 

At Comerica we had several domains to manage and maintain: Production, Dev, Assurance, Sandbox, and the DMZ. Each was structured the same way, with every application segmented into its own OU. Policies were applied to each OU with their own exceptions, and likewise firewall rules and exceptions. I was designing group policies based on the applications' needs and exceptions, cleaning up stale records, and cleaning up stale machines when they were decommissioned.



Configuring DNS records in AD-Integrated DNS services for server and application migration

Comerica was migrating to a new data center, and one of my responsibilities was to update DNS records when needed. Since servers were moving, the A records' IP addresses had to change to the new subnet. If the server was being replaced by an upgraded one, we did an IP swap on the record; if the old server's name was an alias, we had to repoint the alias (CNAME) to the new host.

Record types:
A record: maps a host name to an IPv4 address
CNAME record: points one name (an alias) at another name
MX record: mail exchanger for the domain
PTR record: IP address to host name (reverse DNS)
SRV record: service location, used by SIP, LDAP and Kerberos (AD clients locate DCs through the _ldap._tcp and _kerberos._tcp SRV records)
NS record: authoritative name server for the zone
SOA record: stores administrative details about the domain's DNS zone (primary server, serial number, refresh/retry/expire timers)
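The IP swap and alias re-point described above, as an added example (not code from the original notes), using the DnsServer module so the reverse zone stays consistent and the change is verified against the server rather than a client cache. Server, zone and host names and the IP are placeholders.

```powershell
# Added example, not from the original notes. Server, zone, host names and IPs are placeholders.
Import-Module DnsServer
$Server      = 'dc01.corp.example.com'
$Zone        = 'corp.example.com'
$ReverseZone = '10.in-addr.arpa'   # assumed: one reverse zone covering 10/8

function Get-PtrName {
    # PTR record name inside $ReverseZone = the address octets the zone does not cover, reversed
    param([ipaddress]$Ip)
    $covered = ($ReverseZone -split '\.').Count - 2          # labels before "in-addr.arpa"
    $octets  = $Ip.GetAddressBytes()
    (($octets.Length - 1)..$covered | ForEach-Object { $octets[$_] }) -join '.'
}

function Set-HostAddress {
    # Migration case 1: same name, new subnet. Also lowers the TTL so the next swap propagates fast.
    param([string]$Name, [ipaddress]$NewIp, [int]$TtlSeconds = 300)
    $old = @(Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone -Name $Name -RRType A -ErrorAction Stop)
    if ($old.Count -ne 1) { throw "$Name has $($old.Count) A records; resolve that by hand before swapping" }
    $new = $old[0].Clone()
    $new.RecordData.IPv4Address = $NewIp
    $new.TimeToLive = [timespan]::FromSeconds($TtlSeconds)
    Set-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone -OldInputObject $old[0] -NewInputObject $new
    # Keep reverse lookup in step: remove the old PTR, add the new one
    $fqdn = "$Name.$Zone."
    Remove-DnsServerResourceRecord -ComputerName $Server -ZoneName $ReverseZone -Name (Get-PtrName $old[0].RecordData.IPv4Address) `
        -RRType Ptr -RecordData $fqdn -Force -ErrorAction SilentlyContinue
    Add-DnsServerResourceRecordPtr -ComputerName $Server -ZoneName $ReverseZone -Name (Get-PtrName $NewIp) -PtrDomainName $fqdn
}

function Set-AliasTarget {
    # Migration case 2: the service name is a CNAME; point it at the replacement host (CNAMEs target names, not IPs)
    param([string]$Alias, [string]$TargetFqdn)
    $old = Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone -Name $Alias -RRType CName -ErrorAction Stop
    $new = $old.Clone()
    $new.RecordData.HostNameAlias = $TargetFqdn.TrimEnd('.') + '.'
    Set-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone -OldInputObject $old -NewInputObject $new
}

function Test-Resolution {
    # Verify forward and reverse against the DNS server itself (bypasses the local resolver cache)
    param([string]$Name)
    $fwd = Resolve-DnsName -Name "$Name.$Zone" -Server $Server -Type A -DnsOnly
    $ip  = ($fwd | Where-Object Type -eq 'A').IPAddress
    $rev = Resolve-DnsName -Name $ip -Server $Server -Type PTR -DnsOnly -ErrorAction SilentlyContinue
    [pscustomobject]@{ Name = $Name; IP = $ip; TTL = $fwd[0].TTL; Reverse = $rev.NameHost }
}

# Example cutover (placeholders): app01 moves to the new data-center subnet, the service alias follows
Set-HostAddress -Name 'app01' -NewIp '10.20.5.21'
Set-AliasTarget -Alias 'payments' -TargetFqdn 'app01.corp.example.com'
Test-Resolution -Name 'app01'
```

Lower the TTL a day or more before the move (the Set-HostAddress call does it for the record it touches); otherwise clients keep the old address for the full previous TTL after the swap.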



Identity management using Microsoft Active Directory Domain Services

AUTHENTICATION AND AUTHORIZATION IN AD DS: Kerberos is the secure, ticket-based authentication protocol; NTLM is legacy and should be restricted; LDAP is used for directory lookups and application integrations; Microsoft Entra Connect (Azure AD Connect) syncs to Entra ID.

Auditing: auditpol (enable the Logon, Special Logon, Credential Validation and Account Management subcategories so the events below are actually written)

Monitoring: Get-WinEvent to detect privileged account usage, Event ID 4672 (special privileges assigned to new logon)

Block: NTLM through policy (Network security: Restrict NTLM settings; audit NTLM traffic first so nothing that still depends on it breaks)
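The monitoring and NTLM points above, as an added example (not code from the original notes): it reads 4672 and 4624 events from a DC's Security log, flattens the EventData fields, reports unexpected privileged logons, and inventories who still authenticates with NTLM (and which version) before NTLM is blocked by policy. The DC name and the allow-list of expected admin accounts are placeholders.

```powershell
# Added example, not from the original notes. DC name and allow-list are placeholders.
$Dc             = 'dc01.corp.example.com'
$Since          = (Get-Date).AddHours(-24)
$ExpectedAdmins = @('CORP\adm-jdoe', 'CORP\svc-backup', 'NT AUTHORITY\SYSTEM')

function ConvertFrom-SecurityEvent {
    # Flatten <EventData><Data Name="x">v</Data>... into a hashtable keyed by Name
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    [xml]$x = $Event.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{ Time = $Event.TimeCreated; Id = $Event.Id; Data = $d }
}

$events = Get-WinEvent -ComputerName $Dc -FilterHashtable @{ LogName = 'Security'; Id = 4672, 4624; StartTime = $Since } -ErrorAction Stop |
    ForEach-Object { ConvertFrom-SecurityEvent $_ }

# 4672 = special privileges (SeDebugPrivilege, SeTcbPrivilege, ...) assigned at logon.
# It is noisy on a DC: drop computer accounts (trailing $) and the allow-list, keep the rest.
$privileged = $events | Where-Object Id -eq 4672 | ForEach-Object {
    [pscustomobject]@{
        Time       = $_.Time
        Account    = "$($_.Data.SubjectDomainName)\$($_.Data.SubjectUserName)"
        LogonId    = $_.Data.SubjectLogonId
        Privileges = $_.Data.PrivilegeList -replace '\s+', ' '
    }
} | Where-Object { $_.Account -notmatch '\$$' -and $_.Account -notin $ExpectedAdmins }

# 4624 with AuthenticationPackageName = NTLM: the dependency inventory you need before
# "Restrict NTLM" is set to Deny, so the block does not break a real application.
$ntlm = $events | Where-Object { $_.Id -eq 4624 -and $_.Data.AuthenticationPackageName -eq 'NTLM' } | ForEach-Object {
    [pscustomobject]@{
        Time      = $_.Time
        Account   = "$($_.Data.TargetDomainName)\$($_.Data.TargetUserName)"
        Source    = $_.Data.IpAddress
        LogonType = $_.Data.LogonType
        Version   = $_.Data.LmPackageName   # "NTLM V1" or "NTLM V2"; V1 is the one to eliminate first
    }
}

'== Unexpected privileged logons =='
$privileged | Sort-Object Time | Format-Table -AutoSize
'== NTLM dependencies (account, source, version, count) =='
$ntlm | Group-Object Account, Source, Version | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

4672 is written only when the "Special Logon" subcategory is enabled and 4624 only when "Logon" is, which is why the auditpol step comes first. The NTLM table is the evidence for the Restrict NTLM rollout: start with "Audit all", let this script run for a few weeks, then move to "Deny" with exceptions for whatever the table shows.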



Guiding applications teams to configure Secure LDAP (LDAPS)

Once we defined which applications we had, I started contacting the app teams. I gave the application teams port 636, the load balancer name, and the CA certificate, and told them to enable TLS by installing the certificate. Then I had them test using an LDAP query over LDAPS.

If they failed to connect, I had them check with the network team whether the port was open to them, verify the certificate was installed, and run an LDAP query from their Linux box, and we troubleshot from there.
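What the app teams were asked to verify, as an added PowerShell example (not code from the original notes). It completes a TLS handshake on 636 and reports certificate trust, expiry and whether the SAN covers the load-balancer name, then performs an LDAPS bind with the caller's Kerberos credentials and reads RootDSE. The host name is a placeholder.

```powershell
# Added example, not from the original notes. The host name is a placeholder.
$LdapHost = 'ldaps.corp.example.com'   # the load-balancer name handed to app teams
$Port     = 636

function Test-LdapsCertificate {
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake so the reason for a failure can be reported,
        # then evaluate trust separately with X509Certificate2.Verify().
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
               [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $san  = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }) -join ';'
        [pscustomobject]@{
            Protocol       = $ssl.SslProtocol
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            NotAfter       = $cert.NotAfter
            Expired        = $cert.NotAfter -lt (Get-Date)
            SanMatchesHost = $san -match [regex]::Escape($HostName)
            ChainTrusted   = $cert.Verify()   # $false => the issuing CA cert is not installed on this client
            SAN            = $san
        }
    } finally { $tcp.Close() }
}

function Test-LdapsBind {
    # Bind over TLS with the current user's Kerberos credentials and read RootDSE (no base DN needed)
    param([string]$HostName, [int]$Port)
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($HostName, $Port, $false, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try {
        $conn.Bind()
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', 'Base', 'namingContexts')
        $resp = $conn.SendRequest($req)
        [pscustomobject]@{ Bound = $true; NamingContexts = $resp.Entries[0].Attributes['namingContexts'].GetValues([string]) }
    } catch {
        # Typical causes: 636 closed at the firewall (connect timeout), or TLS rejected because the CA is untrusted
        [pscustomobject]@{ Bound = $false; Error = $_.Exception.Message }
    } finally { $conn.Dispose() }
}

Test-LdapsCertificate -HostName $LdapHost -Port $Port
Test-LdapsBind        -HostName $LdapHost -Port $Port
```

A result of ChainTrusted = False with Bound = False is the "install the certificate" case; a connect timeout in Test-LdapsBind is the "talk to the network team" case. The same two checks from a Linux box are openssl s_client -connect host:636 -showcerts and ldapsearch -H ldaps://host -b "" -s base.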



Managed Active Directory replication & synchronization across multiple AD forests and domains.

We had six separate forests, which the org used for various application development and production. Only three of them had trust relationships: Dev, Testing, and CIAM (Customer Identity Access Management). Managed replication by using tools like repadmin to monitor and troubleshoot replication issues, and by considering the site and replication topology to optimize data flow based on network connectivity; for complex scenarios, dedicated identity management solutions or third-party synchronization tools may also be needed.
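A replication health sweep, as an added example (not code from the original notes): it walks every DC in the forest with the ActiveDirectory module, compares each partner's last success against a staleness threshold and against the forest's tombstone lifetime (a partner silent longer than that is a lingering-object risk), lists site links, and finishes with the repadmin equivalents. The 3-hour threshold is an assumed value.

```powershell
# Added example, not from the original notes. $StaleHours is an assumed threshold.
Import-Module ActiveDirectory
$StaleHours = 3   # tune to the slowest site link schedule

$dcs = foreach ($domain in (Get-ADForest).Domains) { Get-ADDomainController -Filter * -Server $domain }

$partners = foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction SilentlyContinue |
        Select-Object Server, Partner, Partition, LastReplicationSuccess, LastReplicationAttempt,
                      LastReplicationResult, ConsecutiveReplicationFailures
}
$failures = foreach ($dc in $dcs) {
    Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue |
        Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError
}

# Tombstone lifetime is stored on the Directory Service object in the configuration NC;
# an unset attribute means the legacy 60-day default.
$dsObj = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -Properties tombstoneLifetime
$tsl   = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }

'== Partners with an error or no success in the last {0} hours ==' -f $StaleHours
$partners | Where-Object { $_.LastReplicationResult -ne 0 -or $_.LastReplicationSuccess -lt (Get-Date).AddHours(-$StaleHours) } |
    Sort-Object Server, Partner | Format-Table -AutoSize

'== Partners beyond tombstone lifetime ({0} days): lingering-object risk, do not force-sync before checking ==' -f $tsl
$partners | Where-Object { $_.LastReplicationSuccess -lt (Get-Date).AddDays(-$tsl) } |
    Format-Table Server, Partner, Partition, LastReplicationSuccess

'== Recorded failures =='
$failures | Sort-Object FirstFailureTime | Format-Table -AutoSize

'== Site links: cost and interval decide the data flow =='
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
                  @{ n = 'Sites'; e = { ($_.SitesIncluded -replace '^CN=([^,]+),.*', '$1') -join ', ' } } |
    Format-Table -AutoSize

# repadmin gives the same picture in one call and is what goes into the ticket
repadmin /replsummary
repadmin /showrepl * /csv | ConvertFrom-Csv | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Source DSA', 'Destination DSA', 'Naming Context', 'Number of Failures', 'Last Failure Status' |
    Format-Table -AutoSize
```

Cross-forest links do not show up here: forests do not replicate with each other, they trust each other, so the "synchronization" between the six forests is a directory-sync product question (MIM or a third-party tool), not a repadmin one.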



Designed and deployed GAL sync for multi-forest user synchronization within enterprise AD environments.

Before deploying GAL synchronization, plan the architecture and understand the requirements.

Identify Forests and Exchange Organizations: Production and Acceptance

Trust Relationships: One way from Production to Acceptance

Synchronization Method: Microsoft Identity Manager (MIM)

Attribute Mapping: Identify which attributes (e.g., display name, email address, phone number) need to be synchronized. In our case, the email address.

Security and Permissions: Ensure that the accounts used for synchronization have the necessary permissions in both forests




Managed users, computers, groups, policies and resources in Active Directory Domain Services

Active Directory Users and Computers (ADUC): For managing users, groups, and OUs.

Group Policy Management Console (GPMC): For managing GPOs.

PowerShell: For automating AD management tasks.

Active Directory Administrative Center (ADAC): For advanced AD management.

Migrated users and applications to Azure Active Directory (Entra ID)








Managed the project implementation of Server and Domain Controller upgrades for Active Directory Services

Analyzed the Domain Controller inventory, set objectives and success metrics, defined roles and clarified responsibilities, and defined the scope, timeline, deliverables, milestones, communication plan, and tasks, then tracked progress.




Created detailed technical documentation for IAM workflows, security policies, and infrastructure changes.

Wrote a lot of technical documents and created presentations. I used to teach, and I'm good at writing documentation, as I write down every single button and radio button that needs to be selected, in the correct order.




Configured Group Policy Objects (GPOs) for security hardening and compliance across Active Directory.

Security Best Practices: Follow industry standards like NIST, CIS Benchmarks, and Microsoft Security Baselines.

Password Policies

GPO Path: Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy

Account Lockout Policies

 GPO Path: Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy

Audit Policies

GPO Path: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy (legacy categories; use Security Settings > Advanced Audit Policy Configuration > Audit Policies for subcategory-level settings, and enable "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" under Security Options so the subcategories win)

User Rights Assignment

GPO Path: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment

Security Options

GPO Path: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

Windows Firewall Policies

GPO Path: Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security

Software Restriction Policies

GPO Path: Computer Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies (legacy; new application-control rules belong in Security Settings > Application Control Policies > AppLocker)

Device Control Policies

GPO Path: Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access
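The GPO paths above say where the settings live; this added example (not code from the original notes) checks what is actually in effect. It compares the default domain password and lockout policy and the host's effective audit subcategories against a baseline, and lists fine-grained password policies that override the domain policy for their members. The baseline numbers are an assumed internal standard in the range of the CIS and Microsoft baselines, not quoted from either.

```powershell
# Added example, not from the original notes. Baseline values are assumed.
Import-Module ActiveDirectory
$Baseline = @{
    MinPasswordLength      = 14
    PasswordHistoryCount   = 24
    MaxPasswordAgeDays     = 365   # 0 (never expires) is a finding
    LockoutThreshold       = 10    # 0 (no lockout) is a finding
    LockoutDurationMinutes = 15
    ComplexityEnabled      = $true
}
$RequiredAuditSubcategories = @(
    'Credential Validation', 'Kerberos Authentication Service', 'Logon', 'Special Logon',
    'Audit Policy Change', 'User Account Management', 'Security Group Management'
)

function Test-DomainPasswordPolicy {
    $p = Get-ADDefaultDomainPasswordPolicy
    $checks = @(
        [ordered]@{ Setting = 'MinPasswordLength';      Actual = $p.MinPasswordLength;            Pass = $p.MinPasswordLength -ge $Baseline.MinPasswordLength }
        [ordered]@{ Setting = 'PasswordHistoryCount';   Actual = $p.PasswordHistoryCount;         Pass = $p.PasswordHistoryCount -ge $Baseline.PasswordHistoryCount }
        [ordered]@{ Setting = 'MaxPasswordAgeDays';     Actual = $p.MaxPasswordAge.TotalDays;     Pass = ($p.MaxPasswordAge.TotalDays -gt 0) -and ($p.MaxPasswordAge.TotalDays -le $Baseline.MaxPasswordAgeDays) }
        [ordered]@{ Setting = 'LockoutThreshold';       Actual = $p.LockoutThreshold;             Pass = ($p.LockoutThreshold -gt 0) -and ($p.LockoutThreshold -le $Baseline.LockoutThreshold) }
        [ordered]@{ Setting = 'LockoutDurationMinutes'; Actual = $p.LockoutDuration.TotalMinutes; Pass = $p.LockoutDuration.TotalMinutes -ge $Baseline.LockoutDurationMinutes }
        [ordered]@{ Setting = 'ComplexityEnabled';      Actual = $p.ComplexityEnabled;            Pass = $p.ComplexityEnabled -eq $Baseline.ComplexityEnabled }
    )
    $checks | ForEach-Object { [pscustomobject]$_ }
}

function Test-AuditPolicy {
    # auditpol /r emits CSV; "Inclusion Setting" is "Success and Failure", "Success", "Failure" or "No Auditing"
    $rows = auditpol /get /category:* /r | ConvertFrom-Csv
    foreach ($name in $RequiredAuditSubcategories) {
        $row = $rows | Where-Object { $_.Subcategory -eq $name }
        [pscustomobject]@{ Subcategory = $name; Actual = $row.'Inclusion Setting'; Pass = $row.'Inclusion Setting' -eq 'Success and Failure' }
    }
}

'== Default Domain password / lockout policy =='
Test-DomainPasswordPolicy | Format-Table -AutoSize
'== Fine-grained policies that override it for their members =='
Get-ADFineGrainedPasswordPolicy -Filter * | Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo | Format-Table -Wrap
'== Effective audit policy on this host (run elevated) =='
Test-AuditPolicy | Format-Table -AutoSize
```

Run the audit part on a DC and on a member server: GPO precedence and the legacy-versus-advanced override setting can leave the two with different effective audit policies even though the same baseline GPO is linked.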




Conducted security assessments on directory services, identifying and mitigating potential vulnerabilities.

Microsoft RAP (Risk and Health Assessment Program as a Service for Active Directory)




Managed users, computers, groups, policies and resources in Active Directory Domain Services

Wrote a script to disable inactive users and delete them after 90 days, created clusters for SQL Server, created and deleted groups for application teams, created group policies, and managed resources.
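The disable-then-delete cleanup described above, as an added example (not the script from the original notes), written so it can be dry-run with -WhatIf and so the second pass only deletes accounts that this script disabled. The search base, the excluded account prefixes and the 90-day thresholds are assumed values.

```powershell
# Added example, not from the original notes. Search base, prefixes and thresholds are assumed.
Import-Module ActiveDirectory

function Invoke-StaleUserCleanup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$SearchBase        = 'OU=Users,DC=corp,DC=example,DC=com',   # assumed
        [int]$InactiveDays         = 90,
        [int]$GraceDays            = 90,
        [string[]]$ExcludePrefixes = @('svc-', 'adm-')                      # assumed: never touched automatically
    )
    $now    = Get-Date
    $cutoff = $now.AddDays(-$InactiveDays)
    $stamp  = 'Disabled by cleanup on '

    # lastLogonTimestamp replicates with up to ~14 days of lag, so the threshold is generous on purpose.
    # Accounts that never logged on count as inactive only once they are older than the threshold.
    $users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties lastLogonTimestamp, whenCreated, Description
    $inactive = $users | Where-Object {
        $u = $_
        -not ($ExcludePrefixes | Where-Object { $u.SamAccountName -like "$_*" }) -and
        $u.whenCreated -lt $cutoff -and
        (-not $u.lastLogonTimestamp -or [datetime]::FromFileTime($u.lastLogonTimestamp) -lt $cutoff)
    }
    foreach ($u in $inactive) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Disable (inactive > $InactiveDays days)")) {
            Disable-ADAccount -Identity $u
            Set-ADUser -Identity $u -Description ("{0}{1:yyyy-MM-dd}; was: {2}" -f $stamp, $now, $u.Description)
        }
    }

    # Second pass: delete what this script disabled more than $GraceDays ago (the stamp lives in Description)
    $disabled = Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $SearchBase -Properties Description |
        Where-Object { $_.Description -like "$stamp*" }
    foreach ($u in $disabled) {
        $when = [datetime]::ParseExact($u.Description.Substring($stamp.Length, 10), 'yyyy-MM-dd', $null)
        if ($when -lt $now.AddDays(-$GraceDays) -and
            $PSCmdlet.ShouldProcess($u.SamAccountName, "Delete (disabled $($when.ToShortDateString()))")) {
            Remove-ADUser -Identity $u -Confirm:$false
        }
    }
    [pscustomobject]@{ Disabled = @($inactive).Count; DeleteCandidates = @($disabled).Count }
}

Invoke-StaleUserCleanup -WhatIf   # review the list first
# Invoke-StaleUserCleanup         # then run for real, from a scheduled task under a delegated least-privilege account
```

Deleting only accounts carrying the script's own stamp means an account someone disabled by hand for a different reason (legal hold, leave of absence) is never swept up by the second pass.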




Migrated users, computers, groups, policies and resources to an enhanced Active Directory security domain.

Planned and developed a strategy, backed up the old domain, set up the new domain, set up trusts, used the User State Migration Tool to migrate the transferred user profiles, and revised group policy as needed. Then tested and validated.



Designed and implemented Identity Federation solutions leveraging SAML, OAuth, and OIDC for enterprise applications.

For SAML go to Enterprise applications > New application > Create your own application (non-gallery) > Single sign-on > SAML. Configure the Identifier (Entity ID), Reply URL (Assertion Consumer Service URL), and Sign-on URL. Download the Federation Metadata XML and upload it to the Service Provider. Assign users to the application.


For configuring an identity (app registration) in Entra ID: App registrations > New registration, enter the Name, Supported account types, and Redirect URI, and click Register.

For OAuth 2.0 and OIDC go to App registrations > Authentication: add the web platform and its Redirect URI (enable ID tokens only if the app uses the OIDC hybrid flow). Under Expose an API define the scope, under Certificates & secrets generate a client secret (a certificate is preferable), and test the token request with Postman.

Implementing federation with an external IdP (Okta): create an Enterprise Application for Okta, configure SAML SSO, and assign users. In Okta: add Microsoft Entra ID (Azure AD) as an external Identity Provider and assign users to the Okta application.



SECURITY



Developed security baselines for Azure AD Conditional Access, MFA, and Identity Governance policies.

Go to: Entra ID → Security → Conditional Access → New policy. Test the policy in report-only mode first.

Conditional Access: Require MFA, block legacy authentication, require a compliant device for admins, enforce location (US only), and apply session controls for high-risk users.


Multi-Factor Authentication: Enforce MFA for all users, especially admins, secure high-risk sign-ins, and enable passwordless authentication (FIDO2, Microsoft Authenticator).

Go to: Entra ID → Security → Authentication methods. Options: passkey (FIDO2), Microsoft Authenticator, SMS, Temporary Access Pass.

Enable: Microsoft Authenticator, FIDO2 Security Keys.

Get-MsolUser | Set-MsolUser -StrongAuthenticationRequirements (legacy per-user MFA via the MSOnline module, which is now retired; use Conditional Access policies or the Microsoft Graph PowerShell SDK instead).

Monitor MFA reports in Entra-ID sign-in logs.

Identity Governance security baseline: Automate access reviews and lifecycle policies. Secure privileged access and guest user management.

Go to: Entra ID → Identity Governance, enable Privileged Identity Management (PIM), configure access reviews for admin roles. Monitor: review logs for inactive users.

Enforce Logging and monitoring in Azure Monitor

Monitor MFA & Conditional Access logs in Azure Sentinel

Regularly review the risky users and risky sign-ins reports in Microsoft Entra ID Protection (Identity Protection); Microsoft Defender for Identity covers the on-prem AD signals.


 

Designed and implemented secure cloud infrastructure in Azure, reducing deployment time by 20%.

Used best practice for Azure by disabling the Entra user accounts and keeping the Azure DevOps user account active; this allowed the DevOps teams to continue querying work item history while using the Azure DevOps user ID. This helped support, since we could keep working without having to look up account job history.



Managed Azure AD Conditional Access policies, securing access to cloud-based applications and services.

Go to: Entra ID → Security → Conditional Access → New policy. Test the policy in report-only mode first.

Conditional Access: secure user access based on device, location, risk, and role, and enforce MFA and device compliance. Some requirements: Require MFA, block legacy authentication, require a compliant device for admins, enforce location, and apply session controls for high-risk users.

Multi-Factor Authentication: Enforce MFA for all users, especially admins, secure high-risk sign-ins, and enable passwordless authentication (FIDO2, Microsoft Authenticator).

Go to: Entra ID → Security → Authentication methods. Enable: Microsoft Authenticator, FIDO2 security keys. (Get-MsolUser | Set-MsolUser -StrongAuthenticationRequirements is the legacy per-user MFA route in the retired MSOnline module; use Conditional Access or the Microsoft Graph PowerShell SDK instead.)

Monitor MFA reports in Entra-ID sign-in logs.

Identity Governance security baseline: Automate access reviews and lifecycle policies. Secure privileged access and guest user management.

Go to: Entra ID → Identity Governance, enable Privileged Identity Management (PIM), configure access reviews for admin roles. Monitor: review logs for inactive users.

Enforce Logging and monitoring in Azure Monitor

Monitor MFA & Conditional Access logs in Azure Sentinel

Regularly review the risky users and risky sign-ins reports in Microsoft Entra ID Protection (Identity Protection); Microsoft Defender for Identity covers the on-prem AD signals.
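The Conditional Access baseline described in both sections above (require MFA, block legacy authentication, compliant device for admins), as an added example (not code from the original notes) using the Microsoft Graph PowerShell SDK. Policies are created in report-only mode, a break-glass group is excluded from every one, and the tail reads the sign-in log to show what each policy would have done. The group id and policy names are placeholders; the role id is the well-known Global Administrator role template.

```powershell
# Added example, not from the original notes. Group id and names are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'AuditLog.Read.All', 'Directory.Read.All'

$BreakGlassGroup = '00000000-0000-0000-0000-000000000000'   # assumed: emergency-access accounts, excluded everywhere
$GlobalAdminRole = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator role template id
$ReportOnly      = 'enabledForReportingButNotEnforced'

$policies = @(
    @{
        displayName   = 'BASE-01 Require MFA for all users'
        state         = $ReportOnly
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroup) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    }
    @{
        displayName   = 'BASE-02 Block legacy authentication'
        state         = $ReportOnly
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroup) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('exchangeActiveSync', 'other')   # the two legacy client buckets
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
    @{
        displayName   = 'BASE-03 Admins require MFA and a compliant device'
        state         = $ReportOnly
        conditions    = @{
            users          = @{ includeRoles = @($GlobalAdminRole); excludeGroups = @($BreakGlassGroup) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'compliantDevice') }
    }
)

$existing = Get-MgIdentityConditionalAccessPolicy -All
foreach ($p in $policies) {
    if ($existing | Where-Object DisplayName -eq $p.displayName) { "exists: $($p.displayName)"; continue }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State, Id
}

# After some days in report-only: which sign-ins would each policy have blocked or challenged?
Get-MgAuditLogSignIn -Top 500 | ForEach-Object {
    $s = $_
    $s.AppliedConditionalAccessPolicies |
        Where-Object { $_.Result -in @('reportOnlyFailure', 'reportOnlyInterrupted') } |
        ForEach-Object {
            [pscustomobject]@{ Policy = $_.DisplayName; Result = $_.Result; User = $s.UserPrincipalName; App = $s.AppDisplayName; Client = $s.ClientAppUsed }
        }
} | Group-Object Policy, Result | Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize
```

Switch a policy from report-only to enabled only after the report-only tail is empty of surprises; BASE-02 in particular usually surfaces a scanner, a printer or an old mail client that still speaks legacy auth.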



Configured and maintained Hybrid Identity Solutions using Azure AD Connect, ADFS, and Entra ID IAM.

Helped maintain the hybrid identity infrastructure, allowing users to access all the applications in the cloud. I was updating the metadata for ADFS using a script. I made sure AD Connect was syncing correctly and, if it was not, remedied the situation from PowerShell with Start-ADSyncSyncCycle -PolicyType Delta. Usually the cause was duplicate attribute values in on-prem AD, conflicts, or invalid values. With Entra ID we monitored whether Entra ID was getting the correct authentication values from ADFS.

Run Get-AdfsGlobalAuthenticationPolicy | fl WindowsIntegratedFallbackEnabled. If it is True, browsers not in the WIASupportedUserAgents list fall back to forms-based authentication, so a forms prompt is expected and it's a browser/user-agent issue; if False, Windows Integrated authentication is expected.
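The usual sync-failure root cause above (duplicate or invalid attribute values) found in on-prem AD before Entra Connect trips over it, as an added example (not code from the original notes). It indexes mail, UPN and every proxyAddress across users, groups and contacts, flags values owned by more than one object and UPNs the tenant will reject, and only then triggers a delta cycle (that last part works on the Entra Connect server only). The verified-domain list is a placeholder.

```powershell
# Added example, not from the original notes. The verified-domain list is a placeholder.
Import-Module ActiveDirectory
$VerifiedDomains = @('corp.example.com', 'example.com')   # assumed: domains verified in the tenant

$attrs = 'mail', 'userPrincipalName', 'proxyAddresses'
$objs  = Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=group)(objectClass=contact))' -Properties $attrs

# mail, UPN and every proxyAddress must be unique across the whole tenant, not just within one attribute
$index = @{}
foreach ($o in $objs) {
    $values = @($o.mail, $o.userPrincipalName) + @($o.proxyAddresses | ForEach-Object { ($_ -split ':', 2)[-1] })
    foreach ($v in ($values | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique)) {
        if (-not $index.ContainsKey($v)) { $index[$v] = New-Object System.Collections.Generic.List[string] }
        $index[$v].Add($o.DistinguishedName)
    }
}
$duplicates = $index.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } |
    ForEach-Object { [pscustomobject]@{ Value = $_.Key; Objects = ($_.Value -join ' | ') } }

# UPNs Entra ID rejects or silently maps to .onmicrosoft.com: invalid characters, or an unverified suffix
$badUpn = $objs | Where-Object userPrincipalName | Where-Object {
    $_.userPrincipalName -notmatch "^[A-Za-z0-9'._\-]+@[A-Za-z0-9.\-]+$" -or
    ($_.userPrincipalName.Split('@')[1].ToLowerInvariant() -notin $VerifiedDomains)
} | Select-Object DistinguishedName, userPrincipalName

'== Duplicate mail / UPN / proxyAddresses =='; $duplicates | Format-Table -Wrap
'== UPNs that will not sync cleanly =='; $badUpn | Format-Table -Wrap

# Only kick a delta cycle when the directory is clean and this host is the Entra Connect server
if (-not $duplicates -and -not $badUpn -and (Get-Module -ListAvailable ADSync)) {
    Import-Module ADSync
    if ((Get-ADSyncScheduler).SyncCycleInProgress) { 'sync cycle already in progress' }
    else { Start-ADSyncSyncCycle -PolicyType Delta }
}
```

Fix the duplicates in AD (the object that should not own the value loses it), then run the delta cycle; re-running Start-ADSyncSyncCycle without fixing the data just reproduces the same export error.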




ENTRA ID


Conducted application server workload migrations from on-premises to Azure Entra.

Identify application servers to migrate. Determine identity and authentication methods. Assess dependencies. Plan for minimal downtime and rollback.

Enable SSO for the workloads with one of: Password Hash Synchronization (cloud authentication), Pass-through Authentication (on-premises agents), or ADFS federation (existing).




Collaborated with cross-functional teams to design hybrid architectures leveraging Azure AD Connect.

Understand the hybrid requirements: determine the needs and aspects of identity management (user sign-in, groups, devices), confirm the network team has the ports open for the application, and define the sync scope, sync frequency, and attribute sync.




Architected Hybrid Identity environment by deploying Azure AD Connect for seamless authentication.

Installing and configuring AD Connect.




Optimized cloud costs through monitoring and scaling policies, saving costs per application deployment.

Identified underutilized VMs and set thresholds using Azure Monitor.

Resized some VMs: go to the VM, select Resize, and select the size. Use Azure Spot VMs when creating a VM for interruptible workloads. Suggested Azure Kubernetes Service and autoscaling.




Migrated users from on-premises Exchange 2013 to Office 365 (Entra ID)

Inventory on-prem Exchange servers, mailboxes, and dependencies. Staged migration (note: the staged migration type only supports Exchange 2003/2007 sources; for an Exchange 2013 source the choices are a cutover migration for fewer than 2,000 mailboxes or a hybrid migration).

Set up the Microsoft 365 tenant. Verify the domain name in M365. Confirm AD Connect is working properly and syncing. Assign licenses.

Create a migration endpoint and migrate mailboxes in batches.

Update DNS records (MX and Autodiscover) to point to Microsoft 365 once the mailboxes are migrated.

Repeat the process until all mailboxes are migrated.

Decommission the on-premises Exchange Server.





Integrated CI/CD pipelines using Jenkins and GitHub Actions, improving deployments by 30%.

Installed Jenkins and the GitHub, Pipeline, Maven, and Docker plugins. Connected Jenkins to GitHub and added the GitHub credentials to Jenkins. Configured a GitHub webhook for triggers. Created a pipeline in Jenkins. Defined a Jenkinsfile (CI/CD script, Groovy).



Created Jenkins and UCD pipelines to deploy services to the assets in the AWS cloud

Installed Jenkins and the GitHub, Pipeline, Maven, and Docker plugins. Connected Jenkins to GitHub and added the GitHub credentials to Jenkins. Configured a GitHub webhook for triggers. Created a pipeline in Jenkins. Defined a Jenkinsfile (CI/CD script, Groovy). Created monitoring tasks for EC2 instances in AWS.




Deployed servers and code to Directory Services assets using DevOps practices to AWS and Azure cloud

Same as above




Led Single Sign-On (SSO) integrations for enterprise applications using SAML, OAuth, and OIDC.

For SAML go to Enterprise applications > New application > Create your own application (non-gallery) > Single sign-on > SAML. Configure the Identifier (Entity ID), Reply URL (Assertion Consumer Service URL), and Sign-on URL. Download the Federation Metadata XML and upload it to the Service Provider. Assign users to the application.

For configuring an identity (app registration) in Entra ID: App registrations > New registration, enter the Name, Supported account types, and Redirect URI, and click Register.

For OAuth 2.0 and OIDC go to App registrations > Authentication: add the web platform and its Redirect URI. Under Expose an API define the scope, under Certificates & secrets generate a client secret (a certificate is preferable), and test the token request with Postman.
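The "test with Postman" step from PowerShell, as an added example (not code from the original notes): a client-credentials request to the v2.0 token endpoint, then the returned access token is decoded and its claims compared with what the API behind "Expose an API" must see. Tenant id, client id and the API's app ID URI are placeholders; the secret is prompted for rather than stored in the script.

```powershell
# Added example, not from the original notes. Tenant id, client id and app ID URI are placeholders.
$TenantId    = '11111111-1111-1111-1111-111111111111'
$ClientId    = '22222222-2222-2222-2222-222222222222'
$ApiAppIdUri = 'api://33333333-3333-3333-3333-333333333333'   # assumed: the "Expose an API" app ID URI
$Secret      = Read-Host -AsSecureString -Prompt 'Client secret'

function ConvertFrom-Jwt {
    # Decodes header and payload (base64url, unpadded). Decoding is NOT verification: the API
    # must still validate the signature against the tenant's JWKS before trusting any claim.
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWS compact token' }
    $decode = {
        param($s)
        $s = $s.Replace('-', '+').Replace('_', '/')
        switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
        [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s)) | ConvertFrom-Json
    }
    [pscustomobject]@{ Header = & $decode $parts[0]; Payload = & $decode $parts[1] }
}

$body = @{
    grant_type    = 'client_credentials'
    client_id     = $ClientId
    client_secret = [System.Net.NetworkCredential]::new('', $Secret).Password
    scope         = "$ApiAppIdUri/.default"
}
$resp = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
                          -ContentType 'application/x-www-form-urlencoded' -Body $body
$jwt = ConvertFrom-Jwt -Token $resp.access_token
$c   = $jwt.Payload

# What the resource (API) must check before it serves the call
[pscustomobject]@{
    Algorithm  = $jwt.Header.alg                                                  # expect RS256
    Issuer     = $c.iss
    IssuerOk   = $c.iss -in @("https://login.microsoftonline.com/$TenantId/v2.0", "https://sts.windows.net/$TenantId/")
    Audience   = $c.aud
    AudienceOk = $c.aud -in @($ApiAppIdUri, ($ApiAppIdUri -replace '^api://', ''))   # v1 tokens carry the URI, v2 the app id
    Roles      = $c.roles -join ','   # app-only tokens carry app roles in "roles"; delegated tokens carry "scp"
    ExpiresUtc = [DateTimeOffset]::FromUnixTimeSeconds($c.exp).UtcDateTime
    Lifetime   = [timespan]::FromSeconds($resp.expires_in)
}
```

An empty Roles value with a successful token request is the common misconfiguration: the client was granted no app role on the API (or admin consent was never given), so the API will reject the call even though the token itself is valid.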




Participated in multi-stage enterprise IAM projects, overseeing the full lifecycle from planning to deployment.

The steps of agile project management include:
  • Envision: Define the project's goals, scope, vision, and high-level objectives
  • Plan: Create a roadmap for the project, including timelines, resources, and deliverables
  • Release: Break down the product backlog into iterations, and assign iterations to releases
  • Plan sprint: Create a list of tasks for the sprint, and set realistic targets
  • Sprint: Complete a short development cycle, usually lasting 1–4 weeks
  • Adapt: Review progress, learn from experiences, and make adjustments
  • Close: Reflect on outcomes and prepare for the next iteration

IDENTITY


Integrated and automated IAM workflows to enforce zero-trust architecture across hybrid cloud environments.

Zero Trust enforces least-privilege access, continuous verification, and real-time threat detection in a hybrid cloud. The following automation workflows secure identity and access management (IAM) across Azure, Entra ID, and on-prem Active Directory (AD). IAM automation principles: verify identity continuously, least-privilege access, continuous monitoring and threat detection, and identity lifecycle automation.

Enforce Just-in-Time (JIT) access for privileged roles (PIM): ensures privileged roles are not permanently assigned and can only be activated on a JIT basis, configured using PowerShell.

Automate user provisioning and deprovisioning (HR-driven identity lifecycle): for each record in the HR feed, create, update, or disable the account.

Enforce identity-based Conditional Access policies: Get-AzureADIdentityProtectionUserRiskPolicy (the AzureAD PowerShell module is deprecated; the equivalent policies are managed through the Microsoft Graph PowerShell SDK).

Auto-expire and revoke access for inactive accounts: for each account in the directory, check the last sign-in and revoke access when it is past the threshold.




Identity management (IAM) using Microsoft Azure Active Directory (Entra ID)

User & Group Management: organized users into Security and Dynamic groups for RBAC

Authentication & Access Management: Support for SAML, OAuth 2.0, and OIDC (Kerberos and NTLM only via on-prem AD in a hybrid setup or Entra Domain Services). Enforce MFA.

Role-Based Access Control (RBAC) & Privileged Identity Management (PIM): Grant least privileges using built-in and custom roles, Enable Just in Time access for Admins and monitor role activity with access reviews

Conditional Access & Identity Protection: Block risky sign-ins using Entra ID Protection (Microsoft Defender for Identity covers on-prem AD) and automate remediation of identity threats with Microsoft Sentinel.

Hybrid Identity & Federation: sync on-prem AD with Entra. Enable Federation with ADFS, PingFederate, Okta. Implement B2B & B2C solutions for guest and external user access




Led the implementation of Microsoft Identity Manager (MIM) to automate user provisioning and role-based access.

Started with planning and preparation of organizational requirements: we used the HR system to pull in the user data, defined the roles and permissions, and analyzed the system requirements. Since this was a POC, I documented it, installed MIM and SQL, and ensured AD was configured on the MIM server. Set up the MIM Sync Service, the MIM Service, and the portal. Connected the data source, defined the sync rules, and ran a sync to make sure it was working. Configured policies and workflows. Defined roles, configured role-based policies, and enabled self-service access requests. Used the MIM reporting service to monitor user provisioning and sync errors.




Migrated identity services from on-prem AD to Hybrid Entra ID while maintaining security and compliance.

Automated directory cleanup and access audits using PowerShell and Azure Automation.

Designed and implemented role-based access control (RBAC) policies across the hybrid identity environments.

User & Group Management: organized users into Security and Dynamic groups for RBAC

Authentication & Access Management: Support for SAML, OAuth 2.0, and OIDC (Kerberos and NTLM only via on-prem AD in a hybrid setup or Entra Domain Services). Enforce MFA.

Role-Based Access Control (RBAC) & Privileged Identity Management (PIM): Grant least privilege using built-in and custom roles, enable Just-in-Time access for admins, and monitor role activity with access reviews

Conditional Access & Identity Protection: Block risky sign-ins using Entra ID Protection (Microsoft Defender for Identity covers on-prem AD) and automate remediation of identity threats with Microsoft Sentinel.

Hybrid Identity & Federation: sync on-prem AD with Entra. Enable Federation with ADFS, PingFederate, Okta. Implement B2B & B2C solutions for guest and external user access








Automated user and group management workflows using PowerShell and Microsoft Graph API.

Install the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and connect with the least scopes needed. Automate user management: update user attributes, disable or delete users, bulk user management. Create groups, add/remove users from groups. Automate offboarding/onboarding workflows. Export user and group information. Audit group memberships.
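Onboarding, offboarding and the inactive-account sweep from the IAM automation notes earlier (the zero-trust lifecycle section) and this section, as one added example (not code from the original notes) using the Microsoft Graph PowerShell SDK. Offboarding disables the account, revokes its sessions so refresh tokens die, and then strips group memberships; the sweep skips accounts synced from on-prem AD, which must be disabled there. Group ids, the UPN suffix and the thresholds are placeholders.

```powershell
# Added example, not from the original notes. Group ids, UPN suffix and thresholds are placeholders.
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Group.ReadWrite.All', 'AuditLog.Read.All', 'Directory.Read.All'

function New-OnboardedUser {
    param([string]$DisplayName, [string]$Upn, [string]$MailNickname, [string[]]$GroupIds)
    # One-time random password; the user must change it at first sign-in (pair with an MFA registration policy)
    $profile = @{ forceChangePasswordNextSignIn = $true; password = [guid]::NewGuid().ToString('N') + 'Aa1!' }
    $u = New-MgUser -DisplayName $DisplayName -UserPrincipalName $Upn -MailNickname $MailNickname `
                    -AccountEnabled -PasswordProfile $profile -UsageLocation 'US'
    foreach ($g in $GroupIds) { New-MgGroupMember -GroupId $g -DirectoryObjectId $u.Id }
    $u
}

function Invoke-Offboarding {
    # Disable, invalidate existing sessions and refresh tokens, then remove group memberships
    # so access does not come back silently if the account is ever re-enabled.
    param([string]$UserId)
    Update-MgUser -UserId $UserId -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $UserId | Out-Null
    $groups = Get-MgUserMemberOf -UserId $UserId -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }
    foreach ($g in $groups) {
        try { Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $UserId -ErrorAction Stop }
        catch { Write-Warning "Could not remove from $($g.Id) (dynamic or on-prem-synced group?): $($_.Exception.Message)" }
    }
}

function Get-InactiveUsers {
    # signInActivity needs Entra ID P1/P2 and AuditLog.Read.All; never-signed-in accounts count once old enough
    param([int]$Days = 90)
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$Days)
    Get-MgUser -All -Property 'id,userPrincipalName,accountEnabled,createdDateTime,signInActivity,onPremisesSyncEnabled' |
        Where-Object {
            $_.AccountEnabled -and $_.CreatedDateTime -lt $cutoff -and
            (-not $_.SignInActivity.LastSignInDateTime -or $_.SignInActivity.LastSignInDateTime -lt $cutoff)
        }
}

function Invoke-InactiveSweep {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$Days = 90)
    foreach ($u in Get-InactiveUsers -Days $Days) {
        if ($u.OnPremisesSyncEnabled) { Write-Warning "$($u.UserPrincipalName) is synced from AD; disable it on-prem"; continue }
        if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, "Disable (no sign-in for $Days days)")) {
            Update-MgUser -UserId $u.Id -AccountEnabled:$false
            Revoke-MgUserSignInSession -UserId $u.Id | Out-Null
        }
    }
}

# Usage (placeholders):
# $u = New-OnboardedUser -DisplayName 'Jane Doe' -Upn 'jane.doe@corp.example.com' -MailNickname 'jane.doe' -GroupIds @('<group-object-id>')
# Invoke-Offboarding -UserId $u.Id
Invoke-InactiveSweep -Days 90 -WhatIf
```

Disabling alone is not enough for offboarding: access tokens already issued stay valid until they expire, and refresh tokens keep working until revoked, which is why Revoke-MgUserSignInSession sits next to the disable in both functions.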