Escalation Lead

This is a remote position.

**PLEASE CAREFULLY READ ALL THE DETAILS BEFORE APPLYING***

Job Title: Escalation Lead

Work Type: 

• Remote/WFH
  

• Fulltime 
  

Working Hours: TBD (Usually US Hours/Night shift)

Start Date: TBD

JOB OVERVIEW:

The client’s  Escalation Lead is responsible for owning policy, risk, and scope decisions during high-impact client’s escalations. This role ensures that identity, access, and security-related incidents are resolved without introducing unnecessary security exposure, by validating root cause, defining safe remediation boundaries, and approving (or rejecting) configuration changes during live incidents.

This role represents the decision authority that currently exists informally in client’s escalations.

JOB ROLE & RESPONSIBILITIES: 

1. Conditional Access & Identity Policy Authority

• Serve as the escalation authority for:
  

• Conditional Access (CA) failures
  

• Token issuance errors
  

• Cloud PC / Windows App access scope questions
  

• Interpret Entra ID sign-in logs and CA outcomes to determine why access was blocked.
  

• Approve or deny:
  

• CA exclusions
  

• Access scope changes
  

• Authentication flow adjustments
  

• Prevent “blind” policy changes by enforcing root-cause validation first.
  

2. Security Alert Legitimacy & Incident Context

• Validate security alerts from Defender and Threat Locker to determine:
  

• True security incidents
  

• False positives
  

• Alerts tied to known remediation actions (e.g., decryption activity)
  

• Confirm whether escalation requires:
  

• Security response
  

• Documentation only
  

• No action
  

• Act as the final authority on whether an alert is safe to disregard.
  

3. Escalation Decision Governance

• Act as the policy gatekeeper during active escalations:
  

• “Is this the correct fix?”
  

• “Does this widen access beyond intent?”
  

• Ensure remediation steps are:
  

• Scoped
  

• Intentional
  

• Reversible
  

• Require confirmation that a change resolves the issue before approving additional modifications.
  

4. Cross-Functional Technical Direction

• Provide technical direction to:
  

• Identity engineers
  

• Security engineers
  

• Infrastructure teams
  

• Service desk leads
  

• Guide troubleshooting steps (e.g., reviewing sign-in logs, validating access targets).
  

• Escalate to senior engineers only when justified by evidence.
  

5. Escalation Flow Control

• Control the decision phase of client’s escalation flow: Intake → Validation → Approved Change → Confirmation → Closure
  

• Ensure escalation threads do not stall or expand without justification.
  

• Clearly signal when a remediation path is approved or blocked.
  

6. Other responsibilities

• Based on alert activity and volume, other responsibilities will be assigned
  

• Process design and documentation
  

• Flexibility - a key to success for this role
  

JOB REQUIREMENTS:

Technical Expertise

• Deep knowledge of:
  

• Microsoft Entra ID (Azure AD)
  

• Conditional Access policies
  

• MFA / SSPR authentication flows
  

• Cloud PC and Windows App access behavior
  

• Strong ability to interpret:
  

• Sign-in logs
  

• Token issuance failures
  

• Security alert context
  

Operational Judgment

• Experience acting as a technical authority during live incidents
  

• Ability to make risk-balanced decisions under time pressure
  

• Comfortable blocking changes that increase risk, even when resolution is urgent
  

Communication

• Clear, decisive communication in escalation threads and verbal communication
  

• Ability to explain why a change is or is not approved
  

• Confident interacting with senior engineers and leadership during incidents
  

Success Criteria

• The role is successful when:
  

• Escalations resolve without over-permissive policy changes
  

• Identity and access issues are fixed with confirmed cause
  

• Security alerts are correctly classified
  

• Repeat escalations decrease due to better guardrails and documentation
  

Role Boundaries

• Does not solely own day-to-day execution of fixes (that remains shared with the team)
  

• Does own:
  

• Approval of changes
  

• Risk acceptance
  

• Escalation direction