Principal Security Architect - Windows Server

Overview
The Windows Server Security Architect (L66) defines and drives security architecture for Windows Server across on-premises, hybrid, and cloud-connected deployments. As a Principal Security Architect - Windows Server, sets the technical direction for threat-resistant platform capabilities, partners across engineering teams to drive implementation, guides secure-by-design engineering practices, and coordinates with incident response and compliance teams. The architect is expected to lead through influence, make high-impact design and security decisions, and translate evolving threats, security requirements, and customer needs into actionable platform architecture.
Microsoft’s mission is to empower every person and every organization on the planet to achieve more. As employees we come together with a growth mindset, innovate to empower others, and collaborate to realize our shared goals. Each day we build on our values of respect, integrity, and accountability to create a culture of inclusion where everyone can thrive at work and beyond.
Responsibilities

• Own end-to-end security architecture for core Windows Server components (e.g., boot and firmware trust, kernel and virtualization security, identity and access, networking, storage, management plane), balancing security, reliability, performance, and compatibility.
• Partner with engineering teams to shape designs early (architecture “shift left”), secure appropriate resourcing, identify design risks, and unblock delivery with pragmatic, secure solutions.
• Develop and maintain reference architectures, security design patterns, and guardrails for Windows Server features and services used in on-premises and hybrid environments.
• Lead threat modeling and security reviews for new and existing capabilities; drive mitigations for high-severity threats and systemic classes of vulnerabilities.
• Define security requirements and non-functional constraints (e.g., secure defaults, hardening baselines, cryptographic standards, key management, auditability, logging, and telemetry) and ensure they are translated into engineering deliverables.
• Act as a technical leader during security incidents: assess impact, guide containment and remediation, and drive post-incident architectural improvements.
• Collaborate with product management, customer support, and field teams to understand real-world attack patterns and operational constraints; incorporate learnings into architecture.
• Represent Windows Server security architecture in cross-team reviews and executive/partner communications; articulate tradeoffs and recommendations clearly and persuasively.

Qualifications
Required Qualifications:

• Bachelor's Degree in Computer Science or related technical field AND 6+ years technical engineering experience with coding in languages including, but not limited to, C, C++, C#, Java, JavaScript, or Python

• OR equivalent experience.

Other Requirements:
Ability to meet Microsoft, customer and/or government security screening requirements are required for this role. These requirements include but are not limited to the following specialized security screenings:

• Microsoft Cloud Background Check: This position will be required to pass the Microsoft Cloud background check upon hire/transfer and every two years thereafter.

Preferred Qualification

• Demonstrated experience designing secure architectures and leading threat modeling, security reviews, and mitigation planning for complex, distributed systems.
• Ability to influence without authority across engineering teams, establish technical direction, and drive alignment through clear written and verbal communication.
• Expertise in security controls such as secure boot/TPM, virtualization-based security, identity and credential protection, code integrity, exploit mitigations, cryptography, and secure configuration.
• Experience partnering across disciplines (engineering, PM, incident response, privacy/compliance) to deliver measurable risk reduction.
• Experience with Windows Server security features and management (e.g., Active Directory/Entra integration patterns, Group Policy, Windows Defender, WDAC/App Control, Credential Guard, BitLocker, Secure Core).
• Solid understanding of modern attacker techniques (credential theft, lateral movement, persistence, privilege escalation, supply chain and build attacks) and corresponding defensive strategies.
• Deep knowledge of Windows OS fundamentals (kernel concepts, security boundaries, process and memory isolation, drivers, authentication and authorization, networking stack) and how enterprise environments deploy and manage Windows Server.
• Background in vulnerability research, exploit development/mitigation, reverse engineering, or advanced debugging of OS and low-level components.
• Experience securing supply chain and build/release systems, including code signing, artifact integrity, and secure servicing practices.
• Knowledge of compliance and assurance needs for enterprise and regulated industries (e.g., audit logging, FedRAMP/ISO/SOC expectations) and how to architect for evidence and controls.
• Familiarity with cloud and hybrid security architectures (e.g., Azure, Arc-enabled servers, managed identities, zero trust patterns).
• Contributions to security standards, open-source security projects, or published security research.

#W+DJOBS
Software Engineering IC5 - The typical base pay range for this role across the U.S. is USD $139,900 - $274,800 per year. There is a different range applicable to specific work locations, within the San Francisco Bay area and New York City metropolitan area, and the base pay range for this role in those locations is USD $188,000 - $304,200 per year.
Certain roles may be eligible for benefits and other compensation. Find additional benefits and pay information here:
https://careers.microsoft.com/us/en/us-corporate-pay
This position will be open for a minimum of 5 days, with applications accepted on an ongoing basis until the position is filled.
Microsoft is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to age, ancestry, citizenship, color, family or medical care leave, gender identity or expression, genetic information, immigration status, marital status, medical condition, national origin, physical or mental disability, political affiliation, protected veteran or military status, race, ethnicity, religion, sex (including pregnancy), sexual orientation, or any other characteristic protected by applicable local laws, regulations and ordinances. If you need assistance with religious accommodations and/or a reasonable accommodation due to a disability during the application process, read more about
requesting accommodations.