Copy of Systems Engineer

Qima

Software Engineering

Posted on Jun 3, 2026

At QIMA, we’re on a mission to help our clients make products consumers can trust.

Working with over 30,000 global brands, retailers, manufacturers and food growers, we are on the ground wherever products are made. We help businesses secure every step of their supply chain with quality inspections, supplier audits, certifications, and lab testing, all powered by our intelligent digital platform.

Our team of 5,000 QIMers (and counting) across 40 offices and laboratories is united in a shared passion for innovation and integrity, and guided by our QIMA values in the decisions we make every day. We believe in the work we do, and in making a positive difference in the world. Does this sound like something you’d like to be a part of?

We are looking for a Senior System Engineer to own the end-to-end engineering and modernization of our IT Workplace environment. You will design, build, and operate, not just administer. You will be expected to bring strong opinions, make architectural decisions, and drive outcomes with minimal supervision. You will work closely with IT Infrastructure Operations, Security Engineering and Operations, and IT Support.
You are someone who reaches for a script before reaching for a GUI, who gets genuinely excited about AI-assisted automation, and who has led or significantly contributed to workplace migrations in complex, fast-moving environments.
This role operates in two modes: steady-state engineering of QIMA's workplace platform and projects, and technical ownership of M&A integrations, which represent a significant share of the workload given QIMA's active acquisition pipeline. Both modes draw on the same engineering foundation; you will be expected to move fluently between them.


What you will own
Microsoft 365 & Workplace systems engineering
• Maintain deep working knowledge of the QIMA Microsoft 365 tenant: Exchange Online, Teams, SharePoint Online, OneDrive for Business, Viva and adjacent workplace technologies (e.g. digital signage) as the technical foundation for all integration, migration, and project work.
• Execute the M365 workstream during integrations: tenant-to-tenant migrations, cross-platform migrations, and greenfield deployments — covering mailboxes, calendars, files, Teams, and shared resources with minimal disruption to end users.
• Manage domain transfers and DNS migrations for acquired entities: registrar transfer, DNS record replication and cutover, MX record migration, mail routing validation, and working knowledge of email authentication records (SPF, DKIM, DMARC) sufficient to execute and validate configurations during migrations.
• Build and maintain automation (PowerShell, Microsoft Graph API) and apply AI-assisted tooling (M365 Copilot, GitHub Copilot) to eliminate repetitive operational work and accelerate engineering tasks.
• Operate the workplace service layer with ITIL discipline (incident, problem, change, service request) using Freshdesk as the tool of record.


Identity & Access Management
• Own the identity platform end-to-end during project migrations and M&A integrations: Microsoft Entra ID (Azure AD), on-premises Active Directory, and their hybrid interconnection.
• Design and enforce Conditional Access policies, Privileged Identity Management (PIM), and role-based access control (RBAC) across the full application and service estate.
• Engineer Single Sign-On (SSO) integrations for internal and third-party applications (SaaS, ERP, CRM, HRIS) using protocols such as SAML, OAuth 2.0, and OIDC.
• Manage the identity lifecycle as part of M&A integrations: joiners, movers, leavers, and automated provisioning/deprovisioning via Entra ID governance and SCIM.
• Harden the identity posture: enforce MFA, passwordless authentication, and zero-trust access principles across all user populations.


Device Management & Zero-Touch Engineering
• Assess the acquired entity's device fleet during discovery: total count, OS versions, MDM/RMM coverage, patch status, encryption state, and software licensing compliance — producing a clear recommendation per device (enroll as-is, re-image, or flag for replacement by IT Operations).
• Execute device enrolment into QIMA's MDM and RMM platforms across all in-scope devices, using zero-touch provisioning workflows where possible (Windows Autopilot, Apple Automated Device Enrolment via Apple Business Manager).
• Engineer Intune device configuration profiles, compliance policies, app protection policies (MDM/MAM), and self-service application catalogues for Windows and macOS.
• Deploy and configure the RMM platform across the acquired fleet: monitoring, patch management, scripted remediation, and endpoint visibility — ensuring full coverage before handover to IT Operations.
• Integrate RMM, MDM, and identity platforms into a unified, policy-driven device posture, ensuring every device is known, compliant, and secured before accessing corporate resources.


Technical Project Management – Project Delivery and M&A Integration
• Lead the technical workstream for projects and integration: scoping, planning, execution, and post-cutover stabilization, while working with the solutions architect for deployment of applications within the QIMA infrastructure.
• Define and execute the integration strategy based on the source environment (tenant-to-tenant migration, cross-platform migration, on-premises lift-and-shift, or greenfield deployment): messaging, file services, identities, devices, and collaboration tools, with minimal disruption to end users.
• Assess acquired entities' environments: identity infrastructure (AD/directory topology, admin accounts, service accounts), collaboration platform (mail, files, calendar, chat), device fleet (OS versions, MDM/RMM coverage, patch status, encryption), server estate, domain portfolio, DNS configuration, email records (MX, SPF, DKIM, DMARC), public-facing web assets, SaaS subscriptions, and software licensing compliance.
• Produce and own project and integration playbooks, migration runbooks, project schedules, risk registers, and rollback procedures.
• Conduct post-migration reviews, document lessons learned and continuously improve the integration methodology.

Experience

  • 5+ years of hands-on workplace and cloud engineering experience (Cloud platforms – Azure, AWS, GCP, Microsoft 365, Entra ID, Intune, Active Directory).
  • Demonstrated experience leading at least one significant workplace migration or integration project end-to-end.
  • Proven track record of building automation, not just using it.
  • Experience working with APIs and MCPs, and the ability to create AI connectors as needed.

Technical Skills

  • Deep expertise in Microsoft 365 tenant architecture and Exchange Online / Teams hybrid scenarios.
  • Expertise in managing cloud infrastructure (AWS/Azure/GCP).
  • Strong identity engineering skills: Entra ID, Active Directory, SSO federation (SAML / OIDC / OAuth 2.0), and lifecycle automation.
  • Strong Intune engineering skills: Autopilot, ADE, compliance policies, app protection, and cross-platform device management.
  • Hands-on experience with Apple Business Manager and automated device enrollment.
  • Practical experience with Datto RMM or an equivalent platform (NinjaRMM, ConnectWise Automate, etc.).
  • Hands-on experience operating endpoint AV / EDR at scale — Bitdefender, CrowdStrike, or equivalent.
  • Hands-on experience with domain transfers, DNS migrations, and email infrastructure cutovers — including MX records, mail routing validation, and working knowledge of SPF, DKIM, and DMARC sufficient to execute and validate configurations during migrations.
  • Strong proficiency in PowerShell and Microsoft Graph API; comfort with REST APIs and scripted automation.
  • Active interest in AI-assisted tooling and willingness to integrate it into daily engineering work.
  • Working knowledge of ITIL / ITSM practice; experience operating in a Freshdesk or comparable service management platform.
  • Fluent in English (written and spoken) - required for cross-region collaboration across QIMA's global teams.