Bestkaam Logo
Back to Jobs
CrimsonLogic

Microsoft 365 L2 Support Engineer

Actively Reviewing

CrimsonLogic

Bengaluru Full-Time 1–2 yrs exp Posted 8 hours ago  · Apply by Sep 14, 2026

JOB DESCRIPTION

Job Title

NOC – Microsoft 365 L2 Support Engineer

Job Purpose

The purpose of the role is to provide Level 2 technical support for Microsoft 365 and Azure cloud services within a global enterprise managed-services environment. The engineer resolves escalated incidents and service requests that exceed Level 1 capability, executes standard operating procedures for high-volume identity and mailbox administration tasks, and supports the 24×7 service desk by covering rotational night and weekend shifts from India as part of a 24x7 delivery model.

Key Accountabilities

The L2 Support Engineer is the primary technical responder for Microsoft 365 and Azure incidents and service requests escalated from Level 1 or raised directly by end users and business units. The role is responsible for resolving the full range of standard SOP-driven tasks — mailbox administration, MFA management, identity and group provisioning, and licence operations — as well as performing first-level technical troubleshooting for more complex Exchange Online, Entra ID, and Azure issues before escalating to SMEs. The role operates within agreed SLAs in a structured ServiceNow environment and is accountable for ticket quality, resolution accuracy, and shift-handover completeness.

Job Responsibilities & Duties

  • Mailbox & Exchange Online Administration
  • Create, configure, and manage shared mailboxes, user mailboxes, room/resource mailboxes, and distribution lists in Exchange Online Admin Centre.
  • Grant and revoke mailbox delegation (Full Access, Send As, Send on Behalf); manage non-owner mailbox access per approved requests.
  • Perform basic mail-flow troubleshooting using Message Trace; interpret delivery reports, NDRs, and quarantine notifications.
  • Manage mail-enabled groups, dynamic distribution groups, and contact objects in Exchange Online.
  • Identity, MFA & Access Management
  • Perform MFA re-registration and reset for users locked out of the Microsoft Authenticator app or SSPR; manage MFA methods per approved procedures.
  • Administer user lifecycle in Entra ID: account creation, attribute updates, licence assignment/removal, account enable/disable, and offboarding.
  • Manage security group and Microsoft 365 group membership; execute client-specific group provisioning workflows per documented SOPs.
  • Process guest/external identity access requests and removals per the approved guest-access policy.
  • Incident & Service Request Handling
  • Respond to and own all assigned ServiceNow issue and SR tickets within contractual SLA response windows
  • Triage and prioritise inbound requests; validate caller identity and authorisation; apply correct priority based on user-impact assessment.
  • Troubleshoot Microsoft 365 service issues across Exchange Online, Teams, SharePoint Online, OneDrive, and Entra ID; resolve or escalate with a complete diagnostic context.
  • Write clear, accurate closure notes on every resolved ticket; maintain the standard required for closure.
  • Escalation & Major Incident Support
  • Escalate complex issues to L2.5 SMEs or L3 with a structured problem statement (symptoms, steps taken, user impact, reproduction steps) — no bare escalations.
  • Assist on P1/P2 major-incident bridges during the night shift: execute SME-directed remediation steps, post stakeholder updates at the agreed cadence, and document actions taken.
  • Escalate confirmed cybersecurity incidents immediately to the Lead and follow the designated SOC containment/remediation instructions precisely.
  • Queue Health & Shift Handover
  • Monitor queue ageing throughout the shift; proactively chase pending-customer tickets to prevent SLA breach.
  • Produce a written shift-handover note before every logout: open P1/P2 items, tickets at risk of breaching SLA, pending changes, and anything the incoming shift must know.
  • Knowledge, SOPs & Continuous Improvement
  • Follow approved SOPs and runbooks; raise SOP amendment requests to the Shift Lead when a runbook is incomplete or has undocumented edge cases.
  • Contribute to the knowledge base by documenting novel resolutions and client-specific workflows discovered during ticket handling.
  • Identify repetitive manual steps (e.g. MFA resets, group provisioning patterns) as candidates for Power Automate or scripted automation; flag to the Shift Lead.
  • Security Incident Remediation (SOP-based)
  • Execute approved security remediation SOPs for common threat scenarios - compromised accounts, suspicious sign-in activity, phishing reports, and malware alerts — strictly following the steps defined in the runbook without deviation.
  • Respond to compromised-account alerts: disable the account in Entra ID, revoke all active sessions and refresh tokens, reset credentials and MFA methods, and document every action taken with timestamps in the incident ticket.
  • Process end-user phishing reports: submit the reported message to Microsoft Defender for Office 365 for analysis, release or purge quarantined messages per policy, block sender domains/addresses as directed, and notify the user of the outcome.
  • Act on Defender for Office 365 alerts (safe-links detonation, anti-phishing policy hits, malware detections) by following the corresponding runbook step-by-step; escalate immediately to L2.5/SOC if the runbook does not cover the observed behaviour.
  • Carry out Entra ID risky-user and risky-sign-in remediation as directed by the SOC or Shift Lead: confirm risk, dismiss false positives, or force password reset and re-registration per the approved procedure.
  • Execute basic Microsoft Purview / Compliance Centre actions per SOP: place a mailbox on litigation hold, run a content search, or export results when instructed by the SOC or compliance team — no independent judgement on scope.
  • Contain email-based threats by creating or modifying Exchange Online transport rules, blocked-sender lists, or anti-spam policies as specified in the remediation instruction; revert changes once the threat is cleared.
  • Log all remediation actions in the security incident ticket with exact timestamps, commands/UI steps executed, and outcome; hand over open security incidents at shift end with a full action trail.
  • Never exceed the approved remediation scope: if an instruction requires admin rights beyond the L2 GDAP (Granular Delegated Admin Privilege) role, pause and escalate rather than request elevation independently.
  • Compliance & Security
  • Operate strictly within the GDAP delegated-admin scope granted for L2; never perform actions outside the authorised role set.
  • Adhere to client data-handling, acceptable-use, and confidentiality requirements for all tenant data accessed during support.
  • Complete mandatory security and compliance training within deadlines set by the Service Delivery Manager.
  • Support periodic compliance-review activities (as directed): extract admin login trails, access reports, and audit evidence for upload to designated SharePoint repositories.

Minimum Education / Qualifications

Diploma or Bachelor's degree in Information Technology, Computer Science, Engineering, or a related field; or equivalent hands-on experience.

Minimum Years of Experience

  • At least 2 to 4 years of hands-on IT support experience in a Microsoft 365, cloud-support, or managed-service environment.
  • Demonstrated experience handling a structured ticket queue (ServiceNow or equivalent) with defined SLA targets.
  • Prior exposure to night-shift or rotational 24×7 support operations is an advantage.

Skills Required

  • Microsoft 365 — core administration: Exchange Online Admin Centre, Entra ID (user/group/MFA/licence), Microsoft 365 Admin Centre, Exchange message trace, shared-mailbox and distribution-group management.
  • Identity & access: Entra ID user lifecycle, MFA re-registration and reset (Authenticator app, SSPR), security group and M365 group membership, guest/external identity management, basic Conditional Access awareness.
  • ITSM & ticket discipline: ServiceNow or equivalent — priority classification, SLA-clock awareness, escalation protocols, and closure-note standards.
  • Troubleshooting: Mail-flow (NDR reading, message trace, basic EOP), Teams sign-in and meeting issues, OneDrive/SharePoint access, Entra ID sign-in logs, basic Azure portal navigation.
  • Written communication: Professional, clear written English for client-facing ticket updates, closure notes, and shift-handover notes — tone and accuracy are CSAT drivers.
  • Shift readiness: Able and willing to work a rotational schedule including night shifts (approx. 17:30–05:30 IST) and weekends as part of a 24×7 delivery model.


  • Certifications:
  • Microsoft 365 Administrator (MS-102) —desirable;
  • ITIL 4 Foundation — desirable; internal training available.
  • Microsoft 365 Fundamentals (MS-900) – good to have.


  • Security remediation (SOP execution): Ability to follow security runbooks precisely and completely — compromised account containment (disable, revoke sessions, reset credentials/MFA in Entra ID), phishing report submission and quarantine management in Microsoft Defender for Office 365, risky-user/sign-in remediation, basic Exchange Online transport-rule and blocked-sender management, and Purview content-search execution. No prior security-specialist background required — discipline in following SOPs and accurate incident documentation are the critical skills.
  • Security tool awareness: Familiarity with the Microsoft Defender portal (Defender for Office 365 alerts, quarantine, submissions), Entra ID Identity Protection (risky users / risky sign-ins), and Microsoft Purview Compliance portal at a basic operational level — sufficient to execute documented remediation steps under SOC or Shift Lead direction.


  • Good to have:
  • Basic PowerShell or Power Automate scripting for M365 tasks (licence exports, group reports).
  • Exposure to Microsoft Intune / Endpoint Manager for device compliance queries.
  • SharePoint Online or OneDrive administration.