CIPP Expert Needed - MSP Policy Standardization (Intune, Conditional Access, SharePoint)
Worldwide
LET ME BE CLEAR - IF YOU REACH OUT VIA ANY METHOD OTHER THAN UPWORK (EMAIL, TEXT, WEBSITE FORM, ETC), YOU WILL BE IMMEDIATELY DISQUALIFIED.

OVERVIEW

I run a managed IT services provider supporting small businesses on Microsoft 365. CIPP is up and running in our environment - GDAP is configured, we're actively using it - but we're not leveraging it anywhere near its full potential. I'm looking for an experienced CIPP specialist with real MSP background to help us get there.

This is a hands-on engagement. The goal is to move away from one-off, client-by-client configurations toward a consistent, scalable framework we can deploy to new clients and retrofit onto existing ones. That includes policy standardization, tiered access controls, drift management, and documentation that a technician can actually follow.

==================================================

WHAT WE'RE BUILDING

TIERED POLICY FRAMEWORK

We want a structured, group-driven policy model across Intune, Conditional Access, SharePoint/OneDrive, and Entra ID - built around user type rather than individual client quirks.

The tiers we have in mind:

-- Owners / Management - Broader access, less restrictive controls
-- Standard Employees - Baseline policy, company device required where appropriate
-- Restricted Users - Compliant/company-owned devices only, tighter controls
-- Offshore Cloud PC Users - Setup for all work to be completed via Win365 Cloud PC - no direct access to Microsoft services from host machines, mobile devices, etc.

Policy assignment should follow group membership. Adding or removing someone from an Entra ID security group should drive their entire access profile automatically. We want the group structure designed thoughtfully so it scales across all clients without becoming a management nightmare.

==================================================

STANDARDS AND DRIFT MANAGEMENT

This is a core deliverable, not an afterthought.
We want CIPP Standards fully configured and enforced across all clients, including:

-- A defined baseline standard set that applies to every client by default
-- A clear process for documenting client-specific exceptions and the reason they exist
-- Drift detection configured so we're alerted when a tenant falls out of compliance
-- A remediation workflow - who acts on drift alerts, how quickly, and what the steps are

The goal is that when something changes in a client tenant - intentionally or not - we know about it and have a clear path to fix it.

==================================================

CIPP FEATURE AUDIT

We know we're leaving value on the table with features we haven't configured or aren't using well. As part of this engagement, we want an honest assessment of what's worth setting up versus what sounds good but adds noise. Areas we're curious about include alerting rules, scheduled tasks, automation, tenant reporting, and Standards templates - but we're open to whatever you think actually moves the needle for an MSP at our stage.

==================================================

MIGRATION SCOPE

Many existing clients were configured individually and don't follow any consistent structure. Part of this engagement is defining and documenting the migration path - how do we move them into the new framework cleanly? We expect this to involve disabling legacy policies, assigning users to the new security groups, and validating nothing breaks. We need a runbook that a technician can follow without needing to reinvent the process for each client.
==================================================

DOCUMENTATION DELIVERABLES

-- CIPP best practices reference guide tailored to our MSP environment
-- New client onboarding checklist using the standardized framework
-- Migration runbook for existing clients - legacy policy removal, group assignment, validation
-- Group structure map - what groups exist, what policies they drive, when to use each
-- Standards exception log template and process

==================================================

WHAT I'M LOOKING FOR

-- Extensive CIPP experience - you should be able to speak specifically to how you've structured multi-tenant environments, GDAP permissions, and template deployment at scale
-- Hands-on M365 experience across Intune, Conditional Access, Entra ID, and SharePoint
-- Real MSP background - you understand the difference between managing one tenant and managing twenty
-- Not currently employed by another US Based or US functioning MSP
-- Strong documentation skills - deliverables need to be usable by a technician, not just another expert

==================================================

LOCATION AND COMPLIANCE BACKGROUND

This project is open to freelancers worldwide - location is not a disqualifier. That said, there is a strong preference for candidates with direct experience in the US market. Many of our clients operate in industries with specific compliance requirements, including HIPAA, and we want our policy framework built with those obligations in mind from the start - not retrofitted later.
If you're based outside the US, please speak to your experience working with US-based MSPs or clients, and specifically your familiarity with:

-- HIPAA technical safeguard requirements as they apply to M365 configuration
-- US-centric compliance frameworks and how they've shaped the way you configure Conditional Access, Intune, and data governance policies
-- Any relevant certifications or hands-on compliance work you've done in this space

We're not looking for a compliance attorney - we need someone who understands how these requirements translate into real M365 and CIPP configuration decisions.

==================================================

WHAT I'LL PROVIDE

-- CIPP access at an appropriate permission level based on your stated requirements
-- GDAP access scoped to what's needed
-- Context on our current client base, existing configurations, and known pain points
-- Availability for regular check-ins throughout the engagement

==================================================

ENGAGEMENT STRUCTURE

I prefer milestone-based billing tied to clear deliverables rather than open-ended hourly. Please include a breakdown by milestone in your proposal - not just a total.

The natural milestones for this engagement are:

1) Framework design approved - group structure, policy tiers, and Standards baseline documented and signed off before anything is deployed
2) Pilot client deployed - full framework live on one client, drift detection running, validated and working
3) Migration runbook delivered - documented and tested process ready for the team to execute
4) Feature audit and all documentation complete - all deliverables handed over and CIPP recommendations implemented

Include your estimated cost per milestone and total project cost in your proposal. If the listed estimate budget is totally off, please let me know your thoughts and reasoning.
- Budget: $750.00 (Fixed-price)
- Experience Level: Expert
- Remote Job
- Project Type: Ongoing project
Activity on this job
- Proposals: Less than 5
- Last viewed by client: 6 days ago
- Interviewing: 4
- Invites sent: 6
- Unanswered invites: 3
About the client
- United States, Chicago, 7:04 AM
- $32K total spent; 42 hires, 0 active
- 1,899 hours