
Terms of Reference for Azure Cloud Infrastructure & Device Management Consultancy

VIA Foundation

VIA Foundation is a recently founded financial intermediary organization dedicated to supporting the acceleration and scale-up of ecosystem restoration efforts across member countries of the African Forest Landscape Restoration Initiative (AFR100). The mission of VIA Foundation is to provide innovative financial solutions and strategic support to restoration champions, the local organizations that mobilize communities to revitalize degraded land.


VUMBUZI IMPACT AFRICA (VIA)

Terms of Reference

Azure Cloud Infrastructure & Device Management Consultancy

Microsoft Intune Implementation & Security Hardening

June 2026

1. Objectives

The primary objectives of this consultancy are to:

  • Audit and document the current Azure/M365 configuration and identify gaps.
  • Design and implement a secure, scalable Azure environment aligned with best practices.
  • Deploy and configure Microsoft Intune for unified endpoint and device management.
  • Harden security using Microsoft Defender for Cloud and related tools.
  • Establish governance frameworks including Identity & Access Management (IAM) and Conditional Access Policies.
  • Provide training to VIA's internal IT staff and produce comprehensive documentation.
  • Deliver a roadmap for ongoing maintenance and future growth.

2. Scope of Work

The consultant shall undertake the following activities across four defined phases. Each phase has specific deliverables and acceptance criteria as outlined in Section 3.

2.1 Phase 1: Discovery, Audit & Design (Weeks 1–3)

  • Conduct a comprehensive audit of the existing M365 tenant, Azure subscriptions, and Defender for Cloud configuration.
      1. Review current user accounts, licences, groups, and roles
      2. Assess existing security policies and compliance posture
      3. Inventory all enrolled and unmanaged devices
      4. Document current network topology and integration points
  • Identify security gaps, misconfigurations, and areas of non-compliance.
  • Develop a detailed Target Architecture Design Document covering:
      1. Azure Active Directory (Entra ID) structure and governance model
      2. Intune device management architecture
      3. Security baseline and Conditional Access framework
      4. Network segmentation and identity boundaries
  • Present findings and proposed architecture to VIA leadership for approval.

2.2 Phase 2: Identity, Access & Security Foundation (Weeks 4–7)

  • Configure and harden Azure Active Directory / Microsoft Entra ID:
      1. Implement Multi-Factor Authentication (MFA) for all users
      2. Configure Privileged Identity Management (PIM) for admin accounts
      3. Set up Self-Service Password Reset (SSPR)
  • Deploy and configure Conditional Access Policies:
      1. Risk-based access controls and sign-in policies
      2. Device compliance requirements as an access gate
      3. Named location and trusted IP configurations
  • Optimise Microsoft Defender for Cloud:
      1. Enable Defender for Endpoint plans
      2. Configure threat protection and alert rules
      3. Establish a Security Information baseline and Secure Score targets
  • Implement Azure Policy and role-based access control (RBAC) governance.

2.3 Phase 3: Microsoft Intune & Device Management (Weeks 8–12)

  • Deploy and configure Microsoft Intune:
      1. Enrol Windows and macOS devices as applicable
      2. Design and deploy Device Configuration Profiles
      3. Establish Device Compliance Policies
      4. Configure Autopilot for zero-touch device provisioning
  • Configure App Management:
      1. Deploy required organisational apps through Intune Company Portal
      2. Configure Microsoft 365 Apps deployment and update rings
      3. Implement app protection policies for BYOD scenarios
  • Integrate Intune with Defender for Endpoint for unified device compliance signals.
  • Set up Windows Update for Business and patch management rings.
  • Configure remote device management capabilities (wipe, lock, reset).

2.4 Phase 4: Optimisation, Documentation & Handover (Weeks 13–16)

  • Conduct an end-to-end security review and penetration-readiness assessment.
  • Tune and optimise all deployed configurations based on operational experience.
  • Develop and deliver comprehensive documentation:
      1. System Administration Guide
      2. Intune Device Enrolment Guide (end-user facing)
      3. Incident Response Runbook
      4. Azure Architecture Diagram (as-built)
  • Deliver training to VIA IT staff covering day-to-day administration tasks.
  • Produce a 12-month IT Roadmap with prioritised recommendations.
  • Conduct a formal knowledge transfer and handover session.

3. Phased Implementation Plan

The table below summarises the four phases, their key activities and timelines. The total engagement is estimated at 16 weeks.

| Phase | Key Activities | Duration |
|---|---|---|
| Phase 1: Discovery & Design | Environment audit · Gap analysis · Architecture design · Stakeholder sign-off | Weeks 1–3 (3 weeks) |
| Phase 2: Identity & Security | Entra ID hardening · MFA · PIM · Conditional Access · Defender for Cloud optimisation · RBAC & Azure Policy | Weeks 4–7 (4 weeks) |
| Phase 3: Intune & Devices | Intune deployment · Device enrolment · Compliance & config profiles · Autopilot · MAM · App management · Patch rings | Weeks 8–12 (5 weeks) |
| Phase 4: Handover & Docs | Security review · Configuration tuning · Full documentation suite · IT staff training · 12-month roadmap · Knowledge transfer | Weeks 13–16 (4 weeks) |
| TOTAL | Full Azure Environment Maturity + Intune + Security + Docs + Training | 16 Weeks |

4. Deliverables & Acceptance Criteria

| # | Deliverable | Acceptance Criteria | Phase |
|---|---|---|---|
| D1 | Audit & Gap Analysis Report | Complete inventory of current state; all gaps documented with risk ratings | Phase 1 |
| D2 | Target Architecture Design Document | Approved by VIA leadership; includes Entra ID, Intune, and security architecture diagrams | Phase 1 |
| D3 | Entra ID & MFA Configuration | 100% of user accounts enrolled in MFA; PIM active for all admin roles | Phase 2 |
| D4 | Conditional Access Policies | All access policies active and tested; no user lockouts in production | Phase 2 |
| D5 | Defender for Cloud Configuration | Secure Score ≥ 75%; all high-severity alerts remediated | Phase 2 |
| D6 | Intune Tenant Configuration | Intune policies deployed and validated; all enrolled devices compliant | Phase 3 |
| D7 | Device Enrolment (all platforms) | All organisational devices enrolled; enrolment guide tested with end users | Phase 3 |
| D8 | App Management & MAM Policies | All required apps deployed; BYOD MAM policies active | Phase 3 |
| D9 | Full Documentation Suite | All docs reviewed and accepted by VIA IT lead | Phase 4 |
| D10 | IT Staff Training | Training delivered; sign-off from VIA IT team | Phase 4 |
| D11 | 12-Month IT Roadmap | Prioritised backlog of recommendations with effort/cost estimates | Phase 4 |

5. Consultant Qualifications & Requirements

Requirements

  • Minimum 5 years of hands-on experience with Microsoft Azure and Microsoft 365 administration.
  • Demonstrated experience deploying Microsoft Intune in organisations of similar size and complexity.
  • Proven experience configuring Microsoft Entra ID, Conditional Access, and Defender for Cloud.
  • Fluency in English; ability to communicate technical concepts clearly to non-technical stakeholders.

Desirable Requirements

  • Microsoft Certified: Security Operations Analyst Associate (SC-200).
  • Microsoft 365 Certified: Endpoint Administrator Associate (MD-102) — current and valid.
  • Microsoft Certified: Azure Administrator Associate (AZ-104) — current and valid.
  • Familiarity with data protection regulations applicable within the East African region.
  • Experience with Microsoft Sentinel or similar SIEM tools.
  • Track record of delivering remote engagements with limited on-site presence.

6. Working Arrangements

  • The consultant will report to VIA's designated IT Lead and will provide weekly progress updates in writing.
  • A dedicated Slack or Teams channel will be maintained for day-to-day communication.
  • All work must be conducted in VIA's own Microsoft tenant and subscriptions; no third-party systems are to be used for configuration or data storage.
  • Change management: all changes to the production environment must be scheduled, communicated to VIA in advance, and rolled back if unsuccessful.
  • VIA will assign an internal IT point-of-contact who will participate actively in all phases.

7. Evaluation Criteria

| Evaluation Criterion | Weight |
|---|---|
| Technical expertise and Microsoft certifications | 25% |
| Demonstrated experience with comparable Intune/Azure projects | 30% |
| Quality and feasibility of technical proposal / work plan | 20% |
| References and track record | 15% |
| Financial proposal (value for money) | 10% |

8. Application

Interested firm consultants should submit the following documents to info@via-foundation.org and include the subject “Application for IT service provision” before 30 June 2026.
Evaluation and contract award will be conducted strictly based on capacity, compliance with requirements, and value for money.

Vumbuzi Impact Africa (VIA) Foundation is an equal opportunity organization and ensures fair competition in all procurement processes. All eligible and qualified firms are invited to apply, and only shortlisted applicants will be contacted.

— End of Terms of Reference —
