Principal IAM/AD Engineer

The MathWorks, Inc.
Natick, United States of America
2 days ago

Role details

Contract type
Permanent contract
Employment type
Full-time (> 32 hours)
Working hours
Regular working hours
Languages
English
Experience level
Senior
Compensation
$231K

Job location

Natick, United States of America

Tech stack

Microsoft Active Directory
Domain Controllers
API
Artificial Intelligence
User Authentication
Microsoft Online Services
Cloud Computing
Continuous Integration
Software Design Patterns
DevOps
Multi-Factor Authentication
Identity and Access Management
Intrusion Detection and Prevention
Subnetting
Python
Kerberos (Protocol)
Lightweight Directory Access Protocol (LDAP)
NT LAN Manager
OAuth
OpenID
Public Key Infrastructure
PowerShell
Azure
Zero Trust Network Access
Security Assertion Markup Language (SAML)
Policy as Code
Data Logging
Scripting (Bash/Python/Go/Ruby)
Enterprise Software Applications
Git Flow
GraphQL
CIS Benchmarks
SailPoint
Software Version Control

Job description

Do you enjoy building secure, scalable identity platforms and using automation to improve how identity services are delivered and managed? Join our Identity and Access Management team responsible for enterprise identity foundations across on-premises Active Directory, Microsoft Entra ID, hybrid identity, privileged access, and workload identities. We partner closely with Security Engineering, IT, Cloud, Compliance, SOC/XDR, and AI Governance teams to deliver hardened directory services, modern authentication, non-human identity governance, ITDR capabilities, and Zero Trust controls that enable the business.

Responsibilities

  • Operate, secure, and mature on-premises Active Directory, including domain controller lifecycle management, replication, sites/subnets, SYSVOL/GPO health, delegation models, privileged access boundaries, recovery readiness, patch compliance validation, and security baselines.

  • Design, implement, and manage Microsoft Entra ID capabilities, including Conditional Access, Identity Protection, PIM, enterprise applications, app registrations, service principals, managed identities, authentication controls, and authorization policies.

  • Govern non-human and workload identities, including service principals, managed identities, automation accounts, machine identities, certificates, secrets, federated credentials, and application permissions.

  • Monitor, troubleshoot, and optimize hybrid identity flows, including Azure AD Connect or Cloud Sync, provisioning, authentication, authorization, SailPoint-integrated lifecycle processes, and identity data dependencies.

  • Partner with SOC/XDR, Security Engineering, and Incident Response teams to strengthen identity threat detection and response across Active Directory, Entra ID, privileged accounts, application identities, and workload identities.

  • Harden AD and Entra ID through secure baselines, admin tiering, privileged access controls, secure delegation, workload identity controls, and proactive identity threat detection and response.

  • Automate identity operations using PowerShell, Python, Microsoft Graph, Entra APIs, Git workflows, CI/CD pipelines, and configuration-as-code or policy-as-code practices.

  • Mature DevOps and SecDevOps practices around IAM platform management, including source control, peer review, automated validation, drift detection, secure deployment workflows, logging, secrets handling, and rollback planning.

  • Help define and operationalize IAM patterns for AI-enabled systems and agentic workflows, including identity ownership, access boundaries, auditability, and lifecycle governance.

  • Lead complex troubleshooting and incident response for identity-related issues, including Kerberos/NTLM, LDAP/LDAPS, replication, Conditional Access failures, service principal risk, workload identity incidents, and suspicious sign-in activity.

  • Produce runbooks, standards, design patterns, change records, and operational procedures; mentor team members and collaborate with stakeholders to align IAM operations with business needs.

Requirements

  • A bachelor's degree and 10 years of professional work experience (or equivalent experience) are required.

  • Mastery of Active Directory

Additional Qualifications

A successful candidate for this role will have a combination of some or all of the following skills/experience:

  • 7+ years in enterprise Active Directory operations and hardening, including DC lifecycle management, sites/services, replication, GPO, delegation, BCDR, and observability.

  • 7+ years of experience with Microsoft Entra ID capabilities such as Conditional Access, MFA, Identity Protection, PIM, enterprise applications, app registrations, service principals, managed identities, and access reviews.

  • Experience operating Azure AD Connect or Cloud Sync in hybrid identity environments.

  • Experience governing workload and non-human identities, including service principals, managed identities, certificates, secrets, automation accounts, CI/CD identities, and federated credentials.

  • Experience reviewing application permissions and consent models, including delegated permissions, application permissions, admin consent, Graph API permissions, and least privilege access.

  • Identity Governance and Administration experience, preferably with SailPoint, including provisioning, entitlement models, access certifications, role modeling, and joiner/mover/leaver processes.

  • Experience with IAM automation and engineering practices, including scripting, API integration, configuration-as-code, and CI/CD pipelines using Git-based workflows.

  • Experience with privileged access models, administrative tiering, PAWs, break-glass accounts, just-in-time access, and privileged workflow controls.

  • Experience supporting identity threat detection and response, including AD attack patterns, token abuse, risky sign-ins, suspicious service principal activity, and workload identity risk.

  • Familiarity with AI-enabled identity patterns, including AI agents, Copilot-style integrations, plugins, connectors, agentic workflows, and API permission governance.

  • SSO/Federation experience with SAML, OIDC, OAuth, SCIM provisioning, certificate-based authentication, and token-based access patterns.

  • AD security experience with trusts, LDAP/LDAPS, LDAP signing/channel binding, constrained delegation, Kerberos, NTLM, GPO hardening, and privileged groups.

  • PKI and certificate experience, including AD CS, CRL/OCSP, auto-enrollment, renewal automation, workload certificates, and service principal credentials.

  • Backup/recovery experience, including authoritative restore, forest recovery planning, recovery drills, and operational readiness exercises.

  • Compliance familiarity with CMMC, NIST CSF, NIST 800-53, NIST 800-171, ISO 27001.
