Jobs · Information Technology · Massachusetts

Principal IAM/AD Engineer

MathWorks · Natick, MA · 2 wk ago
HybridInformation TechnologyFull-time

Responsibilities

  • Operate, secure, and mature on-premises Active Directory, including domain controller lifecycle management, replication, sites/subnets, SYSVOL/GPO health, delegation models, privileged access boundaries, recovery readiness, patch compliance validation, and security baselines.
  • Design, implement, and manage Microsoft Entra ID capabilities, including Conditional Access, Identity Protection, PIM, enterprise applications, app registrations, service principals, managed identities, authentication controls, and authorization policies.
  • Govern non-human and workload identities, including service principals, managed identities, automation accounts, machine identities, certificates, secrets, federated credentials, and application permissions.
  • Monitor, troubleshoot, and optimize hybrid identity flows, including Azure AD Connect or Cloud Sync, provisioning, authentication, authorization, SailPoint-integrated lifecycle processes, and identity data dependencies.
  • Partner with SOC/XDR, Security Engineering, and Incident Response teams to strengthen identity threat detection and response across Active Directory, Entra ID, privileged accounts, application identities, and workload identities.
  • Harden AD and Entra ID through secure baselines, admin tiering, privileged access controls, secure delegation, workload identity controls, and proactive identity threat detection and response.
  • Automate identity operations using PowerShell, Python, Microsoft Graph, Entra APIs, Git workflows, CI/CD pipelines, and configuration-as-code or policy-as-code practices.
  • Mature DevOps and SecDevOps practices around IAM platform management, including source control, peer review, automated validation, drift detection, secure deployment workflows, logging, secrets handling, and rollback planning.
  • Help define and operationalize IAM patterns for AI-enabled systems and agentic workflows, including identity ownership, access boundaries, auditability, lifecycle governance.
  • Lead complex troubleshooting and incident response for identity-related issues, including Kerberos/NTLM, LDAP/LDAPS, replication, Conditional Access failures, service principal risk, workload identity incidents, and suspicious sign-in activity.
  • Produce runbooks, standards, design patterns, change records, and operational procedures; mentor team members and collaborate with stakeholders to align IAM operations with business needs.

Qualifications

  • A bachelor's degree and 10 years of professional work experience (or equivalent experience) is required.
  • Mastery of active directory.
  • Candidates for this position must be authorized to work in the United States on a full-time basis for any employer without restriction.
  • Experience with Microsoft Entra ID capabilities such as Conditional Access, MFA, Identity Protection, PIM, enterprise applications, app registrations, service principals, managed identities, and access reviews.
  • Experience operating Azure AD Connect or Cloud Sync in hybrid identity environments.
  • Experience governing workload and non-human identities, including service principals, managed identities, certificates, secrets, automation accounts, CI/CD identities, and federated credentials.
  • Experience reviewing application permissions and consent models, including delegated permissions, application permissions, admin consent, Graph API permissions, and least privilege access.
  • Identity Governance and Administration experience, preferably with SailPoint, including provisioning, entitlement models, access certifications, role modeling, and joiner/mover/leaver processes.
  • Experience with IAM automation and engineering practices, including scripting, API integration, configuration-as-code, and CI/CD pipelines using Git-based workflows.
  • Experience with privileged access models, administrative tiering, PAWs, break-glass accounts, just-in-time access, and privileged workflow controls.
  • Experience supporting identity threat detection and response, including AD attack patterns, token abuse, risky sign-ins, suspicious service principal activity, and workload identity risk.
  • Familiarity with AI-enabled identity patterns, including AI agents, Copilot-style integrations, plugins, connectors, agentic workflows, and API permission governance.
  • SSO/Federation experience with SAML, OIDC, OAuth, SCIM provisioning, certificate-based authentication, and token-based access patterns.
  • AD security experience with trusts, LDAP/LDAPS, LDAP signing/channel binding, constrained delegation, Kerberos, NTLM, GPO hardening, and privileged groups.
  • PKI and certificate experience, including AD CS, CRL/OCSP, auto-enrollment, renewal automation, workload certificates, and service principal credentials.
  • Backup/recovery experience, including authoritative restore, forest recovery planning, recovery drills, and operational readiness exercises.
  • Compliance familiarity with CMMC, NIST CSF, NIST 800-53, NIST 800-171, ISO 27001.

Similar jobs

Principal IAM Engineer

Siemens Digital Industries SoftwareCharlotte, NC· 2 wk ago
Researchapply on jobs.siemens.com

IAM Engineer

Vaco by HighspringBirmingham, AL· 1 wk ago
Information Technologyapply on aplitrak.com

IAM Engineer

KrakenUnited States· 5 days ago
RemoteEngineering$96k–$192k/yrapply on jobs.ashbyhq.com