Senior IAM Engineer - Entra ID
Charles Schwab · Phoenix, AZ · 2 days ago
HybridFull-time
Key Responsibilities
- Design, implement, and maintain end-to-end Identity & Access Management architectures using Microsoft Entra ID and Active Directory.
- Establish a long-term identity strategy aligned with business, security, and regulatory requirements.
- Architect secure hybrid identity models including Entra Connect, cloud sync strategies, and identity lifecycle automation.
- Drive adoption of Zero Trust identity principles, including continuous evaluation and least-privilege access.
- Lead design and optimization of Conditional Access policies, authentication flows, MFA, passwordless strategies (FIDO2, Windows Hello Business), and identity protection.
- Architect, standardize, and provide oversight for Entra ID Governance capabilities—PIM, access reviews, entitlement management, custom roles, and segregation of duties.
- Oversee configuration of Entra applications, service principals, federations, SCIM provisioning, and SSO integrations (SAML/OIDC/OAuth2).
- Design secure, resilient, and scalable Active Directory forests, domains, GPO structures, and privileged access boundaries.
- Lead initiatives to modernize AD security posture (tiered administration models, privileged access isolation, delegated administration, and secure baselines).
- Implement AD hardening, lifecycle management, group governance, and remediation of legacy dependencies.
- Develop identity standards, patterns, security baselines, and governance frameworks.
- Ensure compliance with regulatory requirements such as SOX, HIPAA, GDPR, ISO 27001, and internal audit controls.
- Provide guidance for RBAC/ABAC models, identity lifecycle management, privileged access governance, and application onboarding.
- Integrate identity controls into cloud landing zones, CI/CD pipelines, and enterprise architectures.
- Partner with security operations to integrate identity telemetry, threat detection, and incident response workflows.
- Collaborate with Security Engineering, Application Owners, Cloud Platform Engineering & Architecture, and Infrastructure teams.
- Deliver architectural direction during acquisition integration, cloud migrations, and modernization projects.
- Provide architectural direction during acquisition integration, cloud migrations, and modernization projects.
- Deliver architecture diagrams, roadmaps, threat models, and solution documentation.
Required Qualifications
- 8+ years of experience in Identity & Access Management, architecture or engineering.
- Deep expertise in: Microsoft Entra ID (Azure AD), Conditional Access, Identity Protection, Entra Governance, Active Directory design, replication, DNS, GPO, PKI, delegation models, SSO protocols: OAuth2, OIDC, SAML, WS-Fed, identity lifecycle automation and provisioning, Zero Trust architecture principles, MFA, passwordless, risk-based policies, and authentication flows.
- Experience securing hybrid identity using Entra Connect, federation services, and cloud-only patterns.
- Expertise building Terraform IaC resources and guardrails for identity services through reusable modules and automated CI/CD pipelines.
- Proficiency with PowerShell or automation frameworks.
- Strong understanding of IAM risk management, audit requirements, and regulatory standards.
Preferred Qualifications
- Microsoft certifications: SC-300, SC-100, AZ-305, or equivalent.
- Experience with: Privileged Access Workstations (PAW), Microsoft Identity Manager (MIM) or other ILM solutions, Conditional Access advanced configurations and automation, Enterprise-scale identity consolidation and domain migration projects, Modern IAM stacks (SailPoint, CyberArk, Okta).
- Background security architecture, threat modeling, or penetration testing related to identity systems.