Identity and Access Management Engineer

Role Summary:

Serves as the subject matter expert (SME) for identity, privileged access, and authentication ecosystem, including Microsoft Entra ID, IAM, PAM, and MFA platforms. This role is responsible for designing and maintaining secure, scalable identity architectures, implementing complex access management workflows, and ensuring that identity controls meet regulatory and business requirements. The L3 IAM Engineer leads advanced troubleshooting, root cause analysis, vendor escalations, and integration projects. The role also supports audits, develops automation for identity operations, mentors L2 teams, and drives continuous improvements.

Responsibilities:

• Manage and maintain the identity architecture (Entra ID, IAM, PAM, MFA, SSO) to meet business, security and compliance requirements.
• Lead complex SAML/OIDC/SAML federation, SCIM and custom API integrations for SSO and provisioning across SaaS, on-prem and legacy apps.
• Manage and maintain Conditional Access policies including location/device risk, session controls, and risk-based access policies.
• Design and implement role models, entitlement and role mining exercises and ensure least-privilege and SoD controls are enforced.
• Manage and maintain PAM vault architecture, credential rotation policies, session brokering, and session recording configurations.
• Define and implement advanced MFA scenarios (adaptive MFA, step-up auth, bypass rules) and app / soft token lifecycle and integrations.
• Develop, validate and own cross-system workflows: provisioning approvals, delegated admin models, JIT privileged access and emergency access processes.
• Produce runbooks and operational playbooks for identity compromise, brute-force, token theft and privileged access incidents, lead escalations.
• Perform root-cause analysis for complex identity incidents, coordinate remediation across IAM, PAM, AD/Entra, application owners and vendors.
• Manage and maintain IAM SIT/UAT environments to ensure they mirror production architecture, policies, and integrations as closely as possible.
• Test authentication and authorization scenarios for new applications in SIT/UAT, ensuring policies behave as expected without business disruption.
• Collaborate with application owners, security architects, and QA teams to support testing of IAM-dependent applications in SIT/UAT environments before promoting to Production.
• Validate that new IAM configurations, patches or updates in SIT/UAT before promoting to Production.
• Define health KPIs, capacity plans, patch/upgrade windows, and perform platform upgrades with rollback plans.
• Own vendor/L4 escalations for product issues and coordinate vendor fixes, hotfix testing and validation.
• Mentor and train L2 team — review L2 change requests, code/scripts and handle knowledge-transfer sessions.
• Support audit, compliance and certification activities: provide evidence, design control mappings to compliance standards and respond to auditor queries.
• Automate repetitive tasks via PowerShell/APIs, create automation playbooks for onboarding/offboarding and connectors.

Experience & Skills
:

• 10+ years of experience in cybersecurity with 5 – 8 years in IAM/PAM/MFA technologies.
• Deep expertise in Entra ID, IAM, PAM, MFA, SSO within complex enterprise environments.
• Deep understanding of IAM architecture, hybrid identity (on-prem AD + cloud), federation (SAML/OIDC), SCIM provisioning, RBAC/ABAC models, and SoD enforcement.
• Strong integration experience using APIs, connectors, and identity middleware, including troubleshooting and performance tuning.
• Proficiency in scripting languages such as PowerShell or Python for automation.
• Excellent troubleshooting, analytical thinking, and root cause analysis skills.
• Strong understanding of Zero Trust, identity governance, and regulatory frameworks (ISO