We are looking for an IAM Engineer to lead the design and implementation of our Enterprise Credential Tiering Model. In this role, you will be the technical owner responsible for securing privileged identities, isolating high-impact administrative assets within Active Directory Domain Services (AD DS), and extending these security boundaries into Microsoft Entra ID.
Your mission is to strengthen the organisation’s identity security posture by eliminating lateral movement opportunities, protecting the identity control plane, and ensuring that identity architecture aligns with a strict Zero Trust security framework.
You will work at the intersection of Identity & Access Management, cybersecurity, and infrastructure, partnering closely with Security Operations and IT teams to build a secure and future-proof identity environment.
Microsoft Entra ID Control Plane Hardening
- Translate traditional Active Directory tiering concepts into Microsoft Entra ID.
- Secure high-impact roles including Global Administrators, Privileged Role Administrators, and other privileged directory roles.
- Implement governance controls to protect the Entra ID control plane.
Access Control & Privileged Access Management
- Configure Active Directory Organizational Units (OUs), Group Policy Objects (GPOs), Authentication Policies, and Authentication Silos.
- Prevent privileged credentials from being exposed on lower-tier systems.
- Implement modern privileged access solutions, including:
- Microsoft Entra Privileged Identity Management (PIM)
- Conditional Access Policies (CAPs)
- Secure Administrative Workstations (SAWs/PAWs)
- Tier-specific administrative access models
Identity Security Improvement & Legacy Cleansing
- Identify and remediate identity security risks, including:
- Unmanaged service accounts
- Excessive permissions
- Over-privileged groups
- Cross-tier group nesting
- Legacy configurations that bypass security boundaries
- Improve overall identity hygiene and reduce attack paths.
Security Collaboration & Governance
- Work closely with Security Operations (SecOps) teams to align identity controls with SIEM monitoring and security detection capabilities.
- Support detection and response processes for anomalous authentication behaviour and privileged access risks.
- Contribute to identity governance standards and security improvements.
Technical Qualifications
Core Identity Expertise
- Strong hands-on experience with Active Directory Domain Services (AD DS), including:
- Forests, domains, and trusts
- Kerberos and NTLM security concepts
- Group Policy engineering
- Active Directory Administrative Center
- Authentication security controls
- Extensive knowledge of Microsoft Entra ID, including:
- Directory roles
- Administrative Units
- Conditional Access policies
- Authentication strengths
- Token protection
- Privileged Identity Management (PIM)
- Proven experience implementing:
- Microsoft Legacy 3-Tier Model
- Enterprise Access Model (EAM)
- Privileged Identity Management strategies
Security & Automation Skills
- Experience designing and deploying:
- Privileged Access Workstations (PAWs)
- Secure jump servers
- Tier-specific administrative environments
- Strong PowerShell scripting skills for:
- Identity audits
- Automation of security controls
- Compliance reporting
- Experience with Microsoft Graph API for Entra ID automation and reporting.
- Familiarity with identity security assessment tools such as:
- BloodHound
- PingCastle
- Microsoft Defender for Identity
What We Offer
- Competitive salary up to €6,000 gross per month, depending on experience.
- Lease car as part of your employment package.
- Attractive bonus scheme based on performance.
- The opportunity to work on strategic identity security projects with a strong focus on Zero Trust.
- A challenging role where you can directly influence enterprise security architecture.