Principal IAM/AD Engineer
Listed on 2026-06-17
IT/Tech
Cybersecurity, Systems Engineer
Job Summary
MathWorks has a hybrid work model that enables staff members to split their time between office and home. The hybrid model provides the advantage of both in-person time with colleagues and the flexibility of working from home.
Do you enjoy building secure, scalable identity platforms and using automation to improve how identity services are delivered and managed? Join our Identity and Access Management team, responsible for enterprise identity foundations across on-premises Active Directory, Microsoft Entra, hybrid identity, privileged access, and workload identities. We partner closely with Security Engineering, IT, Cloud, Compliance, SOC/XDR, and AI Governance teams to deliver hardened directory services, modern authentication, non-human identity governance, ITDR capabilities, and Zero Trust controls that enable the business.
MathWorks nurtures growth, appreciates inclusivity, encourages initiative, values teamwork, shares success, and rewards excellence.
Responsibilities
- Operate, secure, and mature on-premises Active Directory, including domain controller lifecycle management, replication, sites/subnets, SYSVOL/GPO health, delegation models, privileged access boundaries, recovery readiness, patch compliance validation, and security baselines.
- Design, implement, and manage Microsoft Entra, including Conditional Access, Identity Protection, PIM, enterprise applications, app registrations, service principals, managed identities, authentication controls, and authorization policies.
- Govern non-human and workload identities, including service principals, managed identities, automation accounts, machine identities, certificates, secrets, federated credentials, and application permissions.
- Monitor, troubleshoot, and optimize hybrid identity flows, including Azure AD Connect or Cloud Sync, provisioning, authentication, authorization, SailPoint-integrated lifecycle processes, and identity data dependencies.
- Partner with SOC/XDR, Security Engineering, and Incident Response teams to strengthen identity threat detection and response across Active Directory, Entra, privileged accounts, application identities, and workload identities.
- Harden AD and Entra security baselines, admin tiering, privileged access controls, secure delegation, workload identity controls, and proactive identity threat detection and response.
- Automate identity operations using PowerShell, Python, Microsoft Graph, Entra APIs, Git workflows, CI/CD pipelines, and configuration-as-code or policy-as-code practices.
- Mature DevOps and SecDevOps practices around IAM platform management, including source control, peer review, automated validation, drift detection, secure deployment workflows, logging, secrets handling, and rollback planning.
- Help define and operationalize IAM patterns for AI-enabled systems and agentic workflows, including identity ownership, access boundaries, auditability, and lifecycle governance.
- Lead complex troubleshooting and incident response for identity-related issues, including Kerberos/NTLM, LDAP/LDAPS, replication, Conditional Access failures, service principal risk, workload identity incidents, and suspicious sign-in activity.
- Produce runbooks, standards, design patterns, change records, and operational procedures; mentor team members and collaborate with stakeholders to align IAM operations with business needs.
- A bachelor's degree and 10 years of professional work experience (or equivalent experience) are required.
- Mastery of Active Directory.
A successful candidate for this role will have a combination of some or all the following skills/experience:
- 7+ years in enterprise Active Directory operations and hardening, including DC lifecycle management, sites/services, replication, GPO, delegation, BCDR, and observability.
- 7+ years of experience with Microsoft Entra, including Conditional Access, MFA, Identity Protection, PIM, enterprise applications, app registrations, service principals, managed identities, and access reviews.
- Experience operating Azure AD Connect or Cloud Sync in hybrid identity environments.
- Experience governing workload and non-human identities, including service principals, managed identities, certificates, secrets, automation accounts, CI/CD identities, and federated credentials.
- Experience reviewing application permissions and consent models, including delegated permissions, application permissions, admin consent, Graph API permissions, and least privilege access.
- Identity Governance and Administration experience, preferably with SailPoint, including provisioning, entitlement models, access certifications, role modeling, and joiner/mover/leaver processes.
- Experience with IAM automation and engineering practices, including scripting, API integration, configuration-as-code, and CI/CD pipelines using Git-based workflows.
- Experience with privileged access models, administrative tiering, PAWs, break-glass accounts, just-in-time access, and privileged workflow…