Security Engineer Architect - IAM

New York, NY, US • Posted 9 hours ago • Updated 9 hours ago
Contract W2
No Travel Required
On-site
$80 - $100/hr

Job Details

Skills

  • FedRAMP
  • Security Engineering
  • RBAC
  • Regulatory Compliance
  • Authentication
  • Microsoft Azure
  • Identity Management
  • Information Security
  • Multi-factor Authentication

Summary

Job Title: Security Engineer/Architect - IAM

Duration: 12+ Months (Possible extension)

Location: New York, NY 10286

Onsite Role (4 days a week)


Responsibilities:

  • Seeking a hands-on Security Engineer/Architect to design, implement, and govern identity and access management for a FedRAMP-compliant Azure environment using native Microsoft security tooling.
  • Will own the IAM architecture and control lifecycle—policy design, privileged access, identity threat protection, lifecycle governance, and evidence generation—ensuring NIST SP 800-53 control coverage and audit readiness.
  • Define and maintain Azure IAM architecture and guardrails: tenant segmentation, RBAC strategy, least privilege, managed identities, Conditional Access, and Just-In-Time access via PIM.
  • Establish standardized access patterns for workloads, service principals, Managed Identities, and human identities across multi-tenant/multi-subscription Azure footprints.
  • Design and enforce secure key/secret management using Azure Key Vault (FIPS 140-2 validated modules), including rotation, access policies, and monitoring.
  • Integrate identity threat protection signals (Entra ID Protection, Defender for Identity) into detection and response workflows; ensure coverage for high-risk scenarios (privilege escalation, token theft, MFA fatigue, legacy protocols).

Implementation and Control Enforcement

  • Build and maintain Azure Policy/Blueprints to enforce IAM baselines (e.g., MFA requirements, disallow legacy auth, privileged role constraints, Key Vault access policies, managed identity usage).
  • Configure Conditional Access, Authentication Strengths, and token controls; manage role assignments, custom roles, and privileged workflows consistent with FedRAMP requirements.
  • Drive onboarding of identities and applications to native controls; integrate with CI/CD pipelines for pre-deployment checks and policy-as-code control inheritance.


Operations, Continuous Monitoring, and Evidence

  • Partner with SecOps to ensure logging/telemetry completeness (Audit logs, Sign-In logs, Entra ID Risk events, Azure Activity logs) and Sentinel ingestion; author KQL-based detections/playbooks for IAM threats.
  • Maintain IAM control narratives, SSP sections, and evidence packages; support POA&M lifecycle for IAM-related findings and corrective actions.
  • Produce monthly/quarterly Continuous Monitoring artifacts for IAM controls (AC, IA, AU, CM, SC), including access reviews, break-glass account attestations, PIM usage audits, and privilege minimization metrics.


Risk, Access Reviews, and Compliance

  • Lead periodic access certification campaigns for privileged roles and sensitive applications; implement automated recertification workflows and exception governance.
  • Quantify residual risk and document compensating controls; partner with risk/compliance and 3PAOs on assessments, interviews, and artifact reviews.
  • Ensure material changes in IAM configurations are reflected in SSP/control narratives and communicated via change management.


Azure Native Tooling (Primary)

  • Identity & Access: Microsoft Entra ID (Azure AD), PIM, Conditional Access, Authentication Strengths, RBAC, Managed Identities
  • Threat Protection: Entra ID Protection, Microsoft Defender for Identity, Microsoft Defender XDR signals
  • SIEM/SOAR: Microsoft Sentinel (Log Analytics, Workbooks, Playbooks/Logic Apps)
  • Posture & Policy: Azure Policy, Azure Blueprints, Azure Automation
  • Secrets & Crypto: Azure Key Vault (FIPS 140-2), Key Vault HSM (as applicable)
  • Monitoring/Telemetry: Azure Monitor, Sign-In/Audit Logs, Diagnostic Settings, Activity Logs


Education/Experience:

  • Bachelor’s degree in Information Security, Computer Science, Information Systems, or related field; equivalent experience considered.
  • 7+ years in security engineering/architecture, with 3+ years focused on IAM in Azure using native tooling.
  • Deep hands-on experience with Entra ID (Azure AD), RBAC, PIM, Conditional Access, Managed Identities, and Key Vault—including policy design and enforcement at scale.
  • Practical knowledge of FedRAMP baselines (Moderate/High), NIST SP 800-53 control families, and audit/assessment processes; experience contributing to SSP/ConMon evidence.
  • Strong proficiency in Azure Policy/Blueprints and policy-as-code approaches; experience embedding controls into CI/CD.
  • Ability to design high-fidelity detections and automate incident response for identity threats using Sentinel and Logic Apps.
  • Excellent documentation and communication skills for control narratives, runbooks, access governance procedures, and executive status reporting.


Preferred:

  • Experience operating in Azure Government C High tenants and understanding telemetry/control nuances in those environments.
  • Background in Zero Trust principles, privileged identity strategy, and secure service-to-service authentication patterns.
  • Familiarity with Microsoft Purview and data access governance for sensitive workloads.
  • Scripting/automation skills (KQL, PowerShell, Bicep/Terraform basics) to manage identities, enforce policies, and generate evidence.
  • Certifications: AZ-500 (Azure Security Engineer Associate), SC-300 (Identity and Access Administrator), SC-200 (Security Operations Analyst), CISSP/CCSP, or equivalent.
Employers have access to artificial intelligence language tools (“AI”) that help generate and enhance job descriptions and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.
  • Dice Id: 90987567
  • Position Id: 8926697