Identity Fabric Principal in support of IAM Services (Warsaw)

Cronos Europa


Job Location:

Warsaw - Poland

Monthly Salary: Not Disclosed
Posted on: 7 hours ago
Vacancies: 1 Vacancy

Job Summary

About Cronos Europa:

Cronos Europa is a leading IT and digital transformation partner dedicated exclusively to European Institutions and agencies, delivering mission-critical solutions that shape Europe's digital future. As part of the Cronos Group, one of the most innovative and fastest-growing tech ecosystems in Europe, we benefit from a vast pool of expertise and cutting-edge capabilities. With over 1000 specialists across Belgium, Luxembourg and the Netherlands, we combine deep institutional knowledge with strong engineering excellence to support long-term, high-impact EU programmes requiring reliability, scalability and innovation.

About the job

We are currently looking for an Identity Fabric Principal in support of IAM Services to strengthen our Cronos Europa team and contribute to large-scale IT programmes within the European Institutions.

The place of the delivery will be in Poland (Warsaw).

Responsibilities

  • Define and maintain modern authentication standards for applications and APIs (OAuth2/OIDC/SAML), including reference architectures.
  • Support project teams in implementing and troubleshooting auth flows (Auth Code, PKCE, Device Code, Client Credentials, OBO), including edge cases and production incidents.
  • Review and harden token/session configurations (lifetimes, refresh behaviour, session controls) and advise on mitigations for common auth threats (replay, token theft).
  • Design and standardize claims/attributes strategy (least-privilege claims, normalization across IdPs, group/role overage handling) for scalable integrations.
  • Define API access models and permission strategy (scopes vs roles, delegated vs app permissions) and govern consent patterns (admin/incremental) for least privilege and auditability.
  • Configure and operate federation integrations (IdP/SP), including metadata management, planned rollovers and resolving common SSO issues.
  • Design risk-based access controls and step-up patterns aligned to application sensitivity, using Conditional Access and appropriate MFA/authentication strength.
  • Deliver Entra ID tenant-level configurations and operational posture improvements (baseline configuration, governance touchpoints, operational practices).
  • Design and guide external identity onboarding patterns (Entra External ID: CIAM/B2B/B2C), balancing UX, security controls and supportability.
  • Build, tune and safely roll out Conditional Access / Identity Protection policies (exclusions, break-glass, staged deployment, monitoring and rollback approach).
  • Implement and operate Entra ID Governance capabilities (access packages, entitlement management, access reviews, lifecycle workflows) in alignment with delivery timelines.
  • Provide application onboarding and integration support (Enterprise Apps, App Registrations, service principals, managed identities), including troubleshooting and configuration reviews.
  • Support hybrid identity dependencies involving AD DS (directory design impacts, group structures, delegation models) and advise on sustainable hybrid patterns.
  • Operate and troubleshoot AD FS where still required, and contribute to modernization roadmaps toward cloud-native federation patterns.
  • Develop and maintain PowerShell automation for identity operations (Graph PowerShell and relevant modules): reporting, bulk changes, baseline checks and repeatable tasks with robust logging.
  • Provide scripted operational support for AD DS/AD FS (user/group lifecycle tasks, reporting, troubleshooting accelerators) within governance and access boundaries.
  • Participate in SailPoint-based IGA delivery (IdentityIQ/IdentityNow): requirements translation, design validation and alignment of governance outcomes with Microsoft identity patterns.
  • Implement IGA processes end-to-end (JML, access requests/approvals, certifications/reviews, SoD, role/entitlement modeling) and integrate with delivery/operations.
  • Design and improve provisioning and lifecycle integrations (SCIM, authoritative sources, reconciliation, JIT vs managed provisioning), ensuring clean offboarding and access hygiene.
  • Embed GDPR/EUDPR requirements into IAM delivery (minimization, purpose, retention, auditability, token/claim hygiene) and extend governance to AI/agent access where applicable.

Your Profile

  • You have a Bachelor's or Master's degree in IT.
  • You are fluent in English (minimum level B2).
  • You have a minimum of 10 years of relevant professional IT experience.
  • You have a minimum of 8 years of experience in a similar role.
  • Modern auth standards: solid understanding of OAuth 2.0, OpenID Connect and SAML, including typical enterprise use cases (apps, APIs, federation).
  • Token & session security: knowledge of token/session lifecycles (issuance, validation, lifetimes, refresh tokens), plus common risks and mitigations.
  • API permissions & consent: understanding and practical application of scopes vs roles, delegated vs application permissions, and admin/incremental consent models.
  • Entra External ID patterns: practical knowledge of CIAM/B2B/B2C onboarding patterns and UX vs security trade-offs.
  • Hybrid identity foundations (AD DS): solid understanding of domains/forests, trusts, OU/GPO delegation, and how AD DS impacts hybrid identity.
  • SailPoint IGA exposure: practical experience with SailPoint IdentityIQ and/or IdentityNow concepts, delivery model and outcomes.
  • Provisioning & lifecycle integrations: experience with SCIM, authoritative sources, reconciliation, and JIT vs managed provisioning trade-offs.
  • GDPR/EUDPR and AI readiness: ability to apply privacy-by-design in IAM (minimisation, purpose, retention, token/claim hygiene, auditability) and extend governance to AI/agent access where required.
  • Flow implementation & troubleshooting: ability to implement and debug Auth Code, PKCE, Device Code, Client Credentials and OBO flows in real applications.
  • Claims & identity context: ability to design claim sets, mapping/normalization across IdPs and least-privilege claims, and to handle group/role overage patterns.
  • Federation operations: experience configuring IdP/SP integrations, metadata management, rollover planning and resolving common SSO failures.
  • Assurance & risk-based access: capability to apply step-up patterns, MFA trust models, phishing-resistant readiness and Conditional Access alignment to sensitivity.
  • Microsoft Entra ID delivery: hands-on experience with Entra ID tenant configuration, authentication posture and operational governance.
  • Conditional Access & Identity Protection: experience designing/tuning CA policies, MFA enforcement, risk signals, exclusions/break-glass and safe rollout practices.
  • Entra ID Governance: working capability with access packages, entitlement management, access reviews and lifecycle workflows in delivery contexts.
  • App integration engineering: strong experience with Enterprise Apps, App Registrations, service principals, managed identities and integration support.
  • Federation legacy (AD FS): ability to operate/troubleshoot AD FS (claims rules, relying parties) and contribute to modernization planning.
  • PowerShell automation (Entra/M365): ability to automate reporting and bulk ops using Microsoft Graph PowerShell and relevant modules, with reliable logging.
  • PowerShell (AD DS/AD FS): capability to script user/group operations and operational reporting/troubleshooting within governance constraints.
  • IGA process delivery: ability to implement JML, access requests/approvals, certifications/reviews, SoD concepts and role/entitlement modeling.

Specific Requirements

  • Microsoft-first delivery: primary focus on Entra ID / Entra External ID with consistent integration patterns for enterprise apps and APIs.
  • Hybrid environment readiness: ability to operate with AD DS/AD FS dependencies and modernize pragmatically without disrupting services.
  • Automation-by-default: preference for repeatable delivery via PowerShell and controlled processes (CI/CD and/or ITSM where applicable).
  • Compliance-oriented design: ability to design/operate IAM controls aligned with GDPR/EUDPR and internal audit expectations (traceability and evidence).
  • IGA alignment: capability to deliver governance outcomes with SailPoint and align them with Microsoft identity patterns.
  • Future-proofing: readiness to cover AI/agent identities and access controls using least privilege and clear governance.

If you wish to join a dynamic organisation on a human scale while working with the latest technologies, don't wait any longer and join Cronos!


Required Experience:

Staff IC

