Identity Fabric Principal
Job Summary
- Define and maintain modern authentication standards for applications and APIs (OAuth2/OIDC/SAML), including reference architectures.
- Support project teams in implementing and troubleshooting auth flows (Auth Code + PKCE, Device Code, Client Credentials, OBO), including edge cases and production incidents.
- Review and harden token/session configurations (lifetimes, refresh behaviour, session controls) and advise on mitigations for common auth threats (replay, token theft).
- Design and standardize claims/attributes strategy (least-privilege claims, normalization across IdPs, group/role overage handling) for scalable integrations.
- Define API access models and permission strategy (scopes vs roles, delegated vs app permissions) and govern consent patterns (admin/incremental) for least privilege and auditability.
- Configure and operate federation integrations (IdP/SP), including metadata management, planned rollovers and resolving common SSO issues.
- Design risk-based access controls and step-up patterns aligned to application sensitivity, using Conditional Access and appropriate MFA/authentication strength.
- Deliver Entra ID tenant-level configurations and operational posture improvements (baseline configuration, governance touchpoints, operational practices).
- Design and guide external identity onboarding patterns (Entra External ID: CIAM/B2B/B2C), balancing UX, security controls and supportability.
- Build, tune and safely roll out Conditional Access / Identity Protection policies (exclusions, break-glass, staged deployment, monitoring and rollback approach).
- Implement and operate Entra ID Governance capabilities (access packages, entitlement management, access reviews, lifecycle workflows) in alignment with delivery timelines.
- Provide application onboarding and integration support (Enterprise Apps, App Registrations, service principals, managed identities), including troubleshooting and configuration reviews.
- Support hybrid identity dependencies involving AD DS (directory design impacts, group structures, delegation models) and advise on sustainable hybrid patterns.
- Operate and troubleshoot AD FS where still required, and contribute to modernization roadmaps toward cloud-native federation patterns.
- Develop and maintain PowerShell automation for identity operations (Graph PowerShell and relevant modules): reporting, bulk changes, baseline checks and repeatable tasks with robust logging.
- Provide scripted operational support for AD DS/AD FS (user/group lifecycle tasks, reporting, troubleshooting accelerators) within governance and access boundaries.
- Participate in SailPoint-based IGA delivery (IdentityIQ/IdentityNow): requirements translation, design validation and alignment of governance outcomes with Microsoft identity patterns.
- Implement IGA processes end-to-end (JML, access requests/approvals, certifications/reviews, SoD, role/entitlement modeling) and integrate with delivery/operations.
- Design and improve provisioning and lifecycle integrations (SCIM, authoritative sources, reconciliation, JIT vs managed provisioning), ensuring clean offboarding and access governance.
Qualifications:
- Bachelor's degree plus 10 years of IT experience.
- Good knowledge of English, equal to B2 according to CEFR levels.
- Modern auth standards: solid understanding of OAuth 2.0, OpenID Connect and SAML, including typical enterprise use cases (apps, APIs, federation).
- Token & session security: knowledge of token/session lifecycles (issuance, validation, lifetimes, refresh tokens), plus common risks and mitigations.
- API permissions & consent: understanding and practical application of scopes vs roles, delegated vs application permissions, and admin/incremental consent models.
- Entra External ID patterns: practical knowledge of CIAM/B2B/B2C onboarding patterns and UX vs security trade-offs.
- Hybrid identity foundations (AD DS): solid understanding of domains/forests, trusts, OU/GPO, delegation and how AD DS impacts hybrid identity.
- SailPoint IGA exposure: practical experience with SailPoint IdentityIQ and/or IdentityNow concepts, delivery model and outcomes.
- Provisioning & lifecycle integrations: experience with SCIM, authoritative sources, reconciliation and JIT vs managed provisioning trade-offs.
- GDPR/EUDPR, AI readiness: ability to apply privacy-by-design in IAM (minimisation, purpose, retention, token/claim hygiene, auditability) and extend governance to AI/agent access where required.
- Flow implementation & troubleshooting: ability to implement and debug Auth Code + PKCE, Device Code, Client Credentials and OBO flows in real applications.
- Claims & identity context: ability to design claim sets, mapping/normalization across IdPs and least-privilege claims, and to handle group/role overage patterns.
- Federation operations: experience configuring IdP/SP integrations, metadata management, rollover planning and resolving common SSO failures.
- Assurance & risk-based access: capability to apply step-up patterns, MFA trust models, phishing-resistant readiness and Conditional Access alignment to sensitivity.
- Microsoft Entra ID delivery: hands-on experience with Entra ID tenant configuration, authentication posture and operational governance.
- Conditional Access & Identity Protection: experience designing/tuning CA policies, MFA enforcement, risk signals, exclusions/break glass and safe rollout practices.
- Entra ID Governance: working capability with access packages, entitlement management, access reviews and lifecycle workflows in delivery contexts.
- App integration engineering: strong experience with Enterprise Apps, App Registrations, service principals, managed identities and integration support.
- Federation legacy (AD FS): ability to operate/troubleshoot AD FS (claims rules, relying parties) and contribute to modernization planning.
- PowerShell automation (Entra/M365): ability to automate reporting and bulk ops using Microsoft Graph PowerShell and relevant modules, with reliable logging.
- PowerShell (AD DS/AD FS): capability to script user/group operations and operational reporting/troubleshooting within governance constraints.
- IGA process delivery: ability to implement JML, access requests/approvals, certifications/reviews, SoD concepts and role/entitlement
Remote Work:
No
Employment Type:
Full-time
About Company
Arηs is a fully independent group of companies specialized in managing complex IT projects and systems for large organisations, focusing on state-of-the-art software development, business intelligence and infrastructure services. We are composed of 17 entities across 9 countries that ...