IAM Engineer

As our IAM Engineer - Modern Authentication specialist you will own / maintain the technical configuration of our Entra ID tenant with a primary focus on modernizing our authentication systems as part of a wider Identity & Access Management strategy / project roadmap. Join our growing IAM team to have a hands-on key role on Authentication/Authorization topics securing application onboarding & systems configuration hardening (ex: conditional access / adaptative MFA) designing implementing & maintaining a robust scalable framework to ensure a frictionless end-user experience.

• Access Management & Governance: Define implement and maintain Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) models across Vitol identity platforms including on-prem AD Entra ID and AWS. Partner with Security Infrastructure Cloud and Development teams to establish consistent access control standards across platforms and applications. Support the design and management of access models for applications APIs service accounts cloud platforms and workload identities.
• System and Application Integration: Integrate external and internal applications with Vitols identity providers for Single Sign-On (SSO) using SAML OAuth and OIDC protocols. Lead engagement and workshops with application development teams to support integration. Advise developers on secure authentication and authorization flows including tokens claims scopes roles secrets certificates and redirect URIs.
• Development Team Enablement: Work with Development teams to embed IAM best practices into shared libraries frameworks SDKs templates and reference architectures. Help define reusable authentication and authorization components for Vitol applications. Ensure internal libraries support least privilege secure token validation secure session management claims-based authorization secretless authentication and modern federation patterns. Act as an IAM subject matter expert helping teams choose the right protocol and identity architecture.
• Identity Lifecycle Management: Ensure secure provisioning and de-provisioning of user accounts within the joiner mover leaver (JML) process.
• Policy Enforcement: Implement maintain and enforce identity security policies including Multi-Factor Authentication (MFA) Conditional Access and least privileges. Help ensure policies are consistently applied across users applications and platforms while balancing security requirements with business usability.
• Troubleshooting & Support: Provide Tier 3 support for identity-related incidents including authentication authorization SSO federation and access issues. Work with infrastructure security cloud and application teams to diagnose root causes and implement effective resolutions.
• Automation: Utilize scripting (e.g. PowerShell Python) and APIs/SCIM to automate identity lifecycle and access management workflows. Improve operational efficiency by reducing manual tasks standardising processes and supporting scalable IAM operations.
• IAM as a service: Create and own the documentation of IAM as a service; Define onboarding processes integration patterns and standard operating procedures for IAM services; Provide clear guidance to application teams on how to consume IAM services securely and efficiently.

Qualifications :

• Bachelors degree in Information Security Computer Science or a related field - equivalent professional experience will also be considered.
• 4/5 years in IAM / Authentication / Security engineering
• Deep knowledge of IAM standards and protocols: SAML OIDC OAuth2 SCIM LDAP PKI basics and modern auth patterns
• Experience onboarding and supporting SaaS web mobile and API applications & systems with standards/protocols mentioned above into IAM solutions
• Strong understanding of cloud identity patterns (esp. AWS & Azure) hybrid identity and Zero Trust
• Ability to communicate architecture decisions clearly to technical and non-technical stakeholders

• Hands-on experiences / proven expertise as an Identity Security Engineer (& administrative experience with privileged roles) of following tools/modules/platforms:
  • Microsoft Cloud environment:
    • Core Microsoft Identity: deep expertise in Entra ID Entra Connect / Cloud Sync and Graph API
    • Identity Governance: deployment and management of PIM Access Reviews and Entitlement Management
    • Advanced configuration of Identity Protection (user/sign-in risk) Risk-based Conditional Access and Microsoft Defender for Identity (MDI)
    • EntraID Workload Identities
    • Collaboration cross-tenant / multi-tenant organizations
    • ADFS / PTA / PHS
    • Intune & endpoint integration
    • Azure Key Vault & other Azure managed services
  • AWS Cloud Environment
    • AWS IAM Users Groups Roles & Policies Management
    • AWS Organizations & Service Control Policies (SCPs)
    • AWS IAM Identity Center (SSO) & Federation
    • Least-Privilege Enforcement & Access Analysis
    • Secrets Management & Temporary Credentials
    • AWS KMS for secure credential and key management.
  • Modern Authentication Deployment:
    • Methods / Passwordless technologies: Windows Hello for Business FIDO2 security keys Microsoft Authenticator Certificate-based Auth
    • Protocols: OAuth 2.0 OpenID Connect SAML 2.0
    • Hardware: YubiKeys TPM-based biometrics Passkeys
    • SSPR / self-service tools AAD Password Protection
    • Application management: app registration Entreprise App managed identity ServicePrincipal
    • Dashboard creation: PowerBI / Workbook Azure
  • Scripting: Powershell / Python / etc
    • Develop custom scripts from scratch and optimize existing codebase to automate identity workflows and system administration
  • Directories: Active Directory
    • ADDS & AD authentication services (NTLM / Kerberos)
    • 3-tier model & delegation model for AD services
    • FSMO roles GPO management AD backup/restore
• Certifications: one or more of the following would be held by the candidate: SC-300 AZ-500 MS-500
• Good knowledge of:
  • Principles & technical mechanisms of identity & access management Privileged Access Management
  • Cloud/IaC: AWS/Azure/GCP IAM Terraform CI/CD
  • Observability/Security: SIEM EDR integrations centralized logging

Additional Information :

Personal Characteristics

• A self-motivated individual who thrives on seeing the results of their work make an impact
• Strong communication skills both verbally and in writing
• Proven ability to be flexible work hard and a sense for the art of the possible
• Methodical organized and with an attention to detail - in general in experimental design and in code!
• Willingness to share their knowledge and learn from others
• An interest in learning about the commodities space
• Resourceful able to think creatively and adapt in a dynamic environment
• Team player with an open non-political style and a high level of integrity

What we offer

• Competitive salary and benefits package
• Real-world impacts on a truly global scale
• Entrepreneurial environment within a flat hierarchy where great ideas come to life quickly
• Close collaboration with various teams and stakeholders across our key regions (eg. London Singapore Houston Geneva)
• A highly motivated MIS organization comprised of experienced individuals with a supportive attitude and great team spirit

Remote Work :

No

Employment Type :

Full-time