Security Engineer/Architect - IAM
Job Title: Security Engineer/Architect - IAM
Duration: 12+ Months (possible extension)
Location: New York, NY 10286
Onsite Role (4 days a week)

Responsibilities:

Seeking a hands-on Security Engineer/Architect to design, implement, and govern identity and access management for a FedRAMP-compliant Azure environment using native Microsoft security tooling. Will own the IAM architecture and control lifecycle (policy design, privileged access, identity threat protection, lifecycle governance, and evidence generation), ensuring NIST SP 800-53 control coverage and audit readiness.

Architecture and Design
- Define and maintain Azure IAM architecture and guardrails: tenant segmentation, RBAC strategy, least privilege, managed identities, Conditional Access, and Just-In-Time access via PIM.
- Establish standardized access patterns for workloads, service principals, Managed Identities, and human identities across multi-tenant/multi-subscription Azure footprints.
- Design and enforce secure key/secret management using Azure Key Vault (FIPS 140-2 validated modules), including rotation, access policies, and monitoring.
- Integrate identity threat protection signals (Entra ID Protection, Defender for Identity) into detection and response workflows; ensure coverage for high-risk scenarios (privilege escalation, token theft, MFA fatigue, legacy protocols).

Implementation and Control Enforcement
- Build and maintain Azure Policy/Blueprints to enforce IAM baselines (e.g., MFA requirements, disallow legacy auth, privileged role constraints, Key Vault access policies, managed identity usage).
- Configure Conditional Access, Authentication Strengths, and token controls; manage role assignments, custom roles, and privileged workflows consistent with FedRAMP requirements.
- Drive onboarding of identities and applications to native controls; integrate with CI/CD pipelines for pre-deployment checks and policy-as-code control inheritance.

Operations, Continuous Monitoring, and Evidence
- Partner with SecOps to ensure logging/telemetry completeness (Audit logs, Sign-In logs, Entra ID Risk events, Azure Activity logs) and Sentinel ingestion; author KQL-based detections/playbooks for IAM threats.
- Maintain IAM control narratives, SSP sections, and evidence packages; support the POA&M lifecycle for IAM-related findings and corrective actions.
- Produce monthly/quarterly Continuous Monitoring artifacts for IAM controls (AC, IA, AU, CM, SC), including access reviews, break-glass account attestations, PIM usage audits, and privilege minimization metrics.

Risk, Access Reviews, and Compliance
- Lead periodic access certification campaigns for privileged roles and sensitive applications; implement automated recertification workflows and exception governance.
- Quantify residual risk and document compensating controls; partner with risk/compliance and 3PAOs on assessments, interviews, and artifact reviews.
- Ensure material changes in IAM configurations are reflected in SSP/control narratives and communicated via change management.

Azure Native Tooling (Primary):
- Identity & Access: Microsoft Entra ID (Azure AD), PIM, Conditional Access, Authentication Strengths, RBAC, Managed Identities
- Threat Protection: Entra ID Protection, Microsoft Defender for Identity, Microsoft Defender XDR signals
- SIEM/SOAR: Microsoft Sentinel (Log Analytics, Workbooks, Playbooks/Logic Apps)
- Posture & Policy: Azure Policy, Azure Blueprints, Azure Automation
- Secrets & Crypto: Azure Key Vault (FIPS 140-2), Key Vault HSM (as applicable)
- Monitoring/Telemetry: Azure Monitor, Sign-In/Audit Logs, Diagnostic Settings, Activity Logs

Education/Experience:
- Bachelor's degree in Information Security, Computer Science, Information Systems, or a related field; equivalent experience considered.
- 7+ years in security engineering/architecture, with 3+ years focused on IAM in Azure using native tooling.
- Deep hands-on experience with Entra ID (Azure AD), RBAC, PIM, Conditional Access, Managed Identities, and Key Vault, including policy design and enforcement at scale.
- Practical knowledge of FedRAMP baselines (Moderate/High), NIST SP 800-53 control families, and audit/assessment processes; experience contributing to SSP/ConMon evidence.
- Strong proficiency in Azure Policy/Blueprints and policy-as-code approaches; experience embedding controls into CI/CD.
- Ability to design high-fidelity detections and automate incident response for identity threats using Sentinel and Logic Apps.
- Excellent documentation and communication skills for control narratives, runbooks, access governance procedures, and executive status reporting.

Preferred:
- Experience operating in Azure Government or GCC High tenants and understanding telemetry/control nuances in those environments.
- Background in Zero Trust principles, privileged identity strategy, and secure service-to-service authentication patterns.
- Familiarity with Microsoft Purview and data access governance for sensitive workloads.
- Scripting/automation skills (KQL, PowerShell, Bicep/Terraform basics) to manage identities, enforce policies, and generate evidence.
- Certifications: AZ-500 (Azure Security Engineer Associate), SC-300 (Identity and Access Administrator), SC-200 (Security Operations Analyst), CISSP/CCSP, or equivalent.