
Identity Fabric Principal

Posted 29 days ago

Workplace: Office
Location: Warsaw, Masovian Voivodeship, Poland
Experience: SE

Job Description

  • Define and maintain modern authentication standards for applications and APIs (OAuth2/OIDC/SAML), including reference architectures.
  • Support project teams in implementing and troubleshooting auth flows (Auth Code + PKCE, Device Code, Client Credentials, OBO), including edge cases and production incidents.
  • Review and harden token/session configurations (lifetimes, refresh behaviour, session controls) and advise on mitigations for common auth threats (replay, token theft).
  • Design and standardize claims/attributes strategy (least-privilege claims, normalization across IdPs, group/role overage handling) for scalable integrations.
  • Define API access models and permission strategy (scopes vs roles, delegated vs app permissions) and govern consent patterns (admin/incremental) for least privilege and auditability.
  • Configure and operate federation integrations (IdP/SP), including metadata management, planned rollovers, and resolving common SSO issues.
  • Design risk-based access controls and step-up patterns aligned to application sensitivity, using Conditional Access and appropriate MFA/authentication strength.
  • Deliver Entra ID tenant-level configurations and operational posture improvements (baseline configuration, governance touchpoints, operational practices).
  • Design and guide external identity onboarding patterns (Entra External ID CIAM/B2B/B2C), balancing UX, security controls, and supportability.
  • Build, tune and safely roll out Conditional Access / Identity Protection policies (exclusions, break-glass, staged deployment, monitoring and rollback approach).
  • Implement and operate Entra ID Governance capabilities (access packages, entitlement management, access reviews, lifecycle workflows) in alignment with delivery timelines.
  • Provide application onboarding and integration support (Enterprise Apps, App Registrations, service principals, managed identities), including troubleshooting and configuration reviews.
  • Support hybrid identity dependencies involving AD DS (directory design impacts, group structures, delegation models) and advise on sustainable hybrid patterns.
  • Operate and troubleshoot AD FS where still required, and contribute to modernization roadmaps toward cloud-native federation patterns.
  • Develop and maintain PowerShell automation for identity operations (Graph PowerShell and relevant modules): reporting, bulk changes, baseline checks, and repeatable tasks with robust logging.
  • Provide scripted operational support for AD DS/AD FS (user/group lifecycle tasks, reporting, troubleshooting accelerators) within governance and access boundaries.
  • Participate in SailPoint-based IGA delivery (IdentityIQ/IdentityNow): requirements translation, design validation, and alignment of governance outcomes with Microsoft identity patterns.
  • Implement IGA processes end-to-end (JML, access requests/approvals, certifications/reviews, SoD, role/entitlement modeling) and integrate with delivery/operations.
  • Design and improve provisioning and lifecycle integrations (SCIM, authoritative sources, reconciliation, JIT vs managed provisioning), ensuring clean offboarding and access governance.

Qualifications

  • Bachelor's degree plus 10 years of IT experience.
  • Good knowledge of English, at level B2 according to the CEFR scale.
  • Modern auth standards: solid understanding of OAuth 2.0, OpenID Connect and SAML, including typical enterprise use cases (apps, APIs, federation).
  • Token & session security: knowledge of token/session lifecycles (issuance, validation, lifetimes, refresh tokens), plus common risks and mitigations.
  • API permissions & consent: understanding and practical application of scopes vs roles, delegated vs application permissions, and admin/incremental consent models.
  • Entra External ID patterns: practical knowledge of CIAM/B2B/B2C onboarding patterns and UX vs security trade-offs.
  • Hybrid identity foundations (AD DS): solid understanding of domains/forests, trusts, OU/GPO, delegation and how AD DS impacts hybrid identity.
  • SailPoint IGA exposure: practical experience with SailPoint IdentityIQ and/or IdentityNow concepts, delivery model and outcomes.
  • Provisioning & lifecycle integrations: experience with SCIM, authoritative sources, reconciliation, and JIT vs managed provisioning trade-offs.
  • GDPR/EUDPR + AI readiness: ability to apply privacy-by-design in IAM (minimisation, purpose, retention, token/claim hygiene, auditability) and extend governance to AI/agent access where required.
  • Flow implementation & troubleshooting: ability to implement and debug Auth Code + PKCE, Device Code, Client Credentials and OBO flows in real applications.
  • Claims & identity context: ability to design claim sets, mapping/normalization across IdPs, least-privilege claims, and handle group/role overage patterns.
  • Federation operations: experience configuring IdP/SP integrations, metadata management, rollover planning, and resolving common SSO failures.
  • Assurance & risk-based access: capability to apply step-up patterns, MFA trust models, phishing-resistant readiness, and Conditional Access alignment to sensitivity.
  • Microsoft Entra ID delivery: hands-on experience with Entra ID tenant configuration, authentication posture, and operational governance.
  • Conditional Access & Identity Protection: experience designing/tuning CA policies, MFA enforcement, risk signals, exclusions/break glass, and safe rollout practices.
  • Entra ID Governance: working capability with access packages, entitlement management, access reviews, and lifecycle workflows in delivery contexts.
  • App integration engineering: strong experience with Enterprise Apps, App Registrations, service principals, managed identities, and integration support.
  • Federation legacy (AD FS): ability to operate/troubleshoot AD FS (claims rules, relying parties) and contribute to modernization planning.
  • PowerShell automation (Entra/M365): ability to automate reporting and bulk ops using Microsoft Graph PowerShell and relevant modules with reliable logging.
  • PowerShell (AD DS/AD FS): capability to script user/group operations and operational reporting/troubleshooting within governance constraints.
  • IGA process delivery: ability to implement JML, access requests/approvals, certifications/reviews, SoD concepts, and role/entitlement


Employees: 1385
Industry: IT Services and IT Consulting
Headquarters: Luxembourg, Luxembourg
Founded: 2003
Company location: Boulevard du jazz, 13, L-4370 Belvaux, Luxembourg, Luxembourg L-4370, LU
Specialties: Software Development, Data Science, Infrastructure Services, Digital Trust, Mobile Development, Cloud, and Machine Learning

Key team members

Kevin Chew, BA, Dipl. Professional Writing
Sven De Bruyn
Paulo Goncalves
Vassilis Michalitsis
