Systems Engineer - Senior

Job Description

The Senior Systems Engineer is primarily responsible for the administration and operation of the firm’s enterprise identity and privileged access platforms, with primary focus on Microsoft Entra ID infrastructure, identity governance, and CyberArk privileged access management. This role requires in-depth knowledge of Entra ID (Azure AD), Active Directory, Conditional Access, Privileged Identity Management (PIM), and CyberArk, along with strong proficiency in PowerShell automation. A solid understanding of hybrid identity (Entra Connect), identity protocols, and secure access controls is essential.

The ideal candidate is a hands-on engineer with strong troubleshooting capabilities, a self-starter mindset, and demonstrated experience delivering identity and access initiatives from design through implementation in a global enterprise environment.

Job Responsibilities:

· Identity & Access Management

o Manage identity lifecycle processes (joiner/mover/leaver)

o Implement Conditional Access, MFA, and risk-based controls

o Maintain role-based access models

o Administer enterprise applications and SSO integrations

· Active Directory

o Plan and Deploy AD Sites and Services, Promote/Demote Domain Controllers

o AD user migration using ADMT and Quest

o Support Multiple AD forests and trust between them

o Automate AD health checks, Identity Lifecyle management, etc.

o Setup and review AD health assessments to remediate any vulnerabilities

· Privileged Access (CyberArk)

o Operate CyberArk PAM platform

o Manage privileged account onboarding and credential rotation

o Implement just-in-time access

o Align CyberArk with Entra PIM

· Secure Cloud Administration

o Manage Microsoft Entra ID

o Protect administrative roles and tenant configurations

o Support secure application onboarding

· Identity Integration & Transformation

o Support hybrid identity (Entra Connect)

o Assist with M&A integrations

o Drive cloud-native identity adoption

· Automation & Operations

o Automate tasks using PowerShell

o Improve monitoring and reporting

o Support identity incident escalation

· Serve as an escalation point and provide guidance and direction for the resolution of escalated issues and/or complex production, application or system problems

· Must be able to accommodate schedule flexibility to deal with escalations and occasional changes during non-core business hours

Qualifications

Required Skills/Experience

· 5+ years in identity or security engineering

· Experience with Entra ID, Conditional Access, MFA

· Experience with CyberArk or similar PAM tools

· Knowledge of identity protocols (SAML, OAuth, OIDC)

· Knowledge of Kerberos, LDAP, Active Directory, ADFS, DNS, DHCP.

· Very good knowledge of Azure AD, Conditional Access, MFA, O365 licensing etc.

· Expert knowledge of Windows servers, Active Directory, ADFS, GPOs in a Windows Server 2012 R2 and 2016 environment

Desired Skills/Experience

· Ability to effectively plan, facilitate, and participate in meetings with employees from all organizational levels

· Effectively use teamwork to contribute to a high morale/high-performance team culture, leading by example

· Demonstrate the ability to work in an open way, willingness to share knowledge and resources and to educate others within a global team

· Effective team player and collaborator

· Strong skills in prioritization and reprioritization to react to a dynamic environment as Arch continues to evolve

· Excellent interpersonal and communication skills, including strong listening skills

· Ability to effectively communicate business and technical information to audiences with varying backgrounds

· Ability to communicate with offshore teams and technical development teams

· Good documentation and presentation skills

· Ability to interact with management in a professional manner

Additional Information

• 4-year college degree in Information Technology or similar field

• Technical degree or certifications preferred but not required

• Industry specific training or designation a plus