Identity & Privileged Access Security Engineer | Technology-Driven Trading Firm

We’re representing a leading investment management firm seeking an Identity & Privileged Access Security Engineer to strengthen identity, authentication, and privileged access controls across the estate. Sitting within cybersecurity, the role focuses on reducing excessive admin rights, tightening identity-based attack paths, and ensuring privileged access remains effective in production.

You’ll own key Microsoft identity capabilities - including Entra ID, Conditional Access, phishing-resistant MFA, privileged elevation, access reviews, and identity governance - in a hands‑on role that blends platform ownership, automation, and close collaboration with cloud, endpoint, and SecOps teams.

• Operate and enhance privileged access controls across internal platforms, including elevation workflows, policy lifecycle management, audit validation, and resilience testing.
• Maintain and improve Microsoft Entra ID configuration across hybrid identity, external collaboration, authentication methods, and user lifecycle processes.
• Own Conditional Access controls, including device posture requirements, risky sign‑in handling, phishing‑resistant MFA enforcement, and exception governance.
• Run regular privileged access reviews across in-scope systems, identifying excessive permissions and driving remediation activity.
• Manage phishing‑resistant authentication processes, including hardware key enrolment, replacement workflows, recovery routes, and supplier coordination.
• Maintain admin tiering standards across privileged accounts, including naming conventions, lifecycle automation, stale account removal, and drift monitoring.
• Partner with cloud security teams on Azure RBAC, PIM activation patterns, and identity‑to‑resource permission models.
• Work with endpoint engineering teams to ensure Conditional Access policies align with device compliance and posture requirements.
• Collaborate with security operations to improve identity detections covering suspicious sign‑ins, token abuse, MFA fatigue, privileged account anomalies, and related attack patterns.
• Support identity protection for senior or high‑risk users, ensuring hardened authentication, monitoring, and access controls are consistently applied.
• Build PowerShell and Microsoft Graph automation to streamline joiner/mover/leaver processes, access reviews, privileged account management, and reporting.

• 3-6 years’ experience in identity engineering, IAM, privileged access management, or identity security roles.
• Strong hands‑on experience with Microsoft Entra ID in production environments, including hybrid identity, Entra Connect or Cloud Sync, B2B collaboration, and authentication method migration.
• Practical experience designing and operating Conditional Access policies across enterprise environments.
• Understanding of privileged access models, including Entra PIM, admin tiering, emergency access, JIT elevation, or comparable PAM tooling.
• Hands‑on exposure to Active Directory hardening, including delegation clean‑up, privileged group review, AdminSDHolder, ACL remediation, or Tier‑0 protection.
• Experience with phishing‑resistant authentication approaches such as FIDO2, WebAuthn, passkeys, or hardware security keys.
• Strong PowerShell capability and practical experience using Microsoft Graph for automation or reporting.
• Ability to assess over‑privilege, identify identity control gaps, and drive remediation with technical stakeholders.
• Strong academic background, including a degree from a Russell Group university or international equivalent.
• (Preferred) Experience with identity governance platforms such as SailPoint, Saviynt, or Entra ID Governance.
• (Preferred) Microsoft identity or security certifications such as SC-300 or SC-100.
• (Preferred) Background in financial services or another regulated environment with strong identity control and audit expectations.