
Active Directory / Entra ID Architect

Full-time

IT Infrastructure · Remote (US time zones) · Posted 2026-05-18

We operate a hybrid identity infrastructure spanning on-premises Active Directory Domain Services across three sites, synchronized to Microsoft Entra ID (formerly Azure AD) via Microsoft Entra Cloud Sync. We need an identity architect who understands forests, trusts, Kerberos delegation, and conditional access policy design, and who can explain why the PDC emulator FSMO role still matters in 2026.

Responsibilities

  • Design and maintain multi-forest AD topology with selective authentication trusts between production, staging, and management forests
  • Manage Entra Cloud Sync — attribute mappings, OU scoping filters, writeback configuration (password writeback for SSPR; note that device writeback is not supported by Cloud Sync and requires Entra Connect Sync)
  • Own conditional access policy design: device compliance, MFA strength, session controls, risk-based sign-in policies
  • Manage Group Policy infrastructure: AGPM, Central Store, administrative templates, WMI filtering, loopback processing
  • Design and enforce PKI: internal AD CS two-tier hierarchy (offline root CA, issuing CAs with OCSP responders), certificate templates, auto-enrollment
  • Implement privileged access workstations (PAW), tiered admin model, and PIM for Entra ID roles
  • Write and maintain PowerShell automation for identity lifecycle — provisioning, deprovisioning, access reviews

Requirements

  • 7+ years working with Active Directory in an enterprise environment (5,000+ objects)
  • Deep understanding of Kerberos authentication, NTLM, claims-based authentication, and delegation (constrained, resource-based)
  • Experience with Entra Connect Sync or Entra Cloud Sync, conditional access, and Entra ID Protection
  • Strong PowerShell scripting — ActiveDirectory module and the Microsoft Graph PowerShell SDK (the legacy AzureAD and MSOnline modules are deprecated)
  • Understanding of DNS integrated with AD, including secure dynamic updates and aging/scavenging
  • Knowledge of AD security — pass-the-hash mitigations, LAPS, Protected Users group, Credential Guard
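
The delegation and Protected Users requirements above are the kind of thing an architect in this role would audit on day one. The following is an added example written for this page, not code from the posting or the hiring organisation: it inventories every user and computer account with unconstrained, constrained or resource-based delegation configured, and lists members of privileged groups that are not in Protected Users. It assumes the RSAT ActiveDirectory PowerShell module is installed, that the caller has read access to the domain, and that the built-in groups carry their default English names.

```powershell
# Added example, not part of the posting: audit Kerberos delegation and
# Protected Users coverage in an on-premises AD DS domain.
# Assumptions: RSAT ActiveDirectory module present, caller can read the domain,
# built-in group names are the English defaults.
Import-Module ActiveDirectory

function ConvertFrom-RbcdDescriptor {
    # msDS-AllowedToActOnBehalfOfOtherIdentity is a security descriptor stored on
    # the *resource*; each allow ACE names a principal that may obtain a service
    # ticket to this account on behalf of other users (RBCD).
    param($Raw)
    if ($null -eq $Raw) { return @() }
    $sd = $Raw
    if ($Raw -is [byte[]]) {
        $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $sd.SetSecurityDescriptorBinaryForm($Raw)
    }
    return @($sd.Access | ForEach-Object { $_.IdentityReference.Value })
}

function Get-DelegationReport {
    [CmdletBinding()]
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
             'msDS-AllowedToDelegateTo', 'msDS-AllowedToActOnBehalfOfOtherIdentity',
             'PrimaryGroupID'

    # Both user and computer objects can carry delegation settings.
    $objects = @(Get-ADUser -Filter * -SearchBase $SearchBase -Properties $props) +
               @(Get-ADComputer -Filter * -SearchBase $SearchBase -Properties $props)

    foreach ($o in $objects) {
        $rbcd = ConvertFrom-RbcdDescriptor $o.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        $kind = if ($o.TrustedForDelegation) { 'Unconstrained' }
                elseif ($o.'msDS-AllowedToDelegateTo') {
                    # TrustedToAuthForDelegation = "use any authentication protocol"
                    # (protocol transition), which lets the service mint tickets
                    # for users who never authenticated to it.
                    if ($o.TrustedToAuthForDelegation) { 'Constrained + protocol transition' }
                    else { 'Constrained' }
                }
                elseif ($rbcd.Count -gt 0) { 'Resource-based (RBCD)' }
                else { $null }
        if (-not $kind) { continue }

        [pscustomobject]@{
            Name                 = $o.SamAccountName
            Class                = $o.ObjectClass
            Delegation           = $kind
            # Domain controllers (primary group 516, RODCs 521) are unconstrained
            # by design; flag them so they can be excluded from findings.
            IsDomainController   = ($o.PrimaryGroupID -in 516, 521)
            Targets              = (@($o.'msDS-AllowedToDelegateTo') -join ';')
            AllowedToActOnBehalf = ($rbcd -join ';')
        }
    }
}

function Get-PrivilegedUsersNotInProtectedUsers {
    # Enterprise Admins only exists in the forest root domain; adjust the list
    # when running in a child domain.
    param([string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators'))

    $protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive |
                   ForEach-Object { $_.SID.Value })
    foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' -and $protected -notcontains $_.SID.Value } |
            ForEach-Object { [pscustomobject]@{ Group = $g; User = $_.SamAccountName } }
    }
}

# Usage (assumes the caller has domain read rights):
Get-DelegationReport | Where-Object { -not $_.IsDomainController } | Format-Table -AutoSize
Get-PrivilegedUsersNotInProtectedUsers | Format-Table -AutoSize
```

Two caveats when acting on the output: unconstrained delegation on anything other than a domain controller is almost always a finding, and constrained delegation with protocol transition deserves the same scrutiny as unconstrained. Protected Users membership disables NTLM, RC4 and all forms of delegation for the member and shortens its TGT lifetime, so it is for interactive admin user accounts only; never add computer or service accounts, and test break-glass accounts before enrolling them.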

Nice to Have

  • Experience with AD FS, Web Application Proxy, and claims provider trusts
  • Familiarity with Microsoft Identity Manager (MIM) or Entra Identity Governance
  • Knowledge of the Microsoft Entra Connect provisioning agent (formerly the Azure AD Connect provisioning agent) and HR-driven provisioning
  • Experience migrating from on-prem AD FS to Entra ID for SaaS SSO
  • MCSE: Core Infrastructure (retired) or Microsoft Certified: Identity and Access Administrator Associate (SC-300)

Apply for this position

Send us your resume and a brief cover letter. We review every application.


We respond within 5 business days.