Identity & Privileged Access Security Engineer

Europe, United Kingdom, London
Permanent
Job ID: 2492

Job Description


[Up to c. £175k Comp Package | On-Site Working]


Role Overview

We’re representing a leading investment management firm seeking an Identity & Privileged Access Security Engineer to strengthen identity, authentication, and privileged access controls across the estate. Sitting within cybersecurity, the role focuses on reducing excessive admin rights, tightening identity-based attack paths, and ensuring privileged access remains effective in production.

You’ll own key Microsoft identity capabilities - including Entra ID, Conditional Access, phishing-resistant MFA, privileged elevation, access reviews, and identity governance - in a hands-on role that blends platform ownership, automation, and close collaboration with cloud, endpoint, and SecOps teams...


Key Responsibilities

  • Operate and enhance privileged access controls across internal platforms, including elevation workflows, policy lifecycle management, audit validation, and resilience testing
  • Maintain and improve Microsoft Entra ID configuration across hybrid identity, external collaboration, authentication methods, and user lifecycle processes
  • Own Conditional Access controls, including device posture requirements, risky sign-in handling, phishing-resistant MFA enforcement, and exception governance
  • Run regular privileged access reviews across in-scope systems, identifying excessive permissions and driving remediation activity
  • Manage phishing-resistant authentication processes, including hardware key enrolment, replacement workflows, recovery routes, and supplier coordination
  • Maintain admin tiering standards across privileged accounts, including naming conventions, lifecycle automation, stale account removal, and drift monitoring
  • Partner with cloud security teams on Azure RBAC, PIM activation patterns, and identity-to-resource permission models
  • Work with endpoint engineering teams to ensure Conditional Access policies align with device compliance and posture requirements
  • Collaborate with security operations to improve identity detections covering suspicious sign-ins, token abuse, MFA fatigue, privileged account anomalies, and related attack patterns
  • Support identity protection for senior or high-risk users, ensuring hardened authentication, monitoring, and access controls are consistently applied
  • Build PowerShell and Microsoft Graph automation to streamline joiner/mover/leaver processes, access reviews, privileged account management, and reporting


What You’ll Bring…

  • 3-6 years’ experience in identity engineering, IAM, privileged access management, or identity security roles
  • Strong hands-on experience with Microsoft Entra ID in production environments, including hybrid identity, Entra Connect or Cloud Sync, B2B collaboration, and authentication method migration
  • Practical experience designing and operating Conditional Access policies across enterprise environments
  • Understanding of privileged access models, including Entra PIM, admin tiering, emergency access, JIT elevation, or comparable PAM tooling
  • Hands-on exposure to Active Directory hardening, including delegation clean-up, privileged group review, AdminSDHolder, ACL remediation, or Tier-0 protection
  • Experience with phishing-resistant authentication approaches such as FIDO2, WebAuthn, passkeys, or hardware security keys
  • Strong PowerShell capability and practical experience using Microsoft Graph for automation or reporting
  • Ability to assess over-privilege, identify identity control gaps, and drive remediation with technical stakeholders
  • Strong academic background, including a degree from a Russell Group university or international equivalent
  • (Preferred) Experience with identity governance platforms such as SailPoint, Saviynt, or Entra ID Governance
  • (Preferred) Microsoft identity or security certifications such as SC-300 or SC-100
  • (Preferred) Background in financial services or another regulated environment with strong identity control and audit expectations


...

