Identity and Access Management Consultant

About The Position

Requirements

• Experience: 2–5+ years implementing IAM across at least two areas (SSO/MFA, IGA, PAM/EPM, machine identity), including scripting and CI/CD.
• Education: Bachelor’s in Computer Science, Information Security, or related field—or equivalent practical experience.
• Technical Expertise: Hands‑on with Entra ID (Conditional Access, PIM, B2B/B2C/External ID), Okta/Ping; SailPoint or Saviynt; CyberArk/BeyondTrust/Delinea EPM; Azure Key Vault, managed identity, AKS federation; APIs/Graph; Terraform/Bicep; PowerShell/Python; CI/CD with Azure DevOps/GitHub Actions; observability (KQL/Log Analytics). Development of scripts using tools like powershell/python/javascript/Logic Apps/Power Automate/Flow/Automation Accounts utilizing APIs including Graph API/Rest/SOAP/XML.
• Solution Design and Implementation Experience: Ability to translate architecture into secure, testable designs with clear acceptance criteria and rollback plans. Track record of integrating HRIS/AD/LDAP/SaaS, migrating legacy WAM, and delivering high‑quality builds with automated testing and code review discipline.
• Problem-Solving & Communication: Strong debugging, performance tuning, and root‑cause analysis; bias for automation and simplification. Concise documentation and status reporting; ability to explain technical decisions to mixed audiences.
• Industry Knowledge: Appreciation of regulated‑industry expectations and common audit asks for identity controls and evidence.
• Client-Facing Skills: Comfortable leading working sessions, Knowledge Transfer, and UAT support; proactive in surfacing risks/assumptions.
• Demonstrated Passion: Contributions to scripts/modules, community forums, or knowledge sharing; stays current on passkeys, tenant isolation, and identity threat defenses.
• Additional Requirements: Availability for periodic client travel and professional engagements. Commitment to continuous learning and keeping pace with evolving identity platforms, patterns, and threats.

Nice To Haves

• Certifications (highly desirable): Microsoft SC‑300, AZ‑500; Okta, Ping, SailPoint, Saviynt; CyberArk Defender/Sentry; BeyondTrust/Delinea; HashiCorp Terraform Associate; AZ‑104.

Responsibilities

• Solution Design: Configure OIDC/SAML apps, Conditional Access, device trust, FIDO2/Passkeys, step‑up auth; implement lifecycle workflows (joiner/mover/leaver), access packages, access reviews, SCIM connectors; onboard privileged accounts/secrets, session recording, JIT elevation, endpoint privilege controls; implement Key Vault/managed identity, AKS federation, certificate enrollment/renewal, and secret rotation automation.
• Client Engagement: Translate architecture into build tasks and acceptance criteria; communicate trade‑offs and impacts in clear, actionable terms.
• Implementation: Automate with Terraform/Bicep, PowerShell/Python, and CI/CD (Azure DevOps/GitHub Actions); enforce policy‑as‑code, testing (unit/integration), linting, and code reviews; execute cutovers, blue‑green/rollback, and performance tuning.
• Compliance & Risk Management: Implement controls that satisfy regulatory and security requirements (e.g., NIST 800‑63, ISO 27001, HIPAA/HITRUST, PCI‑DSS, SOX, FedRAMP, NYDFS 500). Ensure privileged access, secrets, and logs meet auditability and SoD expectations.
• Technical Leadership: Demonstrate technical depth, mentor other resources, and contribute scripts, modules, and how‑tos; participate in design and threat‑model reviews.
• Documentation & Reporting: Maintain as‑built docs, config baselines, runbooks, and knowledge transfer materials; provide status, risk/issue tracking, and metrics (e.g., MFA coverage, JML SLAs, privileged onboarding).
• Continuous Improvement: Instrument monitoring/alerting (Log Analytics/KQL), validate DR/backups, and tune policies for usability and security; contribute accelerators that reduce delivery time/cost.
• Practice Development: Support demonstrations, POCs, and SoW inputs (effort estimates, assumptions, dependencies).