Senior IAM Engineer - Entra ID

Pay range: USD $140,000.00 - $185,000.00 / Year

Your opportunity

At Schwab, you're empowered to make an impact on your career. Here, innovative thought meets creative problem solving, helping us "challenge the status quo" and transform the finance industry together.

We believe in the importance of in-office collaboration and fully intend for the selected candidate for this role to work on site in the specified location(s).

We are seeking a highly experienced Senior IAM Engineer with strong architecture responsibility and deep expertise in Microsoft Entra ID, Active Directory, and modern Identity & Access Management (IAM) principles. This role operates in a large-scale, highly regulated enterprise environment and is responsible for driving enterprise-wide identity architecture, designing zero-trust-aligned access controls, modernizing hybrid identity environments, and delivering secure, scalable, and compliant identity solutions.

Key Responsibilities

Identity Architecture & Strategy

• Design, implement, and maintain end-to-end Identity & Access Management architectures using Microsoft Entra ID and Active Directory.
• Establish a long-term identity strategy aligned with business, security, and regulatory requirements.
• Architect secure hybrid identity models including Entra Connect, cloud sync strategies, and identity lifecycle automation.
• Drive adoption of Zero Trust identity principles, including continuous evaluation and least-privilege access.

• Lead design and optimization of Conditional Access policies, authentication flows, MFA, passwordless strategies (FIDO2, Windows Hello Business), and identity protection.
• Architect, standardize, and provide oversight for Entra ID Governance capabilities-PIM, access reviews, entitlement management, custom roles, and segregation of duties.
• Oversee configuration of Entra applications, service principals, federations, SCIM provisioning, and SSO integrations (SAML/OIDC/OAuth2).

• Design secure, resilient, and scalable Active Directory forests, domains, GPO structures, and privileged access boundaries.
• Lead initiatives to modernize AD security posture (tiered administration models, privileged access isolation, delegated administration, and secure baselines).
• Implement AD hardening, lifecycle management, group governance, and remediation of legacy dependencies.

• Develop identity standards, patterns, security baselines, and governance frameworks.
• Ensure compliance with regulatory requirements such as SOX, HIPAA, GDPR, ISO 27001, and internal audit controls.
• Provide guidance for RBAC/ABAC models, identity lifecycle management, privileged access governance, and application onboarding.
• Design identity controls that are auditable, measurable, and automatable, supporting internal risk assessments and regulatory compliance.
• Collaborate with cloud platform and DevSecOps teams to integrate identity controls into cloud landing zones, CI/CD pipelines, and enterprise architectures.
• Partner with security operations to integrate identity telemetry, threat detection, and incident response workflows.

• Work closely with Security Engineering, Application Owners, Cloud Platform Engineering & Architecture, and Infrastructure teams.
• Provide architectural direction during acquisition integration, cloud migrations, and modernization projects.
• Deliver architecture diagrams, roadmaps, threat models, and solution documentation.

• Drive IAM as a shared enterprise platform, balancing security, user experience, and operational resiliency.
• Stay current with identity trends, Entra roadmap updates, and emerging threats.
• Recommend continuous improvement opportunities across authentication, authorization, and identity governance.
• Mentor engineers and guide best practices on identity design and operations.

• 8+ years of experience in Identity & Access Management, architecture or engineering.
• Deep expertise in:
  • Microsoft Entra ID (Azure AD), Conditional Access, Identity Protection, Entra Governance
  • Active Directory design, replication, DNS, GPO, PKI, delegation models
  • SSO protocols: OAuth2, OIDC, SAML, WS-Fed
  • Identity lifecycle automation and provisioning
  • Zero Trust architecture principles
• Strong knowledge of MFA, passwordless, risk-based policies, and authentication flows.
• Experience securing hybrid identity using Entra Connect, federation services, and cloud-only patterns.
• Expertise building Terraform IaC resources and guardrails for identity services through reusable modules and automated CI/CD pipelines.
• Proficiency with PowerShell or automation frameworks.
• Strong understanding of IAM risk management, audit requirements, and regulatory standards.

• Microsoft certifications: SC-300, SC-100, AZ-305, or equivalent.
• Experience with:
  • Privileged Access Workstations (PAW)
  • Microsoft Identity Manager (MIM) or other ILM solutions
  • Conditional Access advanced configurations and automation
  • Enterprise-scale identity consolidation and domain migration projects
  • Modern IAM stacks (SailPoint, CyberArk, Okta)
• Background security architecture, threat modeling, or penetration testing related to identity systems.

• 401(k) with company match and Employee stock purchase plan
• Paid time for vacation, volunteering, and 28-day sabbatical after every 5 years of service for eligible positions
• Paid parental leave and family building benefits
• Tuition reimbursement
• Health, dental, and vision insurance