
Senior Identity and Access Management (IAM) Engineer

Monroe University

Monroe University, founded in 1933, is a national leader in higher education access, affordability, and attainment. We believe in the power of education to facilitate social mobility and transform communities, and embrace our responsibility to advocate national policies that serve students’ best interests. We are proud of our outcomes and unique caring environment, especially for first-generation college students, newly arriving immigrants, and international students. Our innovative curriculum, taught by experienced industry professionals, integrates local, national, and global perspectives. Our academic programs align with industries that drive the New York and international economies that we serve. Our graduates are prepared for continued scholarship, professional growth, and career advancement.

Overview of the Position:

The Senior IAM Engineer is a senior individual contributor within the Cybersecurity team at Monroe University. This role owns the identity perimeter across Monroe’s hybrid environment — including the cloud identity tenant, on-premises directory services, and integrations with the Student Information System, Human Resources, and cloud applications. The Senior IAM Engineer serves as the primary technical authority on identity architecture, authentication, access lifecycle, and privileged access. This role partners closely with the CIO’s IT team on day-to-day operations while reporting to the Chief Information Security Officer for strategic direction and governance. The Senior IAM Engineer works in close coordination with Monroe’s student-serving functions to enable secure access for students, faculty, staff, and student workers across the Bronx, New Rochelle, and Saint Lucia campuses.

Core Responsibilities:

• Design, implement, and operate Monroe’s cloud identity architecture (Microsoft Entra ID / Azure AD) as the authoritative identity perimeter for students, faculty, staff, and third parties.

• Own identity segmentation strategy — establishing attribute-driven conditional access policies that separate student access from staff and faculty access, while enabling flexible handling of dual roles such as student workers.

• Administer and evolve multi-factor authentication coverage across the full user population, ensuring phishing-resistant authentication for privileged and sensitive roles.

• Implement and manage privileged access management (PAM) for administrative and service accounts across on-premises and cloud environments, including VMware, Microsoft 365, and critical business systems.

• Partner with HR and the Student Information System owners to establish authoritative, attribute-driven identity lifecycle automation — provisioning, deprovisioning, role changes, and academic calendar-aligned access adjustments.

• Own the identity governance function — access reviews, separation of duties enforcement, dormant account cleanup, and regular audits of privileged group membership.

• Manage integrations between the identity platform and cloud applications, including the Learning Management System, financial aid systems, and productivity tools, using modern federation standards (SAML, OAuth, OIDC, SCIM).

• Serve as the identity lead for incident response, providing rapid account investigation, credential compromise assessment, and containment support.

• Collaborate with the Senior Vulnerability and Threat Analyst on identity-centric threat detection, including anomalous sign-in patterns, impossible travel events, and privileged account misuse.

• Document identity architecture, policies, and procedures to support the institution’s GLBA Safeguards Rule compliance posture and to enable knowledge transfer across the Cybersecurity Nucleus and IT teams.

• Support the Student Cyber Corps program by designing secure, sandboxed access patterns for student-led security engagements that never touch production PII.

• Participate in Monroe’s incident response on-call rotation once established.

Skills and Attributes:

• Deep technical expertise with Microsoft Entra ID (Azure AD), including conditional access, Identity Protection, PIM, and hybrid join configurations.

• Strong working knowledge of on-premises Active Directory, Group Policy, and hybrid identity architectures.

• Hands-on experience with privileged access management platforms (CyberArk, BeyondTrust, Delinea, or Microsoft Privileged Identity Management).

• Fluency in modern authentication and federation protocols — SAML 2.0, OAuth 2.0, OIDC, SCIM, and WS-Federation.

• Scripting and automation skills — PowerShell, Microsoft Graph API, and basic Python or equivalent.

• Experience with identity governance platforms (Microsoft Entra ID Governance, SailPoint, Saviynt, or Okta Identity Governance) is strongly preferred.

• Understanding of higher-education identity contexts — FERPA (Family Educational Rights and Privacy Act), GLBA Safeguards Rule — or demonstrated ability to learn rapidly.

• Excellent collaboration and communication skills; comfort working across IT, HR, academic, and student-facing functions.

• Strong documentation habits and a bias toward operationalizing solutions so others can run them.

• Calm, deliberate judgment during incidents; ability to work under pressure without compromising rigor.

Qualifications:

• Bachelor’s degree in Computer Science, Information Systems, Cybersecurity, or a related field; equivalent professional experience considered.

• Minimum 6–8 years of progressive experience in identity and access management, with at least 3 years in a senior or lead technical role.

• Professional certifications such as Microsoft Certified: Identity and Access Administrator Associate, CISSP, or SC-300 strongly preferred.

• Experience in higher education, healthcare, financial services, or another regulated environment is preferred.

• Demonstrated experience supporting MFA rollouts, conditional access implementations, or PAM deployments in production environments.

• Ability to work on-site at Monroe’s Bronx and New Rochelle campuses at least four days per week.

Vacancy posted more than 2 months ago
