IT Engineer, Privileged Access Management (PAM)

IT Engineer, Privileged Access Management (PAM)

The Privileged Access Management (PAM) Engineer reports to the Information Security Manager and is responsible for designing, implementing, and operating enterprise PAM capabilities using Microsoft Security technologies and related platforms. This role secures privileged identities and access to critical systems, enforces least-privilege and Zero Trust principles, and supports regulatory and audit requirements.

The PAM Engineer collaborates closely with IAM, Security Operations, Infrastructure, and Application teams to reduce organizational risk while maintaining a secure and user-friendly access model. The role may support security operations and incident response activities when privileged access is involved.

Core PAM Engineering

• Design, implement, and maintain PAM solutions across cloud and hybrid environments using Microsoft Entra ID, Privileged Identity Management (PIM), Conditional Access, and related Microsoft security tooling
• Onboard and manage privileged user, service, and application accounts, including credential vaulting, rotation, and lifecycle management
• Configure and maintain Just-In-Time (JIT) access and privileged role workflows
• Ensure all in-scope systems, applications, vendors, and integrations are protected by PAM controls
• Ensure availability, reliability, and security of PAM platforms and services

Monitoring, Detection & Incident Support

• Monitor PAM-related alerts and logs using Microsoft Sentinel and Defender XDR
• Support investigation and response to incidents involving privileged account misuse or compromise
• Collaborate with Security Operations and MSSPs to enhance PAM monitoring and detection use cases

Governance, Risk & Compliance Support

• Support periodic access reviews and privileged role attestations
• Maintain PAM documentation, standards, runbooks, and operational procedures
• Provide input to security policies, standards, and annual review processes under the guidance of IT and Security leadership
• Support audits and compliance reporting related to privileged access

Integration & Enablement

• Integrate PAM controls with IAM, endpoint, cloud, SIEM, and application platforms
• Partner with application owners and business stakeholders to define privileged access roles and requirements
• Provide technical guidance and training to stakeholders on PAM processes and best practices

Automation & Continuous Improvement

• Develop automation and scripting for PAM account management, reporting, and operational efficiency
• Track PAM KPIs and apply metric driven improvements to reduce risk and operational friction
• Evaluate emerging Microsoft security features and recommend roadmap enhancements

Required Technical Skills

• Hands-on experience with Microsoft Entra ID, Privileged Identity Management (PIM), Conditional Access, and Microsoft Defender products
• Strong understanding of privileged access models, least-privilege principles, and Zero Trust security architecture
• Experience managing identities and access within Microsoft 365 and Azure environments
• Experience with Windows platforms, Active Directory, and authentication/authorization concepts
• Scripting or automation experience (PowerShell preferred)
• Familiarity with SIEM/XDR platforms (Microsoft Sentinel and Defender XDR preferred)
• Technical documentation and runbook development skills

Professional & Behavioral Skills

• Strong communication skills with the ability to explain technical concepts to non-technical audiences
• Proven ability to collaborate across security, IT, and business teams
• Strong analytical, troubleshooting, and problem-solving skills
• Ability to operate effectively in fast-paced and regulated environments
• Continuous-learning mindset with adaptability to evolving security technologies

Education & Experience

• Bachelor's degree in computer science, Information Technology, or a related field preferred
• 3+ years of experience in Microsoft Windows and Microsoft 365 environments with direct responsibility for identity or security controls
• 2+ years of hands-on experience with Microsoft Azure, Entra ID, Defender, and Purview portals
• Experience supporting hybrid (cloud and on-premises) environments
• Experience with application authentication (IdP) and authorization (IdM) concepts
• Experience working across multiple concurrent projects in a dynamic environment

Preferred Experience & Certifications

• Microsoft Certified: Identity and Access Administrator Associate
• Microsoft Certified: Security Operations Analyst Associate
• CISSP or equivalent security certification
• Additional Microsoft Security certifications
• Experience with IAM, Active Directory, Windows Server, SQL Server, or networking fundamentals (DNS, DHCP, LAN/WAN)

At ArchWell Health, we're creating a community of caring designed to help our members stay healthy and engaged. By focusing on a strong provider-patient relationship, routine wellness, and staying active, our members enjoy a higher level of care and better quality of life after the age of 60. Everything we do is for seniors. We believe seniors should be heard, listened to, and given ample time by their physicians to live well later in life.

Our value-based care model is designed to prevent illnesses while keeping members healthy and happy in every aspect of their life. We deliver best-in-class primary care at comfortable, accessible neighborhood centers where older adults can feel at home and become part of a vibrant, wellness-focused community. We're passionate about caring for older adults and united by the belief that caring has the power to change everything for our members.

ArchWell Health is an equal opportunity employer. Qualified applicants will receive consideration for employment without regard to their race, color, religion, age, sex, sexual orientation, gender identity, national origin, disability, veteran status, or any other protected classification.