Staff Enterprise and Cloud Engineer

Our Mission Healthcare should work for patients, but it doesn’t. In their time of need, they call down outdated insurance directories. Then wait on hold. Then wait weeks for the privilege of a visit. Then wait in a room solely designed for waiting. Then wait for a surprise bill. In any other consumer industry, the companies delivering such a poor customer experience would not survive. But in healthcare, patients lack market power. Which means they are expected to accept the unacceptable. Zocdoc’s mission is to give power to the patient. To do that, we’ve built the leading healthcare marketplace that makes it easy to find and book in-person or virtual care in all 50 states, across +200 specialties and +12k insurance plans. By giving patients the ability to see and choose, we give them power. In doing so, we can make healthcare work like every other consumer sector, where businesses compete for customers, not the other way around. In time, this will drive quality up and prices down. We’re 18 years old and the leader in our space, but we are still just getting started. If you like solving important, complex problems alongside deeply thoughtful, driven, and collaborative teammates, read on. *Please note, we are open to remote candidates for this role. Your Impact on Our Mission Zocdoc’s greatest asset is its people. As a Staff Cloud IAM Engineer on our Corporate Cloud Engineering team within Corporate IT, you’ll make it possible for every Zocdoc’r to work securely and efficiently. You will own the technical vision and strategy for identity and access management across our corporate stack, with Microsoft Entra ID, enterprise SSO/SCIM, and our SaaS and AI platforms at the center. You’ll design scalable identity governance that keeps teams productive while reducing risk, and you’ll lead cross‑functional initiatives that make secure, least‑privilege access the default, not an afterthought. You’ll also play a key role in the reliability and security of our core corporate infrastructure: helping ensure our AWS/Azure/GCP environments, on‑prem VMware footprint, and foundational services are patched, healthy, and well‑run so engineering and business teams can focus on shipping product and supporting patients and providers. You'll enjoy this role if you are… Technical Domain Expert: Deeply fluent in Microsoft Entra ID (Identity Governance, Access Packages), SSO/SCIM standards (SAML, OIDC), and custom integrations for a diverse SaaS and AI estate. AI Governance Pioneer: Excited to scale AI platforms like OpenAI and Anthropic through thoughtful RBAC, tiered spend/quota governance, and secure, consumable access patterns. Outcome-Oriented Automationist: Comfortable working the access queue to identify patterns, with a relentless focus on building the automation and self-service tools that retire repetitive manual work. Collaborative Leader & Mentor: A cross-functional partner who models Staff-level behaviors by mentoring engineers, aligning stakeholders, and setting the technical standards that drive adoption across the organization. Autonomous & Curious Professional: An outcome-driven leader who brings humility, curiosity, and a sense of humor to solving challenging problems in a growing, high-scale environment. Your day to day is… Strategic IAM Vision & Authority: Own the multi-year technical roadmap and architectural standards for Corporate and Cloud IAM (centered on Entra ID), acting as the technical authority who uplevels the team through design reviews and RFCs. Scalable SSO & AI Governance: Architect secure SSO, SCIM, and JIT provisioning patterns for all enterprise tools, specifically owning the access posture, spend governance, and automated approval workflows for AI platforms (OpenAI, Claude, GCP). Enterprise SaaS Architecture: Define configuration standards, security baselines, and lifecycle management patterns that scale across dozens of SaaS platforms. Drive consolidation and rationalization initiatives, and proactively close governance gaps before they become audit findings or incidents. Automation & Toil Elimination: Field escalated tickets to identify and eliminate repeating manual work—converting complex access requests into self-service paths or automated workflows using Terraform, Python, or PowerShell. Access Incident Response & On-Call: Participate in a tiered on-call rotation for triaging functional area outages, conditional access failures, compromised accounts, and break-glass events, and convert recurring pages into automated detections, runbooks, and self-healing workflows to reduce toil over time. Endpoint Lifecycle & Software Distribution: Own the architectural engineering of endpoint configuration, software distribution, and provisioning workflows across Jamf (macOS) and Intune (Windows), partnering with InfoSec on hardening baselines and rolling out enterprise software (including AI developer tools) at scale. Identity Hygiene & Infrastructure: Hands-on ownership of identity certificate and token lifecycles, GitHub access pipelines, and AWS landing-zone governance (Control Tower/IAM baselines) to ensure proactive monitoring and prevent configuration drift. Zero Trust & Device Posture: Partner with Security to drive Zero Trust initiatives, integrating Conditional Access with device posture data from Intune, Jamf, and CrowdStrike across the broader SaaS estate (Snowflake, Jira, Google Workspace). Compliance & Audit Engineering: Lead IAM workstreams for HITRUST and SOC2 cycles by translating audit requirements into reusable engineering patterns and participating in a critical on-call rotation for access-related incidents. Trusted Cross-Functional Partner: Serve as a trusted technical partner to InfoSec, People Systems, Compliance, and Engineering leadership. Influence roadmap priorities based on deep understanding of stakeholder needs, and represent IT Engineering in strategic planning, audit cycles, and incident response. Org-Level Visibility: Lead initiatives whose impact is recognized at the organizational level identity governance transformation, least-privilege enforcement at scale, or AI access governance translating business goals into actionable plans and aligning multiple teams behind them. You'll be successful in this role if you have… Scope of Prior Ownership: Track record leading identity or enterprise platform initiatives at a multi-thousand-employee organization, with measurable outcomes (toil eliminated, audit findings reduced, time-to-access shortened, or comparable business metrics). Influence Without Authority: Demonstrated ability to drive adoption of standards across teams through RFCs, design reviews, and architectural pattern-setting. Architectural Leadership & Influence: 10+ years in IT/Systems (mid-to-large scale) as a "player-coach" with a proven track record of defining adoption-ready standards and writing the design docs/RFCs that become the organization’s source of truth. Entra ID & Identity Governance: Deep expertise in Microsoft Entra ID (Conditional Access, PIM, Identity Governance) and the ability to own the entire identity lifecycle, including onboarding/offboarding flows and permission hygiene. Scalable Integration Engineering: Extensive experience delivering SSO and SCIM integrations (SAML, OIDC/OAuth) across a massive SaaS estate, with a focus on replacing manual access work with programmatic or self-service provisioning. Process Automation & Toil Reduction: A systems-thinker comfortable being measured by toil eliminated; expert at automating workflows across IdP, HRIS (Workday), and SaaS platforms via APIs to remove repetitive manual tasks. Modern AI & Ecosystem Management: Experience governing IAM, spend, and quotas for AI platforms (OpenAI, Anthropic) and fluency in using Generative AI tools (Claude Code, LLMs) to accelerate engineering velocity. Compliance & Security Hygiene: Experience in audit-sensitive environments ( HITRUST/SOC2 evidence collection) and owning the security hygiene of the identity certificate and token lifecycle. Enterprise Platform Oversight: Familiarity with the broader endpoint and security ecosystem, including Intune, Jamf, Google Workspace, and CrowdStrike, to ensure a cohesive identity posture across all platforms. Infrastructure-as-Code & AWS: Hands-on experience with AWS infrastructure and networking primitives (VPC, DNS, Load Balancing) to debug connectivity, utilizing AWS CDK, Terraform, Python, or PowerShell for automation. Zocdoc is committed to fair and equitable compensation practices. Salary ranges are determined through alignment with market data. Base salary offered is determined by a number of factors including the candidate’s experience, qualifications, and skills. Certain positions are also eligible for variable pay and/or equity. Remote Base Salary Range

$180,000—$270,000 USD

About us Zocdoc is the country’s leading digital health marketplace that helps patients easily find and book the care they need. Each month, millions of patients use our free service to find nearby, in-network providers, compare choices based on verified patient reviews, and instantly book in-person or video visits online. Providers participate in Zocdoc’s Marketplace to reach new patients to grow their practice, fill their last-minute openings, and deliver a better healthcare experience. Founded in 2007 with a mission to give power to the patient, our work each day in pursuit of that mission is guided by our six core values. Zocdoc is a private company backed by some of the world’s leading investors, and we believe we’re still only scratching the surface of what we plan to accomplish. Zocdoc is a mission-driven organization dedicated to building teams as diverse as the patients and providers we aim to serve. In the spirit of one of our core values - Together, Not Alone, we are a company that prides itself on being highly collaborative, and we believe that diverse perspectives, experiences and contributors make our community and our platform better. We’re an equal opportunity employer committed to providing employees with a work environment free of discrimination and harassment. Applicants are considered for employment regardless of race, color, ethnicity, ancestry, religion, national origin, gender, sex, gender identity, gender expression, sexual orientation, age, citizenship, marital or parental status, disability, veteran status, or any other class protected by applicable laws. Job Applicant Privacy Notice