Identity & Access Management Specialist

Overview The Identity Management Specialist is responsible for designing, implementing, and operating the firm’s identity and access management (IAM) program across on-premises and cloud environments — with a strong emphasis on Microsoft Entra ID and hybrid identity architectures. This role administers the full identity lifecycle — joiner, mover, leaver (JML) - enforces least-privilege access, automates provisioning and governance, and ensures that every user, service account, and privileged identity is provisioned, reviewed, and deprovisioned in a controlled, auditable manner across both on-premises Active Directory and the Entra ID cloud. Responsibilities Identity Lifecycle Management Operate and enhance the JML (Joiner / Mover / Leaver) process across Active Directory, Entra ID, Exchange, M365, and downstream business applications. Automate provisioning, role changes, and deprovisioning through identity management solutions (One Identity Manager, ServiceNow, ManageEngine ADManager Plus, Cayosoft Administrator or others). Manage Active Directory and Entra ID objects (users, groups, OUs, contacts, mail-enabled objects) at scale using identity management solutions. Hybrid Identity & Directory Operations Design, operate, and troubleshoot hybrid identity across on-premises Active Directory and Microsoft Entra ID — including Entra Connect / Connect Sync / Cloud Sync, password hash sync (PHS), pass-through authentication (PTA), federation (AD FS), and seamless SSO. Administer multi-domain / multi-forest Active Directory, Entra ID tenants, and B2B/B2C scenarios. Manage Conditional Access, Entra ID Protection, Privileged Identity Management (PIM), Access Reviews, and Entra ID Governance. Maintain hybrid object flow, attribute mapping, filtering, and writeback (group, device, password writeback). Access Governance & Reviews Design and execute periodic access certification campaigns (One Identity Manager / ServiceNow Access Reviews / Entra ID Access Reviews) for high-risk applications, shared mailboxes, distribution lists, and privileged groups. Maintain role-based access control (RBAC) models, entitlement catalogs, and segregation of duties (SoD) policies. Investigate and remediate orphaned accounts, stale entitlements, and policy violations. Service Request & Workflow Automation Own the IAM request catalog in ServiceNow — new accounts, group membership changes, application access, privileged access, and terminations. Build and maintain ServiceNow workflows, IntegrationHub / Flow Designer flows, and approval routings that connect HRIS, ITSM, and identity systems. Implement self-service password reset, MFA enrollment, and account unlock through Entra ID SSPR. Privileged Account Operations Administer privileged and service accounts across AD and Entra ID; integrate with PAM solutions where applicable. Use privilege accounts password management solution for delegated administration, change auditing, AD recovery, and Entra ID tenant management. Monitoring, Compliance & Reporting Monitor identity-related alerts, sign-in risk events, and Conditional Access policy enforcement. Produce metrics and reports for audit, risk, and leadership — provisioning SLAs, access review completion, dormant accounts, privileged access usage. Support compliance evidence collection for SOC 2, ISO 27001, NYDFS Part 500, GDPR, and client security questionnaires. Collaboration & Documentation Partner with HR, Security, Infrastructure, and Application owners on onboarding/offboarding and role design. Maintain runbooks, SOPs, integration designs, and architecture diagrams for the IAM platform. Provide L3 support and mentor L1/L2 service desk staff on identity issues. Compensation : -The anticipated base salary range offered for this role will be between $140,000 to $160,000 and represents the firm’s good faith and reasonable estimate of the range of possible base compensation. Actual base compensation will be dependent upon several factors, including but not limited to the candidate’s relevant experience, performance, qualifications, degrees, and location, well as the needs of the firm. Qualifications Bachelor’s degree in Computer Science, Information Systems, or related field (equivalent experience accepted). 5+ years of hands‑on Identity and Access Management experience across hybrid Microsoft environments (Active Directory + Entra ID / Azure AD). Strong working knowledge of Microsoft Entra ID (Azure AD) and hybrid identity models — including Entra Connect / Connect Sync / Cloud Sync, password hash sync, pass‑through authentication, federation (AD FS), seamless SSO, Conditional Access, MFA, Entra ID Protection, Privileged Identity Management (PIM), Access Reviews, Entra ID Governance, and Enterprise Application SSO/provisioning. Deep, demonstrable experience with the following IAM/IGA toolset: One Identity Manager (OneIM) — connectors, synchronization projects, attestation/access reviews, custom workflows, IT Shop, role and entitlement modeling, and PowerShell/SQL customization. ServiceNow — IAM service catalog, workflow / Flow Designer, IntegrationHub, ITSM integration with identity systems, and ideally ServiceNow Identity Governance & Administration (SN-IGA) or HR Service Delivery integrations. ManageEngine ADManager Plus — bulk AD/Entra ID administration, automation policies, custom reports, self‑service password reset/MFA, and delegation. Cayosoft Administrator and Cayosoft Guardian — hybrid AD/Entra ID administration, change monitoring, AD object recovery, and tenant management. Solid understanding of Active Directory, Group Policy, Kerberos, LDAP, SAML, OAuth 2.0, OIDC, and SCIM. Scripting and automation proficiency in PowerShell (AD, Exchange Online, Microsoft Graph, Entra ID / MSOnline / AzureAD modules); familiarity with REST APIs and JSON. Solid understanding of RBAC, ABAC, least privilege, segregation of duties, and identity lifecycle controls. Preferred Qualifications Experience integrating IAM with HRIS platforms (Workday) as authoritative source for JML. Exposure to additional IAM/IGA/PAM platforms (SailPoint IdentityIQ / OneIdentity. Saviynt, CyberArk, BeyondTrust, Delinea, Microsoft Entra ID Governance). Experience with SaaS provisioning via SCIM and Entra ID Enterprise Applications. Industry certifications: SC-300 (Microsoft Identity and Access Administrator) , One Identity Manager certifications, ServiceNow CIS-ITSM / CIS-SecOps, CISSP, CIAM, or equivalent. Experience in a law firm, financial services, or other highly regulated environment. #J-18808-Ljbffr Milbank, Tweed, Hadley & McCloy LLP