Senior Principal/Architect (Identity & Security)

Are you ready to make an impact?

Senior Principal/Architect (Identity & Security)


Overview


West Monroe is seeking a Senior Principal/Architect (Identity & Security) to lead cross-functional teams in the design, remediation, and modernization of complex identity and cloud infrastructure solutions. This role focuses on securing and transforming critical IT environments for a diverse portfolio of clients, helping them navigate complex Active Directory modernizations, cloud identity migrations, and security hardening initiatives. This opportunity provides technical leadership in transforming complex IT environments across key industry verticals, including Healthcare, Financial Services, Private Equity, and High Tech. While the scope spans hybrid and cloud identity, the work is particularly grounded in Active Directory as a core Tier 0 platform, with strong Microsoft Entra ID expertise to design and operate modern hybrid identity patterns.


Responsibilities

• Partner with consultants and client leadership to architect, build, and deploy secure and modern Active Directory and Microsoft Entra ID solutions.

• Assess current-state identity environments and processes, interview stakeholders, define critical requirements, and present practical solution strategies and roadmaps to client executives.

• Lead the technical design of future-state Active Directory (AD DS) and Entra ID architectures, including privileged access management (PAM) design, tiered administrative access models (e.g., Microsoft's Enterprise Access Model (EAM)), and identity consolidation strategies.

• Establish and enforce identity architecture standards, best practices, and governance to deliver secure, compliant, and consistent solutions aligned with industry benchmarks (e.g., CIS and Microsoft baselines) .

• Lead security assessment and remediation planning, including consolidating findings from tools (e.g., Purple Knight, Maester, CIS Benchmark-based configuration assessments (e.g., CIS-CAT)) to create and manage prioritized, risk-based remediation backlogs.

• Provide expert technical oversight for security remediation initiatives, such as hardening domain controllers, remediating privileged access, resolving Entra Connect sync issues, and restricting legacy protocols.

• Develop detailed implementation plans, migration strategies, and remediation backlogs (e.g., in Smartsheet or similar project management tools) for AD restructuring, AD consolidation, identity synchronization, and legacy decommissioning.

• Establish and manage engagement-level governance, quality, and risk , including defining quantitative success criteria, RACI, and clear communications to both technical and executive stakeholders.

• Support key decision-making on project direction, including technology selections, team workstreams, and delivery methodologies.

• Mentor junior consultants on technical best practices, solution design, and client engagement.

• Assist business development efforts through proposals, pre-sales technical discovery, and client presentations.
• Leverage AI tools to accelerate analysis, synthesize complex information, and support data-driven recommendations for clients, exercising sound judgment in evaluating outputs.
• Apply AI technologies (e.g., generative AI, automation tools, data models) to enhance insights, improve delivery efficiency, and elevate the quality of client outcomes.

Qualifications

• Bachelor's degree in a relevant field preferred, or equivalent experience required.

• Prior experience in consulting preferred.

• 8-12+ years of experience in IT architecture, engineering, and/or security with a deep focus on identity solutions.

• Expert-level knowledge of Active Directory Domain Services (AD DS) design, security, and administration, including: domain/forest architecture, sites/replication, DNS, Group Policy (GPO) management, DC virtualization safeguards, and forest recovery principles.

• Strong experience with Microsoft Entra ID (formerly Azure AD), including Entra Connect, Conditional Access, modern authentication methods, and Privileged Identity Management (PIM).

• Proven experience leading identity migrations (including on-premises to cloud, cross-forest restructurings, and Tenant-to-Tenant (cross-tenant) consolidations), AD remediations, and/or consolidation projects.

• Experience designing and implementing hybrid authentication patterns between AD DS and Microsoft Entra ID, including pass-through authentication (PTA), Seamless SSO, Cloud Kerberos Trust, and phishing-resistant authentication methods.

• Proficiency in designing and implementing enterprise Privileged Access Management (PAM) solutions (including typical platforms like CyberArk, Delinea, or similar) and tiered administrative access models (e.g., Tier 0/1/2, Microsoft's Enterprise Access Model (EAM)).

• Hands-on experience with Active Directory and Microsoft Entra ID security assessment and testing tools (e.g., Purple Knight, PingCastle, Maester, Microsoft Defender for Identity or similar AD threat detection platforms) and hardening methodologies (e.g., CIS Benchmarks and Microsoft security baselines).

• Proficiency with AD security hardening techniques such as KRBTGT password rotations, restricting NTLM, Group Policy object (GPO) cleanup, Local Administrator Password Solution (LAPS), implementing resource-based Kerberos constrained delegation (RBKCD), and configuring LDAP signing.

• Familiarity with migration and directory protection tools (e.g., Quest On-Demand Migration) and identity-driven application dependencies.

• Strong communication (written and verbal), presentation, client management, and team leadership skills.

• Willingness to travel for out-of-town client engagements.
• Experience integrating AI tools (e.g., ChatGPT) into day-to-day workflows to enhance productivity and insight generation, coupled with strong critical thinking to assess accuracy, mitigate bias, and ensure high-quality outputs.

• Bonus skills:

• Familiarity with compliance standards (e.g., NIST, HIPAA, ISO).

• Advanced scripting for automation and analysis (e.g., PowerShell ).

• Knowledge of Infrastructure as Code (Terraform) and DevSecOps practices.

• Familiarity with application dependency and network flow mapping tools (e.g., Device42, Faddom) used to discover AD-integrated application dependencies and support migration planning or microsegmentation boundaries.

• Familiarity with Active Directory resilience and recovery tooling (e.g., Semperis, ADEngine) is a plus.

• Experience migrating from on-premises Active Directory Certificate Services (AD CS) to cloud-native PKI solutions is a plus.

• Familiarity with enterprise Identity Governance and Administration (IGA) platforms (e.g., SailPoint, Saviynt) to manage and improve periodic access certifications (e.g., moving from spreadsheets to a tool) and run detective Segregation of Duties (SoD) reports.

• Experience automating identity lifecycles by replacing nightly batch files from a Human Resources Information System (HRIS) with Application Programming Interface (API)-driven syncs or establishing governance for non-employee/contractor identities.

• Understanding of System for Cross-domain Identity Management (SCIM) or API-based provisioning to automate Joiner-Mover-Leaver (JML) workflows for Software as a Service (SaaS) apps, expanding beyond just core directories and email.

• Experience with Tier-0 threat monitoring and detection strategies, including security event logging and SIEM integration with Active Directory and other Tier 0 assets.

• Professional certifications (e.g., Microsoft Identity/SC series, CISSP, CyberArk/Delinea).

• Occasional exposure to CIAM platforms (e.g., Microsoft Entra External ID, Okta, Auth0) and associated migration/implementation patterns is a plus but not a core requirement.

What to Expect

• A collaborative, flexible, and outcomes-driven consulting environment.

• A culture that values inclusion, diverse perspectives, and teamwork.

• A business-focused and industry-specific approach to deploying technology that helps clients tackle their most significant challenges and deliver tangible results, free from rigid hierarchies.

• While the role spans a broad range of identity technologies and tools, no candidate is expected to be an expert in every item listed . We are seeking deep strength in Tier-0 Active Directory security and modernization, paired with strong Microsoft Entra ID knowledge and the curiosity to rapidly master adjacent areas.

Ready to get started? Join the team and make an impact.


Based on pay transparency guidelines, the salary range for this role can vary based on your proximity to one of our West Monroe offices (see table below). Information on our competitive total rewards package, including our bonus structure and benefits is here. Individual salaries are determined by evaluating a variety of factors including geography, experience, skills, education, and internal equity.

Employees (and their families) are covered by medical, dental, vision, and basic life insurance. Employees are able to enroll in our company's 401k plan, purchase shares from our employee stock ownership program and be eligible to receive annual bonuses. Employees will also receive unlimited flexible time off and ten paid holidays throughout the calendar year. Eligibility for ten weeks of paid parental leave will also be available upon hire date.


Seattle or Washington, D.C.

$203,200-$239,100 USD

Los Angeles

$212,900-$250,500 USD

New York City or San Francisco

$222,500-$261,900 USD

A location not listed above

$193,500-$227,700 USD

Other consultancies talk at you.
At West Monroe, we work with you.

We're a global business and technology consulting firm passionate about creating measurable value for our clients, delivering real-world solutions.

The combination of business and technology is not new, but how we bring them together is unique. We're fluent in both. We know that technology alone is not the answer, but how we apply it is. We rely on data to constantly adapt and solve new challenges. Actions that work today with outcomes that generate value for years to come.

At West Monroe, we zero in on the heart of the opportunity, getting to results faster and preparing people for what's next.

You'll feel the difference in how we work. We show up personally. We're right there in the room with you, co-creating through the challenges. With West Monroe, collaboration isn't a lofty promise, but a daily action. We work together with you to turn vision into clear action with lasting impact.

West Monroe is an Equal Employment Opportunity Employer
We believe in treating each employee and applicant for employment fairly and with dignity. We base our employment decisions on merit, experience, and potential, without regard to race, color, national origin, sex, sexual orientation, gender identity, marital status, age, religion, disability, veteran status, or any other characteristic prohibited by federal, state or local law. To learn more about diversity, equity and inclusion at West Monroe, visit If you require a reasonable accommodation to participate in our recruiting process, please inquire by sending an email to View email address on click.appcast.io.

Please review our current policy regarding use of generative artificial intelligence during the application process.

If you are based in California, we encourage you to read West Monroe's Notice at Collection for California residents, provided pursuant to the California Consumer Privacy Act (CCPA) and linked here.