Job Description

This role is four days onsite at our Wilmington, DE Tech Hub location, with the flexibility to work from home one day per week

Responsible for designing, securing, and operating Microsoft Active Directory Domain Services (AD DS) in regulated, high-availability environments. Acts as knowledge resource for and trains less experienced engineers. Completes day-to-day support activities and special projects.

Primary Responsibilities:

Enterprise Active Directory Architecture

• Proven expertise supporting large-scale, Tier‑1 identity infrastructures with strict uptime, latency, and change‑control requirements

• Strong experience with:

  • Multi-domain and multi-forest designs aligned to business units, regions, or regulatory boundaries

  • Forest and external trusts supporting M&A, joint ventures, and third-party integrations

  • FSMO role placement optimized for resilience and auditability

• Advanced understanding of Active Directory–integrated DNS, split‑brain DNS, and secure name resolution models

Hybrid Identity & Microsoft Entra ID (Azure AD)

• Extensive experience integrating on-prem AD with Microsoft Entra ID in regulated financial environments

• Hands-on implementation of:

  • Entra Connect (Cloud Sync and Traditional)

  • Password Hash Sync, Pass-through Authentication, and Federation

• Strong experience with:

  • Conditional Access aligned to regulatory and risk-based controls

  • Hybrid Join, Entra ID Join, and legacy device coexistence

• Understanding of identity lifecycle controls to support joiners, movers, leavers, and separation-of-duties requirements

Security, Compliance & Risk Controls

• Expert-level knowledge of Active Directory security hardening in financial services, including:

  • Tiered administrative model (Tier 0/1/2)

  • Dedicated admin forests or hardened admin boundaries (where applicable)

  • Privileged Access Workstations (PAWs) / Secure Admin Workstations

• Experience enforcing least privilege, role separation, and dual‑control models

• Deep familiarity with threats targeting financial institutions:

  • Credential theft, Kerberoasting, Pass-the-Hash/Ticket

  • Delegation and ACL abuse

• Hands-on experience with:

  • Privileged Identity Management (PIM)

  • Regular access reviews and entitlement recertification

• Strong alignment with Zero Trust and defense-in-depth identity strategies

Regulatory & Audit Readiness

• Demonstrated experience supporting audits and controls for financial regulations and frameworks, such as:

  • SOX, GLBA, PCI DSS, SOC 2

  • Internal risk management and model governance requirements

• Ability to design AD environments that support:

  • Strong logging and traceability

  • Tamper-resistant audit logs

  • Evidence generation for internal and external auditors

Automation & PowerShell

• Advanced PowerShell expertise for:

  • Controlled, auditable administrative changes

  • Automated provisioning/deprovisioning aligned to compliance workflows

  • Identity reporting for risk, security, and audit teams

• Experience building automation that integrates with:

  • Change management processes

  • IAM, ticketing, and security tooling

Operations, Resilience & Recovery

• Deep experience managing:

  • AD replication topology across data centers and regions

  • SYSVOL (DFSR) health and recovery

  • Latency-sensitive authentication dependencies

• Strong understanding of:

  • AD backup, recovery, and authoritative restore procedures

  • Identity disaster recovery scenarios with defined RTO/RPO

• Experience implementing monitoring and alerting with a focus on early risk detection

Leadership & Governance

• Acts as technical authority and escalation point for all directory and identity services

• Defines and enforces:

  • Enterprise identity standards

  • Secure configuration baselines

  • Operational runbooks and procedures

• Partners closely with:

  • Information Security and IAM teams

  • Risk, audit, and compliance stakeholders

  • Infrastructure, cloud, and application teams

• Mentors engineers and reviews designs from a security and risk-first perspective

Education and Experience Required:

• Bachelor's degree and a minimum of 5 years’ relevant work experience, or in lieu of a degree, a combined minimum of 9 years’ higher education and/or work experience

Education and Experience Preferred:

• Advanced understanding of the security system development and infrastructure lifecycle and architecture, and systems design

• Proven experience with the development and customization of tools utilized in assigned Cybersecurity function

• Demonstrated ability to translate architecture into technical requirements

• Proficient level of critical thinking and problem solving ability

• Excellent communication and interpersonal skills

• Experience partnering with leaders to design solutions to business needs.

• Proficient persuasive communication skills to gain buy-in of others

• Strong ability to analyze and draw reliable conclusions based on large volumes of quantitative data from diverse sources

• Ability effectively serves in indirect leadership role

#LI-JB3 #Hybrid

M&T Bank is committed to fair, competitive, and market-informed pay for our employees. The pay range for this position is $128,100.00 - $213,500.00 (USD). The successful candidate’s particular combination of knowledge, skills, and experience will inform their specific compensation.

Location

Wilmington, Delaware, United States of America