Lead Active Directory Engineer

This role is four days onsite at our Seneca One Buffalo, NY location, with the flexibility to work from home one day per week

Overview:

Responsible for designing, securing, and operating Microsoft Active Directory Domain Services (AD DS) in regulated, high-availability environments. Acts as knowledge resource for and trains less experienced engineers. Completes day-to-day support activities and special projects.

Primary Responsibilities:

Enterprise Active Directory Architecture

• Proven expertise supporting large-scale, Tier‑1 identity infrastructures with strict uptime, latency, and change‑control requirements

• Strong experience with:

• Multi-domain and multi-forest designs aligned to business units, regions, or regulatory boundaries

• Forest and external trusts supporting M&A, joint ventures, and third-party integrations

• FSMO role placement optimized for resilience and auditability

• Advanced understanding of Active Directory-integrated DNS, split‑brain DNS, and secure name resolution models

Hybrid Identity & Microsoft Entra ID (Azure AD)

• Extensive experience integrating on-prem AD with Microsoft Entra ID in regulated financial environments

• Hands-on implementation of:

• Entra Connect (Cloud Sync and Traditional)

• Password Hash Sync, Pass-through Authentication, and Federation

• Strong experience with:

• Conditional Access aligned to regulatory and risk-based controls

• Hybrid Join, Entra ID Join, and legacy device coexistence

• Understanding of identity lifecycle controls to support joiners, movers, leavers, and separation-of-duties requirements

Security, Compliance & Risk Controls

• Expert-level knowledge of Active Directory security hardening in financial services, including:

• Tiered administrative model (Tier 0/1/2)

• Dedicated admin forests or hardened admin boundaries (where applicable)

• Privileged Access Workstations (PAWs) / Secure Admin Workstations

• Experience enforcing least privilege, role separation, and dual‑control models

• Deep familiarity with threats targeting financial institutions:

• Credential theft, Kerberoasting, Pass-the-Hash/Ticket

• Delegation and ACL abuse

• Hands-on experience with:

• Privileged Identity Management (PIM)

• Regular access reviews and entitlement recertification

• Strong alignment with Zero Trust and defense-in-depth identity strategies

Regulatory & Audit Readiness

• Demonstrated experience supporting audits and controls for financial regulations and frameworks, such as:

• SOX, GLBA, PCI DSS, SOC 2

• Internal risk management and model governance requirements

• Ability to design AD environments that support:

• Strong logging and traceability

• Tamper-resistant audit logs

• Evidence generation for internal and external auditors

Automation & PowerShell

• Advanced PowerShell expertise for:

• Controlled, auditable administrative changes

• Automated provisioning/deprovisioning aligned to compliance workflows

• Identity reporting for risk, security, and audit teams

• Experience building automation that integrates with:

• Change management processes

• IAM, ticketing, and security tooling

Operations, Resilience & Recovery

• Deep experience managing:

• AD replication topology across data centers and regions

• SYSVOL (DFSR) health and recovery

• Latency-sensitive authentication dependencies

• Strong understanding of:

• AD backup, recovery, and authoritative restore procedures

• Identity disaster recovery scenarios with defined RTO/RPO

• Experience implementing monitoring and alerting with a focus on early risk detection

Leadership & Governance

• Acts as technical authority and escalation point for all directory and identity services

• Defines and enforces:

• Enterprise identity standards

• Secure configuration baselines

• Operational runbooks and procedures

• Partners closely with:

• Information Security and IAM teams

• Risk, audit, and compliance stakeholders

• Infrastructure, cloud, and application teams

• Mentors engineers and reviews designs from a security and risk-first perspective

Education and Experience Required:

• Bachelor's degree and a minimum of 5 years' relevant work experience, or in lieu of a degree, a combined minimum of 9 years' higher education and/or work experience

Education and Experience Preferred:

• Advanced understanding of the security system development and infrastructure lifecycle and architecture, and systems design
• Proven experience with the development and customization of tools utilized in assigned Cybersecurity function
• Demonstrated ability to translate architecture into technical requirements
• Proficient level of critical thinking and problem solving ability
• Excellent communication and interpersonal skills
• Experience partnering with leaders to design solutions to business needs.
• Proficient persuasive communication skills to gain buy-in of others
• Strong ability to analyze and draw reliable conclusions based on large volumes of quantitative data from diverse sources
• Ability effectively serves in indirect leadership role

#LI-JB3 #Hybrid

M&T Bank is committed to fair, competitive, and market-informed pay for our employees. The pay range for this position is $116,400.00 - $194,000.00 Annual (USD). The successful candidate's particular combination of knowledge, skills, and experience will inform their specific compensation.

Location

Buffalo, New York, United States of America