Lead Active Directory Engineer

Posted:
4/30/2026, 8:24:21 AM

Location(s):
Buffalo, New York, United States ⋅ New York, United States

Experience Level(s):
Senior

Field(s):
IT & Security

Workplace Type:
On-site

This role is four days onsite at our Seneca One Buffalo, NY location, with the flexibility to work from home one day per week.

Overview:

Responsible for designing, securing, and operating Microsoft Active Directory Domain Services (AD DS) in regulated, high-availability environments. Acts as knowledge resource for and trains less experienced engineers. Completes day-to-day support activities and special projects.

Primary Responsibilities:

Enterprise Active Directory Architecture

  • Proven expertise supporting large-scale, Tier‑1 identity infrastructures with strict uptime, latency, and change‑control requirements
  • Strong experience with:
    • Multi-domain and multi-forest designs aligned to business units, regions, or regulatory boundaries
    • Forest and external trusts supporting M&A, joint ventures, and third-party integrations
    • FSMO role placement optimized for resilience and auditability
  • Advanced understanding of Active Directory–integrated DNS, split‑brain DNS, and secure name resolution models

Hybrid Identity & Microsoft Entra ID (Azure AD)

  • Extensive experience integrating on-prem AD with Microsoft Entra ID in regulated financial environments
  • Hands-on implementation of:
    • Entra Connect (Cloud Sync and Traditional)
    • Password Hash Sync, Pass-through Authentication, and Federation
  • Strong experience with:
    • Conditional Access aligned to regulatory and risk-based controls
    • Hybrid Join, Entra ID Join, and legacy device coexistence
  • Understanding of identity lifecycle controls to support joiners, movers, leavers, and separation-of-duties requirements

Security, Compliance & Risk Controls

  • Expert-level knowledge of Active Directory security hardening in financial services, including:
    • Tiered administrative model (Tier 0/1/2)
    • Dedicated admin forests or hardened admin boundaries (where applicable)
    • Privileged Access Workstations (PAWs) / Secure Admin Workstations
  • Experience enforcing least privilege, role separation, and dual‑control models
  • Deep familiarity with threats targeting financial institutions:
    • Credential theft, Kerberoasting, Pass-the-Hash/Ticket
    • Delegation and ACL abuse
  • Hands-on experience with:
    • Privileged Identity Management (PIM)
    • Regular access reviews and entitlement recertification
  • Strong alignment with Zero Trust and defense-in-depth identity strategies

Regulatory & Audit Readiness

  • Demonstrated experience supporting audits and controls for financial regulations and frameworks, such as:
    • SOX, GLBA, PCI DSS, SOC 2
    • Internal risk management and model governance requirements
  • Ability to design AD environments that support:
    • Strong logging and traceability
    • Tamper-resistant audit logs
    • Evidence generation for internal and external auditors

Automation & PowerShell

  • Advanced PowerShell expertise for:
    • Controlled, auditable administrative changes
    • Automated provisioning/deprovisioning aligned to compliance workflows
    • Identity reporting for risk, security, and audit teams
  • Experience building automation that integrates with:
    • Change management processes
    • IAM, ticketing, and security tooling

Operations, Resilience & Recovery

  • Deep experience managing:
    • AD replication topology across data centers and regions
    • SYSVOL (DFSR) health and recovery
    • Latency-sensitive authentication dependencies
  • Strong understanding of:
    • AD backup, recovery, and authoritative restore procedures
    • Identity disaster recovery scenarios with defined RTO/RPO
  • Experience implementing monitoring and alerting with a focus on early risk detection

Leadership & Governance

  • Acts as technical authority and escalation point for all directory and identity services
  • Defines and enforces:
    • Enterprise identity standards
    • Secure configuration baselines
    • Operational runbooks and procedures
  • Partners closely with:
    • Information Security and IAM teams
    • Risk, audit, and compliance stakeholders
    • Infrastructure, cloud, and application teams
  • Mentors engineers and reviews designs from a security and risk-first perspective

Education and Experience Required:

  • Bachelor's degree and a minimum of 5 years’ relevant work experience, or in lieu of a degree, a combined minimum of 9 years’ higher education and/or work experience

Education and Experience Preferred:

  • Advanced understanding of the security system development and infrastructure lifecycle and architecture, and systems design
  • Proven experience with the development and customization of tools utilized in the assigned Cybersecurity function
  • Demonstrated ability to translate architecture into technical requirements
  • Proficient level of critical thinking and problem-solving ability
  • Excellent communication and interpersonal skills
  • Experience partnering with leaders to design solutions to business needs
  • Proficient persuasive communication skills to gain buy-in of others
  • Strong ability to analyze and draw reliable conclusions based on large volumes of quantitative data from diverse sources
  • Ability to effectively serve in an indirect leadership role


M&T Bank is committed to fair, competitive, and market-informed pay for our employees. The pay range for this position is $116,400.00 - $194,000.00 Annual (USD). The successful candidate’s particular combination of knowledge, skills, and experience will inform their specific compensation.

Location

Buffalo, New York, United States of America