Lead Active Directory Engineer

Posted:
4/30/2026, 8:24:12 AM

Location(s):
Delaware, United States ⋅ Wilmington, Delaware, United States

Experience Level(s):
Senior

Field(s):
IT & Security

Workplace Type:
On-site

This role is four days onsite at our Wilmington, DE Tech Hub location, with the flexibility to work from home one day per week

Overview:

Responsible for designing, securing, and operating Microsoft Active Directory Domain Services (AD DS) in regulated, high-availability environments. Acts as a knowledge resource for, and trains, less experienced engineers. Completes day-to-day support activities and special projects.

Primary Responsibilities:

Enterprise Active Directory Architecture

  • Proven expertise supporting large-scale, Tier-1 identity infrastructures with strict uptime, latency, and change-control requirements

  • Strong experience with:

    • Multi-domain and multi-forest designs aligned to business units, regions, or regulatory boundaries

    • Forest and external trusts supporting M&A, joint ventures, and third-party integrations

    • FSMO role placement optimized for resilience and auditability

  • Advanced understanding of Active Directory-integrated DNS, split-brain DNS, and secure name resolution models

Hybrid Identity & Microsoft Entra ID (Azure AD)

  • Extensive experience integrating on-prem AD with Microsoft Entra ID in regulated financial environments

  • Hands-on implementation of:

    • Entra Connect (Cloud Sync and Traditional)

    • Password Hash Sync, Pass-through Authentication, and Federation

  • Strong experience with:

    • Conditional Access aligned to regulatory and risk-based controls

    • Hybrid Join, Entra ID Join, and legacy device coexistence

  • Understanding of identity lifecycle controls to support joiners, movers, leavers, and separation-of-duties requirements

Security, Compliance & Risk Controls

  • Expert-level knowledge of Active Directory security hardening in financial services, including:

    • Tiered administrative model (Tier 0/1/2)

    • Dedicated admin forests or hardened admin boundaries (where applicable)

    • Privileged Access Workstations (PAWs) / Secure Admin Workstations

  • Experience enforcing least privilege, role separation, and dual-control models

  • Deep familiarity with threats targeting financial institutions:

    • Credential theft, Kerberoasting, Pass-the-Hash/Ticket

    • Delegation and ACL abuse

  • Hands-on experience with:

    • Privileged Identity Management (PIM)

    • Regular access reviews and entitlement recertification

  • Strong alignment with Zero Trust and defense-in-depth identity strategies

Regulatory & Audit Readiness

  • Demonstrated experience supporting audits and controls for financial regulations and frameworks, such as:

    • SOX, GLBA, PCI DSS, SOC 2

    • Internal risk management and model governance requirements

  • Ability to design AD environments that support:

    • Strong logging and traceability

    • Tamper-resistant audit logs

    • Evidence generation for internal and external auditors

Automation & PowerShell

  • Advanced PowerShell expertise for:

    • Controlled, auditable administrative changes

    • Automated provisioning/deprovisioning aligned to compliance workflows

    • Identity reporting for risk, security, and audit teams

  • Experience building automation that integrates with:

    • Change management processes

    • IAM, ticketing, and security tooling

Operations, Resilience & Recovery

  • Deep experience managing:

    • AD replication topology across data centers and regions

    • SYSVOL (DFSR) health and recovery

    • Latency-sensitive authentication dependencies

  • Strong understanding of:

    • AD backup, recovery, and authoritative restore procedures

    • Identity disaster recovery scenarios with defined RTO/RPO

  • Experience implementing monitoring and alerting with a focus on early risk detection

Leadership & Governance

  • Acts as technical authority and escalation point for all directory and identity services

  • Defines and enforces:

    • Enterprise identity standards

    • Secure configuration baselines

    • Operational runbooks and procedures

  • Partners closely with:

    • Information Security and IAM teams

    • Risk, audit, and compliance stakeholders

    • Infrastructure, cloud, and application teams

  • Mentors engineers and reviews designs from a security and risk-first perspective

Education and Experience Required:

  • Bachelor's degree and a minimum of 5 years’ relevant work experience, or in lieu of a degree, a combined minimum of 9 years’ higher education and/or work experience

Education and Experience Preferred:

  • Advanced understanding of the security system development and infrastructure lifecycle, architecture, and systems design

  • Proven experience with the development and customization of tools used in the assigned cybersecurity function

  • Demonstrated ability to translate architecture into technical requirements

  • Proficient critical-thinking and problem-solving ability

  • Excellent communication and interpersonal skills

  • Experience partnering with leaders to design solutions to business needs

  • Proficient persuasive communication skills to gain buy-in from others

  • Strong ability to analyze and draw reliable conclusions based on large volumes of quantitative data from diverse sources

  • Ability to serve effectively in an indirect leadership role

M&T Bank is committed to fair, competitive, and market-informed pay for our employees. The pay range for this position is $128,100.00 - $213,500.00 (USD). The successful candidate’s particular combination of knowledge, skills, and experience will inform their specific compensation.

Location

Wilmington, Delaware, United States of America