This role is four days onsite at our Seneca One Buffalo, NY location, with the flexibility to work from home one day per week
Overview:
Responsible for designing, securing, and operating Microsoft Active Directory Domain Services (AD DS) in regulated, high-availability environments. Acts as knowledge resource for and trains less experienced engineers. Completes day-to-day support activities and special projects.
Primary Responsibilities:
Enterprise Active Directory Architecture
- Proven expertise supporting large-scale, Tier-1 identity infrastructures with strict uptime, latency, and change-control requirements
- Strong experience with:
  - Multi-domain and multi-forest designs aligned to business units, regions, or regulatory boundaries
  - Forest and external trusts supporting M&A, joint ventures, and third-party integrations
  - FSMO role placement optimized for resilience and auditability
- Advanced understanding of Active Directory-integrated DNS, split-brain DNS, and secure name resolution models
Hybrid Identity & Microsoft Entra ID (Azure AD)
- Extensive experience integrating on-prem AD with Microsoft Entra ID in regulated financial environments
- Hands-on implementation of:
  - Entra Connect (Cloud Sync and Traditional)
  - Password Hash Sync, Pass-through Authentication, and Federation
- Strong experience with:
  - Conditional Access aligned to regulatory and risk-based controls
  - Hybrid Join, Entra ID Join, and legacy device coexistence
- Understanding of identity lifecycle controls to support joiners, movers, leavers, and separation-of-duties requirements
Security, Compliance & Risk Controls
- Expert-level knowledge of Active Directory security hardening in financial services, including:
  - Tiered administrative model (Tier 0/1/2)
  - Dedicated admin forests or hardened admin boundaries (where applicable)
  - Privileged Access Workstations (PAWs) / Secure Admin Workstations
- Experience enforcing least privilege, role separation, and dual-control models
- Deep familiarity with threats targeting financial institutions:
  - Credential theft, Kerberoasting, Pass-the-Hash/Ticket
  - Delegation and ACL abuse
- Hands-on experience with:
  - Privileged Identity Management (PIM)
  - Regular access reviews and entitlement recertification
- Strong alignment with Zero Trust and defense-in-depth identity strategies
Regulatory & Audit Readiness
- Demonstrated experience supporting audits and controls for financial regulations and frameworks, such as:
  - SOX, GLBA, PCI DSS, SOC 2
  - Internal risk management and model governance requirements
- Ability to design AD environments that support:
  - Strong logging and traceability
  - Tamper-resistant audit logs
  - Evidence generation for internal and external auditors
Automation & PowerShell
- Advanced PowerShell expertise for:
  - Controlled, auditable administrative changes
  - Automated provisioning/deprovisioning aligned to compliance workflows
  - Identity reporting for risk, security, and audit teams
- Experience building automation that integrates with:
  - Change management processes
  - IAM, ticketing, and security tooling
Operations, Resilience & Recovery
- Deep experience managing:
  - AD replication topology across data centers and regions
  - SYSVOL (DFSR) health and recovery
  - Latency-sensitive authentication dependencies
- Strong understanding of:
  - AD backup, recovery, and authoritative restore procedures
  - Identity disaster recovery scenarios with defined RTO/RPO
- Experience implementing monitoring and alerting with a focus on early risk detection
Leadership & Governance
- Acts as technical authority and escalation point for all directory and identity services
- Defines and enforces:
  - Enterprise identity standards
  - Secure configuration baselines
  - Operational runbooks and procedures
- Partners closely with:
  - Information Security and IAM teams
  - Risk, audit, and compliance stakeholders
  - Infrastructure, cloud, and application teams
- Mentors engineers and reviews designs from a security and risk-first perspective
Education and Experience Required:
- Bachelor's degree and a minimum of 5 years’ relevant work experience, or in lieu of a degree, a combined minimum of 9 years’ higher education and/or work experience
Education and Experience Preferred:
- Advanced understanding of the security system development and infrastructure lifecycle, architecture, and systems design
- Proven experience with the development and customization of tools utilized in the assigned Cybersecurity function
- Demonstrated ability to translate architecture into technical requirements
- Proficient critical-thinking and problem-solving ability
- Excellent communication and interpersonal skills
- Experience partnering with leaders to design solutions to business needs
- Proficient persuasive communication skills to gain buy-in from others
- Strong ability to analyze and draw reliable conclusions from large volumes of quantitative data from diverse sources
- Ability to serve effectively in an indirect leadership role
M&T Bank is committed to fair, competitive, and market-informed pay for our employees. The pay range for this position is $116,400.00 - $194,000.00 Annual (USD). The successful candidate’s particular combination of knowledge, skills, and experience will inform their specific compensation.
Location
Buffalo, New York, United States of America