This role is four days onsite at our Wilmington, DE Tech Hub location, with the flexibility to work from home one day per week
Responsible for designing, securing, and operating Microsoft Active Directory Domain Services (AD DS) in regulated, high-availability environments. Acts as knowledge resource for and trains less experienced engineers. Completes day-to-day support activities and special projects.
Enterprise Active Directory Architecture
Proven expertise supporting large-scale, Tier‑1 identity infrastructures with strict uptime, latency, and change‑control requirements
Strong experience with:
Multi-domain and multi-forest designs aligned to business units, regions, or regulatory boundaries
Forest and external trusts supporting M&A, joint ventures, and third-party integrations
FSMO role placement optimized for resilience and auditability
Advanced understanding of Active Directory–integrated DNS, split‑brain DNS, and secure name resolution models
Hybrid Identity & Microsoft Entra ID (Azure AD)
Extensive experience integrating on-prem AD with Microsoft Entra ID in regulated financial environments
Hands-on implementation of:
Entra Connect (Cloud Sync and Traditional)
Password Hash Sync, Pass-through Authentication, and Federation
Strong experience with:
Conditional Access aligned to regulatory and risk-based controls
Hybrid Join, Entra ID Join, and legacy device coexistence
Understanding of identity lifecycle controls to support joiners, movers, leavers, and separation-of-duties requirements
Security, Compliance & Risk Controls
Expert-level knowledge of Active Directory security hardening in financial services, including:
Tiered administrative model (Tier 0/1/2)
Dedicated admin forests or hardened admin boundaries (where applicable)
Privileged Access Workstations (PAWs) / Secure Admin Workstations
Experience enforcing least privilege, role separation, and dual‑control models
Deep familiarity with threats targeting financial institutions:
Credential theft, Kerberoasting, Pass-the-Hash/Ticket
Delegation and ACL abuse
Hands-on experience with:
Privileged Identity Management (PIM)
Regular access reviews and entitlement recertification
Strong alignment with Zero Trust and defense-in-depth identity strategies
Regulatory & Audit Readiness
Demonstrated experience supporting audits and controls for financial regulations and frameworks, such as:
SOX, GLBA, PCI DSS, SOC 2
Internal risk management and model governance requirements
Ability to design AD environments that support:
Strong logging and traceability
Tamper-resistant audit logs
Evidence generation for internal and external auditors
Automation & PowerShell
Advanced PowerShell expertise for:
Controlled, auditable administrative changes
Automated provisioning/deprovisioning aligned to compliance workflows
Identity reporting for risk, security, and audit teams
Experience building automation that integrates with:
Change management processes
IAM, ticketing, and security tooling
Operations, Resilience & Recovery
Deep experience managing:
AD replication topology across data centers and regions
SYSVOL (DFSR) health and recovery
Latency-sensitive authentication dependencies
Strong understanding of:
AD backup, recovery, and authoritative restore procedures
Identity disaster recovery scenarios with defined RTO/RPO
Experience implementing monitoring and alerting with a focus on early risk detection
Leadership & Governance
Acts as technical authority and escalation point for all directory and identity services
Defines and enforces:
Enterprise identity standards
Secure configuration baselines
Operational runbooks and procedures
Partners closely with:
Information Security and IAM teams
Risk, audit, and compliance stakeholders
Infrastructure, cloud, and application teams
Mentors engineers and reviews designs from a security and risk-first perspective
Bachelor's degree and a minimum of 5 years’ relevant work experience, or in lieu of a degree, a combined minimum of 9 years’ higher education and/or work experience
Advanced understanding of the security system development and infrastructure lifecycle and architecture, and systems design
Proven experience with the development and customization of tools utilized in assigned Cybersecurity function
Demonstrated ability to translate architecture into technical requirements
Proficient level of critical thinking and problem solving ability
Excellent communication and interpersonal skills
Experience partnering with leaders to design solutions to business needs.
Proficient persuasive communication skills to gain buy-in of others
Strong ability to analyze and draw reliable conclusions based on large volumes of quantitative data from diverse sources
Ability effectively serves in indirect leadership role
#LI-JB3 #Hybrid
M&T Bank is committed to fair, competitive, and market-informed pay for our employees. The pay range for this position is $128,100.00 - $213,500.00 (USD). The successful candidate’s particular combination of knowledge, skills, and experience will inform their specific compensation.