
Lead Active Directory Engineer

Dormont Manufacturing Co, Lincoln, NE, USA

Pay: $116,400-$194,000/yr

Job type: Full Time


This role is four days onsite at our Seneca One Buffalo, NY location, with the flexibility to work from home one day per week
Overview:

Responsible for designing, securing, and operating Microsoft Active Directory Domain Services (AD DS) in regulated, high-availability environments. Acts as knowledge resource for and trains less experienced engineers. Completes day-to-day support activities and special projects.
Primary Responsibilities:

Enterprise Active Directory Architecture
Proven expertise supporting large-scale, Tier‑1 identity infrastructures with strict uptime, latency, and change‑control requirements
Strong experience with:

Multi-domain and multi-forest designs aligned to business units, regions, or regulatory boundaries
Forest and external trusts supporting M&A, joint ventures, and third-party integrations
FSMO role placement optimized for resilience and auditability

Advanced understanding of Active Directory–integrated DNS, split‑brain DNS, and secure name resolution models
Hybrid Identity & Microsoft Entra ID (Azure AD)
Extensive experience integrating on-prem AD with Microsoft Entra ID in regulated financial environments
Hands-on implementation of:

Entra Connect (Cloud Sync and Traditional)
Password Hash Sync, Pass-through Authentication, and Federation

Strong experience with:

Conditional Access aligned to regulatory and risk-based controls
Hybrid Join, Entra ID Join, and legacy device coexistence

Understanding of identity lifecycle controls to support joiners, movers, leavers, and separation-of-duties requirements
Security, Compliance & Risk Controls
Expert-level knowledge of Active Directory security hardening in financial services, including:

Tiered administrative model (Tier 0/1/2)
Dedicated admin forests or hardened admin boundaries (where applicable)
Privileged Access Workstations (PAWs) / Secure Admin Workstations

Experience enforcing least privilege, role separation, and dual‑control models
Deep familiarity with threats targeting financial institutions:

Credential theft, Kerberoasting, Pass-the-Hash/Ticket
Delegation and ACL abuse

Hands-on experience with:

Privileged Identity Management (PIM)
Regular access reviews and entitlement recertification

Strong alignment with Zero Trust and defense-in-depth identity strategies
Regulatory & Audit Readiness
Demonstrated experience supporting audits and controls for financial regulations and frameworks, such as:

SOX, GLBA, PCI DSS, SOC 2
Internal risk management and model governance requirements

Ability to design AD environments that support:

Strong logging and traceability
Tamper-resistant audit logs
Evidence generation for internal and external auditors

Automation & PowerShell
Advanced PowerShell expertise for:

Controlled, auditable administrative changes
Automated provisioning/deprovisioning aligned to compliance workflows
Identity reporting for risk, security, and audit teams

Experience building automation that integrates with:

Change management processes
IAM, ticketing, and security tooling

Operations, Resilience & Recovery
Deep experience managing:

AD replication topology across data centers and regions
SYSVOL (DFSR) health and recovery
Latency-sensitive authentication dependencies

Strong understanding of:

AD backup, recovery, and authoritative restore procedures
Identity disaster recovery scenarios with defined RTO/RPO

Experience implementing monitoring and alerting with a focus on early risk detection
Leadership & Governance
Acts as technical authority and escalation point for all directory and identity services
Defines and enforces:

Enterprise identity standards
Secure configuration baselines
Operational runbooks and procedures

Partners closely with:

Information Security and IAM teams
Risk, audit, and compliance stakeholders
Infrastructure, cloud, and application teams

Mentors engineers and reviews designs from a security and risk-first perspective
Education and Experience Required:

Bachelor’s degree and a minimum of 5 years’ relevant work experience, or in lieu of a degree, a combined minimum of 9 years’ higher education and/or work experience
Education and Experience Preferred:

Advanced understanding of the security system development and infrastructure lifecycle and architecture, and systems design
Proven experience with the development and customization of tools utilized in assigned Cybersecurity function
Demonstrated ability to translate architecture into technical requirements
Proficient level of critical thinking and problem-solving ability
Excellent communication and interpersonal skills
Experience partnering with leaders to design solutions to business needs.
Proficient persuasive communication skills to gain buy-in of others
Strong ability to analyze and draw reliable conclusions based on large volumes of quantitative data from diverse sources
Ability to serve effectively in an indirect leadership role
M&T Bank is committed to fair, competitive, and market-informed pay for our employees. The pay range for this position is $116,400.00 - $194,000.00 Annual (USD). The successful candidate’s particular combination of knowledge, skills, and experience will inform their specific compensation.
Location

Buffalo, New York, United States of America
