Senior Microsoft Active Directory Security Engineer

We are seeking a Senior Active Directory Security Engineer to strengthen and secure our enterprise Active Directory infrastructure. This role will focus on assessing, remediating, and hardening our AD environment based on detailed security assessments, ensuring compliance with best practices and minimizing attack surfaces.

The ideal candidate will be deeply experienced in AD architecture, security controls, group policies, permissions management, and privilege governance, with a strong track record of remediating complex AD risks in large-scale environments.

RESPONSIBILITIES:

• Conduct detailed Active Directory security assessments and interpret findings from tools like SharpHound and BloodHound.
• Remediate identified AD vulnerabilities such as excessive privileges, unconstrained delegation, unprotected ACLs, plaintext password risks, and insecure Kerberos configurations.
• Implement and enforce Least Privilege Access models across users, groups, OUs, and computers.
• Manage and audit Group Policy Objects (GPOs), permissions, and inheritance to prevent privilege escalation and unauthorized changes.
• Oversee Local Administrator Password Solution (LAPS) deployment and enforcement to secure local admin accounts.
• Analyze and secure service principal names (SPNs), Kerberos encryption types, and delegation settings.
• Collaborate with IT teams to remediate stale or dormant accounts and enforce password policies including expiration and complexity.
• Develop and maintain scripts and automated tools for continuous AD monitoring, reporting, and remediation validation.
• Educate and support IT teams and stakeholders on AD best practices and security controls.
• Participate in incident response activities related to AD compromise or misuse.

• Minimum Bachelors Degree in IT, Computer Science or Engineering
• 5+ years experience managing and securing Microsoft Active Directory in large enterprise environments (10,000+ objects).
• In-depth knowledge of AD architecture, permissions (ACLs), delegation models, and group policy management.
• Strong expertise with Active Directory security tools such as SharpHound, BloodHound, PowerShell, and native Windows auditing.
• Hands-on experience deploying and managing LAPS (Local Administrator Password Solution).
• Understanding of Kerberos authentication mechanisms, SPNs, and encryption types including mitigation of weaknesses like RC4.
• Experience with AD hygiene: identifying and remediating dormant accounts, unprotected ACLs, improper delegation, and privilege abuse.
• Familiarity with scripting (PowerShell, Python) for automation of AD tasks and security checks.
• Experience in designing and enforcing Least Privilege Access policies.
• Knowledge of Windows Server versions and security patching processes.
• Strong communication skills to translate complex security issues for technical and non-technical audiences.
• Microsoft Certified: Identity and Access Administrator Associate (SC-300) or Microsoft Certified: Security, Compliance, and Identity Fundamentals (SC-900)
• Experience with enterprise SIEM integration and incident response processes related to AD
• Familiarity with Azure Active Directory and hybrid AD environments
• Knowledge of cybersecurity frameworks (NIST, CIS Controls, MITRE ATT&CK) relating to identity security
• Meticulous attention to detail
• Proactive problem solver with strong investigative skills
• Ability to work independently and collaboratively across teams
• Passionate about security and continuous learning