Senior Active Directory - Cloud Identit… at Bank of America

What you'd actually do

Lead architecture, engineering, and operations for Active Directory forests, domains, and Group Policy **in a multi-site, highly regulated environment.

Design and drive adoption of hybrid identity solutions** integrating on‑prem and cloud-based services.

Implement and optimize authentication and authorization controls: SSO, MFA, Conditional Access, identity protection, and modern protocols (SAML, OAuth2, OIDC).

Define and enforce standards for identity lifecycle: joiner/mover/leaver processes, automated provisioning/deprovisioning, access reviews, and role-based access control (RBAC).

Partner with stakeholders and business teams to implement least-privilege, privileged access management (PAM), and Zero Trust-aligned identity controls.

Skills

Required

10+ years of hands-on experience administering and engineering enterprise Active Directory in a large, multi-site environment.
Strong expertise in: AD forest/domain design, trusts, DNS, Group Policy, replication, and AD security hardening.
5+ years working with Azure AD/Entra ID and hybrid identity (synchronization, federation, ADFS or equivalent, cloud-only and hybrid scenarios).
Deep understanding of identity and access management concepts: authentication, authorization, RBAC, least privilege, PAM, Zero Trust.
Strong experience with MFA, Conditional Access, SSO, and identity federation using SAML, OAuth2, and OpenID Connect.
Proficiency with PowerShell for automation, reporting, and bulk operations in AD and Azure AD.
Experience operating in regulated environments (preferably banking/financial services) with audit, risk, and compliance requirements.
Solid understanding of networking and security fundamentals (TCP/IP, firewalls, TLS, certificates, PKI as it relates to identity).
Excellent communication skills and ability to translate technical identity risks and solutions for non-technical stakeholders.

Nice to have

Experience with IAM platforms such as Okta, Ping, ForgeRock, SailPoint, or similar.
Experience with AWS IAM and/or GCP IAM and integrating them with corporate identity.
Background with PAM solutions (CyberArk, Delinea/Thycotic, BeyondTrust, Hashi, etc.).
Relevant certifications: Microsoft Certified: Identity and Access Administrator Associate, Azure Administrator, Security Engineer, or equivalent.

Job Description:

At Bank of America, we are guided by a common purpose to help make financial lives better through the power of every connection. We do this by driving Responsible Growth and delivering for our clients, teammates, communities and shareholders every day.

Being a Great Place to Work is core to how we drive Responsible Growth. This includes our commitment to being an inclusive workplace, attracting and developing exceptional talent, supporting our teammates’ physical, emotional, and financial wellness, recognizing and rewarding performance, and how we make an impact in the communities we serve.

Bank of America is committed to an in-office culture with specific requirements for office-based attendance and which allows for an appropriate level of flexibility for our teammates and businesses based on role-specific considerations.

At Bank of America, you can build a successful career with opportunities to learn, grow, and make an impact. Join us!

Summary:

We are seeking a Senior Directory Services analyst to modernize our enterprise identity platform across on‑prem Active Directory, LDAP’s, and other cloud-based directories and stores. The role is focused on securing employee, partner, and application access in a highly-regulated financial services environment and will partner closely with security, infrastructure, and application teams. If you are passionate about identity security and thrive in high-stakes environments, this role offers the chance to make a measurable impact on the security posture of a global enterprise.

Key Responsibilities:

**Lead architecture, engineering, and operations for Active Directory forests, domains, and Group Policy **in a multi-site, highly regulated environment.
Design and drive adoption of hybrid identity solutions integrating on‑prem and cloud-based services.
Implement and optimize authentication and authorization controls: SSO, MFA, Conditional Access, identity protection, and modern protocols (SAML, OAuth2, OIDC).
Define and enforce standards for identity lifecycle: joiner/mover/leaver processes, automated provisioning/deprovisioning, access reviews, and role-based access control (RBAC).
Partner with stakeholders and business teams to implement least-privilege, privileged access management (PAM), and Zero Trust-aligned identity controls.
Lead and support AD and identity-related projects: domain/forest consolidation, mergers/acquisitions, cloud migrations, and re-platforming.
Enhance monitoring, alerting, and reporting for directory and identity health, security posture, and compliance (audit trails, SOX, GLBA, PCI, etc.)
Develop and maintain scripts and automation (primarily PowerShell) to drive consistency, efficiency, and security in identity operations.
Serve as a senior SME and escalation point for complex identity incidents, outages, and security events.
Produce and maintain technical documentation, runbooks, standards, and architecture diagrams for AD and cloud identity services.
Mentor and guide junior engineers, analysts, and admins and contribute to identity and access strategy and roadmap.

Required Qualifications:

10+ years of hands-on experience administering and engineering enterprise Active Directory in a large, multi-site environment.
Strong expertise in: AD forest/domain design, trusts, DNS, Group Policy, replication, and AD security hardening.
5+ years working with Azure AD/Entra ID and hybrid identity (synchronization, federation, ADFS or equivalent, cloud-only and hybrid scenarios).
Deep understanding of identity and access management concepts: authentication, authorization, RBAC, least privilege, PAM, Zero Trust.
Strong experience with MFA, Conditional Access, SSO, and identity federation using SAML, OAuth2, and OpenID Connect.
Proficiency with PowerShell for automation, reporting, and bulk operations in AD and Azure AD.
Experience operating in regulated environments (preferably banking/financial services) with audit, risk, and compliance requirements.
Solid understanding of networking and security fundamentals (TCP/IP, firewalls, TLS, certificates, PKI as it relates to identity).
Excellent communication skills and ability to translate technical identity risks and solutions for non-technical stakeholders.

Desired Qualifications:

Experience with IAM platforms such as Okta, Ping, ForgeRock, SailPoint, or similar.
Experience with AWS IAM and/or GCP IAM and integrating them with corporate identity.
Background with PAM solutions (CyberArk, Delinea/Thycotic, BeyondTrust, Hashi, etc.).
Relevant certifications: Microsoft Certified: Identity and Access Administrator Associate, Azure Administrator, Security Engineer, or equivalent.

Shift:

1st shift (United States of America)

**Hours Per Week: **

Pay Transparency details

US - MA - Boston - 100 Federal St - 100 Federal St Lp (MA5100), US - NJ - Jersey City - 101 Hudson St - 101 Hudson (NJ2101)

Pay and benefits information

Pay range

$135,000.00 - $182,100.00 annualized salary, offers to be determined based on experience, education and skill set.

Discretionary incentive eligible

This role is eligible to participate in the annual discretionary plan. Employees are eligible for an annual discretionary award based on their overall individual performance results and behaviors, the performance and contributions of their line of business and/or group; and the overall success of the Company.

Benefits

This role is currently benefits eligible. We provide industry-leading benefits, access to paid time off, resources and support to our employees so they can make a genuine impact and contribute to the sustainable growth of our business and the communities we serve.