Talent.com
IAM Engineer

Vitol • Geneva, Geneva, Switzerland
One day ago
Job Description

As our IAM Engineer - Modern Authentication specialist, you will own and maintain the technical configuration of our Entra ID tenant, with a primary focus on modernizing our authentication systems as part of a wider Identity & Access Management strategy and project roadmap. Join our growing IAM team in a hands-on, key role on authentication and authorization topics: securing application onboarding, hardening system configuration (e.g. conditional access, adaptive MFA), and designing, implementing and maintaining a robust, scalable framework that ensures a frictionless end-user experience.

  • Access Management & Governance: Define, implement, and maintain Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) models across Vitol identity platforms, including on-prem AD, Entra ID and AWS. Partner with Security, Infrastructure, Cloud and Development teams to establish consistent access control standards across platforms and applications. Support the design and management of access models for applications, APIs, service accounts, cloud platforms and workload identities.
  • System and Application Integration: Integrate external and internal applications with Vitol's identity providers for Single Sign-On (SSO) using SAML, OAuth, and OIDC protocols. Lead engagement and workshops with application development teams to support integration. Advise developers on secure authentication and authorization flows, including tokens, claims, scopes, roles, secrets, certificates and redirect URIs.
  • Development Team Enablement: Work with Development teams to embed IAM best practices into shared libraries, frameworks, SDKs, templates and reference architectures. Help define reusable authentication and authorization components for Vitol applications. Ensure internal libraries support least privilege, secure token validation, secure session management, claims-based authorization, secretless authentication and modern federation patterns. Act as an IAM subject matter expert, helping teams choose the right protocol and identity architecture.
  • Identity Lifecycle Management: Ensure secure provisioning and de-provisioning of user accounts within the "joiner, mover, leaver" (JML) process.
  • Policy Enforcement: Implement, maintain and enforce identity security policies, including Multi-Factor Authentication (MFA), Conditional Access and least privilege. Help ensure policies are consistently applied across users, applications and platforms, while balancing security requirements with business usability.
  • Troubleshooting & Support: Provide Tier 3 support for identity-related incidents, including authentication, authorization, SSO, federation and access issues. Work with infrastructure, security, cloud and application teams to diagnose root causes and implement effective resolutions.
  • Automation: Utilize scripting (e.g., PowerShell, Python) and APIs/SCIM to automate identity lifecycle and access management workflows. Improve operational efficiency by reducing manual tasks, standardising processes and supporting scalable IAM operations.
  • IAM as a service: Create and own the documentation of "IAM as a service"; define onboarding processes, integration patterns and standard operating procedures for IAM services; provide clear guidance to application teams on how to consume IAM services securely and efficiently.

Qualifications

  • Bachelor's degree in Information Security, Computer Science, or a related field - equivalent professional experience will also be considered.
  • 4/5+ years in IAM / Authentication / Security engineering
  • Deep knowledge of IAM standards and protocols: SAML, OIDC, OAuth2, SCIM, LDAP, PKI basics, and modern auth patterns
  • Experience onboarding and supporting SaaS, web, mobile, and API applications & systems with standards/protocols mentioned above into IAM solutions
  • Strong understanding of cloud identity patterns (esp. AWS & Azure), hybrid identity, and Zero Trust
  • Ability to communicate architecture decisions clearly to technical and non-technical stakeholders
  • Hands-on experience and proven expertise as an Identity Security Engineer (including administrative experience with privileged roles) with the following tools, modules and platforms:
    • Microsoft Cloud environment:
      • Core Microsoft Identity: deep expertise in Entra ID, Entra Connect / Cloud Sync, and Graph API
      • Identity Governance: deployment and management of PIM, Access Reviews, and Entitlement Management
      • Advanced configuration of Identity Protection (user/sign-in risk), Risk-based Conditional Access, and Microsoft Defender for Identity (MDI)
      • Entra ID Workload Identities
      • Cross-tenant collaboration / multi-tenant organizations
      • ADFS / PTA / PHS
      • Intune & endpoint integration
      • Azure Key Vault & other Azure managed services
    • AWS Cloud Environment
      • AWS IAM Users, Groups, Roles & Policies Management
      • AWS Organizations & Service Control Policies (SCPs)
      • AWS IAM Identity Center (SSO) & Federation
      • Least-Privilege Enforcement & Access Analysis
      • Secrets Management & Temporary Credentials
      • AWS KMS for secure credential and key management.
    • Modern Authentication Deployment:
      • Methods / Passwordless technologies: Windows Hello for Business, FIDO2 security keys, Microsoft Authenticator, Certificate-based Auth
      • Protocols: OAuth 2.0, OpenID Connect, SAML 2.0
      • Hardware: YubiKeys, TPM-based biometrics, Passkeys
      • SSPR / self-service tools, AAD Password Protection
      • Application management: app registration, Enterprise App, managed identity, ServicePrincipal…
      • Dashboard creation: Power BI / Azure Workbooks
    • Scripting: PowerShell / Python / etc.
      • Develop custom scripts from scratch and optimize existing codebase to automate identity workflows and system administration
    • Directories: Active Directory
      • ADDS & AD authentication services (NTLM / Kerberos)
      • 3-tier model & delegation model for AD services
      • FSMO roles, GPO management, AD backup/restore…
  • Certifications: the candidate would hold one or more of the following: SC-300, AZ-500, MS-500
  • Good knowledge of:
    • Principles & technical mechanisms of identity & access management, Privileged Access Management
    • Cloud/IaC: AWS/Azure/GCP IAM, Terraform, CI/CD
    • Observability/Security: SIEM, EDR integrations, centralized logging


Additional Information

Personal Characteristics

  • A self-motivated individual who thrives on seeing the results of their work make an impact
  • Strong communication skills, both verbally and in writing
  • Proven ability to be flexible and work hard, with a sense for the art of the possible
  • Methodical, organized and with an attention to detail - in general, in experimental design, and in code!
  • Willingness to share their knowledge and learn from others
  • An interest in learning about the commodities space
  • Resourceful, able to think creatively and adapt in a dynamic environment
  • Team player, with an open non-political style and a high level of integrity

What we offer

  • Competitive salary and benefits package
  • Real-world impacts on a truly global scale
  • Entrepreneurial environment within a flat hierarchy, where great ideas come to life quickly
  • Close collaboration with various teams and stakeholders across our key regions (e.g. London, Singapore, Houston, Geneva)
  • A highly motivated MIS organization comprised of experienced individuals with a supportive attitude and great team spirit