Cloud Identity and Access Management (IAM) Engineer
Maybank
Job Description
About the Role
- Define, test and maintain Joiner-Mover-Leaver (JML) and Role-Based Access Control (RBAC) for Entra ID, Azure, and M365 admin roles; maintain a Segregation-of-Duties (SoD) matrix for cloud roles.
- Implement and maintain Privileged Access Management (PAM) and related tooling: MFA, approval workflows, and break-glass governance.
- Govern service principals and managed identities (key rotation, least privilege, owner accountability).
- Run periodic privileged access reviews, attestations and re-certifications, and produce evidence for audits and inspections.
- Act as Level-2 technical and incident response for identity compromise (token theft, consent phishing, impossible travel), coordinating with the SOC and with Sentinel/Splunk.
Key Responsibilities
- Privileged access governance
  - Design and operate PAM for Entra/Azure/M365
  - Enforce MFA/Conditional Access
  - Maintain break-glass governance
  - Test controls regularly
- Define and maintain cloud RBAC and JML for privileged roles
  - Build role catalogue
  - Map job functions to roles
  - Implement JML workflows for admin roles
  - Enforce least privilege
  - Validate with test cases
  - Keep mappings updated as org/tech changes
- Govern service principals / managed identities
  - Create standards for app registrations / managed identities
  - Enforce naming / ownership
  - Design least-privilege permissions
  - Implement secret / certificate rotation
  - Remove orphaned identities
  - Periodically review high-risk permissions and consent grants
- L2 technical support + incident response for identity compromise
  - Investigate suspicious sign-ins / token anomalies
  - Coordinate containment (revoke sessions/tokens, disable accounts, reset credentials)
  - Tune detections with SOC
  - Develop/run playbooks; perform post-incident improvements
You are someone with:
- Bachelor's degree in Information Security, Computer Science, Engineering, Information Technology, or a related field.
- Minimum of 5 years relevant experience in IAM, cloud security, security and/or engineering.
- Microsoft certifications relevant to identity/security, such as:
  > SC-300 (Identity and Access Administrator)
  > SC-200 (Security Operations Analyst)
  > AZ-500 (Azure Security Engineer)
  > CCSP, CISSP, CISM or CompTIA Security+
- Relevant working experience in regulated environments (e.g. banking, FSIs) and/or audit/regulatory engagements is an advantage.
- Hands-on administration of Microsoft Entra ID, Azure RBAC, and M365 admin roles (including role scoping, assignment models, and least privilege).
- Experience implementing Privileged Access Management concepts such as MFA enforcement, break-glass controls, privileged monitoring and governance.
- Experience governing service principals / app registrations / managed identities: permissions, consent, secret/certificate lifecycle, rotation, and ownership accountability.
- Ability to design and operationalise SoD controls and manage exceptions with compensating controls and risk sign-off.
- Practical incident response for identity threats: token/session revocation, Conditional Access response, account lock-down, risky sign-in investigation, consent grant review, and remediation.
- Working knowledge of integrating IAM telemetry with Microsoft Sentinel and/or Splunk, and collaborating with the SOC on detection use-cases (impossible travel, anomalous token usage, risky apps, privilege escalation).
- Strong control mindset and the ability to explain controls clearly to auditors and regulators.
- High ownership, attention to detail, and disciplined change management.