Identity and Access Management Architect in Southfield, Michigan at Open Dealer Exchange

Identity and Access Management Architect

Open Dealer Exchange (ODE), is seeking an Identity and Access Management (IAM) Architect to support its workforce in Southfield, MI. As an IAM Architect, you will own and mature our identity security posture across a complex, multi-platform environment, serving as the primary driver of a structured rolebased access control (RBAC) program and a trusted technical advisor across infrastructure, IT, and development teams. The ideal candidate will have deep experience with Entra ID, Active Directory, identity lifecycle automation, and governing access in regulated enterprise environments. Open Dealer Exchange is a dynamic, exciting place to work. Open Dealer Exchange offers a hybrid work model as well as an excellent compensation/benefit package.

Responsibilities

• Design and implement enterprise RBAC: Build a cohesive role-based access control model across Entra ID, Active Directory, and Entra External ID, replacing ad hoc access grants with governed, role-aligned entitlements.
• Lead identity lifecycle automation: Integrate the HR system with Entra ID to automate provisioning and deprovisioning, ensuring access changes are event-driven and auditable at the point of hire, transfer, and termination.
• Govern directory structure and access hygiene: Define and enforce naming conventions, group structures, and access review cadences across all directory platforms.
• Manage non-human identities: Govern service accounts, including managed identities, service principals, and app registrations, enforcing least privilege and credential hygiene across all environments.
• Advise development teams on identity security: Provide architectural guidance on token handling, session management, and federation patterns for teams building or maintaining identity adjacent systems.
• Drive Conditional Access and PIM: Lead Conditional Access policy design and own Privileged Identity Management configuration and the privileged access model for admin roles across Azure and M365.
• Support Entra External ID governance: Advise teams on External ID tenant configuration, custom policy, user flows, and external identity federation.
• Produce compliance-ready documentation: Maintain IAM documentation including access control matrices, provisioning runbooks, and audit-ready entitlement inventories supporting FCRA and FTC Safeguards Rule obligations.
• Collaborate across the security program: Align IAM initiatives with the broader security roadmap and participate in change management and architecture review processes alongside security engineers and the Cybersecurity Manager.

Required Skills & Experience

• 5+ years of hands-on IAM engineering experience, with at least 3 years focused on Entra ID (Azure AD) in enterprise environments.
• Deep working knowledge of Active Directory, including group policy, OU design, domain trust models, and hybrid identity patterns.
• Demonstrated experience designing and implementing RBAC models at scale in complex or legacy environments.
• Hands-on experience with Entra ID Governance, including access reviews, entitlement management, lifecycle workflows, and Privileged Identity Management (PIM).
• Strong working knowledge of OAuth 2.0, OIDC, and SAML, sufficient to review developer implementations and identify security risk.
• Practical experience automating identity lifecycle events using Logic Apps, Azure Functions, PowerShell, or the Microsoft Graph API.
• Ability to communicate risk clearly to non-technical stakeholders and produce compliance-ready documentation.
• Will accept any suitable combination of education, training, or experience.

Preferred Skills & Experience

• Experience in regulated industries such as financial services, fintech, or automotive with access control obligations.
• Familiarity with FTC Safeguards Rule requirements or equivalent data security regulatory frameworks.
• Prior experience integrating an HRIS platform (Workday, BambooHR, UKG, or similar) with Entra ID via SCIM or custom connector.
• Exposure to IGA platforms such as SailPoint, Saviynt, or Omada.
• Experience advising development teams on token validation, scope design, role claims, and secure session management.
• Bachelor's degree in Computer Science, Information Systems, or a related field, or equivalent professional experience.
• Relevant certifications: SC-300 (Microsoft Identity and Access Administrator), AZ-500 (Microsoft Azure Security Technologies), or equivalent