IPAM Engineer – Active Directory at Investec

Description

• The IPAM Engineer – Active Directory is responsible for supporting, maintaining, hardening and improving Investec's core Active Directory and hybrid identity services. The role provides hands-on engineering and operational capability across domain services, domain controllers, Group Policy, DNS-integrated services, authentication flows, privileged administration pathways and directory health. 
• Reporting to the Head of Identity and Privileged Access Management Operations, the role helps ensure that identity infrastructure remains secure, resilient, auditable and fit for purpose in a regulated banking environment. It supports the protection of Tier 0 assets, privileged access controls, secure authentication and operational resilience across on-premises and hybrid identity platforms. 
• The role is based in Sandton and works closely with Identity and Access Management, Information Security, Cyber Defence, Infrastructure, Application, Service Management, Risk, Audit and operational teams to provide trusted, controlled and recoverable directory services for critical business operations. 

Key Responsibilities

Active Directory Engineering and Operational Support

• Provide day-to-day engineering and operational support for the Active Directory estate, including domain services, domain controllers, replication, Group Policy, DNS integration and authentication services. 
• Monitor and maintain directory health, replication status, domain controller performance and core identity service availability. 
• Troubleshoot directory-related incidents, perform root cause analysis and deliver controlled remediation for recurring issues. 
• Support secure access to critical banking platforms, applications and operational services through robust directory engineering and identity integration. 

Security, Privileged Access and Tier 0 Protection

• Support protection and hardening of Tier 0 identity assets, including domain controllers, privileged groups, service accounts and administrative pathways. 
• Contribute to privileged access controls, administrative segregation, secure authentication practices, patching, hardening and monitoring of critical identity infrastructure. 
• Assist with the reduction of standing administrative rights, shared accounts and orphaned credentials in line with least privilege principles. 
• Support controlled use of privileged access tooling and processes, including evidence generation, access reviews and remediation of identified control gaps. 
• Implement and maintain secure Group Policy configurations aligned to agreed enterprise standards and security baselines. 
• Support DNS, DHCP and certificate-related dependencies that underpin the Active Directory ecosystem. 
• Contribute to hybrid identity integration activities involving Microsoft Entra ID, AD Connect, Conditional Access, MFA and single sign-on capabilities. 
• Develop and maintain scripts, automation and standard operating procedures to improve consistency, repeatability and operational control. 

Governance, Risk, Resilience and Compliance

• Operate Active Directory services in line with banking regulatory, risk, audit and internal control expectations. 
• Support audit evidence, control testing, access reviews, vulnerability remediation and timely closure of identity-related findings. 
• Contribute to operational resilience through documented recovery procedures, backup and restore readiness, failover preparedness and regular testing. 
• Maintain high-quality operational documentation, build standards, recovery runbooks and knowledge transfer material to reduce key person dependency risk. 
• Ensure directory changes follow approved change, release and incident management processes with appropriate risk assessment and evidence. 

Continuous Improvement and Automation

• Drive practical improvements in monitoring, alerting, reporting, supportability and engineering standards for the directory estate. 
• Use PowerShell and standardised processes to automate repeatable administration, health checks, reporting and remediation tasks. 
• Identify and reduce operational fragility through documentation, standardisation, cross-skilling and improved support readiness. 

Stakeholder Collaboration and Service Delivery

• Work closely with Identity and Access Management, Information Security, Cyber Defence, Infrastructure, Application, Service Management, Risk and Audit teams. 
• Provide clear technical input, impact analysis and operational updates to service owners and stakeholders. 
• Support incident response, problem management and service restoration activities where identity services are impacted. 
• Promote knowledge sharing, disciplined engineering practices and strong operational ownership across the identity services team. 

Experience & Qualifications 

• Minimum 5 years' relevant experience in Active Directory, identity infrastructure, Microsoft platform engineering or enterprise directory support. 
• Strong hands-on experience with AD DS, domain controllers, replication, Group Policy, DNS integration, authentication flows and directory troubleshooting. 
• Good understanding of privileged access, Tier 0 protection, least privilege, identity hardening and secure administration practices. 
• Experience operating in a regulated, highly controlled or financial services environment with strong change, audit and evidence expectations. 
• Experience with PowerShell scripting, automation, documentation and standardised operational procedures. 
• Desirable exposure to Microsoft Entra ID, AD Connect, Conditional Access, MFA, SSO and hybrid identity integration. 
• ITIL Foundation Certification or comparable service management experience 
• Relevant Microsoft infrastructure, identity or security certification preferred 
• Microsoft Certified: Identity and Access Administrator Associate or equivalent Microsoft identity certification preferred 
• Exposure to BeyondTrust, CyberArk or comparable privileged access management tooling is advantageous 
• Security certifications such as SC-300, AZ-800 / AZ-801, CISSP Associate, SSCP or equivalent are advantageous