M&T Bank
Financial Services
LeadActiveDirectoryEngineer
Neural analysis suggests this role is
optimal for Lead candidates.
“Lead Active Directory Engineer at M&T Bank. Skills: Enterprise Active Directory Architecture, Hybrid Identity & Microsoft Entra ID (Azure AD), Security, Compliance & Risk Controls, Automation & PowerShell. Designing, securing, and operating Microsoft Active Directory Domain Services (AD DS) in regulated, high-availability environments. Completes day-to-day support activities and special projects”
Industry & Context.
Proficient level of critical thinking and problem solving ability; ability to analyze and draw reliable conclusions based on large volumes of quantitative data from diverse sources
Four days onsite at our Seneca One Buffalo, NY location, with the flexibility to work from home one day per week
What They're Looking For.
Must Have
Bachelor's degree and a minimum of 5 years’ relevant work experience, or in lieu of a degree, a combined minimum of 9 years’ higher education and/or work experience
Nice to Have
Advanced understanding of the security system development and infrastructure lifecycle and architecture, and systems design, Proven experience with the development and customization of tools utilized in assigned Cybersecurity function, Demonstrated ability to translate architecture into technical requirements, Proficient level of critical thinking and problem solving ability, Excellent communication and interpersonal skills, Experience partnering with leaders to design solutions to business needs, Proficient persuasive communication skills to gain buy-in of others, ability to analyze and draw reliable conclusions based on large volumes of quantitative data from diverse sources, ability Effectively serves in indirect leadership role
What You'll Do.
and operating Microsoft Active Directory Domain Services (AD DS) in regulated
high-availability environments
Completes day-to-day support activities and special projects
Acts as knowledge resource for and trains less experienced engineers
Supporting large-scale
Tier‑1 identity infrastructures with strict uptime
and change‑control requirements
Implementing Entra Connect (Cloud Sync and Traditional)
Implementing Password Hash Sync
Pass-through Authentication
Enforcing least privilege
and dual‑control models
Performing regular access reviews and entitlement recertification
Designing AD environments that support logging and traceability
tamper-resistant audit logs
and evidence generation
Building automation that integrates with change management processes
Managing AD replication topology across data centers and regions
Managing SYSVOL (DFSR) health and recovery
Managing latency-sensitive authentication dependencies
Implementing monitoring and alerting with a focus on early risk detection
How You'll Work.
Team & Collaboration
Acts as knowledge resource for and trains less experienced engineers; Partners closely with Information Security and IAM teams; Partners closely with Risk, audit, and compliance stakeholders; Partners closely with Infrastructure, cloud, and application teams; Mentors engineers and reviews designs from a security and risk-first perspective; Experience partnering with leaders to design solutions to business needs
Communication Scope
Excellent communication and interpersonal skills; Proficient persuasive communication skills to gain buy-in of others
Process & Methodology
Completes special projects
Full Job Description
This role is **four** days onsite at our Seneca One Buffalo, NY location, with the flexibility to work from home one day per week # **Overview: ** Responsible for designing, securing, and operating Microsoft Active Directory Domain Services (AD DS) in regulated, high-availability environments. Acts as knowledge resource for and trains less experienced engineers. Completes day-to-day support activities and special projects. ## **Primary Responsibilities:** **Enterprise Active Directory Architecture** * Proven expertise supporting **large-scale, Tier‑1 identity infrastructures** with strict uptime, latency, and change‑control requirements * Strong experience with: * Multi-domain and multi-forest designs aligned to business units, regions, or regulatory boundaries * Forest and external trusts supporting M&A, joint ventures, and third-party integrations * FSMO role placement optimized for resilience and auditability * Advanced understanding of **Active Directory–integrated DNS** , split‑brain DNS, and secure name resolution models **Hybrid Identity & Microsoft Entra ID (Azure AD)** * Extensive experience integrating on-prem AD with **Microsoft Entra ID** in regulated financial environments * Hands-on implementation of: * Entra Connect (Cloud Sync and Traditional) * Password Hash Sync, Pass-through Authentication, and Federation * Strong experience with: * Conditional Access aligned to regulatory and risk-based controls * Hybrid Join, Entra ID Join, and legacy device coexistence * Understanding of **identity lifecycle controls** to support joiners, movers, leavers, and separation-of-duties requirements **Security, Compliance & Risk Controls** * Expert-level knowledge of **Active Directory security hardening** in financial services, including: * Tiered administrative model (Tier 0/1/2) * Dedicated admin forests or hardened admin boundaries (where applicable) * Privileged Access Workstations (PAWs) / Secure Admin Workstations * Experience enforcing **least privilege** , ro
Applying for this Lead Active Directory Engineer role?
Most applicants get filtered before a human reads their resume. See if yours makes the cut.
How to Apply on Workday
- Workday has a multi-step form — save your progress after every section.
- "Apply With LinkedIn" can fail or lose data; manual entry is more reliable.
- Watch for the "Submit for Review" final step — hitting "Save" alone does not submit.
- Job requisition numbers are useful when following up with HR by email.
ANONYMOUS · UNFILTERED
What do employees actually say about M&T Bank?
Real rants from real employees. Read before you apply.