Key skills
Active DirectoryEntra ID (Azure AD)OktaIdentity ArchitectureIdentity MigrationDirectory SynchronizationAuthentication ProtocolsOIDCOAuth 2.0SAMLKerberosNTLMLDAPCertificate-based AuthenticationPowerShellConditional AccessMulti-factor Authentication (MFA)Zero Trust IdentityIdentity FederationSingle Sign-On (SSO)Identity Lifecycle ManagementIdentity GovernancePrivileged Access ManagementInfrastructure as CodeTerraformBicepSCIM ProvisioningCloud Identity IntegrationHybrid IdentityAnalytical SkillsAnalyticsAzureKubernetesIAMAzure ADEntra IDOAuthSSOSaaSLeadershipCommunicationZero Trust
About this role
LATCH LLC provides technical consulting services to the US Federal Government, focusing on high-quality solutions and innovative designs. The Principal Identity Engineer/Architect will lead the migration of on-premises Active Directory services to Entra ID and Okta, overseeing the architecture, planning, and execution of this enterprise identity modernization effort.
Responsibilities:
- Lead the architecture and design of the enterprise Active Directory to Okta and Entra ID migration strategy, including governance, synchronization, coexistence, and long-term identity modernization patterns
- Develop the migration roadmap, technical design documentation, data models, attribute strategies, and phased implementation plan
- Evaluate and define authentication and authorization patterns using Entra ID, Okta, and hybrid identity services
- Perform hands-on engineering tasks including directory synchronization configuration (Entra Connect / Cloud Sync), domain consolidation, forest remediation, schema extension validation, conditional access design, and authentication flow design
- Engineer and implement secure identity federation, SSO, and application migration to Entra ID and Okta
- Execute directory clean-up, identity rationalization, and environment normalization as part of modernization efforts
- Identify migration risks, service dependencies, integration challenges, legacy system constraints, and remediation strategies
- Develop and execute detailed test plans, pilot programs, coexistence validation, rollback plans, and production cutover procedures
- Conduct performance, reliability, and security validation for all directory and identity workloads being migrated
- Provide technical leadership to engineers, analysts, and cross-functional teams involved in the migration
- Serve as a senior advisor to program leadership, communicating architectural decisions, constraints, risks, and tradeoffs with clarity
- Coordinate with security, networking, application owners, and enterprise architecture teams to ensure alignment and interoperability
- Produce high-quality engineering documentation, architecture diagrams, standards, migration runbooks, and operational SOPs
- Establish and enforce directory and identity governance best practices aligned to Zero Trust and federal security requirements
Requirements:
- Extensive hands-on experience designing and migrating Active Directory environments, including multi-domain/forest consolidation, remediation, and modernization
- Proven experience planning and executing large-scale migrations to Entra ID (Azure AD), including Cloud Sync, Entra Connect, attribute flows, UPN/identity normalization, and hybrid identity patterns
- Strong expertise integrating Okta with Active Directory and Entra ID for authentication, provisioning, federation, and lifecycle management
- Deep understanding of identity protocols and technologies including OIDC, OAuth 2.0, SAML, Kerberos, NTLM, LDAP, LDAPS, and certificate-based authentication
- Demonstrated ability to define identity architecture, evaluate tradeoffs, and make high-stakes technical decisions
- Strong hands-on engineering skills with PowerShell, directory utilities, synchronization tools, replication troubleshooting, and identity analytics
- Experience designing Conditional Access, MFA, secure authentication flows, segmentation, and Zero Trust identity patterns
- Ability to lead technical efforts, guide engineers, and manage deliverables in a complex, multi-team environment
- Strong communication skills with an ability to translate complex identity architecture into clear guidance for technical and non-technical stakeholders
- Strong analytical and troubleshooting skills with an obsessive attention to detail and accuracy
- 15+ years of Systems Engineering experience
- 10+ years of experience supporting enterprise identity and directory services
- 5+ years hands-on experience designing and executing Active Directory modernization and migration efforts
- 5+ years of experience supporting or integrating with Entra ID (Azure AD)
- Proven track record delivering large-scale identity transformations in complex enterprise environments
- Experience with large-scale identity modernization efforts within federal agencies or regulated industries
- Experience modernizing legacy authentication or IAM platforms during AD/Entra migrations
- Familiarity with identity governance, privileged access management, or Zero Trust policy enforcement
- Experience with Infrastructure as Code (Terraform, Bicep) for Entra ID and identity configuration deployment
- Experience integrating identity systems with cloud workloads, Kubernetes, API gateways, and enterprise SaaS platforms
- Certification(s) such as: Microsoft Identity and Access Administrator (SC-300), Microsoft Azure Solutions Architect (AZ-305), Okta Certified Professional or Okta Certified Consultant, CISSP or equivalent