Active Directory / IAM Security Consultant
Rate - £550p/d Outside IR35
Duration: 3 months(with potential extension)
Location: Hybrid / UK-based (on-site as required)
Overview
Our client is undertaking a major security improvement initiative across its hybrid identity estate, spanning on‑premises Active Directory and cloud identity platforms. We are seeking an experienced Active Directory / Identity Security Contractor to design and deliver a comprehensive least privilege programme, reducing cyber risk and aligning the organisation with modern security best practice.
This engagement is outcome-focused, not advisory. You will have autonomy over how the work is delivered, with responsibility for achieving tangible, auditable improvements to privileged access across the environment.
Key Responsibilities
You will be accountable for the end-to-end delivery of a least privilege programme, including:
Discovery & Current State Analysis
Assess on‑premises Active Directory forests, domains, trusts, and OU structures
Review Entra ID (Azure AD) and integrated SaaS identity platforms
Analyse GPOs, Conditional Access policies, RBAC models, and delegation structures
Identify excessive privilege, legacy configurations, and inherited risk
Review privileged, service, and shared accounts
Assess joiner / mover / leaver processes as they relate to access control
Least Privilege Strategy & Target Architecture
Define a pragmatic least privilege strategy and design principles
Design an administrative tiering model
Redesign role and group structures aligned to business functions
Eliminate or redesign standing privileged access
Introduce just‑in‑time / just‑enough access where feasible
Align on‑prem and cloud privilege models
Ensure designs support operational delivery and business continuity
Implementation & Delivery
Remediate excessive privilege and high‑risk configurations
Redesign and implement groups, roles, and delegation models
Refactor or migrate legacy administrative accounts
Implement least privilege controls across on‑prem and cloud platforms
Deliver changes incrementally to minimise operational risk
Validate that business‑critical access requirements continue to be met
Documentation & Knowledge Transfer
Produce audit‑ready documentation covering:
Target state architecture
Design decisions and assumptions
Operational runbooks and support guidance
Ongoing governance and review processes
Deliver structured knowledge‑transfer sessions to internal teams
Required Experience & Skills
Deep hands‑on expertise with Active Directory (on‑prem) in complex enterprise environments
Strong experience with Entra ID / Azure AD and hybrid identity models
Proven delivery of least privilege or privileged access reduction initiatives
Strong understanding of:
Administrative tiering models
Delegation and RBAC design
Privileged, service, and shared account management
Experience remediating legacy or over‑privileged environments
Ability to work autonomously and deliver against agreed outcomes
Strong documentation and stakeholder communication skills
Nice to Have
Experience with PAM / PIM tooling (e.g. Microsoft PIM or equivalent)
Background in security assurance, audit, or regulatory environments
Experience delivering identity transformation in large distributed organisations
What We’re Looking For
This role is ideal for a senior identity engineer or architect who enjoys hands‑on delivery, not just design. You should be comfortable making and implementing change in live environments, balancing security improvement with operational reality