Title: Sr. Identity Engineer
Ciudad de Mexico, Ciudad de México, MX, 01210
Astellas’ Global Capability Centres – Overview
Astellas’ Global Capability Centres (GCCs) are strategically located sites that give Astellas the ability to access talent across various functions in the value chain and to co-locate core capabilities that are currently dispersed. Our three GCCs are located in India, Poland and Mexico.
The GCCs will enhance our operational efficiency, resilience and innovation potential, enabling a timely response to changing business demands.
Our GCCs are an integral part of Astellas, guided by our shared values and behaviors, and are critical enablers of the company’s strategic priorities, sustainable growth, and commitment to turn innovative science into VALUE for patients.
We're seeking passionate individuals who thrive in dynamic environments, embrace new ideas and aren't afraid to take intelligent risks. People who act with unwavering integrity and are deeply committed to making a tangible impact.
Working Environment and Location
This position is based in Mexico City (Santa Fe area) and will require on-site work in a hybrid setup.
At Astellas we recognize the importance of work/life balance, and we are proud to offer a hybrid working solution allowing time to connect with colleagues at the office with the flexibility to also work from home. We believe this will optimize the most productive work environment for all employees to succeed and deliver. Hybrid work from certain locations may be permitted in accordance with Astellas’ Responsible Flexibility Guidelines.
Purpose and Scope
As an Identity and Access Management (IAM) Engineer, you will play a key role in protecting our organization’s digital assets by ensuring secure, compliant, and efficient management of user identities and access across systems and applications. This position has been established as part of our initiative to strengthen internal IAM operations, enhance automation in identity lifecycle management, and advance towards a ‘best in industry’ access governance framework.
Role and Responsibilities
- Design, implement, and manage enterprise IAM solutions using Microsoft Entra ID, including Identity Governance (IGA/JML), Entra ID Protection, Conditional Access, MFA, SSO, and CyberArk.
- Own and operate Joiner‑Mover‑Leaver (JML) lifecycle management using Entra ID Governance features to ensure timely and secure access provisioning and deprovisioning.
- Configure and manage Entra ID Identity Governance capabilities such as access packages, lifecycle workflows, entitlement management, and access reviews.
- Design, deploy, and enforce Entra Conditional Access and risk‑based policies using Entra ID Protection, aligned with Zero Trust principles.
- Lead implementation and support of SSO integrations, MFA, and adaptive authentication across cloud and on‑prem applications.
- Perform hands‑on administration and operational support for Active Directory, Entra ID (Azure AD), Identity Governance, Identity Protection, and CyberArk platforms.
- Troubleshoot and resolve complex authentication and access issues across Conditional Access, SSO, JML/IGA processes, CyberArk, and On‑Prem AD.
- Configure and maintain CyberArk CPM and PSM components to support privileged access use cases.
- Execute access reviews, certification campaigns, and RBAC reviews to meet governance, audit, and compliance requirements.
- Monitor and resolve IAM‑related incidents and service requests within defined SLAs, driving stability and security of IAM platforms.
- Drive automation, process optimization, documentation (SOPs), cross‑team collaboration (HR/IT/Security), audit support, and continuous improvement through awareness of Microsoft Entra enhancements and IAM best practices.
Essential Qualifications
- 13–15+ years of hands‑on experience in Identity and Access Management (IAM) and Privileged Access Management (PAM) within enterprise environments.
- Strong practical experience with IAM/PAM platforms, including Microsoft Entra ID, CyberArk, and Azure SSO.
- Demonstrated hands‑on expertise in:
  - CyberArk Core PAS: Vault, CPM, PVWA, PSM
  - Microsoft Entra ID (Azure AD): Conditional Access, Identity Protection, and Identity Governance (JML, access reviews)
  - Identity and authentication technologies: Active Directory, LDAP, SAML, OAuth 2.0, OpenID Connect
  - Scripting and automation using PowerShell and/or Python to improve IAM operations
  - Cloud and hybrid environments, including Azure, AWS, and GCP
  - ITSM tools (e.g., ServiceNow) and incident / service‑request handling
- Strong experience collaborating with HR, IT, Security, and application teams to support identity lifecycle (JML) and access governance processes.
- Strong analytical and troubleshooting skills with attention to detail and an engineering mindset.
- Effective verbal and written communication skills, capable of working with both technical and non‑technical stakeholders.
Preferred Qualifications
- Strong knowledge of Active Directory, Azure AD (Entra ID), CyberArk, SSO, and authentication mechanisms (SAML, OAuth, OIDC).
- Understanding of IAM governance, RBAC, and compliance standards (ISO 27001, SOX, GDPR).
- IAM certifications such as the following are an advantage:
  - CyberArk Defender (mandatory)
  - CyberArk Sentry
  - CyberArk CCDE - Core PAS
  - Microsoft Certified: Identity and Access Administrator Associate
- Experience supporting technology in the healthcare industry is an advantage.
Benefits
Why Astellas
- We're seeking passionate individuals who thrive in dynamic environments, embrace new ideas and aren't afraid to take intelligent risks.
- People who act with unwavering integrity and are deeply committed to making a tangible impact.