System Engineer (Identity and Access Management)

Zagreb, Croatia (Hybrid)

Do you want to join a growing team of top professionals who invest time and effort into teaching, career growth, and cultivating employees into the next generation of IT experts? You've come to the right place. Span is a Croatian IT company with a global reach specializing in high-quality information systems design and management services, as well as tech support for customers and enterprises. We're constantly improving, advancing, and adopting new trends, new skills, and new expertise, giving our employees virtually endless opportunities for professional development.

Why join us?

We support a large-scale hybrid identity environment and we’re looking for someone who loves deep technical challenges around Active Directory and IAM. If you enjoy troubleshooting replication quirks, automating identity tasks with PowerShell, or designing secure authentication flows that actually work in practice — this is the role for you.

You won’t be just “keeping the lights on.” You’ll help shape how we manage identity and access across a global enterprise, working side by side with security, cloud, and infrastructure teams.

What you'll do:

Engineer and run Active Directory (multi-domain, multi-forest) at enterprise scale
Automate routine processes using PowerShell scripting to improve efficiency, enforce policies, and generate reports
Keep authentication secure: Kerberos, PKI, MFA, federation, conditional access
Support hybrid identity (AD + Entra ID/Azure AD, AD Connect)
Help design and enforce tiering / privileged access models
Troubleshoot complex issues, including replication errors, trust relationship problems, and authentication failures
Collaborate with security engineers on IAM hardening and detection

We could be a perfect fit if you are:

Approaching activities in a planned and organized manner, focused on essentials and working quickly and efficiently
Showing a strong desire for constant career development and gaining experience
Inclined to innovate, always trying out different approaches and looking for new, better and more efficient ways of working
Appreciating and accepting differences, respecting other people and their opinions and ideas and readily giving them yourself

What we expect:

You’ve spent 3+ years working with Active Directory in production and know it inside out
Solid experience with Entra ID / Azure AD and hybrid identity
You know your way around PowerShell (and maybe even enjoy it)
Comfortable with Windows Server infra (DNS, DHCP, certificate services)
Strong understanding of IAM concepts: SSO, federation, MFA, PAM
Curiosity, problem-solving, and a willingness to get hands-on

What will bring you extra points:

Experience with Saviynt or other IGA platforms
Familiarity with MIM, SailPoint, or other IAM/IAG tools
Enjoy digging into protocols (LDAP, Kerberos, OAuth, SAML, OIDC)
You understand the difference between Passwordless authentication and PasswordNeverExpires (and why one is not the other)
Comfortable at enterprise scale (multiple forests, thousands of objects)

What's in it for you:

Competitive salary according to your experience
A business phone of your choice
InHouse testing center- we are giving you an option of gaining professional certificates
Mentor - no matter how much experience you've got, we will provide you with an adequate mentor
Regular feedback on your performance and personalized career development plan
Possibility to earn different types of bonuses
Subvention of Multisport card or PassSport- not only brain workout is important
Minimum of 25 vacation days
Complete health checks- adjusted for men and women
Psychological counseling- we care about your well-being
Lunch and transportation compensations
Benefits for children of employees