Senior Engineer — Identity Infrastructure & MA & D

Our team members are at the heart of everything we do. At Cencora, we are united in our responsibility to create healthier futures, and every person here is essential to us being able to deliver on that purpose. If you want to make a difference at the center of health, come join our innovative company and help us improve the lives of people and animals everywhere. Apply today!

Job Details Position Summary:

We are seeking a Senior Engineer — Identity Infrastructure & MA&D to serve as a technical leader responsible for the design, integration, and optimization of Cencora's identity platform across on-premises Active Directory, Microsoft Entra ID (formerly Azure AD), and related authentication/authorization services. This role is central to our corporate development strategy: you will lead the identity workstream for acquisitions (onboarding users, devices, and applications from acquired entities into Cencora's identity ecosystem) and divestitures (cleanly separating identity services and severing trust relationships). Identity is the foundational layer that gates access to every system, application, and resource — making this one of the most critical and complex workstreams in any deal. The ideal candidate combines deep Active Directory and Entra expertise with the structured, security-conscious mindset required to execute identity transitions without disrupting user productivity or compromising the security posture of either organization. Primary Focus Advanced identity infrastructure design, MA&D identity integration/separation, authentication and access management, complex troubleshooting, and cross-functional technical leadership.

Key Responsibilities:

Identity Infrastructure Engineering Design and maintain Cencora's enterprise identity architecture spanning on-premises Active Directory Domain Services (AD DS), Microsoft Entra ID, Entra Connect (formerly Azure AD Connect), and Entra Domain Services — ensuring a resilient, well-governed, and scalable identity platform. Own the AD forest and domain topology — manage domain controllers, sites and services, replication topology, FSMO roles, Group Policy (GPO) architecture, and OU structure across a multi-site enterprise environment. Administer and optimize Microsoft Entra ID — manage tenant configuration, application registrations, enterprise app SSO integrations (SAML, OIDC, WS-Fed), Entra Connect sync rules, and hybrid identity topologies. Manage multi-factor authentication (MFA) and Conditional Access — design and enforce Entra MFA policies, Conditional Access frameworks, authentication strengths, and risk-based access controls aligned with zero-trust principles. Oversee certificate services and PKI where applicable — AD Certificate Services (AD CS), certificate templates, auto-enrollment, and certificate-based authentication. Perform advanced troubleshooting of complex identity issues — Kerberos/NTLM authentication failures, AD replication conflicts, Entra Connect sync errors, token issuance problems, Conditional Access policy conflicts, and hybrid join issues. Drive identity automation — leverage PowerShell, Microsoft Graph API, and automation platforms to streamline user lifecycle management, group management, and identity governance tasks. Document and maintain identity architecture diagrams, trust relationship maps, Entra Connect topology, GPO standards, and operational run-books. Mergers, Acquisitions & Divestitures (MA&D) Lead the identity workstream for each MA&D event end-to-end — from due diligence through Day 1 access enablement to full identity consolidation or separation and steady-state hand-off. Acquisition — Integration Conduct identity discovery and assessment of target company environments: inventory AD forests/domains, domain controllers, Entra tenants, federation services (AD FS, PingFederate, Okta, etc.), MFA solutions, PAM tools, and SSO-integrated applications. Develop identity integration blueprints that define the path from Day 0 (deal close) to full consolidation — including interim coexistence strategies, trust relationships, Entra B2B/cross-tenant access, GAL synchronization, and phased user migration plans. Architect and execute AD consolidation — design inter-forest trust relationships, plan and execute domain migrations (ADMT or equivalent), migrate user accounts, computer objects, group memberships, SID history, and GPOs into the Cencora AD environment. Plan and execute Entra ID tenant consolidation — migrate cloud identities, application registrations, Conditional Access policies, and MFA registrations from the acquired tenant into Cencora's Entra tenant using cross-tenant migration tools and Microsoft Graph. Manage Entra Connect reconfiguration — transition sync scope, filtering rules, and hybrid identity topology as domains and OUs are consolidated. Coordinate user MFA re-enrollment or migration — ensure acquired users are seamlessly onboarded to Cencora's Entra MFA policies with minimal friction, planning for authentication method registration, Authenticator app rollout, and fallback methods. Enable Day 1 access — ensure acquired employees have functional credentials, email, and access to critical systems from the moment the deal closes, even before full consolidation (e.g., via Entra B2B, external identities, or temporary trust configurations). Divestiture — Carve-Out Architect identity separation plans that cleanly extract divested users, groups, service accounts, and computer objects from Cencora's AD and Entra environments into a new or target-company identity platform. Stand up greenfield identity infrastructure where needed — new AD forests/domains, Entra tenants, Entra Connect instances, MFA policies, and Conditional Access baselines for the divested entity. Manage coexistence during TSA periods — design interim trust relationships, cross-tenant access policies, and shared authentication mechanisms that allow continued access to shared resources until the Transition Services Agreement expires. Plan and execute credential cutover — coordinate the transition of user identities, passwords (or forced resets), MFA methods, and device registrations to the divested entity's identity platform with minimal disruption. Sever trust relationships and remove residual access — methodically decommission forest/domain trusts, Entra B2B relationships, cross-tenant configurations, and stale objects post-TSA to eliminate security exposure. Leadership & Collaboration Collaborate cross-functionally with Security, Network, Messaging/M365, Application, Endpoint, and GRC teams to ensure identity changes are coordinated with dependent systems — email migration, device management (Intune), application SSO cutover, and security tooling. Partner with Project Management and Corporate Development to align identity milestones with broader deal timelines, legal close dates, budgets, and business commitments. Coordinate with the acquired/divested company's IT staff to gather requirements, validate discoveries, and execute joint cutover activities. Develop and enforce identity standards and policies, ensuring compliance with Cencora security and regulatory requirements (e.g., HIPAA, SOX, DEA) and zero-trust principles. Mentor and guide junior identity and systems engineers; serve as the technical escalation point for complex identity incidents. Build repeatable MA&D identity playbooks — standardize discovery templates, migration checklists, cutover run-books, and rollback procedures to accelerate and de-risk future deals. Experience, skillset & Educational requirements: Bachelor's degree or technical institute degree/certificate in a relevant field or equivalent work experience. Typically requires 8 or more years of relevant IT work experience. Experience leading technical teams preferred Relevant certification is required. Demonstrates in-depth knowledge of a broad range of hardware and software products. Strong experience with Unix-based systems and command-line interfaces Experience with Terraform or other infrastructure as code Familiarity with Git or other version control systems Strong experience with AWS, including EC2, S3, Lambda, and IAM preferred. Experience with RDS/MySQL/database management preferred. Knowledge of networking concepts such as DNS, TCP/IP, and load balancing preferred. Experience with general IT concepts beyond their primary discipline Good analytical and problem-solving skills. Good interpersonal skills; effective team player Exceptional presentation skills Ability to prioritize load. Technical leadership, negotiation, and conflict resolution Ability to be on-site as needed in Conshohocken, PA What Cencora offers We provide compensation, benefits, and resources that enable a highly inclusive culture and support our team members' ability to live with purpose every day. In addition to traditional offerings like medical, dental, and vision care, we also provide a comprehensive suite of benefits that focus on the physical, emotional, financial, and social aspects of wellness. This encompasses support for working families, which may include backup dependent care, adoption assistance, infertility coverage, family building support, behavioral health solutions, paid parental leave, and paid caregiver leave. To encourage your personal growth, we also offer a variety of training programs, professional development resources, and opportunities to participate in mentorship programs, employee resource groups, volunteer activities, and much more. For details, visit https://www.virtualfairhub.com/cencora Full time Salary Range• $100,700 - 155,100 •This Salary Range reflects a National Average for this job. The actual range may vary based on your locale. Ranges in Colorado/California/Washington/New York/Hawaii/Vermont/Minnesota/Massachusetts/Illinois State-specific locations may be up to 10% lower than the minimum salary range, and 12% higher than the maximum salary range. Equal Employment Opportunity Cencora is committed to providing equal employment opportunity without regard to race, color, religion, sex, sexual orientation, gender identity, genetic information, national origin, age, disability, veteran status or membership in any other class protected by federal, state or local law. The company's continued success depends on the full and effective utilization of qualified individuals. Therefore, harassment is prohibited and all matters related to recruiting, training, compensation, benefits, promotions and transfers comply with equal opportunity principles and are non-discriminatory. Cencora is committed to providing reasonable accommodations to individuals with disabilities during the employment process which are consistent with legal requirements. If you wish to request an accommodation while seeking employment, please call 888.692.2272 or email hrsc@cencora.com. We will make accommodation determinations on a request-by-request basis. Messages and emails regarding anything other than accommodations requests will not be returned .

Affiliated Companies:

Affiliated Companies:

AmerisourceBergen Services Corporation Cencora is a leading global pharmaceutical solutions company that is committed to improving the lives of people and animals everywhere. We connect manufacturers, providers, and patients to ensure that anyone can get the therapies they need, where and when they need them. We're a purpose-driven organization, where all of our team members around the world are united in our responsibility to create healthier futures. We work together every day to help our partners bring their innovations to patients worldwide, creating unparalleled access and impact at the center of health. Recruitment scams are on the rise and the intent is to target individuals looking for employment opportunities. To protect yourself, we urge you to be vigilant and follow these guidelines. 1.) Research the

Company:

Thoroughly research any company before applying or sharing personal information, check their website, read reviews, and verify their legitimacy. 2.)

Be Wary of Unrealistic Promises:

Exercise caution If a job posting offers high salaries and minimal qualifications. Legitimate jobs will have realistic expectations and provide detailed job requirements. Jobs at Cencora can be found on Cencora.com/careers 3.)

Guard Your Personal Information:

Only share sensitive information after vetting the employer's credibility. Avoid sharing your Social Security number, bank account details, or identification documents during the application process. Cencora does not request this information as part of the employment application. 4.)

Avoid Upfront Payments:

Legitimate employers do not require payment during the hiring process. Be suspicious if you are asked to pay for training materials, processing fees, or background checks before securing a job offer. Cencora will never ask you for payment information during the hiring or onboarding process. 5.)

Verify Communication Channels:

Scammers often use free email services or chat platforms without providing an official company contact information. Cencora recruiters will have an email address ending in @cencora.com, @alliance-healthcare.net, @alliance-healthcare.co.uk, alliance-healthcare.fr or alliance-healthcare.ro Remember to stay vigilant and informed about common scam tactics to reduce the risk of falling victim to fraudulent employment schemes. If you believe you have encountered a job scam posing as a Cencora opportunity, please report it immediately to: GlobalTalentAcquisition@Cencora.com