Metropolitan Council
Entra ID Security Engineer (Systems Engineer 3)
Metropolitan Council, Saint Paul, Minnesota, United States, 55199
We are the Metropolitan Council, the regional government for the seven-county Twin Cities metropolitan area. We plan 30 years ahead for the future of the metropolitan area and provide regional transportation, wastewater, and housing services.
More information about us on our website.
We are committed to supporting a diverse workforce that reflects the communities we serve.
Information Services is the central IT department supporting all divisions of the Metropolitan Council. Our 140 team members provide technology, practices, and innovative solutions that enable the core services of the Council.
How your work would contribute to our organization and the Twin Cities region:
We are seeking a highly skilled Entra ID Security Engineer to join our team to design, implement, and manage secure identity services across our cloud infrastructure using Microsoft Entra ID (formerly Azure Active Directory). The ideal candidate will have in-depth experience with identity governance, zero-trust architecture, and hybrid identity environments.
As an Entra ID Security Engineer, you will focus on architecting and maintaining Microsoft Entra ID and Active Directory environments, ensuring robust security for cloud and on-premises resources. You will collaborate closely with the security and operations teams to ensure seamless and secure authentication and authorization processes, enforce identity security best practices, and respond to potential identity threats.
This position is eligible for a hybrid (both remote and onsite) telework arrangement. Candidate's permanent residence must be in Minnesota or Wisconsin.
Full Salary Range:
$42.79 - $69.41 hourly/$89,003 - $144,373 yearly
Architect and Implement Identity Solutions:
Design and implement Microsoft Entra ID identity services to secure access to cloud-based and on-premises applications.
Configure and maintain Conditional Access policies to enforce risk-based sign-in controls, such as multi-factor authentication (MFA), device compliance requirements, and location-based restrictions.
Architect and maintain Identity Governance using Access Reviews, Entitlement Management, and Lifecycle Workflows for efficient user lifecycle management.
Identity Security Best Practices:
Implement Identity Protection policies to detect and respond to risks such as leaked credentials, risky sign-ins, and compromised user accounts.
Develop Zero Trust identity architectures, ensuring strong authentication mechanisms and least-privilege access controls.
Regularly update and audit Access Control Lists (ACLs) and Role-Based Access Control (RBAC) assignments to minimize excess access.
Use Conditional Access report-only mode to evaluate a policy's impact against real sign-ins and fine-tune it before enforcing it.
Hybrid Identity Environment Management:
Oversee and maintain Microsoft Entra Connect (formerly Azure AD Connect) to ensure proper synchronization between on-premises Active Directory (AD) and Microsoft Entra ID.
Configure and secure Single Sign-On (SSO) for both SaaS applications and on-premises resources, using protocols such as SAML, OAuth 2.0, OpenID Connect, and WS-Federation.
Troubleshoot and manage issues in hybrid identity environments, including synchronization conflicts, password hash synchronization, and pass-through authentication.
Monitor and manage Microsoft Entra Domain Services (formerly Azure AD Domain Services) for secure legacy application integration.
Automation and Infrastructure as Code (IaC):
Automate routine identity tasks, such as user provisioning and group management, using PowerShell and the Microsoft Graph API.
Develop and manage Azure ARM templates or Terraform configurations for automating the deployment of identity-related infrastructure components.
Integrate identity services into CI/CD pipelines using Azure DevOps to ensure secure and automated provisioning of roles, policies, and access controls.
Identity Monitoring and Incident Response:
Use Microsoft Entra ID Protection to detect and respond to identity-based threats, such as sign-ins from unfamiliar locations, impossible travel, and anomalous user behavior.
Set up alerts and monitoring in Microsoft Sentinel to track security incidents involving identity resources.
Perform regular security assessments using tools such as Microsoft Defender for Cloud (formerly Azure Security Center) to evaluate identity configuration, detect weaknesses, and apply remediation steps.
Coordinate and respond to identity-related incidents, such as account compromises or privilege escalation attempts, following defined incident response protocols.
Data Security and Compliance:
Securely store and manage encryption keys, certificates, and secrets in Azure Key Vault, with access governed by Entra ID role-based access control.
Implement and enforce Data Loss Prevention (DLP) policies scoped to Entra ID users and groups to ensure that sensitive data remains protected.
Ensure compliance with frameworks such as GDPR, HIPAA, and PCI DSS, regularly auditing identity activity using the Entra ID sign-in logs and audit logs.
Minimum Qualifications:
One of the following combinations of education and experience:
Bachelor's degree and 5 years of experience.
Associate's degree and 7 years of experience.
High school diploma or GED and 9 years of experience.
Knowledge, Skills, and Abilities:
Experience in configuring and managing Microsoft Entra ID (Azure AD) environments.
Experience with Conditional Access, Multi-Factor Authentication (MFA), and Privileged Identity Management (PIM).
Experience with hybrid identity models, including managing Microsoft Entra Connect (Azure AD Connect) and on-premises AD integration.
Proficiency in scripting with PowerShell and managing API-based automation through the Microsoft Graph API.
Experience with cloud identity security tools, including Microsoft Entra ID Protection, Microsoft Defender for Identity, and Microsoft Sentinel.
Understanding of OAuth 2.0, OpenID Connect, and SAML protocols for SSO and federated identity.
Ability to attain the Microsoft AZ-900 fundamentals certification and progress to additional advanced certifications.
Ability to complete Azure DevOps CI/CD implementation for custom applications.
Ability to define a plan to implement security and quality tooling in CI/CD pipelines.
Skilled in collaboration, facilitation, and mentoring.
Strong understanding of overall information security best practices.
Ability to provide high-quality customer service.
Ability to prioritize and balance multiple tasks.
Ability to communicate effectively with diverse peers, business units, and vendors.
Ability to work independently and with minimal supervision.
Ability to implement corrective actions.
What additional skills and experience would be helpful in this job (desired qualifications):
Relevant certifications such as Microsoft Certified: Identity and Access Administrator Associate or Microsoft Certified: Security, Compliance, and Identity Fundamentals.
Experience with Microsoft Entra ID Governance features such as Access Reviews for compliance auditing.
Familiarity with Zero Trust security frameworks and their application to identity management.
What you can expect from us:
We offer the opportunity to make a difference and positively influence the Twin Cities metropolitan area.
We encourage our employees to develop their skills through on-site training and tuition reimbursement.
We provide a competitive salary, excellent benefits, and a good work/life balance.
More about why you should join us!
Union/Grade: AFSCME, Grade I
FLSA Status: Exempt
Safety Sensitive: No
Work Environment:
Work is performed in a standard office setting. May require travel between the primary worksite and various locations on short notice to resolve computer system problems.
What steps the recruitment process involves:
We review your minimum qualifications.
We rate your education and experience.
We conduct a structured panel interview.
We conduct a selection interview.
Once you have successfully completed the steps above, then:
If you are new to the Metropolitan Council, you must pass a drug test (safety sensitive positions only) and a background check which verifies education, employment, and criminal history. A driving record check and/or physical may be conducted if applicable to the job. If you have a criminal conviction, you do not automatically fail. The Metropolitan Council considers felony, gross misdemeanor, and misdemeanor convictions on a case-by-case basis, based on whether they are related to the job and whether the candidate has demonstrated adequate rehabilitation.
If you are already an employee of the Metropolitan Council, you must pass a drug test (if moving from a non-safety sensitive position to a safety sensitive position) and a criminal background check if the job you're applying for is safety sensitive, is a supervisory or management job, is in the Finance, Information Services, Audit, or Human Resources departments, or has access to financial records, files/databases, cash, vouchers, or transit fare cards. A driving record check and/or physical may be conducted if applicable to the position.
IMPORTANT: If you make a false statement or withhold information, you may be barred from job consideration.
The Metropolitan Council is an Equal Opportunity, Affirmative Action, and veteran-friendly employer. The Council is committed to a workforce that reflects the diversity of the region and strongly encourages persons of color, members of the LGBTQ community, individuals with disabilities, women, and veterans to apply.
If you have a disability that requires accommodation during the selection process, please email HR-OCCHealth@metc.state.mn.us.
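The Identity Security Best Practices and Automation responsibilities above describe staging a Conditional Access policy in report-only mode and measuring its effect before enforcing it. The following is an added example of that workflow using the Microsoft Graph PowerShell SDK; it is not code from the job posting or from the Metropolitan Council. The break-glass group ID is a placeholder you must replace with your own emergency-access group, and the seven-day review window is an arbitrary choice.

```powershell
# Added example (not from the posting): create a Conditional Access policy in
# report-only mode, then read the sign-in logs to see what it would have done.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).

Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Reports

# Request only the scopes this task needs.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'AuditLog.Read.All', 'Directory.Read.All'

# PLACEHOLDER (assumption): object ID of your emergency-access ("break-glass") group.
# Always exclude it so a bad policy cannot lock every administrator out.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'CA-REPORT-Require-MFA-All-Users'
    # Report-only: evaluated and logged on every sign-in, never enforced.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# After the policy has run in report-only mode for a while (7 days here, an
# arbitrary window), tally how each recent sign-in would have been treated.
# 'reportOnlyFailure' = sign-ins that would be challenged or blocked once enforced.
$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

$results = foreach ($s in $signIns) {
    foreach ($ap in $s.AppliedConditionalAccessPolicies) {
        if ($ap.Id -eq $created.Id) {
            [pscustomobject]@{
                User   = $s.UserPrincipalName
                App    = $s.AppDisplayName
                Client = $s.ClientAppUsed
                Result = $ap.Result   # reportOnlySuccess | reportOnlyFailure | reportOnlyNotApplied | reportOnlyInterrupted
            }
        }
    }
}

# Summary by outcome, then the would-be failures for review.
$results | Group-Object Result | Select-Object Name, Count | Format-Table -AutoSize
$results | Where-Object Result -eq 'reportOnlyFailure' |
    Sort-Object User, App -Unique | Format-Table -AutoSize

# Only after every reportOnlyFailure is understood (service accounts, legacy
# clients that cannot do MFA, apps that need an exclusion) flip it to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = 'enabled' }
```

The exclusion of the break-glass group is the important safety check: a report-only policy costs nothing if it is wrong, but the same policy in the enabled state with no exclusions can lock out the accounts needed to repair it. Keep the report-only review step in the same script or pipeline that later enables the policy, so enforcement is never a separate, unreviewed change.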