WHO WE ARE
This position is eligible for a hybrid (both remote and onsite) telework arrangement. Candidate's permanent residence must be in Minnesota or Wisconsin.
We are the Metropolitan Council, the regional government for the seven-county Twin Cities metropolitan area. We plan 30 years ahead for the future of the metropolitan area and provide regional transportation, wastewater, and housing services.
More information about us on our website.
We are committed to supporting a diverse workforce that reflects the communities we serve.
Information Services is the central IT department supporting all divisions of the Metropolitan Council. Our 140 team members provide technology, practices, and innovative solutions that enable the core services of the Council.
How your work would contribute to our organization and the Twin Cities region:
We are seeking a highly skilled Entra ID Security Engineer to join our team to design, implement, and manage secure identity services across our cloud infrastructure using Microsoft Entra ID (formerly Azure Active Directory).
The ideal candidate will have in-depth experience with identity governance, zero-trust architecture, and hybrid identity environments.
As an Entra ID Security Engineer, you will focus on architecting and maintaining Microsoft Entra ID and Active Directory environments, ensuring robust security for cloud and on-premises resources.
You will collaborate closely with the security and operations teams to ensure seamless and secure authentication and authorization processes, enforce identity security best practices, and respond to potential identity threats.
Full Salary Range: $42.79 - $69.41 hourly / $89,003 - $144,373 yearly
What you would do in this job
Architect and Implement Identity Solutions:
- Design and implement Microsoft Entra ID identity services to secure access to cloud-based and on-premises applications
- Configure and maintain Azure AD Conditional Access Policies to enforce risk-based sign-in controls, such as multi-factor authentication (MFA), device compliance policies, and geolocation-based restrictions
- Architect and maintain Identity Governance using Access Reviews, Entitlement Management, and Lifecycle Workflows for efficient user lifecycle management
Identity Security Best Practices:
- Implement Identity Protection policies to detect and respond to risks such as leaked credentials, risky sign-ins, and compromised user accounts
- Develop Zero Trust identity architectures, ensuring strong authentication mechanisms and least privilege access controls
- Regularly update and audit Access Control Lists (ACLs) and Role-Based Access Control (RBAC) policies to minimize access vulnerabilities
- Utilize Conditional Access Report-Only Mode to simulate policies and fine-tune their impact before enforcing
Hybrid Identity Environment Management:
- Oversee and maintain Azure AD Connect to ensure proper synchronization between on-premises Active Directory (AD) and Microsoft Entra ID
- Configure and secure Single Sign-On (SSO) for both SaaS applications and on-premises resources, leveraging protocols such as SAML, OAuth2, OpenID Connect, and WS-Federation
- Troubleshoot and manage issues related to hybrid identity environments, including synchronization conflicts, password hash synchronization, and pass-through authentication
- Monitor and manage Azure AD Domain Services (AAD DS) for secure legacy app integration
Automation and Infrastructure as Code (IaC):
- Automate routine identity tasks, such as user provisioning and group management, using PowerShell and Microsoft Graph API
- Develop and manage Azure ARM templates or Terraform scripts for automating the deployment of identity-related infrastructure components
- Integrate identity services into CI/CD pipelines using Azure DevOps to ensure secure and automated provisioning of roles, policies, and access controls
Identity Monitoring and Incident Response:
- Utilize Microsoft Entra Identity Protection to detect and respond to identity-based threats, such as sign-ins from unfamiliar locations, impossible travel scenarios, and suspicious user behavior
- Set up alerts and monitoring using Microsoft Sentinel to track security incidents involving identity resources
- Perform regular security assessments using tools like Azure Security Center to evaluate identity configuration, detect vulnerabilities, and apply remediation steps
- Coordinate and respond to identity-related incidents, such as account compromises or privilege escalation attempts, following defined incident response protocols
Data Security and Compliance:
- Securely store and manage encryption keys, certificates, and secrets using Azure Key Vault integrated with Entra ID for role-based access
- Implement and enforce Data Loss Prevention (DLP) policies within Entra ID to ensure that sensitive data remains protected within the identity system
- Ensure compliance with frameworks such as GDPR, HIPAA, and PCI-DSS, regularly auditing identity logs and access records using Azure AD Sign-in Logs and Audit Logs
What education and experience are required for this job (minimum qualifications)
Any of the following combinations of education (in Computer Science, Systems Security, or similar) and relevant experience:
- Bachelor's degree and 5 years of experience
- Associate's degree and 7 years of experience
- High school diploma or GED and 9 years of experience
Knowledge, Skills, and Abilities:
- Experience in configuring and managing Microsoft Entra ID (Azure AD) environments
- Experience with Conditional Access, Multi-Factor Authentication (MFA), and Privileged Identity Management (PIM)
- Experience with hybrid identity models, including managing Azure AD Connect and on-premises AD integration
- Proficiency in scripting with PowerShell and managing API-based automation through Microsoft Graph API
- Experience with cloud identity management tools, including Azure Identity Protection, Microsoft Defender for Identity, and Microsoft Sentinel
- Understanding of OAuth2, OpenID Connect, and SAML protocols for SSO and federated identity
- Ability to attain Microsoft AZ-900 fundamentals certification and progress to additional advanced certifications
- Ability to complete Azure DevOps services CI/CD implementation for custom applications
- Ability to define a plan to implement security and quality tooling into CI/CD pipelines
- Skilled in collaboration, facilitation, and mentoring
- Strong understanding of overall information security best practices
- Ability to provide great quality customer service
- Ability to prioritize and balance multiple tasks
- Ability to communicate effectively with diverse peers, business units and vendors
- Ability to work independently and with minimal supervision
- Ability to implement corrective actions
What additional skills and experience would be helpful in this job (desired qualifications):
- Relevant certifications such as Microsoft Certified: Identity and Access Administrator Associate or Microsoft Certified: Security, Compliance, and Identity Fundamentals
- Experience with auditing tools like Azure AD Identity Governance and Access Reviews for compliance
- Familiarity with Zero Trust security frameworks and their application to identity management
What you can expect from us:
- We offer the opportunity to make a difference and positively influence the Twin Cities metropolitan area
- We encourage our employees to develop their skills through on-site training and tuition reimbursement
- We provide a competitive salary, excellent benefits and a good work/life balance
More about why you should join us!
Additional information
Union/Grade: AFSCME, Grade I
FLSA Status: Exempt
Safety Sensitive: No
Work Environment:
Work is performed in a standard office setting.
May require travel between primary worksite and various locations on short notice to resolve computer system problems.
What steps the recruitment process involves:
- We review your minimum qualifications.
- We rate your education and experience.
- We conduct a structured panel interview.
- We conduct a selection interview.
Once you have successfully completed the steps above, then:
If you are new to the Metropolitan Council, you must pass a drug test (safety sensitive positions only), and a background check which verifies education, employment, and criminal history.
A driving record check and/or physical may be conducted if applicable to the job. If you have a criminal conviction, you do not automatically fail.
The Metropolitan Council considers felony, gross misdemeanor and misdemeanor convictions on a case-by-case basis, based on whether they are related to the job and whether the candidate has demonstrated adequate rehabilitation.
If you are already an employee of the Metropolitan Council, you must pass a drug test (if moving from a non-safety sensitive position to a safety sensitive position) and criminal background check if the job you're applying for is safety sensitive, is a supervisory or management job, is in the Finance, Information Services, Audit, or Human Resources departments, or has access to financial records, files/databases, cash, vouchers or transit fare cards.
A driving record check and/or physical may be conducted if applicable to the position.
IMPORTANT: If you make a false statement or withhold information, you may be barred from job consideration.
The Metropolitan Council is an Equal Opportunity, Affirmative Action, and veteran-friendly employer. The Council is committed to a workforce that reflects the diversity of the region and strongly encourages persons of color, members of the LGBTQ community, individuals with disabilities, women, and veterans to apply.
If you have a disability that requires accommodation during the selection process, please email [email protected].