Senior Entra ID/Active Directory Engineer (Systems Engineer 3)

We are the Metropolitan Council, the regional government for the seven-county Twin Cities metropolitan area. We plan 30 years ahead for the future of the metropolitan area and provide regional transportation, wastewater, and housing services. More information about us on our website.

We are committed to supporting a diverse workforce that reflects the communities we serve.

Information Services is the central IT department supporting all divisions of the Metropolitan Council. Our 140 team members provide technology, practices, and innovative solutions that enable the core services of the Council.

How your work would contribute to our organization and the Twin Cities region:
We are seeking a highly skilled and experienced Senior Entra ID / Active Directory Engineer to join our team. This role is critical in administering and securing a complex IT environment containing CJIS Data, PCI, HIPAA, and PII data. The ideal candidate will have extensive experience in managing hybrid on-premises and cloud identity services, implementing security best practices, and ensuring compliance with regulatory requirements. This position demands a proactive individual with strong technical expertise, leadership skills, and a commitment to operational excellence.

This position is eligible for a hybrid (both remote and onsite) telework arrangement. Candidate's permanent residence must be in Minnesota or Wisconsin.

Full Salary Range: $44.72 - $72.53 hourly/$93,018 - $150,862 yearly

Identity Management & Administration:

• Design, implement, and manage hybrid Active Directory (AD) environments and Azure Active Directory (Entra ID)
• Integrate systems and applications with centralized authentication solutions
• Administer identity federation services such as Single Sign On (SSO) and Multifactor Authentication (MFA)
• Manage directory synchronization tools like Azure AD Connect or Okta

• Implement security measures to protect AD/Entra ID environments against vulnerabilities
• Ensure compliance with CJIS, PCI, HIPAA, and other relevant regulatory frameworks
• Conduct regular disaster recovery exercises for AD/Entra ID environments
• Develop and enforce security baselines and policies for identity services

• Monitor system performance, capacity planning, and resolve high-severity incidents
• Automate processes using PowerShell scripting or other tools to enhance efficiency
• Conduct regular health checks of identity platforms to ensure operational stability
• Maintain detailed technical documentation and Standard Operating Procedures (SOPs)

• Provide technical leadership to cross-functional teams
• Mentor junior engineers and operational teams on best practices
• Participate in architectural discussions to design scalable, secure solutions
• Collaborate with stakeholders to align identity services with business needs

Any of the following combinations of education (in Computer Science, Systems Security, or similar) and relevant experience:

• Bachelor's degree and 5 years of experience
• Associate's degree and 7 years of experience
• High school diploma or GED and 9 years of experience

• Advanced knowledge of Active Directory (onpremises) and Azure Active Directory/Entra ID
• Expertise in authentication protocols such as LDAP, Kerberos, SAML, OIDC
• Proficiency in PowerShell scripting for automation tasks
• Experience with disaster recovery planning for directory services
• Familiarity with Group Policy Objects (GPO), AD replication, backup/restoration processes
• Strong understanding of identity security best practices
• Experience implementing privileged access management (PAM) solutions
• Familiarity with regulatory frameworks like CJIS, PCI DSS, HIPAA
• Strong problem-solving abilities under pressure
• Excellent communication skills for collaboration across teams
• High attention to detail with a proactive approach to identifying risks
  
  

• Relevant certifications such as Microsoft Certified: Identity and Access Administrator Associate (SC300) or MCSE: Core Infrastructure
• Expertise with Microsoft Azure
• Expertise with Entra ID
• Experience in domain consolidation or migration projects
• Knowledge of modern access control models (RBAC, PBAC)
• Exposure to AI/ML tools for enhancing IT operations
  
  

• We offer the opportunity to make a difference and positively influence the Twin Cities metropolitan area
• We encourage our employees to develop their skills through on-site training and tuition reimbursement
• We provide a competitive salary, excellent benefits and a good work/life balance

Union/Grade: AFSCME, Grade I
FLSA Status: Exempt
Safety Sensitive: No

Work Environment:
Work is performed in a standard office setting. May require travel between primary worksite and various locations on short notice to resolve computer system problems.

What steps the recruitment process involves:

1. We review your minimum qualifications
2. We rate your education and experience
3. We conduct a structured panel interview
4. We conduct a selection interview

Security Policy:

This position

involves direct access to Criminal Justice Information (CJI) as defined by the

FBI CJIS (Criminal Justice Information Services) security policy. In accordance

with section 5.12.1.1 of the FBI CJIS Security Policy, final candidates must

agree to submit to a state of residence and national fingerprint-based record

check.

If the result of the

record check reveals criminal convictions, the nature and circumstances of

those convictions will be reviewed by the Metropolitan Transit Police

Department and/or the Minnesota Bureau of Criminal Apprehension to determine if

access to Criminal Justice Information would be permissible. If it is

determined that access to Criminal Justice Information would not be

permissible, the candidate will no longer be considered for the position.