Entra ID Engineer (IAM SME)

Stream Data Centers, Dallas, TX
$130,000 - $155,000, Hybrid

About The Position

Stream Data Centers is a trusted partner providing world-class data center solutions, focusing on sustainable, secure, and reliable infrastructure since 1999. With 90% of its inventory leased to Fortune 100 customers, Stream has developed and managed over 27 data center projects nationally. The company specializes in wholesale colocation capacity and build-to-suit facilities for hyperscale and enterprise users, also sourcing low-risk land sites and providing energy procurement with a focus on renewable options. Stream's IT team delivers modern, secure technology solutions, combining proactive management, rigorous cybersecurity, and agile software development to drive business growth and innovation.

The Entra ID Engineer (IAM SME) will own the strategy, architecture, and day-to-day governance of Microsoft Entra ID and identity services across Stream. This role involves partnering with Security, Network/Cloud, Applications, and Data Center Operations teams to implement a mature Zero Trust posture, enforce least privilege, and ensure reliable access to critical systems. The engineer will design scalable identity standards, automate lifecycle workflows, drive SSO and provisioning for applications, and serve as the primary escalation point for identity incidents, access requests, and audits. Success requires deep technical expertise in Entra ID and Azure RBAC, a builder’s mindset for automation, and the ability to influence cross-functional partners.

Requirements

  • Bachelor’s degree or equivalent combination of education and experience.
  • 7–10+ years in Identity and Security engineering/architecture, with 5+ years hands-on with Microsoft Entra ID and Microsoft 365 ecosystems.
  • Expert-level knowledge of Entra ID tenant configuration, Conditional Access, MFA/SSPR, PIM/JIT, Identity Protection, access reviews/entitlement management, app registrations, and directory roles.
  • Strong experience with SSO protocols (OpenID Connect, OAuth 2.0, SAML 2.0) and SCIM provisioning; deep understanding of service principals, managed identities, certificates/secrets, and consent governance.
  • Proficiency in automation and IaC: PowerShell, Microsoft Graph, REST APIs, and at least one of Terraform, Bicep, Azure DevOps, or GitHub Actions.
  • Practical knowledge of Intune device compliance and device trust; Windows Hello for Business and certificate-based authentication a plus.
  • Demonstrated Zero Trust and least-privilege design across Azure management groups, subscriptions, and resources; experience writing custom RBAC roles preferred.
  • Background in regulated environments and audits (SOC 2, ISO 27001, NIST); ability to produce control evidence and lead access attestations.
  • Excellent written and verbal communication; proven ability to influence cross-functional teams and mentor others.
  • Ability to work across multiple U.S. locations and travel to data center sites as needed; after-hours availability for high-priority identity incidents when required.

Nice To Haves

  • Experience with Microsoft Entra Admin Center, Azure Portal, Microsoft 365 Admin Center, Intune, Microsoft Defender, Microsoft Sentinel, PowerShell, Microsoft Graph API, GitHub/Azure DevOps, Terraform/Bicep, Power Automate/Logic Apps
  • Experience with alternate IdPs (Okta, Ping, Keycloak, etc.)

Responsibilities

  • Own Entra ID/IAM roadmap and standards: Define target architecture, patterns, and guardrails for identities (users, service principals, managed identities), tenant configuration, and cross-tenant access.
  • Design and enforce strong access controls: Implement and tune Conditional Access, MFA, phishing-resistant authentication, risk-based policies (Identity Protection), and device trust integrations (Intune compliance signals).
  • Implement privileged access at scale: Deploy PIM/JIT for directory roles and Azure RBAC, including approval workflows, break-glass accounts, access reviews, and periodic attestation.
  • Drive application onboarding to SSO: Lead integration of SaaS and internal applications using OpenID Connect, OAuth 2.0, and SAML; standardize claims, consent, token lifetimes, app registrations, and certificate/secret governance.
  • Automate identity lifecycle: Build and maintain join-move-leave provisioning and deprovisioning for users, groups, and roles using SCIM, Microsoft Graph API, PowerShell, and workflow tools to minimize standing privilege and manual processes.
  • Govern external identities: Establish secure policies for B2B/B2C/guest access, cross-tenant trust, and vendor/partner controls aligned to data center operations.
  • Harden Azure access: Apply least-privilege RBAC across management groups, subscriptions, custom roles, and resource scopes for both cloud and on-premises integrations.
  • Monitor and respond: Integrate IAM signals with Microsoft Sentinel and Defender; lead identity-related incident response, forensics, RCAs, and prevention plans.
  • Ensure compliance and audit readiness: Map IAM controls to SOC 2, ISO 27001, NIST, and other frameworks; maintain evidence, control narratives, and access review cadence for internal and external audits.
  • Document and upskill: Publish runbooks, SOPs, and reference architectures; mentor engineers and administrators; deliver knowledge transfer to support teams and stakeholders.
  • Collaborate and communicate: Serve as the primary IAM SME to security, cloud, application, and operations teams; provide regular metrics and risk updates to leadership.
  • Drive continuous improvement: Evaluate new Entra ID and Azure features, licensing impacts, and third-party tools; recommend adoption and deprecation plans to optimize security, cost, and user experience.

Benefits

  • Health Care Plan (Medical, Dental & Vision)
  • Retirement Plan (401k, IRA)
  • Life Insurance (Basic, Voluntary & AD&D)
  • Paid Time Off (Vacation, Sick & Public Holidays)
  • Family Leave (Maternity, Paternity)
  • Short Term & Long Term Disability
  • Training & Development
  • Wellness Resources
  • Annual bonus
  • Flexible time off (vacation)
  • 401k
  • A variety of other perks and benefits