Entra ID Engineer (IAM SME)

For years,  Stream Data Centers has been a trusted partner in providing world-class data center solutions. With a focus on sustainable, secure, and reliable infrastructure, Stream empowers businesses to scale their digital operations while prioritizing environmental and social responsibility.

Stream Data Centers continues to set new standards for innovation, operational excellence, and sustainability in the data center industry, having provided premium data center services since 1999. Now, with 90% of its inventory leased to Fortune 100 customers, the company has acquired, developed and managed more than 27 data center projects nationally, while leadership has remained consistent for over two decades.

From site selection to data center construction and operations, Stream develops wholesale colocation capacity and build-to-suit facilities for hyperscale and enterprise users in major markets across the United States. Additionally, Stream sources and develops low-risk land sites for optimum data center development and provides energy procurement services with a focus on reducing market risk and providing low-cost renewable energy options.

Information Technology Department:

Stream’s IT team delivers modern, secure technology solutions that power our global operations. We combine proactive management, rigorous cybersecurity, and agile software development to drive business growth. By aligning technology strategy with business goals, we keep Stream at the forefront of innovation and operational excellence.

The Role:

The Entra ID Engineer (IAM SME) owns the strategy, architecture, and day-to-day governance of Microsoft Entra ID and identity services across Stream. You will partner closely with Security, Network/Cloud, Applications, and Data Center Operations teams to implement a mature Zero Trust posture, enforce least privilege, and deliver reliable access to critical systems.

You will design scalable identity standards, automate lifecycle workflows, drive SSO and provisioning for applications, and serve as the go-to escalation point for identity incidents, access requests, and audits. Success requires deep technical expertise in Entra ID and Azure RBAC, a builder’s mindset for automation, and the ability to influence cross-functional partners.

Key Responsibilities:

• Own Entra ID/IAM roadmap and standards: Define target architecture, patterns, and guardrails for identities (users, service principals, managed identities), tenant configuration, and cross-tenant access.

• Design and enforce strong access controls: Implement and tune Conditional Access, MFA, phishing-resistant authentication, risk-based policies (Identity Protection), and device trust integrations (Intune compliance signals).

• Implement privileged access at scale: Deploy PIM/JIT for directory roles and Azure RBAC, including approval workflows, break-glass accounts, access reviews, and periodic attestation.

• Drive application onboarding to SSO: Lead integration of SaaS and internal applications using OpenID Connect, OAuth 2.0, and SAML; standardize claims, consent, token lifetimes, app registrations, and certificate/secret governance.

• Automate identity lifecycle: Build and maintain join-move-leave provisioning and deprovisioning for users, groups, and roles using SCIM, Microsoft Graph API, PowerShell, and workflow tools to minimize standing privilege and manual processes.

• Govern external identities: Establish secure policies for B2B/B2C/guest access, cross-tenant trust, and vendor/partner controls aligned to data center operations.

• Harden Azure access: Apply least-privilege RBAC across management groups, subscriptions, custom roles, and resource scopes for both cloud and on-premises integrations.

• Monitor and respond: Integrate IAM signals with Microsoft Sentinel and Defender; lead identity-related incident response, forensics, RCAs, and prevention plans.

• Ensure compliance and audit readiness: Map IAM controls to SOC 2, ISO 27001, NIST, and other frameworks; maintain evidence, control narratives, and access review cadence for internal and external audits.

• Document and upskill: Publish runbooks, SOPs, and reference architectures; mentor engineers and administrators; deliver knowledge transfer to support teams and stakeholders.

• Collaborate and communicate: Serve as the primary IAM SME to security, cloud, application, and operations teams; provide regular metrics and risk updates to leadership.

• Drive continuous improvement: Evaluate new Entra ID and Azure features, licensing impacts, and third-party tools; recommend adoption and deprecation plans to optimize security, cost, and user experience.

Success Metrics & KPIs

• Identity security posture: Measurable reduction in risky sign-ins and legacy authentication; high MFA/SSPR adoption; improved Secure Score and identity recommendations.

• Privileged access governance: Full PIM coverage for privileged roles; reduced standing privilege; timely approvals and successful periodic access reviews/attestations.

• Application onboarding velocity: Predictable, high-quality SSO + provisioning deliveries using standardized patterns and low defect rates.

• Operational reliability: Fewer identity-related incidents; faster MTTR for IAM issues; clear RCAs and prevention actions.

• Audit readiness: On-time access reviews, complete evidence packages, and minimal (or zero) audit findings related to identity controls.

Requirements

Basic Qualifications

• Bachelor’s degree or equivalent combination of education and experience.

• 7–10+ years in Identity and Security engineering/architecture, with 5+ years hands-on with Microsoft Entra ID and Microsoft 365 ecosystems.

• Expert-level knowledge of Entra ID tenant configuration, Conditional Access, MFA/SSPR, PIM/JIT, Identity Protection, access reviews/entitlement management, app registrations, and directory roles.

• Strong experience with SSO protocols (OpenID Connect, OAuth 2.0, SAML 2.0) and SCIM provisioning; deep understanding of service principals, managed identities, certificates/secrets, and consent governance.

• Proficiency in automation and IaC: PowerShell, Microsoft Graph, REST APIs, and at least one of Terraform, Bicep, Azure DevOps, or GitHub Actions.

• Practical knowledge of Intune device compliance and device trust; Windows Hello for Business and certificate-based authentication a plus.

• Demonstrated Zero Trust and least-privilege design across Azure management groups, subscriptions, and resources; experience writing custom RBAC roles preferred.

• Background in regulated environments and audits (SOC 2, ISO 27001, NIST); ability to produce control evidence and lead access attestations.

• Excellent written and verbal communication; proven ability to influence cross-functional teams and mentor others.

• Ability to work across multiple U.S. locations and travel to data center sites as needed; after-hours availability for high-priority identity incidents when required.

Preferred Qualifications

• Experience with Microsoft Entra Admin Center, Azure Portal, Microsoft 365 Admin Center, Intune, Microsoft Defender, Microsoft Sentinel, PowerShell, Microsoft Graph API, GitHub/Azure DevOps, Terraform/Bicep, Power Automate/Logic Apps
• Experience with alternate IdPs (Okta, Ping, Keycloak, etc.)

Benefits

• Health Care Plan (Medical, Dental & Vision)
• Retirement Plan (401k, IRA)
• Life Insurance (Basic, Voluntary & AD&D)
• Paid Time Off (Vacation, Sick & Public Holidays)
• Family Leave (Maternity, Paternity)
• Short Term & Long Term Disability
• Training & Development
• Wellness Resources

The pay range for this role is between $130,000 – 155,000 (base). Individual compensation packages are based on various factors unique to each candidate, including skill set, experience, qualifications, location, and other job-related reasons. Stream Data Centers offers annual bonus, benefits, flexible time off (vacation), 401k and a variety of other perks and benefits.

Stream is an equal-opportunity employer and does not discriminate on the basis of ethnicity, race, religion, sex, age, national origin, disability, military status, or any other reason prohibited by law. Note: Nothing in this job description restricts management’s right to assign or reassign duties and responsibilities to this job at any time.