
Senior Systems Engineer - Hybrid, MN based

NMDP
Posted 5 days ago, valid for 8 days
Location

Minneapolis, MN 55487, US

Salary

$105,000 - $130,000 per year

Contract type

Full Time

Paid Time Off

By applying, a NMDP account will be created for you. NMDP's Privacy Policy and Terms & Conditions will apply.

SonicJobs' Terms & Conditions and Privacy Policy also apply.

Sonic Summary

  • The Senior Systems Engineer role focuses on providing technical leadership in Identity & Access Management (IAM) and IT Productivity & Collaboration services.
  • Candidates should have a minimum of five years of experience in engineering and supporting solutions in a heterogeneous enterprise IT environment.
  • The position involves designing and implementing identity governance capabilities using tools like Okta, Active Directory, and Microsoft Entra.
  • The salary for this position is competitive, with additional benefits including medical, dental, vision, and retirement plans.
  • Local candidates based in Minnesota are preferred, as the role requires easy access to the company's headquarters in downtown Minneapolis.

POSITION SUMMARY:  
The Senior Systems Engineer provides senior technical leadership across two core areas: Identity & Access Management (IAM) and IT Productivity & Collaboration services. The position designs, implements, administers, and supports Identity Governance & Administration (IGA) and enterprise identity services (directory services, SSO/federation, MFA/conditional access alignment, and privileged access) using Okta, Active Directory, and Microsoft Entra. 
As a Senior Systems Engineer you will automate identity lifecycle processes (joiner/mover/leaver; provisioning and deprovisioning) and implement access models, policies, and governance that strengthen authentication/authorization, enable least-privilege access, and reduce identity-based risk. In addition, the position serves as technical owner for Microsoft 365 (Teams, SharePoint/OneDrive, Exchange Online) and key adjacent SaaS platforms, delivering secure and reliable operations through monitoring, incident/problem management and on-call participation, change/ITSM execution, and continuous improvement.
The Senior role leads application onboarding and integrations, supports audits, access reviews, penetration testing and vulnerability remediation with evidence and corrective actions, delivers migrations and modernization efforts, manages vendor/licensing optimization and escalations, and maintains documentation, runbooks, and knowledge transfer to ensure sustainable support and a strong employee experience.

Our team has a solid local presence so local, MN based candidates with easy access to our World Headquarters in downtown Minneapolis are preferred.

ACCOUNTABILITIES:  
Engineering solutions, design, and administration:
•    Design, implement, and maintain IAM/IGA capabilities (directory services, SSO/federation, and privileged access) using Okta, Active Directory, and Microsoft Entra to deliver secure, reliable access.
•    Lead discovery and solution delivery for IAM initiatives (requirements, design, build, testing, and rollout); evaluate options and recommend best-fit approaches with internal teams and vendors.
•    Automate identity lifecycle (joiner/mover/leaver; provisioning/deprovisioning) and related administration using scripting and modern tooling to reduce manual effort and risk.
•    Define and enforce access governance (RBAC/ABAC), policies, workflows, and secure access patterns (SSO/MFA/conditional access alignment and least-privilege role design), including periodic access reviews.
•    Support security and compliance by remediating identity-related vulnerabilities and supporting audits, penetration tests, and access reviews with evidence, reporting, and corrective actions.
•    Onboard and integrate applications and platforms (SaaS and Microsoft 365) using standards-based connectors/integrations; partner with application owners to validate requirements, data flows, and security controls.
•    Own and administer Microsoft 365 and collaboration services (Teams, SharePoint/OneDrive, Exchange Online) and adjacent SaaS tools, including hybrid identity/access integrations and roadmap execution.
•    Operate and improve services through monitoring, dashboards/alerts, incident and problem management (RCA/post-incident reviews), and on-call participation; troubleshoot authentication/authorization/provisioning issues to restore service.
•    Plan, test, and deliver changes using NMDP change management and ITSM practices; validate outcomes and transition to steady-state support.
•    Create and maintain documentation and enablement (standards, runbooks, procedures, and knowledge articles); support tiered support and knowledge transfer with Service Desk/L2.
•    Support privileged access practices using approved vaulting and secrets management (e.g., Delinea Secret Server) for administrative accounts, service accounts, and automation credentials.
•    Partner with Procurement/Vendor Management on renewals, licensing optimization, and vendor escalations; identify cost-saving opportunities through usage analysis and right-sizing.
•    Evaluate and adopt new features and products (including collaboration AI capabilities) via pilots, guardrails, and measured rollouts.
•    Other duties as assigned.

REQUIRED QUALIFICATIONS:
Knowledge of: 
•    IAM/IGA concepts and practices, including identity lifecycle (joiner/mover/leaver), provisioning/deprovisioning, and access recertification.
•    Identity standards and protocols (SAML, OAuth/OIDC, SCIM) and how they are used for SSO/federation and application integrations.
•    Okta, Active Directory, and Microsoft Entra ID administration and configuration concepts (tenant/directory structure, groups, app assignments, conditional access/access policies).
•    Privileged access management principles and controls (least privilege, role-based access, privileged roles/accounts, access request/approval workflows).
•    Security and compliance practices related to identity services, including logging/monitoring, vulnerability remediation, audit evidence collection, and access reviews.
•    Enterprise IT operations practices (incident/problem management, change control) and creating/supporting technical documentation such as procedures and runbooks.

Ability to: 
•    Demonstrate strong interpersonal and organizational skills, demonstrated success in working both independently and in a team environment.  
•    Demonstrate above-average written and oral communication skills.  
•    Demonstrate strong analytical and creative problem solving, and the ability to manage multiple and rapidly changing priorities.
•    Work effectively both independently and collaboratively across technical and non-technical teams.
•    Communicate clearly in writing and verbally, including translating technical concepts for varied audiences.
•    Analyze complex issues, solve problems systematically, and manage multiple priorities in a fast-changing environment.
•    Hands-on experience with the relevant technologies and solutions for fulfilling the activities in the accountabilities section.

Education and/or Experience:
•    Bachelor’s degree in Computer Science, Management Information Systems, Information Security or related field (or equivalent related experience and/or education).
•    Minimum of five years of experience in engineering and supporting solutions in a heterogeneous enterprise IT environment.

PREFERRED QUALIFICATIONS: (Additional qualifications that may make a person even more effective in the role, but are not required for consideration) 
•    Modern Workplace/Automation: Defines and completes project tasks, including scripting, related to workplace automation, leveraging Intune, SharePoint (including migrations), Viva, PowerApps, Power Automate, Microsoft Power Platform, etc.
•    Strong experience with Okta tenant configuration and core components (policies, claims, scopes, access policies) beyond day-to-day administration.
•    Experience partnering with application developers and using Okta APIs to automate integrations and workflows.
•    Experience with log management and reporting tools (e.g., Varonis, Okta reporting) for monitoring and investigation.


NMDP offers regular, full-time employees medical, dental, vision, life and disability, accident/critical illness/hospital, well-being, legal, identity theft and pet benefits. Retirement, paid time off/holidays, leave and incentive plans are also offered to eligible employees. Please reference this link for more information: NMDP Benefit Information


