Information Security Risk Consultant
UnitedHealth Group
Optum is a global organization that delivers care, aided by technology, to help millions of people live healthier lives. The work you do with our team will directly improve health outcomes by connecting people with the care, pharmacy benefits, data and resources they need to feel their best. Here, you will find a culture guided by inclusion, talented peers, comprehensive benefits and career development opportunities. Come make an impact on the communities we serve as you help us advance health optimization on a global scale. Join us to start **Caring. Connecting. Growing together.**
We are looking for a hands-on IAM Engineer to own and operate our Microsoft Entra ID (Azure AD) cloud identity estate and adjacent identity infrastructure across Azure. You will handle day-to-day identity operations (joiner/mover/leaver access, privileged access, troubleshooting, hardening) and drive continuous improvement (automation, security controls, audit readiness, governance, and lifecycle management) for workforce and workload identities.
**Primary Responsibilities:**
+ Operate and support Microsoft Entra ID (users, groups, roles, RBAC assignments, administrative units) and Azure identity controls
+ Implement and maintain Conditional Access (MFA policies, risk-based access, device compliance, location controls, session controls)
+ Manage Privileged Identity Management (PIM) (role eligibility, approvals, activation policies, alerting, break-glass controls)
+ Run Identity Governance capabilities (Access Reviews, Entitlement Management, Lifecycle Workflows) to reduce access sprawl
+ Manage application identities: App registrations, Enterprise Apps, service principals, SSO integrations (SAML or OIDC), SCIM provisioning
+ Secure workload identities: Managed identities, federated credentials (OIDC or workload identity federation), Key Vault integration, secret or cert rotation
+ Support hybrid identity where applicable: Entra Cloud Sync or Azure AD Connect, AD DS dependencies, password hash sync or PTA or federation considerations
+ Troubleshoot authentication and authorization issues using Entra audit or sign-in logs, Azure Activity logs
+ Create or maintain runbooks, SOPs, change records, incident playbooks; participate in on-call or incident response as needed
+ Automate operations using PowerShell or Graph API or Terraform/Bicep with Git-based workflows and idempotent patterns
+ Comply with the terms and conditions of the employment contract, company policies and procedures, and any and all directives (such as, but not limited to, transfer and/or re-assignment to different work locations, change in teams and/or work shifts, policies in regards to flexibility of work benefits and/or work environment, alternative work arrangements, and other decisions that may arise due to the changing business environment). The Company may adopt, vary or rescind these policies and directives in its absolute discretion and without any limitation (implied or otherwise) on its ability to do so
**Required Qualifications:**
+ Undergraduate degree or equivalent practical experience
+ 6+ years in enterprise Microsoft Entra ID or Azure IAM engineering or operations
+ Hands-on experience with PIM, role-based administration, privileged access design, and break-glass standards
+ Experience with SSO and app onboarding (SAML, OIDC), Enterprise Apps, SCIM provisioning, and access troubleshooting
+ Experience securing workload identities:
  + Service principals or managed identities
  + App secrets or certificates management
  + Secret rotation and Key Vault practices
  + Delegated vs application permissions, consent governance
+ Solid understanding of Zero Trust identity controls (MFA, Conditional Access, least privilege, phishing-resistant auth patterns)
+ Working knowledge of Microsoft Graph (permissions, API usage) and automation at scale
+ Proficient in PowerShell (error handling, modular scripts, idempotent workflows) and Git (PRs, branching, reviews)
+ Proven solid documentation and operational discipline: runbooks, audit evidence, post-incident review
**Must have Skills** (for Cloud IAM Entry Ops):
+ Microsoft Entra ID operations (users or groups or roles, RBAC assignment hygiene)
+ Conditional Access policy design and troubleshooting
+ PIM administration and privileged role governance (eligibility or activation or approvals)
+ App onboarding (Enterprise Apps, App Registrations, SAML or OIDC basics)
+ Workload identity fundamentals (service principals, managed identities, secret or cert rotation using Key Vault)
+ Log-driven troubleshooting (sign-in logs, audit logs, Azure activity logs)
+ PowerShell and Microsoft Graph scripting; Git workflows
**Preferred Qualifications:**
+ Experience with Identity Governance (Access Reviews, Entitlement Management, Lifecycle Workflows)
+ Exposure to Defender for Identity, Identity Protection or Defender for Cloud Apps
+ Familiarity with Azure landing zones: management groups, subscription RBAC models, Azure Policy guardrails
+ Experience with Infrastructure-as-Code: Terraform or Bicep, CI/CD pipelines with secure service connection
_At UnitedHealth Group, our mission is to help people live healthier lives and make the health system work better for everyone. We believe everyone - of every race, gender, sexuality, age, location and income - deserves the opportunity to live their healthiest life. Today, however, there are still far too many barriers to good health which are disproportionately experienced by people of color, historically marginalized groups and those with lower incomes. We are committed to mitigating our impact on the environment and enabling and delivering equitable care that addresses health disparities and improves health outcomes - an enterprise priority reflected in our mission._