Active Directory & Identity Engineer

Summary:

The Active Directory & Identity Engineer will serve as the bridge between IT operations and cybersecurity, moving beyond simple account creation to architect a secure, automated, and compliant identity ecosystem. This position will be responsible for implementing next-generation Identity Governance (IGA) and lead our transition to a continuous compliance model, leveraging automation, machine learning, and automated UI interactions to secure every application—even those without standard APIs. The Active Directory & Identity Engineer will be the subject matter expert responsible for ensuring that the right individuals have access to the right resources at the right time—and validating that access through rigorous governance.

Applicants are required to be eligible to lawfully work in the United States immediately. This position is not available for H1-B visa sponsorship.

Responsibilities:

• Serve as the primary owner of our Identity Governance and Administration (IGA) platform. Ensure the system provides 100% visibility into user access across the enterprise, ingesting data accurately from HRIS, Active Directory, and ERPs.
• Utilize machine learning (ML) and peer-group analysis to ensure dynamic group management. Design policies that adapt to business changes and reduce "role explosion."
• Orchestrate monthly and quarterly access certification campaigns. Reduce "reviewer fatigue" by implementing intelligent risk scoring, allowing managers to focus only on high-risk or anomalous access.
• Configure automated workflows to ensure that when access is revoked during a review, the change is immediately executed in the target application or ITSM tool without manual intervention.
• Develop strategies to ingest identity data from "unmanageable" or legacy applications that lack native APIs and bring these isolated systems into the central governance framework using automated UI interactions.
• Establish monitoring to detect unauthorized permission changes ("access drift”) made directly in applications outside of formal approval processes—and trigger automated remediation.
• Lead the technical design for enterprise IAM solutions, ensuring all authentication methods adhere to modern standards (SAML 2.0, OIDC, OAuth).
• Enforce a strict "Identity First" policy for new software. Ensure all SaaS and on-premises applications are integrated into the SSO and IGA platforms before go-live.
• Map and govern granular permissions within cloud infrastructure (AWS/Azure/GCP) to ensure resources are not over-privileged.
• Manage the enterprise Multi-Factor Authentication (MFA) platform to enforce zero-trust access. Serve as the owner of the Public Key Infrastructure (PKI), managing internal Certificate Authorities (CAs) and the lifecycle of digital certificates.
• Manage and support the health of Active Directory (on-prem) and Microsoft Entra ID (Azure AD), ensuring high availability and secure replication.
• Ensure the "Joiner, Mover, Leaver" (JML) processes are optimized and automated to allow immediate access for new hires (Onboarding) and real-time revocation for terminations (Offboarding).
• Utilize PowerShell and API integrations to automate bulk tasks, reporting, and complex attribute syncing between systems.
• Work closely with the Security Operations Center to integrate IAM logs with the SIEM. Proactively tune alerts for identity-based threats such as impossible travel or credential theft.
• Oversee the PAM solution to secure and rotate credentials for high-value administrative accounts.
• Design and enforce strict policies for non-employee identities (contractors, vendors). Ensure external access is time-bound, sponsored by an internal manager, and subject to frequent review cycles.

Qualifications:

Minimum:

• Bachelor’s degree or an equivalent amount of experience.
• 5-7 years of hands-on experience in Identity and Access Management or Systems Engineering.
• Proven experience administering modern IGA platforms.
• Integration Expertise: Experience connecting "disconnected" or legacy applications to identity platforms using JSON, CSV parsing, or automated UI interaction techniques.
• Deep expertise in Active Directory (Group Policy, DNS, Forest/Domain architecture) and Microsoft Entra ID/Azure AD.
• Strong proficiency in PowerShell or Python for automation and data manipulation.
• Experience managing PKI (Public Key Infrastructure) and Certificate Authorities.
• Experience working directly with auditors to prove compliance and explain "who has access to what and why."
• Ability to mentor junior administrators and ServiceDesk staff, raising the technical proficiency of the team.
• Strong analytical and problem-solving skills with the ability to make sound decisions under pressure.
• Strong ability to explain complex security risks to non-technical business stakeholders.

Preferred:

• Bachelor’s degree in computer science, Information Systems, or equivalent experience.
• Experience with Cloud Infrastructure Entitlement Management (CIEM) concepts.
• Certifications: Microsoft Identity and Access Administrator Associate (SC-300).

About NTTA: NTTA is a political subdivision of Texas created to acquire, construct, maintain and operate toll roads in North Texas. As a customer-driven organization, NTTA delivers a safe and reliable toll system for millions of customers each year in one of the fastest growing regions in the United States. NTTA is a vibrant organization with a highly qualified, energized and engaged team focused on achieving Excellence and we are looking for talented individuals to join us.

Our mission: We are committed to providing a safe and reliable toll road system, increase value and mobility options for our customers, operate the Authority in a businesslike manner, protect our bondholders, and partner to meet our region's growing need for transportation infrastructure.