Mid-Level Entra/Active Directory Engineer

Overview

  • Schedule: Full-time
  • Education: Network (CCNA, CCNP, CCIE)
  • Career level: Senior-level
  • Remote: Hybrid remote
  • Benefits: Health Insurance, Dental Insurance, Vision Insurance

Job Description

Description

TGen, the Translational Genomics Research Institute, is part of City of Hope. We are an Arizona-based, nonprofit medical research institute dedicated to conducting groundbreaking research with life-changing results. No matter the role, every TGen employee contributes to success. Together, we work toward a common goal: improving medicine to enhance a patient's quality of life. It's not all biomarkers and sequencing; it is a mix of humanity improving the human condition. Find your role at TGen, in an environment ignited by a profound purpose.

The work in our laboratories and offices leads to innovative scientific breakthroughs and improved quality of life. Collectively, we offer renewed hope to patients worldwide through our highly-specialized precision medicine approach that places the patient at the heart of all our work. For individuals faced with a dire medical condition, that story can be powerful and transformative. It can pinpoint a diagnosis, and lead to more precise and individual treatments. That's because TGen rapidly translates genomic research into medical practice by collaborating with the most progressive scientific and medical minds worldwide.

We are currently seeking a mid-level Entra/Active Directory Engineer. This role is critical to building and maintaining the identity infrastructure in on-prem Active Directory (AD) and Entra ID (formerly Azure AD) that will better enable secure, frictionless, POSIX-compliant access for external users on the TGen HPC cluster while preserving each organization's security and operational independence. It is a hybrid work location role, with some time in office required.

We are a human-centric organization, and that translates to our employees. Some of the perks of working for us:

  • BC/BS of Arizona health coverage.
  • Dental, Vision, Life, Short and Long Term Disability
  • Top-notch EAP with a full scope of concierge-type services
  • 401k with 6% match
  • Generous time off
  • Commuter benefits
  • Much, much more!

Key Responsibilities

Microsoft Entra ID / AD

  • Validate the existing cloud-based Entra ID to on-prem AD environment and configuration.
  • Validate the existing Entra ID to Okta implementation, including Office 365 and SharePoint related configuration.
  • Ensure compliance with Entra ID best practices for all aspects of the TGen Entra ID / O365 environment, including directory services, Exchange configuration, SharePoint, and others.

Identity and Access Management

  • Evaluate the existing implementation of, and recommend best-practice refinements to, Unix authentication to AD, including distribution of globally unique POSIX UID and GID information sourced from on-prem AD, Entra ID, or Okta to HPC login and compute nodes (Rocky Linux 9) as well as network-attached or distributed file systems including PowerScale and VAST.
  • Work with business partners to identify, define, and implement best-practice-based forest configuration with external business partners which use Entra ID, including possible cross-integrations with the TGen Okta identity management platform.

Administration & Operations

  • Manage daily operations of any cross-forest trusts, Entra ID and AD services.
  • Monitor trust health, Kerberos ticket flows, LDAP queries, and authentication performance.
  • Automate repetitive tasks using Ansible and other scripting languages where appropriate.
  • Collaborate with HPC engineers to ensure consistent identity resolution and caching behavior across all HPC login and compute nodes.
  • Support the standardization of the installation, configuration, and hardening of SSSD/IdM client configurations for reliable user and group resolution, RBAC rules, sudo policies, and automount on HPC nodes on Rocky Linux 9 and associated infrastructure.

Support & Troubleshooting

  • Monitor for and troubleshoot Kerberos, SSSD, and cross-forest referral issues, as well as Azure connectivity problems.
  • Work with external collaborators (Entra ID teams) on trust implementations, maintenance, selective authentication adjustments, and incident resolution.
  • Ensure high availability and disaster recovery for IdM trust controllers and related components.

Security & Compliance

  • Implement least-privilege principles, selective authentication, and auditing for cross-forest access.
  • Participate in security reviews, audits, and compliance activities related to the identity infrastructure, including Entra ID-side controls.

Collaboration

  • Work closely with external partners' Entra ID and IAM teams for trust configuration, network connectivity, and ongoing coordination.
  • Collaborate with TGen HPC system engineers managing storage/NFS configuration on PowerScale and VAST, as well as external partners accessing these HPC file systems on edge devices.
  • Coordinate with the TGen information security team as needed to establish Entra and AD configuration policies that meet TGen requirements.

Requirements

Required Qualifications

  • Bachelor's degree in Computer Science, Information Technology, or related field (or equivalent experience).
  • 5+ years of hands-on experience in enterprise Identity and Access Management, with strong focus on hybrid Windows-Linux and cloud/on-premises environments.
  • Deep expertise in Entra ID, On-Prem AD (creating and managing forest/domain trusts, selective authentication, Kerberos, DNS integration, Entra Domain Services forest trusts).
  • Track record of clearly documenting architectures, procedures, and runbooks.

Preferred Skills & Experience

  • Proven ability to own the end-to-end creation and delivery of the on-premises trust and identity infrastructure while balancing operational support.
  • Solid understanding of POSIX UID/GID management, SID-to-POSIX algorithmic mapping, and ensuring consistency for shared filesystem access.
  • Proficiency with automation tools (Ansible, PowerShell, Azure CLI).
  • Knowledge of Microsoft Entra ID hybrid scenarios, including Entra Domain Services forest trusts.
  • Relevant certifications: Microsoft Certified: Identity and Access Administrator Associate (or Entra ID equivalent), or Azure Network Engineer.
  • Strong troubleshooting expertise using Microsoft Entra ID tools (Sign-in Logs, Audit Logs, Provisioning Logs, and the Diagnose and Solve Problems blade), Kerberos commands (klist, nltest), packet analysis (Wireshark), Azure connectivity diagnostics (Azure Network Watcher), and Linux identity tools (sssctl, journalctl, SSSD debug logging).
  • Practical experience with Rocky Linux 9 / RHEL 9, preferably in cluster environments and large-scale Linux deployments.
  • Familiarity with or experience in HPC or scientific computing environments, particularly with identity challenges on login/compute nodes.

Personal Attributes

  • Excellent collaboration and communication skills - able to work effectively with teams in the external partner organization managing Entra ID environments and with TGen HPC engineers.
  • Strong problem-solving mindset with attention to detail, especially around UID/GID consistency, performance, and network connectivity in hybrid cloud/on-premises systems.
  • Proactive, self-motivated, with the demonstrated desire and ability to find, prioritize and complete work across design, administration, and troubleshooting with minimal supervision.

FAQs About Mid-Level Entra/Active Directory Engineer Jobs at TGen

What is the work location for this position at TGen?
This job at TGen is located in Phoenix, AZ, according to the details provided by the employer. Some roles may also include multiple work locations depending on the requirement.

What pay range can candidates expect for this role at TGen?
The employer has not shared pay details for this role.

What employment type applies to this position at TGen?
TGen lists this role as a Full-time position.

What experience level is required for this role at TGen?
TGen is looking for a candidate at the "Senior-level" experience level.

What education level is required for this job?
The education requirement for this position is Network (CCNA, CCNP, CCIE). Candidates with relevant qualifications or equivalent experience may also be considered.

What benefits are offered by TGen for this role?
TGen offers the following benefits for this position: Health Insurance, Dental Insurance, Vision Insurance, Disability Insurance, Life Insurance, Paid Vacation, 401k Matching/Retirement Savings, and Health & Wellness Programs. Actual benefits may vary depending on the employer's policies and employment terms.

What is the process to apply for this position at TGen?
You can apply for this role at TGen either through Sonara's automated application system, which helps you submit applications 10X faster with minimal effort, or by applying manually using the direct link on the job page.