Senior Information Security Risk Analyst

Optum is a global organization that delivers care, aided by technology to help millions of people live healthier lives. The work you do with our team will directly improve health outcomes by connecting people with the care, pharmacy benefits, data and resources they need to feel their best. Here, you will find a culture guided by inclusion, talented peers, comprehensive benefits and career development opportunities. Come make an impact on the communities we serve as you help us advance health optimization on a global scale. Join us to start Caring. Connecting. Growing together.
Hands-on IAM Engineer to own and operate our on-premises Microsoft Active Directory estate and adjacent Identity infrastructure. Work on day-to-day identity operations (provisioning, hardening, troubleshooting) and longer-term improvements (automation, security controls, audits, and lifecycle management) across domains, forests, and tiered admin models.
We are looking for a hands-on IAM Engineer to own and operate our Microsoft Entra ID (Azure AD) cloud identity estate and adjacent identity infrastructure across Azure. You will handle day-to-day identity operations (joiner/mover/leaver access, privileged access, troubleshooting, hardening) and drive continuous improvement(automation, security controls, audit readiness, governance, and lifecycle management) for workforce and workload identities.
Primary Responsibilities:

• Operate and support Microsoft Entra ID (users, groups, roles, RBAC assignments, administrative units) and Azure identity controls
• Implement and maintain Conditional Access (MFA policies, risk-based access, device compliance, location controls, session controls)
• Manage Privileged Identity Management (PIM) (role eligibility, approvals, activation policies, alerting, break-glass controls)
• Run Identity Governance capabilities (Access Reviews, Entitlement Management, Lifecycle Workflows) to reduce access sprawl
• Manage application identities: App registrations, Enterprise Apps, service principals, SSO integrations (SAML/OIDC), SCIM provisioning
• Secure workload identities: Managed identities, federated credentials (OIDC/workload identity federation), Key Vault integration, secret/cert rotation
• Support hybrid identity where applicable: Entra Cloud Sync / Azure AD Connect, AD DS dependencies, password hash sync / PTA / federation considerations
• Troubleshoot authentication and authorization issues using Entra audit/sign-in logs, Azure Activity logs
• Create/maintain runbooks, SOPs, change records, incident playbooks; participate in on-call/incident response as needed
• Automate operations using PowerShell / Graph API / Terraform/Bicep with Git-based workflows and idempotent patterns
• Comply with the terms and conditions of the employment contract, company policies and procedures, and any and all directives (such as, but not limited to, transfer and/or re-assignment to different work locations, change in teams and/or work shifts, policies in regards to flexibility of work benefits and/or work environment, alternative work arrangements, and other decisions that may arise due to the changing business environment). The Company may adopt, vary or rescind these policies and directives in its absolute discretion and without any limitation (implied or otherwise) on its ability to do so

Required Qualifications:

• Undergraduate degree or equivalent practical experience
• 3+ years in enterprise Microsoft Entra ID / Azure IAM engineering or operations
• Experience with SSO and app onboarding (SAML, OIDC), Enterprise Apps, SCIM provisioning, and access troubleshooting
• Experience securing workload identities:
  • Service principals / managed identities
  • App secrets/certificates management
  • Secret rotation and Key Vault practices
  • Delegated vs application permissions, consent governance
• Hands-on with PIM, role-based administration, privileged access design, and break-glass standards
• Working knowledge of Microsoft Graph (permissions, API usage) and automation at scale
• Proficient in PowerShell (error handling, modular scripts, idempotent workflows) and Git (PRs, branching, reviews)
• Solid understanding of Zero Trust identity controls (MFA, Conditional Access, least privilege, phishing-resistant auth patterns)
• Solid documentation and operational discipline: runbooks, audit evidence, post-incident review
• Skills (for Cloud IAM Entry Ops)
• Microsoft Entra ID operations (users/groups/roles, RBAC assignment hygiene)
• Conditional Access policy design + troubleshooting
• PIM administration + privileged role governance (eligibility/activation/approvals)
• App onboarding (Enterprise Apps, App Registrations, SAML/OIDC basics)
• Workload identity fundamentals (service principals, managed identities, secret/cert rotation using Key Vault)
• Log-driven troubleshooting (sign-in logs, audit logs, Azure activity logs)
• PowerShell + Microsoft Graph scripting; Git workflows

Preferred Qualifications:

• Skills:
  • Identity Governance (Access Reviews, Entitlement Management, Lifecycle Workflows)
  • Defender for Identity / Identity Protection / Defender for Cloud Apps exposure
  • Azure landing zone familiarity: management groups, subscription RBAC models, Azure Policy guardrails
  • Infrastructure-as-Code: Terraform / Bicep, CI/CD pipelines with secure service connection

At UnitedHealth Group, our mission is to help people live healthier lives and make the health system work better for everyone. We believe everyone-of every race, gender, sexuality, age, location and income-deserves the opportunity to live their healthiest life. Today, however, there are still far too many barriers to good health which are disproportionately experienced by people of color, historically marginalized groups and those with lower incomes. We are committed to mitigating our impact on the environment and enabling and delivering equitable care that addresses health disparities and improves health outcomes - an enterprise priority reflected in our mission.