A PowerShell-based identity lifecycle management system that automates account provisioning and deprovisioning across eight enterprise platforms. Handles onboarding, offboarding, and role changes from a single execution, reducing onboarding time from 44 minutes to 2.5 minutes (94% faster) and offboarding by 93%.
The system uses two separate Entra ID app registrations: one handling delegated authentication for the Entra-gated web interface, and one using application permissions against the Microsoft Graph API for automated lifecycle operations. This separation follows least privilege principles — the web app operates in user context while the automation layer runs with scoped application permissions independent of any signed-in user.
Features stage-based orchestration, multi-system verification, and dry-run support for safe testing.
PowerShell
Microsoft Graph API
Active Directory
Exchange Online
Google Workspace
Sherpadesk API
SpamTitan
Entra ID
A PowerShell tool that queries local Active Directory for accounts
with expiring passwords, then automatically generates Sherpadesk
helpdesk tickets by matching user UPNs to their Sherpadesk accounts.
Tickets are assigned to the user's building-specific technician,
ensuring the right tech is notified before passwords expire. Eliminates
manual tracking and reduces password-related lockouts.
PowerShell
Active Directory
Sherpadesk API
Migrated endpoint protection from Sophos to Microsoft Defender for Endpoint
across the district's device fleet, saving the district several thousand
dollars in annual licensing fees. Deployed via JAMF Pro using smart groups
targeting specific macOS versions to stage the rollout, validate policy
parity, and ensure continuous protection coverage throughout the transition.
Microsoft Defender
Sophos
Microsoft Intune
Endpoint Security
Migrating approximately 700 staff MacBooks from JAMF Pro to Microsoft
Intune for unified endpoint management. The primary challenge is
executing the migration without wiping devices, requiring careful
planning around MDM profile removal, Intune enrollment, and
application redeployment while maintaining user productivity.
Microsoft Intune
JAMF Pro
macOS
Entra ID
MDM Profiles
Auditing and remediating years of accumulated identity sprawl across the district's Active Directory environment. Identified and disabled 800+ stale device objects, reducing the attack surface from orphaned machine identities and improving the accuracy of directory data used by downstream systems including Entra Connect sync.
The broader scope includes restructuring GPO links to align with proper OU boundaries, eliminating redundant or misapplied policies, and establishing a baseline for ongoing identity governance. This work directly supports the organization's Entra ID hybrid identity posture by ensuring the on-premises AD — the source of authority for synced identities — reflects a current, accurate state.
Active Directory
Group Policy
PowerShell
Centralizing identity management by configuring Microsoft Entra ID as the primary identity provider across enterprise platforms using SAML 2.0 and OIDC. Enables single sign-on for staff, reducing password fatigue and improving security posture.
Implemented SAML SSO for Google Workspace, configuring the ACS URL, entity ID, and attribute claims on the Entra enterprise app side, then mapping the Entra-issued Name ID claim to existing staff Google accounts across mismatched domain namespaces. Currently researching macOS Platform SSO to sync local Mac accounts with Entra credentials for self-service password resets without requiring district network connectivity.
Microsoft Entra ID
SAML 2.0
OIDC
Google Workspace
macOS Platform SSO
A web-based status feed aggregator monitoring real-time health across
26 vendor platforms with color-coded severity cards, live WAN throughput
graphs for dual ISP links via the FortiGate API, and a firewall health
panel showing firmware, uptime, CPU, and memory utilization. Designed
for a wall-mounted display with auto-refresh and glanceable status
visible from across the room.
Node.js
FortiGate API
Microsoft Entra ID / M365 Service Health
Caddy
NSSM
A locally hosted web application that allows building technicians to view and manage district print queues on the Windows print server without requiring access to the Print Management MMC console.
Authentication is handled via a dedicated Entra ID app registration using MSAL with delegated permissions, restricting access to assigned building tech accounts. A separate app registration using application permissions handles backend Graph API calls independent of the signed-in user context. The backend polls the print server via PowerShell on a 30-second cache cycle, exposing a REST API for viewing, canceling, pausing, and resuming print jobs. Deployed as a Windows service on the print server using NSSM.
Node.js
Express
PowerShell
Microsoft Entra ID
MSAL
NSSM
A PowerShell utility that streamlines device offboarding by automating the
removal of devices from multiple management platforms. Handles Active
Directory, SCCM, Intune, and Azure cleanup in a single execution,
reducing the risk of orphaned device objects. Paused for future
development when bandwidth allows.
PowerShell
Active Directory
SCCM
Microsoft Intune
Azure
Initiated the deployment of a self-hosted district-wide knowledge base
with role-based access controls via Entra ID integration. Designed to
centralize documentation for staff, students, and technicians. Project
has been handed off to another team member for continued development.
Wiki.js
Docker
Entra ID
Markdown
A shell-based automation tool for deploying and managing self-hosted
services via Docker Compose. Features a menu-driven interface for
spinning up media servers, download clients, and monitoring solutions.
Includes encrypted secrets management and cross-platform support for
Linux, macOS, and Windows (WSL2).
Shell
Docker
Docker Compose
Website management for a seasonal vacation rental business operating five
lakefront cabins on Long Lake in Harrison, Maine. The site provides cabin
information, rates, amenities, and contact details for prospective guests
looking for lakeside retreats.
Web Management
Content Updates
Hosting