Stephen Klein

IAM Engineer

01

Summary

IAM Engineer with hands-on experience designing and automating identity lifecycle systems across Microsoft Entra ID, Active Directory, and hybrid cloud environments. Specializes in Joiner-Mover-Leaver (JML) lifecycle management, SSO integrations (SAML 2.0, OIDC), and access governance aligned to least privilege and zero trust principles. Builds PowerShell automation against the Microsoft Graph API to eliminate manual identity workflows — reducing onboarding time by 94% and offboarding by 93%. Background in healthcare data management provides a foundation in compliance, data accuracy, and regulatory requirements.

02

Experience

Infrastructure Specialist

Questeq · Pittsburgh, PA · Sep 2025 – Present
  • Manage Microsoft 365, Azure, and Entra ID environments for a K-12 school district
  • Built a PowerShell-based staff lifecycle system automating provisioning across eight platforms, reducing onboarding from 44 minutes to 2.5 minutes (94% faster)
  • Built automated offboarding workflow that disables and relocates the AD account to a dedicated OU (breaking Entra Connect sync), uses the Graph API to block Entra sign-in, revoke group memberships, and remove licenses, and suspends the Google Workspace account via GAM — with a 30-day retention window for account recovery, reducing offboarding time by 93%
  • Built an internal web portal authenticated via Microsoft Entra ID, restricting access to automation tooling through Entra group membership — replacing ad-hoc access with identity-bound, role-controlled authorization
  • Completed Sophos to Microsoft Defender endpoint protection migration across the district device fleet, saving the district several thousand dollars in annual licensing fees; deployed via JAMF Pro smart groups targeting specific macOS versions
  • Contributing to JAMF Pro to Microsoft Intune migration for approximately 700 staff MacBooks
  • Conducting access certification and identity governance remediation across Active Directory — disabled and documented 800+ stale computer objects to date, with broader scope covering user accounts, groups, and service accounts; work directly supports least privilege posture and Entra Connect hybrid identity accuracy
  • Configured SAML 2.0 SSO integrations via Microsoft Entra ID for Google Workspace and Sherpadesk, including ACS URL and attribute claim mapping with MFA enforcement
  • Designed Entra ID app registration architecture separating delegated user-context authentication for the staff portal from scoped application permissions on a dedicated service principal for backend automation, following least privilege principles
  • Built automated password expiration tracking that generates helpdesk tickets assigned to building-specific technicians via Sherpadesk API
  • Migrated Microsoft 365 licensing from A1 to A3 using a role-based dynamic group model driven by extensionAttribute1 synced from on-premises AD, with per-role service plan assignment replacing direct licensing
  • Redesigning Conditional Access policies to replace per-user MFA (deprecated by Microsoft) with a policy-driven model, including decommissioning legacy MFA groups
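The offboarding sequence described in the bullets above, written out as an added example (not the author's own script): the Microsoft.Graph SDK cmdlets, RSAT ActiveDirectory module, app-only service principal permissions, OU path and tenant/app identifiers are all assumptions, and GAM is assumed to be on PATH.

```powershell
<#
  Added illustration of the offboarding flow, not the author's script.
  Assumes: RSAT ActiveDirectory + Microsoft.Graph modules, an app-only service principal
  with User.ReadWrite.All / Group.ReadWrite.All, and GAM on PATH. OU path, tenant and app
  ids are placeholders; cloud steps run before the sync cycle soft-deletes the object.
#>
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [string] $DisabledOu = 'OU=Offboarded,DC=example,DC=local',  # placeholder; outside Entra Connect sync scope
    [string] $TenantId   = '<tenant-id>',
    [string] $ClientId   = '<app-registration-client-id>',
    [string] $CertThumb  = '<certificate-thumbprint>'
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory, Microsoft.Graph.Users, Microsoft.Graph.Groups

# 1. Cloud first: block sign-in and revoke refresh tokens so sessions die now, not at the
#    next sync cycle (cached access tokens still run out on their own schedule).
Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -CertificateThumbprint $CertThumb -NoWelcome
$adUser = Get-ADUser -Identity $SamAccountName -Properties mail, userPrincipalName
$mgUser = Get-MgUser -UserId $adUser.UserPrincipalName
Update-MgUser -UserId $mgUser.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $mgUser.Id | Out-Null

# 2. Strip directly assigned cloud-only groups. Synced groups are read-only in the cloud and
#    are cleaned up on-prem below; dynamic groups re-evaluate on their own.
Get-MgUserMemberOf -UserId $mgUser.Id -All |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.group' -and
                   $_.AdditionalProperties.onPremisesSyncEnabled -ne $true -and
                   $_.AdditionalProperties.groupTypes -notcontains 'DynamicMembership' } |
    ForEach-Object { Remove-MgGroupMemberByRef -GroupId $_.Id -DirectoryObjectId $mgUser.Id }

# 3. Release directly assigned licenses (group-based ones drop when the user leaves the group).
$skuIds = (Get-MgUserLicenseDetail -UserId $mgUser.Id).SkuId
if ($skuIds) { Set-MgUserLicense -UserId $mgUser.Id -AddLicenses @() -RemoveLicenses $skuIds | Out-Null }

# 4. On-prem: disable, strip AD groups, stamp the purge date, and move the object out of the
#    synced OU. The next sync cycle soft-deletes the cloud user, recoverable for 30 days.
Disable-ADAccount -Identity $adUser
Get-ADPrincipalGroupMembership -Identity $adUser |
    Where-Object Name -ne 'Domain Users' |
    ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $adUser -Confirm:$false }
$purge = (Get-Date).AddDays(30).ToString('yyyy-MM-dd')
Set-ADUser -Identity $adUser -Description "Offboarded $(Get-Date -Format yyyy-MM-dd); purge after $purge"
Move-ADObject -Identity $adUser.DistinguishedName -TargetPath $DisabledOu

# 5. Google Workspace: suspend rather than delete so mail and Drive survive the retention window.
& gam update user $adUser.mail suspended on
```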

Computer Technician

North Hills School District · Pittsburgh, PA · May 2023 – Sep 2025
  • Provided technical support for district staff and students across multiple buildings
  • Managed device deployments and imaging via SCCM and PXE boot
  • Administered Active Directory, Google Workspace, and Microsoft 365 accounts
  • Deployed Fortinet networking hardware across district buildings
  • Developed PowerShell automation to manage third-party software updates for Adobe and AutoCAD applications across the district device fleet

Medical Records Technician

Allegheny Health Network · 2021 – Apr 2023
  • Maintained patient records in compliance with HIPAA regulations
  • Ensured data accuracy and confidentiality across healthcare information systems

Front End Associate

Walmart · 2018 – 2021
  • Delivered customer service in high-volume retail environments

Technical Support Specialist

MSAD #17 · Maine · 2013 – 2014
  • Provided IT support for school district staff and students
  • Troubleshot hardware and software issues across the district

03

Skills

Cloud & Identity

Microsoft Entra ID, Active Directory, Microsoft 365, Azure, Exchange Online, Google Workspace, SAML 2.0, OIDC, OAuth 2.0, Conditional Access, Access Reviews, SSPR, Zero Trust

Automation

PowerShell, Microsoft Graph API, REST APIs

Endpoint Management

Microsoft Intune, JAMF Pro, SCCM, PXE Imaging

Security

Microsoft Defender, Sophos, SpamTitan

Networking

Ubiquiti UniFi, Fortinet

Virtualization & Hosting

VMware vSphere, Docker, Caddy

Monitoring

Prometheus, Grafana

04

Certifications

  • SC-300: Microsoft Identity and Access Administrator (In Progress)
  • CompTIA A+
  • Google IT Support Professional Certificate
05

Education

Oxford Hills Technical School · Computer Technology · 2009 – 2012