Senior IAM Engineer and Security Architect

Location:
Clayton, NC
Posted:
December 15, 2025

Resume:

Tavis Mitchell

919-***-**** ************@*****.*** LinkedIn Projects

WORK EXPERIENCE

Lead IAM Engineer — Novo Nordisk

Novo Nordisk Jan 2025 – Present

• Lead IAM operations across Azure AD / Entra ID, enforcing Zero Trust, Conditional Access, RBAC, MFA, PIM, and enterprise identity hygiene.

• Designed and implemented enterprise Conditional Access policies, reducing high-risk sign-ins by 40% and blocking non-compliant devices across multiple sites.

• Performed hybrid identity troubleshooting using Azure AD Connect, Cloud Sync, Kerberos tokens, GPO conflicts, and AD replication issues across global forests.

• Conducted quarterly access reviews for high-privilege roles and app owners, reducing excessive permissions by 35%.

• Led account compromise response using Identity Protection, reviewing risky sign-ins, token misuse, impossible travel, and authentication anomalies (4625/50126 events).

• Federated apps using SAML/OIDC, built SCIM provisioning integrations, and managed lifecycle automation for enterprise SaaS platforms.

• Built PowerShell-based identity reporting to identify stale accounts, unused roles, shadow admin rights, and misconfigured service accounts (reduced risk exposure 25%).

• Owned directory hardening efforts: secure admin tiers, GPO lockdown, passwordless rollout planning, and privileged access redesign aligned with Zero Trust.

• Ensured HIPAA-aligned Modern Workplace security posture across all cloud endpoints, implementing identity rules, endpoint compliance, and cloud governance controls.

IT & Security Operations Manager (IAM Lead) — INE

Internetwork Expert (INE) Nov 2023 - Dec 2024

• Directed IAM program for a multi-cloud environment (Azure AD, AWS IAM, Okta, Google Workspace), owning user lifecycle, MFA enforcement, RBAC, SSO, and governance.

• Implemented Okta SSO + MFA across internal and external SaaS applications, achieving 98% MFA enrollment and eliminating legacy password-based access.

• Managed Okta user lifecycle and delegated admin models; used SCIM integrations for automated provisioning and deprovisioning.

• Built domain-wide identity dashboards to monitor authentication failures, suspicious sign-ins, and dormant administrators using Splunk and Elastic.

• Conducted SOC 2 access governance audits using Drata; automated evidence collection, reducing audit prep time by 50%.

• Led identity incident response for compromised accounts, OAuth token misuse, malicious inbox rules, and MFA fraud.

• Hardened AWS IAM: enforced least privilege roles, removed unmanaged access keys, and built CloudTrail-based monitoring for identity events.

• Documented IAM runbooks, SSO onboarding guides, and identity governance procedures in Confluence.

Senior Systems Engineer (Modern Workplace & Identity)

Legacy Healthcare Services Jan 2023 - Dec 2023

• Owned Azure AD lifecycle management for 4,000+ users: provisioning, deprovisioning, access updates, role assignments, and license governance.

• Implemented Conditional Access, reducing unauthorized legacy authentication by 70% and enforcing MFA universally.

• Built automation for user onboarding/offboarding using PowerShell, Graph API, and Azure AD workflows.

• Managed Intune app deployments, compliance policies, Autopilot enrollments, device governance, and zero-touch provisioning.

• Supported Exchange Online identity needs: mailbox permissions, delegated access, OAuth app authentication, and role-based access controls.

• Led phishing remediation and configuration reviews using Exchange Admin + AppRiver.

• Configured and maintained identity settings in Microsoft 365 Security Center and Azure Identity Protection.

Systems Engineer — Johnston County Public Schools

Johnston County Public Schools Jan 2022 – Jan 2023

• Managed on-prem Active Directory lifecycle for 15,000+ student/staff identities: OU admin, group design, workstation joins, GPO enforcement, and identity cleanup.

• Used Event Viewer (4624/4625) for authentication troubleshooting, lockout analysis, and brute-force detection.

• Administered identity and access policies for Windows endpoints, laptops, and lab imaging using MDT/SCCM.

• Managed Google Workspace IAM for student and staff identity lifecycle.

• Enforced MFA, password resets, access recovery, and identity hygiene processes school-wide.

• Hardened workstations using GPO, baseline policies, and restricted local admin privileges.

• Configured DNS/DHCP and troubleshot directory-related network issues.

IT Systems Support – Cloud App Access & Identity Support

Wake County Public Schools Jan 2021 – Jan 2022

• Performed identity troubleshooting using ADUC, Group Policy, and secure access provisioning for staff and faculty.

• Managed Chromebook fleet and Google Workspace IAM tasks (user provisioning, password resets, delegated access).

• Enforced device policies and deprovisioning compliance across thousands of devices.

• Conducted MFA and password reset support aligned with district security standards.

• Supported Windows imaging, workstation deployment, and secure configuration controls.

• Managed access permissions for shared drives, groups, and faculty staff roles.

IT Support Specialist – Multi-Site Windows Support

City of Raleigh Parks Jan 2012 – Jan 2021

• Managed AD accounts, group memberships, and access requests for municipal staff.

• Performed identity-related troubleshooting for login issues, authentication failures, and locked accounts.

• Supported workstation builds, secure configuration, antivirus enforcement, and user access controls.

• Conducted device lifecycle management and ensured compliance with local government access policies.

SKILLS

Identity & Access Management (IAM): Azure AD / Entra ID, Active Directory, Group Policy, Azure AD Connect, Entra Cloud Sync, RBAC, ABAC, Identity Lifecycle (JML), Conditional Access, MFA, Passwordless Auth, Azure Identity Protection, PIM, SCIM Provisioning, Identity Governance, Access Reviews, Role Design, Least Privilege Enforcement

SSO / Federation & Authentication: Okta, SAML, OAuth2, OIDC, WS-Fed, Application Federation, Claims Mapping, SCIM, Certificate-based Authentication, Service Principals, App Registrations

Privileged Access & Governance: PIM, Break-Glass Accounts, Service Account Governance, Access Recertifications, Quarterly Reviews, Audit Evidence Packaging, Zero Trust, Segregation of Duties (SoD), HIPAA/SOX/ISO/GDPR Alignment

Security Monitoring & IR (Identity-Focused): Event Viewer (4624/4625/4768/4769), Entra Identity Protection, Audit Logs, Sign-In Logs, Risky Users, Splunk, Elastic, Threat Hunting (Identity), BEC/Account Compromise Response, Authentication Anomalies, Directory Sync Failures, Conditional Access Triage

Automation & Scripting: PowerShell (Identity Automation, Access Cleanup, Bulk Updates), Azure CLI, JSON, Bash, Automated Access Reviews, Identity Reporting Dashboards

Cloud IAM: Azure AD, AWS IAM, Google Workspace IAM, SaaS Identity Governance, SCIM for SaaS Lifecycle, OAuth App Integrations, Conditional Access for SaaS Platforms

Tools & Platforms: ServiceNow, Okta, Splunk, Elastic, Jamf, Azure Portal, Microsoft 365 Admin, Admin Exchange, Drata (SOC2), Confluence, Jira

CERTIFICATIONS

Microsoft CompTIA SC-Splunk AZ-Linux GCP Microsoft CompTIA 900 800 Associate Essentials Core – – Security, Administering Security+ CySA+ Identity Azure Certified Cloud Data (in Compliance and progress) Engineer Fundamentals Power Access Windows User Administrator & Identity Server Hybrid Fundamentals Core Infrastructure

EDUCATION

Western Governors University

Master of Science – Information Technology Management

St. Augustine’s University

Bachelor of Science – Exercise Science