Principal Authentication Services Engineer
Listed on 2026-05-31
Engineering
Systems Engineer, Cybersecurity
The Principal Authentication Services Engineer is a senior technical leader and subject matter expert within the Identity & Access Management organization. This role owns the architecture, engineering, and lifecycle management of enterprise authentication platforms across a complex global environment and plays a meaningful role in shaping the IAM authentication roadmap, organization-wide standards, and how authentication capabilities evolve alongside the broader Zero Trust security strategy.
Authentication Platform Engineering & Architecture
- Own the engineering design, implementation, and operational health of Microsoft Entra, Active Directory, and federated identity services across the enterprise
- Architect and maintain SSO integrations (SAML, OIDC, OAuth 2.0) across SaaS, on-prem, and hybrid application portfolios
- Engineer and manage MFA policies, authentication method configurations, and phishing-resistant credential adoption (FIDO2, Windows Hello for Business, certificate-based auth)
- Lead Conditional Access policy development, testing, and lifecycle governance
- Define authentication standards, patterns, and reference architectures for new and existing applications and own keeping them current
- Evaluate emerging authentication technologies and drive proof‑of‑concept efforts that inform roadmap decisions
- Maintain technical documentation including architecture diagrams, decision records, and runbooks
- Partner with Security Architecture to align authentication controls with Zero Trust principles and enterprise security policy
- Support audit and compliance activities by providing technical evidence, control narratives, and remediation guidance
- Identify gaps in authentication posture and lead engineering remediation efforts
- Serve as escalation point for complex authentication incidents and engineering challenges
- Mentor and uplift mid-level engineers on the Authentication Services team
- Engage with application teams, infrastructure engineering, and security operations as a trusted IAM authority
- Bachelor’s degree or higher (completed and verified prior to start)
- Eight (8) years of experience designing, deploying, and managing enterprise Identity and Access Management (IAM) authentication solutions (e.g., Entra, Ping Identity, Active Directory) in a private, public, government or military environment
- Five (5) years of experience working with modern authentication protocols, including SAML, OAuth 2.0, OpenID Connect (OIDC), and FIDO2 in a private, public, government or military environment
- Five (5) years of experience leading complex architectural initiatives, conditional access hardening, or Zero Trust security programs in a private, public, government or military environment
- Maplewood, MN or Austin, TX (Hybrid – at least 3 days per week onsite)
May include up to 10%.
Relocation Assistance: May be authorized.
Legal Authorization: Must be legally authorized to work in the country of employment without sponsorship for employment visa status (e.g., H1B).
Benefits Overview: The expected compensation range for this position is $145,676 – $178,049, which includes base pay plus variable incentive pay if eligible. Benefits include Medical, Dental & Vision, Health Savings Accounts, Health Care & Dependent Care Flexible Spending Accounts, Disability Benefits, Life Insurance, Voluntary Benefits, Paid Absences, and Retirement Benefits. For additional information visit
Equal Employment Opportunity Statement: 3M does not discriminate in hiring or employment on the basis of race, color, sex, national origin, religion, age, disability, veteran status, or any other characteristic protected by applicable law.