What you'd actually do

Define the architecture for Conditional Access at identity-platform scale

Own the technical strategy for the CA evaluation engine — today processing millions of policy evaluations per second inside ESTS with sub-millisecond latency budgets

Design the next-generation policy model: portable, data-driven policies that evaluate at token-time and at the data plane (GSA, MISE, resource providers)

Lead the CA-for-Agents technical vision

Architect how CA evaluates agent identities as first-class actors — spanning OBO, S2S, CUA, and agentic chaining scenarios

Skills

Required

Bachelor's Degree in Computer Science or related technical field AND 6+ years technical engineering experience with coding in languages including, but not limited to, C, C++, C#, Java, JavaScript, or Python OR equivalent experience.
Ability to meet Microsoft, customer and/or government security screening requirements

Nice to have

Deep expertise in distributed systems, high-performance runtime engines, or policy/rules engines operating at extreme scale
Strong background in identity, authentication, authorization, or security infrastructure — you understand OAuth2/OIDC, token semantics, and Zero Trust principles
Fluency in C# and large-scale .NET service development; experience with ESTS or equivalent identity platforms is a strong plus
Architectural leadership
Track record of defining and driving multi-year technical strategies that span teams and organizations
Ability to make pragmatic tradeoffs between architectural purity and shipping velocity
Experience designing systems that evolve incrementally

Overview

Security represents the most critical priorities for our customers in a world awash in digital threats, regulatory scrutiny, and estate complexity. Microsoft Security aspires to make the world a safer place for all. We want to reshape security and empower every user, customer, and developer with a security cloud that protects them with end to end, simplified solutions. The Microsoft Security organization accelerates Microsoft’s mission and bold ambitions to ensure that our company and industry is securing digital technology platforms, devices, and clouds in our customers’ heterogeneous environments, as well as ensuring the security of our own internal estate. Our culture is centered on embracing a growth mindset, a theme of inspiring excellence, and encouraging teams and leaders to bring their best each day. In doing so, we create life-changing innovations that impact billions of lives around the world.

The Opportunity Conditional Access is the real-time Zero Trust policy engine at the heart of Microsoft Entra ID. Every sign-in, every token, every agent request across Microsoft's identity platform flows through the system you'll shape. We're evolving CA from a human-centric access control layer into a universal policy engine for users, workloads, and AI agents — and we need a Principal Engineer to drive that architectural transformation. You'll own the technical vision for how Conditional Access scales to meet the next generation of identity: autonomous agents, continuous authorization, data-plane enforcement, and policy portability across authentication and runtime boundaries.

Microsoft’s mission is to empower every person and every organization on the planet to achieve more. As employees we come together with a growth mindset, innovate to empower others, and collaborate to realize our shared goals. Each day we build on our values of respect, integrity, and accountability to create a culture of inclusion where everyone can thrive at work and beyond.

#MSFTSecurity, #IDENTITY

Responsibilities

What You'll Do Define the architecture for Conditional Access at identity-platform scale
Own the technical strategy for the CA evaluation engine — today processing millions of policy evaluations per second inside ESTS with sub-millisecond latency budgets
Design the next-generation policy model: portable, data-driven policies that evaluate at token-time and at the data plane (GSA, MISE, resource providers)
Drive convergence of token-time CA and Continuous Access Evaluation into a unified enforcement architecture
Lead the CA-for-Agents technical vision
Architect how CA evaluates agent identities as first-class actors — spanning OBO, S2S, CUA, and agentic chaining scenarios
Drive cross-org technical alignment Partner with Identity Protection, Defender, Intune, Graph, GSA, and Azure networking to integrate risk signals, device posture, and network context into CA evaluation
Represent CA engineering in cross-IDNA architecture reviews, security design reviews, and partner alignment forums
Influence the ESTS roadmap for protocol-level changes required for agent governance (FIC, token exchange, CAE for OBO) Raise the engineering bar
Set standards for safe rollout of policy evaluation changes in a Tier 0 service — feature flags, canary-first deployment, blast-radius analysis
Drive testability and validation strategy: policy correctness proofs, synthetic tenant replay, and agent-driven test automation
Mentor senior engineers across the CA and ESTS stack; build the technical bench for the team's next chapter

Other

Embody our Cultureand Values

Qualifications

Required/minimum qualifications

Bachelor's Degree in Computer Science or related technical field AND 6+ years technical engineering experience with coding in languages including, but not limited to, C, C++, C#, Java, JavaScript, or Python OR equivalent experience.

Other Requirements: Ability to meet Microsoft, customer and/or government security screening requirements are required for this role. These requirements include, but are not limited to the following specialized security screenings:

• Microsoft Cloud Background Check: This position will be required to pass the Microsoft Cloud background check upon hire/transfer and every two years thereafter.

**Preferred Qualifications: **

Deep expertise in distributed systems, high-performance runtime engines, or policy/rules engines operating at extreme scale
Strong background in identity, authentication, authorization, or security infrastructure — you understand OAuth2/OIDC, token semantics, and Zero Trust principles
Fluency in C# and large-scale .NET service development; experience with ESTS or equivalent identity platforms is a strong plus Architectural leadership
Track record of defining and driving multi-year technical strategies that span teams and organizations -
Ability to make pragmatic tradeoffs between architectural purity and shipping velocity — you know when to invest in the long-term and when to ship the 80% solution
Experience designing systems that evolve incrementally under production load with zero downtime

Software Engineering IC5 - The typical base pay range for this role across the U.S. is USD $139,900 - $274,800 per year. There is a different range applicable to specific work locations, within the San Francisco Bay area and New York City metropolitan area, and the base pay range for this role in those locations is USD $188,000 - $304,200 per year.

Certain roles may be eligible for benefits and other compensation. Find additional benefits and pay information here: https://careers.microsoft.com/us/en/us-corporate-pay

This position will be open for a minimum of 5 days, with applications accepted on an ongoing basis until the position is filled.

Microsoft is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to age, ancestry, citizenship, color, family or medical care leave, gender identity or expression, genetic information, immigration status, marital status, medical condition, national origin, physical or mental disability, political affiliation, protected veteran or military status, race, ethnicity, religion, sex (including pregnancy), sexual orientation, or any other characteristic protected by applicable local laws, regulations and ordinances. If you need assistance with religious accommodations and/or a reasonable accommodation due to a disability during the application process, read more about **requesting accommodations.**