Sr. CIAM Engineer

We’re looking for problem solvers, innovators, and dreamers who are searching for anything but business as usual. Like us, you’re a high performer who’s an expert at your craft, constantly challenging the status quo. You value inclusivity and want to join a culture that empowers you to show up as your authentic self. You know that success hinges on commitment, that our differences make us stronger, and that the finish line is always sweeter when the whole team crosses together.

Sr. Professional, CIAM Engineer (Azure AD B2C / Microsoft Entra External ID)

Role Overview We are seeking an experienced engineer to support our CIAM platform. The ideal candidate will have experience with Microsoft Azure AD B2C and a solid understanding of identity management systems. You will own OIDC/SAML relying‑party integrations to our apps, design and maintain Identity Experience Framework (IEF) custom policies, build light extension services (e.g., Azure Functions/REST APIs) for claims enrichment and risk checks, and implement observability and security controls using Azure‑native services.

Responsibilities CIAM Platform & Policy Engineering

· Author, review, and maintain IEF custom policies (claims schema, technical profiles, claims transformations, orchestration steps, REST API callouts, token issuance).

· Configure and operate B2C as IdP to our apps: app registrations, reply URLs, token lifetimes, session settings, scopes/permissions, claims mapping, and MSAL integration patterns for SPA, web, and native clients.

· Build/operate custom REST endpoints (typically Azure Functions) for IEF (risk signals, progressive profiling, consent/eligibility checks, user migration, profile enrichment).

· Manage policy versioning, source control, and CI/CD (Gitlab/Azure DevOps) with automated validation, pre-prod testing, and blue/green deployments.

· Define multi-environment strategy (dev/test/stage/prod), data isolation, rollback procedures, and release cadences.

Observability, Security & Compliance

· Instrument auth flows; collect logs/metrics to Application Insights and Log Analytics; build workbooks and define alert rules using KQL.

· Integrate signals with Microsoft Sentinel/Defender for Cloud Apps (as applicable) for threat detection and investigation.

· Harden the edge with Azure Front Door/WAF (managed and custom rules, rate limiting, bot protections) and ensure reliable DNS/SSL practices.

· Own certificate and secret rotation (Key Vault), signing key rollover strategies, and metadata refresh where applicable.

· Partner with Legal/Sec/Privacy on consent, data retention/DSRs (GDPR/CCPA), auditability, and least-privilege access.

Cross-Functional Enablement

· Provide integration kits and documentation (attribute/claims maps, sample requests/responses, guidelines for redirect URIs/scopes/PKCE/nonce/state).

· Collaborate with app teams to integrate MSAL/SDKs, align scopes and claims, and ensure telemetry coverage.

· Write clear docs and runbooks; conduct training and readiness sessions.

Qualifications

· 4+ years in Identity/CIAM engineering (customer‑facing identity), including 2+ years building IEF custom policies in Entra External ID (Azure AD B2C).

· Deep practical knowledge of OIDC/OAuth2 and SAML 2.0 from an IdP perspective (auth code + PKCE, nonce/state, issuer/audience, NameID/Subject, scopes/claims, token lifetimes).

· Hands‑on IEF policy authoring: claims schema, technical profiles (e.g., REST, AAD, Self‑Asserted, Orchestration, TokenIssuance), claims transformations, JWT/SAML issuance, troubleshooting.

· Experience building Azure Functions/REST services (C# or Python or Node) to integrate with IEF; familiarity with Microsoft Graph for user/profile operations.

· Azure observability: Application Insights, Log Analytics, Workbooks, KQL; creating dashboards and alerting for auth flows.

· Security fundamentals: certificate/key lifecycle management, token security, replay protections, threat modeling, Azure Front Door/WAF and bot mitigations.

Nice to Haves

· User migration patterns (bulk import, just‑in‑time via REST, password reset campaigns) and experience with social identity providers (Google, Apple, etc.).

· Risk‑based controls and fraud signals; experience with Identity Protection or third‑party risk engines.

· Infrastructure as Code (Terraform/Bicep) for B2C, Key Vault, Front Door, App Insights, and pipelines.

· Localization/branding of B2C pages; accessibility best practices.

· End‑to‑end testing for auth flows (Playwright/Cypress) and synthetic monitoring.

· Enterprise federation (partner IdPs such as Okta/Ping/ADFS/Entra) — bonus for potential future support; not in current scope.

Compensation:

Alteryx is committed to fair, equitable, and transparent compensation. Final compensation will be determined by various factors such as your relevant work experience, education, certifications, skills, and geographic location. 

The base salary range for this role in the United States is $140,000 - $160,000.

In addition, you may be eligible for additional compensation. Employees may also be eligible for a wide range of other benefits, including medical, retirement, financial, wellness, time off, employee discounts, and others.

Find yourself checking a lot of these boxes but doubting whether you should apply? At Alteryx, we support a growth mindset for our associates through all stages of their careers. If you meet some of the requirements and you share our values, we encourage you to apply. As part of our ongoing commitment to a diverse, equitable, and inclusive workplace, we’re invested in building teams with a wide variety of backgrounds, identities, and experiences.

Benefits & Perks:

Alteryx has amazing benefits for all Associates which can be viewed here.

This position involves access to software/technology that is subject to U.S. export controls. Any job offer made will be contingent upon the applicant’s capacity to serve in compliance with U.S. export controls.