Roles and resource access control

When planning your access control strategy, it's best to assign users the least privileged role required to access resources. The following table describes the primary resources in your Azure AD B2C tenant and the most suitable administrative roles for the users who manage them.

Resource	Description	Role
Application registrations	Create and manage all aspects of your web, mobile, and native application registrations within Azure AD B2C.	Application Administrator
Tenant Creator	Create new Microsoft Entra ID or Azure AD B2C tenants.	Tenant Creator
Identity providers	Configure the local identity provider and external social or enterprise identity providers.	External Identity Provider Administrator
API connectors	Integrate your user flows with web APIs to customize the user experience and integrate with external systems.	External ID User Flow Administrator
Company branding	Customize your user flow pages.	Global Administrator
User attributes	Add or delete custom attributes available to all user flows.	External ID User Flow Attribute Administrator
Manage users	Manage consumer accounts and administrative accounts as described in this article.	User Administrator
Roles and administrators	Manage role assignments in Azure AD B2C directory. Create and manage groups that can be assigned to Azure AD B2C roles. Note that the Azure AD custom roles feature is currently not available for Azure AD B2C directories.	Global Administrator, Privileged Role Administrator
User flows	For quick configuration and enablement of common identity tasks, like sign-up, sign-in, and profile editing.	External ID User Flow Administrator
Custom policies	Create, read, update, and delete all custom policies in Azure AD B2C.	B2C IEF Policy Administrator
Policy keys	Add and manage encryption keys for signing and validating tokens, client secrets, certificates, and passwords used in custom policies.	B2C IEF Keyset Administrator