This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 14.000000000000002%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVJ%3C/text%3E%3C/svg%3E)
What is the simplest method of enabling self-service user account deletion for Azure AD B2C phone sign-up/sign-in flow with local accounts only?
This is only for development purposes, so it can be quick-and-dirty. The solution does not need to be exposed to the end-users directly, but rather for developers to be able to iterate on the sign-up process i.e. sign-up, delete account - rinse and repeat.
I did find a custom policy sample here https://github.com/azure-ad-b2c/samples/tree/master/policies/delete-my-account, but that solution brings far too many unnecessary dependencies along with it - which I have no interest in reviewing and maintaining. Only local accounts and phone sign-up/sign-in need to be considered - and merely extend that with some possibility to delete an account without having direct access to the Azure portal. No existing flows/policies are in need of modification.
Hello @Veli-Jussi Raitila , in order to delete an Azure AD B2C local consumer account, you can leverage the Microsoft Graph API and/or one of its SDK. Take a look to the Delete a user operation. Ensure the sign-up user journey outputs the User's Object ID claim so that you can pass it to the MS Graph call. Also, you will need to Register a Microsoft Graph application, expose the required permissions and, optionally and as replacement for tenant-wide consent, provide fine-grained consent.
For more information about what can be done trough Microsoft Graph, take a look to Manage Azure AD B2C with Microsoft Graph.
Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.
Thank you for your response. I am/was indeed considering relying on the Graph API for this. However, these requirements for the Delete a user operation threw me off:
Those feel a bit too broad for my taste. A currently signed-in user cannot be given a delegated permission to delete his/her own account without being an administator?
Hello , deleting a user is a privileged operation and thus requires elevated permissions. The aforementioned applies to both work and consumer accounts. More importantly, and due to their nature, consumer accounts do not have access to call the Microsoft Graph API. Developers will have to use their work accounts with the required role or you may develop a light API/function that authenticates as an application so that the elevated permissions are not given to more than one security principal. Security rules should be in place to ensure usage is as intended.