Hi all:
We have an Azure AD B2C directory tied to our Azure subscription, and we have added a number of B2C tenants under it. Up until now our DevOps/IT people have managed membership in both the AD B2C directory and the other B2C tenant directories by means of their "Global Administrator" roles.
Despite the documentation implying that the only way to manage B2C directories is having the "Global Administrator" role (https://learn.microsoft.com/en-us/azure/active-directory-b2c/faq?WT.mc_id=Portal-Microsoft_AAD_B2CAdmin&tabs=app-reg-ga#general), we are wondering if there isn't a better, least-privilege approach to allowing users designated as "user administrators" both to visit the B2C directories under the AD B2C directory that they are members of, and to create, read, update and delete (i.e. CRUD) users in those B2C directories?
Giving everyone "Global Administrator" seems to work, but it feels like giving everyone the root password: too many opportunities for things to go wrong.
Thanks