Applying least privileges for managing Azure AD B2C

Question

Hi all:

We have an Azure AD B2C directory tied to our Azure subscription, and we have added a number of B2C tenants under it. Up until now our DevOps/IT people have managed membership in both the AD B2C directory and the other B2C tenant directories by means of their "Global Administrator" roles.

Despite the documentation inferring that the only way to manage B2C directories is having the "Global Administrator" role (https://learn.microsoft.com/en-us/azure/active-directory-b2c/faq?WT.mc_id=Portal-Microsoft_AAD_B2CAdmin&tabs=app-reg-ga#general), we are wondering if there isn't a better, least privileges approach to allowing users designated as "user administrators" to both be able to visit B2C directories under the AD B2C directory that they are members of, and to create, read, update and delete (i.e. CRUD) users in those B2C directories?

Giving everyone "Global Administrator" seems to work, but it feels like giving everyone the root password: Too many opportunities for things to go wrong.

Thanks

Answer 1

Giving everyone global admin is definitely not recommended. You can view the roles here and see which specific permissions you want to give each user: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/delegate-by-task#external-identitiesb2c:~:text=Application%20Administrator-,External%20Identities/B2C,Expand%20table,-Task

E.g tenant creator can Create new Microsoft Entra ID or Azure AD B2C tenants. You can use a combination of them for the different roles.

You can mark it 'Accept Answer' and 'Upvote' if this helped you

Regards,

Abiola