Azure AD B2C user role assignment permission issue

Question

Azure AD B2C user role assignment permission issue

Jaydip Pal 0

Hi,

We have a B2C tenant on which we have users and some users need elevated roles. As we do not have that permission we are unable to complete this

Please help us fix this

Jaydip Pal 0 Reputation points

2026-03-24T09:54:01.4866667+00:00

current logged in user does not have the permission to assign a role to a user. So how can we assign role to even a new user?
Jaydip Pal 0 Reputation points

2026-03-24T10:00:02.66+00:00

I am the global admin for the corporate tenant . Another tenant was created by a user who has not given me sufficient permission and that use does not exist in this tenant anymore. So I can't assign roles to any user
Sridevi Machavarapu 27,395 Reputation points Microsoft External Staff Moderator

2026-03-24T10:12:02.0866667+00:00
Hello Jaydip Pal,

Before proceeding, please confirm whether anyone in your tenant still has an admin role (such as Global Administrator).

You can check this by going to:

Microsoft Entra admin center → Roles & administrators → Global Administrator → Assignments, or

Users → select a user → Assigned roles

If at least one user has Global Admin or Privileged Role Admin, they can assign roles or grant you the required access.

If no users have any admin roles, then role assignment won’t be possible from your side. Once admin access is available, you should be able to proceed.

1 answer

Your answer

Jaydip Pal 0 Reputation points

2026-03-24T09:54:01.4866667+00:00

current logged in user does not have the permission to assign a role to a user. So how can we assign role to even a new user?
Jaydip Pal 0 Reputation points

2026-03-24T10:00:02.66+00:00

I am the global admin for the corporate tenant . Another tenant was created by a user who has not given me sufficient permission and that use does not exist in this tenant anymore. So I can't assign roles to any user
Sridevi Machavarapu 27,395 Reputation points Microsoft External Staff Moderator

2026-03-24T10:12:02.0866667+00:00

Hello Jaydip Pal,

Before proceeding, please confirm whether anyone in your tenant still has an admin role (such as Global Administrator).

You can check this by going to:

Microsoft Entra admin center → Roles & administrators → Global Administrator → Assignments, or

Users → select a user → Assigned roles

If at least one user has Global Admin or Privileged Role Admin, they can assign roles or grant you the required access.

If no users have any admin roles, then role assignment won’t be possible from your side. Once admin access is available, you should be able to proceed.

Answer 1

In an Azure AD B2C tenant, only users with appropriate administrator roles can assign elevated roles to other users. If current accounts do not have those permissions, a higher-privileged administrator must grant them.

Use the following approaches, depending on what is missing:

Verify tenant creation/administration restrictions (if you also need to create or manage tenants)
- Sign in to the Azure portal.
- Go to Microsoft Entra ID → User settings.
- Under Default user role permissions, check Restrict non-admin users from creating tenants.
- If this setting is No and elevated access is still needed, an existing administrator must assign the Tenant Creator or other appropriate admin roles. If the setting is greyed out, the signed-in account is not an administrator and cannot change it; an existing admin must do this.
Use an administrator to assign roles in the B2C tenant
- An account with at least Privileged Role Administrator (or another role that can manage directory roles) must:
  1. Sign in to the Azure portal and switch to the Azure AD B2C tenant via Directories + subscriptions.
  2. Go to Azure AD B2C → Users.
  3. Select the user that needs an elevated role.
  4. Select Assigned roles → Add assignments.
  5. Choose the required role (for example, Application administrator, External Identity Provider Administrator, B2C User Flow Administrator, etc.) and select Add.
If the elevated role is for a service or tool account
- Create or use a dedicated directory user in the B2C tenant and assign the specific roles needed for that tool:
  1. In Microsoft Entra ID → Users, select New user → Create user.
  2. Provide username and name, save the initial password.
  3. Under the user’s role settings, assign roles such as External Identity Provider Administrator and B2C User Flow Administrator as required.
If role assignment is blocked in the Azure portal (IAM)
- When trying to assign Azure roles (for example, to manage resource groups for monitoring or integrations), and Add role assignment is disabled or fails:
  - Ensure the signed-in account has a role that includes Microsoft.Authorization/roleAssignments/write (for example, Role Based Access Control Administrator) at the relevant scope (subscription, resource group, or resource).
  - If the account lacks this, a higher-privileged admin at that scope must grant the necessary role first.

If no one in the organization has a global/admin-level account for the tenant, or all such accounts are inaccessible, the only resolution path is to contact Microsoft support (for example, via a billing or existing subscription) to recover or re-establish an administrator, and then use that account to assign the required roles.

References:

Share via

Azure AD B2C user role assignment permission issue

1 answer

Your answer