Roles and resource access control

When planning your access control strategy, assign each user the least privileged role that still lets them do their job: prefer the scoped roles below over Global Administrator, which has full rights over every resource in the tenant. The following table lists the primary resources in your Azure AD B2C tenant and the most suitable administrative role for the users who manage each of them.

| Resource | Description | Role |
|---|---|---|
| Application registrations | Create and manage all aspects of your web, mobile, and native application registrations within Azure AD B2C. | Application Administrator |
| Tenants | Create new Microsoft Entra ID or Azure AD B2C tenants. | Tenant Creator |
| Identity providers | Configure the local identity provider and external social or enterprise identity providers. | External Identity Provider Administrator |
| API connectors | Integrate your user flows with web APIs to customize the user experience and integrate with external systems. | External ID User Flow Administrator |
| Company branding | Customize your user flow pages. | Global Administrator |
| User attributes | Add or delete custom attributes available to all user flows. | External ID User Flow Attribute Administrator |
| Manage users | Manage consumer accounts and administrative accounts as described in this article. | User Administrator |
| Roles and administrators | Manage role assignments in the Azure AD B2C directory. Create and manage groups that can be assigned to Azure AD B2C roles. Note that the Azure AD custom roles feature is currently not available for Azure AD B2C directories. | Global Administrator, Privileged Role Administrator |
| User flows | Quick configuration and enablement of common identity tasks, such as sign-up, sign-in, and profile editing. | External ID User Flow Administrator |
| Custom policies | Create, read, update, and delete all custom policies in Azure AD B2C. | B2C IEF Policy Administrator |
| Policy keys | Add and manage encryption keys for signing and validating tokens, client secrets, certificates, and passwords used in custom policies. | B2C IEF Keyset Administrator |
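The practical check that follows from this table is to find out who currently holds each of these roles, and to hand a task-specific role (here, B2C IEF Policy Administrator for someone who authors custom policies) to people who would otherwise be given Global Administrator. The script below is an added example and is not code from the Microsoft documentation; it uses the Microsoft Graph PowerShell SDK (`Connect-MgGraph`, `Get-MgDirectoryRole`, `Get-MgDirectoryRoleMember`, `Get-MgRoleManagementDirectoryRoleDefinition`, `New-MgRoleManagementDirectoryRoleAssignment`). The tenant name and the user principal name are placeholder assumptions.

```powershell
# Added example, not part of the original page. Audits the B2C administrative
# roles from the table above and assigns the scoped B2C IEF Policy Administrator
# role instead of Global Administrator. Requires the Microsoft.Graph PowerShell SDK.
param(
    [string]$TenantId = 'contoso.onmicrosoft.com',                 # assumption: your B2C tenant
    [string]$UserUpn  = 'policyauthor@contoso.onmicrosoft.com'     # assumption: the custom-policy author
)

# Reading role definitions/assignments and writing one new assignment.
Connect-MgGraph -TenantId $TenantId -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

# Roles named in the table, most privileged first.
$rolesOfInterest = @(
    'Global Administrator',
    'Privileged Role Administrator',
    'Application Administrator',
    'User Administrator',
    'External Identity Provider Administrator',
    'External ID User Flow Administrator',
    'External ID User Flow Attribute Administrator',
    'B2C IEF Policy Administrator',
    'B2C IEF Keyset Administrator'
)

# 1. Inventory: who holds each role today? A directory role only appears in
#    Get-MgDirectoryRole once it has been activated by a first assignment, so a
#    role that is absent from the list simply has no members yet.
$activated = Get-MgDirectoryRole -All
foreach ($name in $rolesOfInterest) {
    $role = $activated | Where-Object DisplayName -eq $name
    if (-not $role) { Write-Host "$name : (no assignments)"; continue }
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    $upns = $members | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
    Write-Host "$name : $($upns -join ', ')"
}

# 2. Least privilege: grant the custom-policy author the B2C IEF Policy
#    Administrator role. The role is looked up by display name so no template
#    ID has to be hard-coded.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'B2C IEF Policy Administrator'"
$user    = Get-MgUser -UserId $UserUpn

$existing = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$($roleDef.Id)'"
if (-not $existing) {
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
        -RoleDefinitionId $roleDef.Id -DirectoryScopeId '/' | Out-Null
    Write-Host "Assigned B2C IEF Policy Administrator to $UserUpn"
}

# 3. Check: the same user should not also keep Global Administrator once the
#    scoped role covers their work.
$ga = $activated | Where-Object DisplayName -eq 'Global Administrator'
if ($ga) {
    $gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $ga.Id -All
    if ($gaMembers | Where-Object Id -eq $user.Id) {
        Write-Warning "$UserUpn also holds Global Administrator; remove it with Remove-MgDirectoryRoleMemberByRef after confirming the scoped role is sufficient."
    }
}
```

Run it with an account that holds Privileged Role Administrator or Global Administrator in the B2C tenant, since those are the roles that may change role assignments (see the "Roles and administrators" row). The final step only warns rather than removing Global Administrator automatically, so that you can verify the scoped role works before the user loses the broader one.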