Roles and resource access control
When planning your access control strategy, it's best to assign users the least privileged role required to access resources. The following table describes the primary resources in your Azure AD B2C tenant and the most suitable administrative roles for the users who manage them.
Resource | Description | Role |
---|---|---|
Application registrations | Create and manage all aspects of your web, mobile, and native application registrations within Azure AD B2C. | Application Administrator |
Tenant Creator | Create new Microsoft Entra ID or Azure AD B2C tenants. | Tenant Creator |
Identity providers | Configure the local identity provider and external social or enterprise identity providers. | External Identity Provider Administrator |
Company branding | Customize your user flow pages. | Global Administrator |
User attributes | Add or delete custom attributes available to all user flows. | External ID User Flow Attribute Administrator |
Manage users | Manage consumer accounts and administrative accounts as described in this article. | User Administrator |
Roles and administrators | Manage role assignments in Azure AD B2C directory. Create and manage groups that can be assigned to Azure AD B2C roles. Note that the Azure AD custom roles feature is currently not available for Azure AD B2C directories. | Global Administrator, Privileged Role Administrator |
User flows | For quick configuration and enablement of common identity tasks, like sign-up, sign-in, and profile editing. | External ID User Flow Administrator |
Custom policies | Create, read, update, and delete all custom policies in Azure AD B2C. | B2C IEF Policy Administrator |