Microsoft Entra ID · B2C & External Identity
B2C IEF Keyset Administrator
Manages policy keys and secrets used for token encryption, token signing, and claim encryption/decryption in Azure AD B2C.
Scope: Full control over B2C Identity Experience Framework keysets and secrets
Permissions
- Create and manage policy keys
- Manage encryption secrets
- Add keys to key containers
- View complete secret details
- Manage token signing keys
Common use cases
- Token signing key rotation
- Encryption key management
- Secret rollover operations
- Policy key configuration
- SAML certificate management
Best practices
- Rotate keys regularly
- Document key purposes
- Plan key rollovers carefully
- Monitor key expiration
- Use separate keys for different purposes
Security considerations
- PRIVILEGED: Grants access to all encryption secrets in the tenant's keysets
- Can view secret values after creation, not only at creation time
- Access to the token signing keys enables forging tokens the tenant would accept
- Role assignment should be tightly controlled