Microsoft Entra ID · B2C & External Identity

B2C IEF Keyset Administrator

Manages policy keys and secrets used for token encryption, token signing, and claim encryption/decryption in Azure AD B2C.

Scope: Full control over B2C Identity Experience Framework keysets and secrets

Permissions

  • Create and manage policy keys
  • Manage encryption secrets
  • Add keys to key containers
  • View complete secret details
  • Manage token signing keys

Common use cases

  • Token signing key rotation
  • Encryption key management
  • Secret rollover operations
  • Policy key configuration
  • SAML certificate management

Best practices

  • Rotate keys regularly
  • Document key purposes
  • Plan key rollovers carefully
  • Monitor key expiration
  • Use separate keys for different purposes

Security considerations

  • PRIVILEGED: Access to all encryption secrets
  • Can view secret values after creation
  • Key access enables token forgery
  • Should be tightly controlled

Common questions

When should I assign the B2C IEF Keyset Administrator role?

Assign B2C IEF Keyset Administrator when you need to: Token signing key rotation; Encryption key management; Secret rollover operations; Policy key configuration; and SAML certificate management. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the B2C IEF Keyset Administrator role do?

The B2C IEF Keyset Administrator role grants permissions including: Create and manage policy keys; Manage encryption secrets; Add keys to key containers; View complete secret details; and Manage token signing keys. See the Permissions section above for the full list.

What are the security risks of the B2C IEF Keyset Administrator role?

Key considerations when assigning B2C IEF Keyset Administrator: PRIVILEGED: Access to all encryption secrets; Can view secret values after creation; Key access enables token forgery; and Should be tightly controlled. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →