Microsoft Entra ID · B2C & External Identity
B2C IEF Keyset Administrator
Manages policy keys and secrets used for token encryption, token signing, and claim encryption/decryption in Azure AD B2C.
Scope: Full control over B2C Identity Experience Framework keysets and secrets
Permissions
- Create and manage policy keys
- Manage encryption secrets
- Add keys to key containers
- View complete secret details
- Manage token signing keys
Common use cases
- Token signing key rotation
- Encryption key management
- Secret rollover operations
- Policy key configuration
- SAML certificate management
Best practices
- Rotate keys regularly
- Document key purposes
- Plan key rollovers carefully
- Monitor key expiration
- Use separate keys for different purposes
Security considerations
- PRIVILEGED: Access to all encryption secrets
- Can view secret values after creation
- Key access enables token forgery
- Should be tightly controlled
Common questions
When should I assign the B2C IEF Keyset Administrator role?
Assign B2C IEF Keyset Administrator when you need to: Token signing key rotation; Encryption key management; Secret rollover operations; Policy key configuration; and SAML certificate management. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the B2C IEF Keyset Administrator role do?
The B2C IEF Keyset Administrator role grants permissions including: Create and manage policy keys; Manage encryption secrets; Add keys to key containers; View complete secret details; and Manage token signing keys. See the Permissions section above for the full list.
What are the security risks of the B2C IEF Keyset Administrator role?
Key considerations when assigning B2C IEF Keyset Administrator: PRIVILEGED: Access to all encryption secrets; Can view secret values after creation; Key access enables token forgery; and Should be tightly controlled. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.