Microsoft Entra ID · B2C & External Identity

B2C IEF Policy Administrator

Creates and manages custom policies in Azure AD B2C Identity Experience Framework including user flows and federation.

Scope: Full control over B2C custom policies and Identity Experience Framework

Permissions

  • Create and manage custom policies
  • Configure identity providers
  • Manage user flows
  • Edit directory schema
  • Create new users
  • Send data to external systems

Common use cases

  • Custom user journey development
  • External IdP federation setup
  • Claims transformation configuration
  • Multi-step authentication flows
  • Progressive profiling implementation

Best practices

  • Use policy versioning
  • Test in non-production first
  • Document all customizations
  • Follow least privilege in claims
  • Audit policy changes

Security considerations

  • PRIVILEGED: Can modify all authentication flows
  • Can access and migrate user data
  • Changes affect all B2C users
  • Federation changes are sensitive

Common questions

When should I assign the B2C IEF Policy Administrator role?

Assign B2C IEF Policy Administrator when you need to: Custom user journey development; External IdP federation setup; Claims transformation configuration; Multi-step authentication flows; and Progressive profiling implementation. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the B2C IEF Policy Administrator role do?

The B2C IEF Policy Administrator role grants permissions including: Create and manage custom policies; Configure identity providers; Manage user flows; Edit directory schema; Create new users; and Send data to external systems. See the Permissions section above for the full list.

What are the security risks of the B2C IEF Policy Administrator role?

Key considerations when assigning B2C IEF Policy Administrator: PRIVILEGED: Can modify all authentication flows; Can access and migrate user data; Changes affect all B2C users; and Federation changes are sensitive. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →