Microsoft Entra ID · B2C & External Identity

External Identity Provider Administrator

Can configure identity providers for direct federation with external organizations for B2B collaboration.

Scope: External identity provider configuration for B2B federation

Permissions

  • Manage identity providers
  • Create identity providers
  • Delete identity providers
  • Read identity provider properties
  • Update identity provider settings
  • Configure SAML/WS-Fed identity providers
  • Configure social identity providers (Google, Facebook, etc.)
  • Manage domain federation settings
  • Configure direct federation for B2B

Common use cases

  • B2B direct federation setup
  • Partner identity provider integration
  • Social login configuration for B2C
  • SAML federation with external organizations
  • Workforce identity provider configuration
  • Multi-tenant collaboration setup

Best practices

  • Document all federation configurations
  • Test federation before production use
  • Coordinate with partner IT teams
  • Implement certificate expiration monitoring
  • Review federation settings periodically
  • Use PIM for just-in-time access
  • Maintain federation documentation
  • Plan for certificate rotation

Security considerations

  • Federation trusts external identity providers
  • Misconfigured federation can allow unauthorized access
  • Certificate management is critical
  • Monitor federation authentication events
  • Alert on federation configuration changes
  • Review federated user access regularly
  • Consider MFA requirements for federated users

Common questions

When should I assign the External Identity Provider Administrator role?

Assign External Identity Provider Administrator when you need to: B2B direct federation setup; Partner identity provider integration; Social login configuration for B2C; SAML federation with external organizations; and Workforce identity provider configuration. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the External Identity Provider Administrator role do?

The External Identity Provider Administrator role grants permissions including: Manage identity providers; Create identity providers; Delete identity providers; Read identity provider properties; Update identity provider settings; and Configure SAML/WS-Fed identity providers. See the Permissions section above for the full list.

What are the security risks of the External Identity Provider Administrator role?

Key considerations when assigning External Identity Provider Administrator: Federation trusts external identity providers; Misconfigured federation can allow unauthorized access; Certificate management is critical; and Monitor federation authentication events. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →