How to migrate from Azure AD B2C to Microsoft Entra External ID

Last Updated:
February 19, 2026
Ashutosh Bhadauriya

If you're reading this, you've probably heard the news: Azure AD B2C is being phased out. As of May 1, 2025, Microsoft stopped offering Azure AD B2C to new customers. While existing tenants will continue to be supported until at least May 2030, all new feature development has shifted to Microsoft Entra External ID.

This guide walks you through a practical migration path from Azure AD B2C to Entra External ID, with a focus on maintaining a secure, user-friendly authentication experience throughout the transition.

Understanding the migration landscape

Before diving into the technical steps, let's clarify what we're building toward.

What is Entra External ID?

Microsoft Entra External ID is Microsoft's next-generation Customer Identity and Access Management (CIAM) platform. It builds on Azure AD B2C with these additions:

  • Unified management for both customer (B2C) and partner (B2B) identities
  • Simplified administration interface
  • Native support for modern authentication protocols
  • Enhanced security with risk-based authentication
  • Better developer experience with improved APIs and SDKs

Custom policies

One important thing to know upfront: Entra External ID uses a different approach than Azure AD B2C's XML-based custom policies. If you've built complex authentication flows with custom policies, you'll need to rebuild them using:

  1. Entra External ID's user flows and custom authentication extensions
  2. OIDC federation with a dedicated authentication provider

Microsoft is working on migration tools to help with this transition. The second approach can simplify your migration by using pre-built authentication flows that integrate via standard OIDC.

Step-by-step migration guide

Microsoft's official migration planning guide provides a comprehensive overview of the migration process. This guide focuses on the practical implementation steps.

Phase 1: Planning and setup

1. Audit your current B2C setup

Start by documenting everything you're using today:

  • User flows (sign-up, sign-in, profile edit, password reset)
  • Custom policies (if any)
  • User attributes (standard and custom)
  • Identity providers (social, enterprise)
  • API connectors and integrations
  • Application registrations
  • User counts and activity patterns
  • MFA configurations

2. Create your Entra External ID tenant

Navigate to the Azure Portal and create a new External ID tenant. For detailed instructions, see Microsoft's tenant creation guide.

  1. Go to Microsoft Entra ID > Overview > Manage tenants
  2. Click Create and select External tenant
  3. Choose Use Entra External ID for customers
  4. Configure your tenant domain and region

3. Configure authentication methods

In your new Entra External ID tenant, configure how users will authenticate:

  1. Navigate to External Identities > All identity providers
  2. Choose your authentication methods:
    • Email with one-time passcode (built-in)
    • Email with password (built-in)
    • Social providers (Google, Facebook, Apple, Microsoft)
    • Custom OIDC providers (for advanced authentication needs)

For basic migrations, the built-in email authentication works well. If you need more advanced features like passkeys, biometric authentication, or sophisticated MFA flows, you'll want to consider a dedicated authentication provider through OIDC federation.

Phase 2: Set up user flows

4. Create sign-up and sign-in flow

  1. Go to External Identities > User flows
  2. Click New user flow
  3. Select Sign up and sign in
  4. Name it (e.g., SignUpSignIn)

Configure the flow:

  • Identity providers: Select your authentication methods
  • User attributes: Choose what to collect during sign-up
  • Application claims: Define what's included in tokens

5. Configure user attributes

Select the attributes you need:

Commonly collected attributes:

  • Email Address (required)
  • Display Name
  • Given Name
  • Surname
  • Custom attributes (create as needed)

These attributes will be available in your application's ID tokens after successful authentication.

Phase 3: User Migration

This is the most critical phase. You have two main approaches for migrating users. For detailed technical implementation, see Microsoft's user migration guide.

Microsoft provides an official migration toolkit with three components:

  • Export tool: Reads users from B2C and saves to Azure blob storage in batches
  • Import tool: Loads users from blob storage into Entra External ID
  • Azure Function: Handles just-in-time password validation and migration

The toolkit handles Graph API throttling automatically and processes users in configurable batches. Both migration approaches below can leverage these tools.

Option 1: Bulk Import + SSPR (Simplest)

Best for: Smaller user bases, low-frequency apps

The Microsoft migration toolkit provides tools to handle this approach:

  1. Export users from Azure AD B2C to blob storage in batches (handles Graph API throttling)
  2. Import users from blob storage into Entra External ID with random passwords
  3. Enable Self-Service Password Reset (SSPR) in your tenant
  4. Notify users to reset passwords on first login via SSPR

The toolkit can transform B2C email/password accounts to Entra External ID email/OTP accounts during migration. Note that the toolkit currently supports local accounts only - social and federated accounts need to be handled separately (users will need to re-authenticate with their social provider after migration).

Pros: Simple to implement; the toolkit handles Graph throttling and batching
Cons: Users must reset passwords; currently limited to local accounts only

Option 2: Just-in-Time (JIT) Migration (Recommended)

Best for: Large user bases, critical applications

This approach migrates users seamlessly on their first login. Microsoft provides official guidance for implementing Just-in-Time password migration.

Using the Microsoft migration toolkit:

  1. Export/Import users using the toolkit's blob storage approach (same as Option 1)
  2. Set a custom extension property (migration flag) on each user account
  3. Azure Function validates credentials against B2C using ROPC (Resource Owner Password Credentials) with the NCA = 1 flag
  4. On successful validation, the password is migrated to Entra External ID and the migration flag is cleared
  5. Subsequent logins authenticate directly against Entra External ID

Password policy enforcement: You can configure an Entra External ID password policy. Any password that doesn't meet this policy will force the user to change their password during migration.

The Azure Function integrates via custom authentication extensions. Microsoft provides a JIT migration toolkit on GitHub with all three components: export, import, and the Azure Function.

Pros: Seamless user experience; no password resets needed (unless policy requires)
Cons: More complex setup; requires Azure Function deployment and custom auth extension configuration
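The JIT decision logic from steps 2 to 5 above, as an added example that is not code from the original post or from Microsoft's toolkit: it checks the migration flag, validates the credential against B2C over ROPC only while the flag is set, applies the password policy check that decides whether the user is forced to change their password, then writes the password to Entra External ID and clears the flag. The Graph and B2C calls (getUser, validateWithB2C, patchUser), the extension attribute name and the policy rule are assumed placeholders, injected so the flow runs offline.

```javascript
// Added example (not from the original post or Microsoft's toolkit):
// decision logic an Azure Function runs for just-in-time migration.
// getUser/validateWithB2C/patchUser are injected stand-ins for Graph and
// B2C calls; MIGRATE_FLAG is a placeholder extension attribute name.
const MIGRATE_FLAG = "extension_APPID_requiresMigration"; // placeholder

// ROPC request against the B2C token endpoint (policy must be a ROPC-enabled
// user flow); nca=1 is the parameter the post names.
function buildRopcRequest(tenant, policy, clientId, username, password) {
  return {
    url: `https://${tenant}.b2clogin.com/${tenant}.onmicrosoft.com/${policy}/oauth2/v2.0/token`,
    body: new URLSearchParams({
      grant_type: "password", username, password, client_id: clientId,
      scope: `openid ${clientId}`, response_type: "token id_token", nca: "1",
    }).toString(),
  };
}

// Stand-in for the External ID password policy (assumed: 8+ chars, 3 of 4 classes).
function meetsPolicy(pw) {
  const n = [/[A-Z]/, /[a-z]/, /[0-9]/, /[^A-Za-z0-9]/].filter((re) => re.test(pw)).length;
  return pw.length >= 8 && n >= 3;
}

async function jitMigrate(deps, username, password) {
  const user = await deps.getUser(username);
  if (!user || user[MIGRATE_FLAG] !== true) return { action: "continue" }; // already migrated
  const valid = await deps.validateWithB2C(username, password); // ROPC against B2C
  if (!valid) return { action: "deny", reason: "invalid-credentials" };
  const forceReset = !meetsPolicy(password); // weak legacy password: change on next sign-in
  await deps.patchUser(user.id, {
    passwordProfile: { password, forceChangePasswordNextSignIn: forceReset },
    [MIGRATE_FLAG]: false, // cleared: B2C is never consulted again for this user
  });
  return { action: "migrated", forceReset };
}
```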

Phase 4: Application migration

6. Update application registrations

For each application currently using B2C:

  1. Create a new app registration in Entra External ID
  2. Configure redirect URIs (copy from your B2C app)
  3. Note the new Client ID and generate a new Client Secret

7. Update application code

The code changes are minimal. You're primarily updating endpoints:

Before (Azure AD B2C):

const msalConfig = {
  auth: {
    clientId: "YOUR_B2C_CLIENT_ID",
    authority: "https://YOUR_TENANT.b2clogin.com/YOUR_TENANT.onmicrosoft.com/B2C_1_signupsignin",
    knownAuthorities: ["YOUR_TENANT.b2clogin.com"],
    redirectUri: "https://yourapp.com/callback",
  }
};

After (Entra External ID):

const msalConfig = {
  auth: {
    clientId: "YOUR_EXTERNAL_ID_CLIENT_ID",
    authority: "https://YOUR_TENANT.ciamlogin.com/YOUR_TENANT.onmicrosoft.com",
    redirectUri: "https://yourapp.com/callback",
  }
};

Note: Verify the exact authority URL format in Microsoft's developer documentation for your specific SDK version and platform.

Not ready to migrate yet? Improve your authentication flows

If you're still on Azure AD B2C and planning to migrate in the coming months or years, you don't have to wait to improve your authentication experience. You can enhance your current B2C setup with modern authentication capabilities today.

Why upgrade authentication before migration?

Give users modern auth sooner. Your users don't care about your backend infrastructure. They want passwordless login, passkeys, and smooth MFA flows. You can deliver these features now, regardless of your migration timeline.

Test and iterate without risk. Adding authentication capabilities to B2C lets you roll out new features gradually, get user feedback, and refine the experience before the pressure of a full platform migration.

Enhancing Azure AD B2C with better authentication

Azure AD B2C supports custom policies and integrations, which means you can add specialized authentication capabilities without major code changes. For example, Authsignal's Azure AD B2C integration provides:

  • Passkey support with WebAuthn
  • Pre-built authentication UI
  • Multi-factor authentication (SMS, email, authenticator apps, biometrics)
  • Step-up authentication for sensitive operations
  • Risk-based authentication policies

The integration works through B2C's custom policies, so your applications continue working with B2C as they do today. Users just get a better authentication experience.

Advanced authentication for External ID

Once your basic migration is complete, you'll want to think about the authentication experience itself. This is where many teams realize that Entra External ID, while excellent for identity management, might benefit from a dedicated authentication layer.

Entra External ID handles identity management well, but many teams use dedicated authentication platforms for modern features like passkeys, biometric login, risk-based MFA, and pre-built authentication UI. This separation lets Entra External ID focus on what it does best (identity and access control) while specialized platforms handle the login experience.

Platforms to Consider

If you're looking for a modern authentication experience, consider platforms like:

  • Authsignal: Specializes in MFA, passkeys, and step-up authentication. Has documented Azure AD B2C integration if you're currently on B2C.
  • Auth0: Full-featured identity platform with extensive customization
  • Okta: Enterprise-focused with strong compliance features
  • Other OIDC providers: Any provider supporting standard OIDC can integrate

Conclusion

Migrating from Azure AD B2C to Entra External ID is straightforward if you plan ahead. The process involves setting up your new tenant, migrating users, and updating your applications. Whether you use the simple password reset approach or the more seamless JIT migration depends on your user base size and tolerance for friction.

You don't have to wait until migration to improve your authentication experience. If you're still on Azure AD B2C, you can enhance it today with modern authentication capabilities. Then, when you migrate to External ID, your authentication layer can remain consistent - giving users a seamless experience regardless of what's happening on the backend.

Additional resources from official Microsoft docs
