If you're reading this, you've probably heard the news: Azure AD B2C is being phased out. As of May 1, 2025, Microsoft stopped offering Azure AD B2C to new customers. While existing tenants will continue to be supported until at least May 2030, all new feature development has shifted to Microsoft Entra External ID.
This guide walks you through a practical migration path from Azure AD B2C to Entra External ID, with a focus on maintaining a secure, user-friendly authentication experience throughout the transition.
Understanding the migration landscape
Before diving into the technical steps, let's clarify what we're building toward.
What is Entra External ID?
Microsoft Entra External ID is Microsoft's next-generation Customer Identity and Access Management (CIAM) platform. It builds on Azure AD B2C with these additions:
- Unified management for both customer (B2C) and partner (B2B) identities
- Simplified administration interface
- Native support for modern authentication protocols
- Enhanced security with risk-based authentication
- Better developer experience with improved APIs and SDKs
The custom policy reality
Here's the most important thing to understand upfront: Entra External ID does not support Azure AD B2C's XML-based custom policies.
If you've built complex authentication flows using the Identity Experience Framework, you cannot simply port them over. You'll need to rebuild using:
- Entra External ID's user flows and custom authentication extensions (limited to specific events)
- OIDC federation with an external authentication provider that supports the authentication patterns you need
Microsoft is working on migration paths for custom policies, but there's no timeline yet.
Step-by-step migration guide
Microsoft's official migration planning guide provides a comprehensive overview of the migration process. This guide focuses on the practical implementation steps.
Phase 1: Planning and setup
1. Audit your current B2C setup
Start by documenting everything you're using today:
Document these elements from your B2C tenant:
- User flows (sign-up, sign-in, profile edit, password reset)
- Custom policies (if any)
- User attributes (standard and custom)
- Identity providers (social, enterprise)
- API connectors and integrations
- Application registrations
- User counts and activity patterns
- MFA configurations
2. Create your Entra External ID tenant
Navigate to the Azure Portal and create a new External ID tenant. For detailed instructions, see Microsoft's tenant creation guide.
- Go to Microsoft Entra ID → Overview → Manage tenants
- Click Create and select External tenant
- Choose Use Entra External ID for customers
- Configure your tenant domain and region
3. Configure authentication methods
In your new Entra External ID tenant, configure how users will authenticate:
- Navigate to External Identities → All identity providers
- Choose your authentication methods:
- Email with one-time passcode (built-in)
- Email with password (built-in)
- Social providers (Google, Facebook, Apple, Microsoft)
- Custom OIDC providers (for advanced authentication needs)
For basic migrations, the built-in email authentication works well. If you need advanced features, you can integrate external authentication providers via OIDC.
Phase 2: Set up user flows
4. Create sign-up and sign-in flow
- Go to External Identities → User flows
- Click New user flow
- Select Sign up and sign in
- Name it (e.g., SignUpSignIn)
Configure the flow:
- Identity providers: Select your authentication methods
- User attributes: Choose what to collect during sign-up
- Application claims: Define what's included in tokens
5. Configure user attributes
Select the attributes you need:
Commonly collected attributes:
- Email Address (required)
- Display Name
- Given Name
- Surname
- Custom attributes (create as needed)
These attributes will be available in your application's ID tokens after successful authentication.
Phase 3: User migration
This is the most critical phase. You have two options for migrating users. For detailed technical implementation, see Microsoft's user migration guide.
Option 1: Bulk import + SSPR (simplest)
Best for: Smaller user bases, low-frequency apps
- Export users from Azure AD B2C using Microsoft Graph API
- Import users into Entra External ID with random passwords
- Enable Self-Service Password Reset (SSPR) in your tenant
- Notify users to reset passwords on first login via SSPR
Pros: Simple to implement, no custom code required
Cons: Users must reset passwords, potential support burden
Option 2: Just-in-time (JIT) migration (recommended)
Best for: Large user bases, critical applications
This approach migrates users seamlessly on their first login. Microsoft provides official guidance for implementing Just-in-Time password migration.
- Bulk import users with a custom extension property (migration flag)
- On first login, validate credentials against B2C via a custom Azure Function
- If valid, migrate password to Entra External ID and clear migration flag
- Subsequent logins authenticate directly against Entra External ID
Microsoft provides a JIT migration toolkit on GitHub that implements this pattern.
Pros: Seamless user experience, no password reset required
Cons: Requires custom code and Azure Function deployment
Phase 4: Application migration
6. Update application registrations
For each application currently using B2C:
- Create a new app registration in Entra External ID
- Configure redirect URIs (copy from your B2C app)
- Note the new Client ID and generate a new Client Secret
7. Update application code
The code changes are minimal. You're primarily updating endpoints:
Before (Azure AD B2C):

const msalConfig = {
  auth: {
    clientId: "YOUR_B2C_CLIENT_ID",
    authority: "https://YOUR_TENANT.b2clogin.com/YOUR_TENANT.onmicrosoft.com/B2C_1_signupsignin",
    knownAuthorities: ["YOUR_TENANT.b2clogin.com"],
    redirectUri: "https://yourapp.com/callback",
  }
};

After (Entra External ID):

const msalConfig = {
  auth: {
    clientId: "YOUR_EXTERNAL_ID_CLIENT_ID",
    authority: "https://YOUR_TENANT.ciamlogin.com/YOUR_TENANT.onmicrosoft.com",
    redirectUri: "https://yourapp.com/callback",
  }
};

Note: Verify the exact authority URL format in Microsoft's developer documentation for your specific SDK version and platform.
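Because the authority change is the one place a stale value silently keeps the app talking to B2C, it is worth scripting the conversion and checking for leftovers before cutover. The following is an added example, not code from the post: it derives the External ID config from the B2C one (using the authority form the post shows, which you should still confirm for your SDK version) and walks any config object to report paths that still reference b2clogin.com, a B2C_1 policy name, or the knownAuthorities entry the post's "after" config omits.

```javascript
// Matches the B2C authority form shown above: tenant, tenant domain, policy name.
const B2C_AUTHORITY = /^https:\/\/([^.\/]+)\.b2clogin\.com\/([^\/]+)\/(B2C_1A?_[^\/]+)\/?$/i;

// Derive the External ID config from the B2C one. The target authority form is the
// one the post shows (assumption: confirm it for your SDK version).
function toExternalIdConfig(b2cConfig, newClientId) {
  const m = B2C_AUTHORITY.exec(b2cConfig.auth.authority);
  if (!m) throw new Error("not a recognised B2C authority");
  const [, tenant, tenantDomain, policy] = m;
  const config = {
    auth: {
      clientId: newClientId,
      authority: `https://${tenant}.ciamlogin.com/${tenantDomain}`,
      redirectUri: b2cConfig.auth.redirectUri,
    },
  };
  return { config, policy }; // policy is returned so you can map it to its user flow
}

// Walk any config object and report the paths that still point at B2C.
function findB2cLeftovers(obj, path = "") {
  const hits = [];
  for (const [key, value] of Object.entries(obj)) {
    const here = path ? `${path}.${key}` : key;
    if (key === "knownAuthorities") { hits.push(here); continue; }
    if (typeof value === "string") {
      if (/b2clogin\.com|B2C_1A?_/i.test(value)) hits.push(here);
    } else if (value && typeof value === "object") {
      hits.push(...findB2cLeftovers(value, here));
    }
  }
  return hits;
}

// Constructed sample: the "before" config from the post.
const b2cConfig = {
  auth: {
    clientId: "YOUR_B2C_CLIENT_ID",
    authority: "https://YOUR_TENANT.b2clogin.com/YOUR_TENANT.onmicrosoft.com/B2C_1_signupsignin",
    knownAuthorities: ["YOUR_TENANT.b2clogin.com"],
    redirectUri: "https://yourapp.com/callback",
  },
};
```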
Not ready to migrate yet? Improve your authentication flows
If you're still on Azure AD B2C and planning to migrate in the coming months or years, you don't have to wait to improve your authentication experience. You can enhance your current B2C setup with modern authentication capabilities today.
Why improve authentication before migration?
Give users modern auth sooner. Your users don't care about your backend infrastructure. They want passwordless login, passkeys, and smooth MFA flows. You can deliver these features now, regardless of your migration timeline.
Test and iterate without risk. Adding authentication capabilities to B2C lets you roll out new features gradually, get user feedback, and refine the experience before the pressure of a full platform migration.
Enhancing Azure AD B2C with better authentication
Azure AD B2C supports custom policies and integrations, which means you can add specialized authentication capabilities without major code changes. For example, Authsignal's Azure AD B2C integration provides:
- Passkey support with WebAuthn
- Pre-built authentication UI
- Multi-factor authentication (SMS, email, authenticator apps, biometrics)
- Step-up authentication for sensitive operations
- Risk-based authentication policies
The integration works through B2C's custom policies, so your applications continue working with B2C as they do today. Users just get a better authentication experience.
Advanced authentication for External ID
Once you've migrated to Entra External ID, you may discover that certain authentication experiences require additional capabilities beyond what's built in. This is where OIDC federation becomes useful - the same approach that works with Azure AD B2C.
Entra External ID supports integrating with external authentication providers via standard OIDC protocols. This allows you to delegate specific authentication flows (like sophisticated MFA, passkeys, or risk-based policies) to specialized platforms while keeping Entra External ID as your identity provider.
When this makes sense:
- You need authentication features External ID doesn't yet support natively
- Your B2C custom policies can't be replicated in External ID's current capabilities
- You want consistent authentication UX across your B2C and External ID tenants during migration
How it works:
Your application authenticates through Entra External ID, which can federate to an external OIDC provider for the actual authentication step, then External ID issues the tokens your app needs.
Conclusion
Migrating from Azure AD B2C to Entra External ID is straightforward if you plan ahead. The process involves setting up your new tenant, migrating users, and updating your applications. Whether you use the simple password reset approach or the more seamless JIT migration depends on your user base size and tolerance for friction.
You don't have to wait until migration to improve your authentication experience. If you're still on Azure AD B2C, you can enhance it today with modern authentication capabilities. Then, when you migrate to External ID, your authentication layer can remain consistent - giving users a seamless experience regardless of what's happening on the backend.
Additional resources from official Microsoft docs
- Plan and execute migration to Entra External ID - Primary migration planning guide
- Migrating users to Entra External ID - User data migration guide
- Just-in-time password migration - JIT migration implementation guide
- Microsoft Entra External ID overview
- Custom OIDC federation setup