Platform
Platform
Drop-In Authentication
Passkeys
Phishing-resistant, FIDO2/WebAuthn
Biometric authentication
Face and device-native biometrics
WhatsApp OTP
Global reach, lower cost than SMS
Email OTP
Universal second factor
App push authentication
Native device push notifications
Palm biometrics
Contactless identity verification
All authentication methods
KEY FEATURES
No-code rules engine
Step-up auth, risk policies, alerts
User observability
Audit trails, dynamic linking
Risk-based authentication
Adaptive MFA by context
Session management
Persistent sessions across channels
Digital credentials API
Verify sovereign digital IDs
Pre-built UI
Fastest deployment path
Passkeys
Deploy phishing-resistant passkeys across web and mobile in days
Solutions
Solutions
USE CASE
Account Takeover Prevention
Stop ATO without adding friction
Go Passwordless
Replace passwords with passkeys
Account Recovery
Secure self-service recovery flows
Call Centre Authentication
Verify callers without KBA
SMS Cost Optimisation
Cut OTP costs up to 90%
Existing Apps (Drop-In)
Add auth without re-architecting
Palm biometric payments
Contactless in-store payments
INDUSTRY
Financial Services & Banking
Secure high-value transactions
Healthcare
Authentication for ePHI access
Loyalty Programs
Protect points and member accounts
ROLE
Engineering
Fast integration, flexible SDKs
Product
No-code flows, conversion insights
Cybersecurity
Risk policies, compliance, audit trails
PricingCustomers
Resources
Resources
LEARN
Blog
Guides
Regulatory
Templates
Docs
COMPANY
About Us
Why Authsignal
Partners
Careers
Security
Contact
INTEGRATIONS
Amazon Cognito
Auth0
Azure AD B2C
Custom identity provider
Duende IdentityServer
All integrations
Docs
Start a trial
Book a callLogin
AUS Flag

Authsignal secures millions of passkey transactions out of our hosted Sydney region.

AUS Flag

Authsignal secures millions of passkey transactions out of our hosted Sydney region.

Join us today!
Right icon
Blog
/
Current article
Azure AD B2C
Entra External ID
Migration

How to migrate from Azure AD B2C to Microsoft Entra External ID

Ashutosh Bhadauriya
⬤
February 19, 2026
Share
How to migrate from Azure AD B2C to Microsoft Entra External ID

If you're reading this, you've probably heard the news: Azure AD B2C is being phased out. As of May 1, 2025, Microsoft stopped offering Azure AD B2C to new customers. While existing tenants will continue to be supported until at least May 2030, all new feature development has shifted to Microsoft Entra External ID.

This guide walks you through a practical migration path from Azure AD B2C to Entra External ID, with a focus on maintaining a secure, user-friendly authentication experience throughout the transition.

‍

Understanding the migration landscape

Before diving into the technical steps, let's clarify what we're building toward.

What is Entra External ID?

Microsoft Entra External ID is the next-generation Customer Identity and Access Management (CIAM) platform. Microsoft Entra External ID builds on Azure AD B2C with these additions:

  • Unified management for both customer (B2C) and partner (B2B) identities
  • Simplified administration interface
  • Native support for modern authentication protocols
  • Enhanced security with risk-based authentication
  • Better developer experience with improved APIs and SDKs

Custom policies

One important thing to know upfront: Entra External ID uses a different approach than Azure AD B2C's XML-based custom policies. If you've built complex authentication flows with custom policies, you'll need to rebuild them using:

  1. Entra External ID's user flows and custom authentication extensions
  2. OIDC federation with a dedicated authentication provider

Microsoft is working on migration tools to help with this transition. The second approach can simplify your migration by using pre-built authentication flows that integrate via standard OIDC.

‍

Step-by-step migration guide

Microsoft's official migration planning guide provides a comprehensive overview of the migration process. This guide focuses on the practical implementation steps.

‍

Phase 1: Planning and setup

‍

1. Audit your current B2C setup

Start by documenting everything you're using today:

# Document these elements from your B2C tenant:
- User flows (sign-up, sign-in, profile edit, password reset)
- Custom policies (if any)
- User attributes (standard and custom)
- Identity providers (social, enterprise)
- API connectors and integrations
- Application registrations
- User counts and activity patterns
- MFA configurations

‍

2. Create your Entra External ID tenant

Navigate to the Azure Portal and create a new External ID tenant. For detailed instructions, see Microsoft's tenant creation guide.

  1. Go to Microsoft Entra ID → Overview → Manage tenants
  2. Click Create and select External tenant
  3. Choose Use Entra External ID for customers
  4. Configure your tenant domain and region

3. Configure authentication methods

In your new Entra External ID tenant, configure how users will authenticate:

  1. Navigate to External Identities → All identity providers
  2. Choose your authentication methods:
    • Email with one-time passcode (built-in)
    • Email with password (built-in)
    • Social providers (Google, Facebook, Apple, Microsoft)
    • Custom OIDC providers (for advanced authentication needs)

For basic migrations, the built-in email authentication works well. If you need more advanced features like passkeys, biometric authentication, or sophisticated MFA flows, you'll want to consider a dedicated authentication provider through OIDC federation.

‍

Phase 2: Set up user flows

‍

4. Create sign-up and sign-in flow

  1. Go to External Identities → User flows
  2. Click New user flow
  3. Select Sign up and sign in
  4. Name it (e.g., SignUpSignIn)

Configure the flow:

  • Identity providers: Select your authentication methods
  • User attributes: Choose what to collect during sign-up
  • Application claims: Define what's included in tokens

5. Configure user attributes

Select the attributes you need:

Commonly collected attributes:
- Email Address (required)
- Display Name
- Given Name
- Surname
- Custom attributes (create as needed)

These attributes will be available in your application's ID tokens after successful authentication.

‍

Phase 3: User Migration

‍

This is the most critical phase. You have two main approaches for migrating users. For detailed technical implementation, see Microsoft's user migration guide.

Microsoft provides an official migration toolkit with three components:

  • Export tool: Reads users from B2C and saves to Azure blob storage in batches
  • Import tool: Loads users from blob storage into Entra External ID
  • Azure Function: Handles just-in-time password validation and migration

The toolkit handles Graph API throttling automatically and processes users in configurable batches. Both migration approaches below can leverage these tools.

Option 1: Bulk Import + SSPR (Simplest)

Best for: Smaller user bases, low-frequency apps

The Microsoft migration toolkit provides tools to handle this approach:

  1. Export users from Azure AD B2C to blob storage in batches (handles Graph API throttling)
  2. Import users from blob storage into Entra External ID with random passwords
  3. Enable Self-Service Password Reset (SSPR) in your tenant
  4. Notify users to reset passwords on first login via SSPR

The toolkit can transform B2C email/password accounts to Entra External ID email/OTP accounts during migration. Note that the toolkit currently supports local accounts only - social and federated accounts need to be handled separately (users will need to re-authenticate with their social provider after migration).

Pros: Simple to implement, toolkit handles Graph throttling and batchingCons: Users must reset passwords, currently limited to local accounts only

Option 2: Just-in-Time (JIT) Migration (Recommended)

Best for: Large user bases, critical applications

This approach migrates users seamlessly on their first login. Microsoft provides official guidance for implementing Just-in-Time password migration.

Using the Microsoft migration toolkit:

  1. Export/Import users using the toolkit's blob storage approach (same as Option 1)
  2. Set a custom extension property (migration flag) on each user account
  3. Azure Function validates credentials against B2C using ROPC (Resource Owner Password Credentials) with the NCA = 1 flag
  4. On successful validation, the password is migrated to Entra External ID and the migration flag is cleared
  5. Subsequent logins authenticate directly against Entra External ID

Password policy enforcement: You can configure an Entra External ID password policy. Any password that doesn't meet this policy will force the user to change their password during migration.

The Azure Function integrates via custom authentication extensions. Microsoft provides a JIT migration toolkit on GitHub with all three components: export, import, and the Azure Function.

Pros: Seamless user experience, no password resets needed (unless policy requires)Cons: More complex setup, requires Azure Function deployment and custom auth extension configuration

‍

Phase 4: Application migration

‍

6. Update application registrations

For each application currently using B2C:

  1. Create a new app registration in Entra External ID
  2. Configure redirect URIs (copy from your B2C app)
  3. Note the new Client ID and generate a new Client Secret

7. Update application code

The code changes are minimal. You're primarily updating endpoints:

Before (Azure AD B2C):

‍

const msalConfig = {
  auth: {
    clientId: "YOUR_B2C_CLIENT_ID",
    authority: "https://YOUR_TENANT.b2clogin.com/YOUR_TENANT.onmicrosoft.com/B2C_1_signupsignin",
    knownAuthorities: ["YOUR_TENANT.b2clogin.com"],
    redirectUri: "https://yourapp.com/callback",
  }
};

After (Entra External ID):

const msalConfig = {
  auth: {
    clientId: "YOUR_EXTERNAL_ID_CLIENT_ID",
    authority: "https://YOUR_TENANT.ciamlogin.com/YOUR_TENANT.onmicrosoft.com",
    redirectUri: "https://yourapp.com/callback",
  }
};

Note: Verify the exact authority URL format in Microsoft's developer documentation for your specific SDK version and platform.

‍

Not ready to migrate yet? Improve your authentication flows

If you're still on Azure AD B2C and planning to migrate in the coming months or years, you don't have to wait to improve your authentication experience. You can enhance your current B2C setup with modern authentication capabilities today.

‍

Why upgrade authentication before migration?

Give users modern auth sooner. Your users don't care about your backend infrastructure. They want passwordless login, passkeys, and smooth MFA flows. You can deliver these features now, regardless of your migration timeline.

Test and iterate without risk. Adding authentication capabilities to B2C lets you roll out new features gradually, get user feedback, and refine the experience before the pressure of a full platform migration.

‍

Enhancing Azure AD B2C with better authentication

Azure AD B2C supports custom policies and integrations, which means you can add specialized authentication capabilities without major code changes. For example, Authsignal's Azure AD B2C integration provides:

  • Passkey support with WebAuthn
  • Pre-built authentication UI
  • Multi-factor authentication (SMS, email, authenticator apps, biometrics)
  • Step-up authentication for sensitive operations
  • Risk-based authentication policies

The integration works through B2C's custom policies, so your applications continue working with B2C as they do today. Users just get a better authentication experience.

‍

Advanced authentication for External ID

Once your basic migration is complete, you'll want to think about the authentication experience itself. This is where many teams realize that Entra External ID, while excellent for identity management, might benefit from a dedicated authentication layer.

Entra External ID handles identity management well, but many teams use dedicated authentication platforms for modern features like passkeys, biometric login, risk-based MFA, and pre-built authentication UI. This separation lets Entra External ID focus on what it does best (identity and access control) while specialized platforms handle the login experience.

Platforms to Consider

If you're looking for a modern authentication experience, consider platforms like:

  • Authsignal: Specializes in MFA, passkeys, and step-up authentication. Has documented Azure AD B2C integration if you're currently on B2C.
  • Auth0: Full-featured identity platform with extensive customization
  • Okta: Enterprise-focused with strong compliance features
  • Other OIDC providers: Any provider supporting standard OIDC can integrate

‍

Conclusion

Migrating from Azure AD B2C to Entra External ID is straightforward if you plan ahead. The process involves setting up your new tenant, migrating users, and updating your applications. Whether you use the simple password reset approach or the more seamless JIT migration depends on your user base size and tolerance for friction.

You don't have to wait until migration to improve your authentication experience. If you're still on Azure AD B2C, you can enhance it today with modern authentication capabilities. Then, when you migrate to External ID, your authentication layer can remain consistent - giving users a seamless experience regardless of what's happening on the backend.

‍

Additional resources from official Microsoft docs

  • Plan and execute migration to Entra External ID - Primary migration planning guide
  • Migrating users to Entra External ID - User data migration guide
  • Just-in-time password migration - JIT migration implementation guide
  • Microsoft Entra External ID overview
  • Custom OIDC federation setup
Question icon
Have a question?
Talk to an expert
NewsletterDemo PasskeysView docs
Azure AD B2C
Entra External ID
Migration

You might also like

The passkey UX patterns that drive adoption in 2026
Passkeys
Passkeys implementation

The passkey UX patterns that drive adoption in 2026

July 2, 2026
What is silent network authentication, and how does it work?
Silent Network Authentication
SNA

What is silent network authentication, and how does it work?

June 26, 2026
HIPAA MFA requirements and what to do before the final rule lands
Passkeys
Step up authentication
Adaptive MFA
SMS Alternative

HIPAA MFA requirements and what to do before the final rule lands

July 4, 2026

Secure your customers’ accounts today with Authsignal

Passkey demoCreate free account
Authsignal Purple Logo

Authsignal is a drop-in authentication and orchestration layer for consumer-facing businesses. Passkeys, adaptive MFA, and omnichannel verification on top of your existing identity stack. Deployed in weeks, not quarters.

AICPA SOCFido Certified
LinkedInTwitter
Platform
Drop-In Authentication
PasskeysBiometric authenticationWhatsApp OTPEmail OTPApp push authenticationPalm biometricsSMS OTPEmail OTPMagic LinksAuthenticator apps (TOTP)
View all auth methods
KEY FEATURES
No-code rules engineUser observabilityRisk-based authenticationSession managementDigital credentials APIPre-built UI
All authentication methods
Pricing
Customers
Solutions
USE CASE
Account takeovers (ATO)
Go passwordless
Call center
SMS cost optimization
Existing apps
Palm biometric payments
View all use cases
industry
Financial services
Healthcare
Marketplace
View all use cases
ROLE
Engineering
ProductCybersecurityDocs
Compare
Twilio Verify vs AuthsignalAuth0 vs AuthsignalAWS Cognito vs Authsignal + AWS Cognito
Resources
LEARN
BlogGuidesRegulatoryTemplatesDocs
COMPANY
About usWhy AuthsignalPartnersCareersSecurityContact
Integrations
Amazon Cognito
Azure AD B2C
Duende IdentityServer
Keycloak
Auth0
NextAuth.js
Custom identity provider
All integrations
United States
+1 214 974-4877
Ireland
+353 12 676529
Australia
+61 387 715 810
New Zealand
+64 275 491 983
© 2026 Authsignal - All Rights Reserved
Terms of servicePrivacy policySecuritySystem statusCookies