Teams lose the ability to reuse embedded login logic, exception handling, and step-up flows exactly as they existed before. That can expose undocumented dependencies in the old tenant, so migration should begin with a policy inventory and an explicit decision on whether each rule is rebuilt, replaced, or retired.
Why This Matters for Security Teams
Azure AD B2C custom policies are often treated as portable configuration, but they usually encode business logic, exception paths, and trust assumptions that are tied to one tenant’s history. When those policies cannot be carried forward as-is, migration becomes a security redesign exercise, not a simple lift-and-shift. That matters because hidden dependencies can break step-up authentication, recovery journeys, and account linking in ways that are easy to miss during testing.
For security teams, the real issue is not just functional drift. It is exposure drift: a policy that once enforced a narrow access path may have accumulated exceptions over time, and those exceptions can become hard to see outside the old environment. NHI Mgmt Group’s research on the Top 10 NHI Issues shows how often identity controls fail when visibility is incomplete, and that pattern applies here too. Current guidance in NIST Cybersecurity Framework 2.0 still points teams back to asset understanding, control mapping, and risk-based change management rather than assuming identity logic survives platform change intact. In practice, many security teams discover undocumented policy dependencies only after users are locked out or high-risk fallback paths have already been triggered.
How It Works in Practice
The first step is policy inventory, but that inventory needs to go beyond filenames and XML versioning. Each custom policy should be mapped to the authentication journey it supports, the claims it consumes, the exceptions it triggers, and the downstream systems that depend on its output. That includes password reset flows, federation handoffs, conditional step-up logic, and any branching that depends on claims transformation.
Migration teams should then classify each rule into one of three outcomes: rebuild, replace, or retire. Rebuild is appropriate when the logic is still necessary and can be expressed in the target identity platform. Replace applies when the old policy is really compensating for a missing product feature, such as a brittle exception workflow that should be redesigned with clearer controls. Retire is the right answer when the rule exists only because of historical tenant behavior, duplicated journey logic, or a control that no longer matches business need. That decision process should be documented as part of change governance, not left to implementation shortcuts.
Two control ideas help here. First, treat identity policy as governed configuration with explicit owners and test cases. Second, validate every high-risk path with scenario testing, not just happy-path sign-in. The Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs reinforces that identity controls need lifecycle discipline, and the same principle applies to B2C policy migration. For teams looking for a broader incident lens, the Microsoft Azure Key Breach illustrates how overlooked identity dependencies can become security events when old assumptions are left in place. These controls tend to break down when the legacy tenant contains years of undocumented exceptions because there is no reliable source of truth for what the policy is actually doing.
Common Variations and Edge Cases
Tighter identity migration controls often increase project cost and timeline, requiring organisations to balance continuity against the risk of preserving insecure logic. That tradeoff is especially visible when custom policies are intertwined with partner federation, regulated customer journeys, or bespoke UI fragments that were never designed for portability.
Some environments can preserve most logic by re-implementing the policy structure in the target service, but current guidance suggests that teams should not assume behavioural equivalence just because the XML or configuration looks similar. Claims transformations, localization rules, and self-service recovery flows often behave differently across platforms. In regulated environments, auditability becomes part of the migration requirement, which makes the Ultimate Guide to NHIs — Regulatory and Audit Perspectives relevant even when the immediate question is functional. The safest pattern is to assign each policy a control owner, a business owner, and a clear retirement date if it is no longer justified.
There is no universal standard for this yet, but best practice is evolving toward explicit policy decomposition, staged parity testing, and rapid rollback plans. That is particularly important when legacy custom policies depend on external REST calls or brittle error handling, because those integrations often fail first during migration and produce confusing authentication errors for users. When that happens, the problem is usually not the target platform itself but the hidden complexity inherited from the old tenant.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Policy migration can expose hidden identity dependencies and weak lifecycle control. |
| NIST CSF 2.0 | GV.RM-01 | Risk management should drive whether policy logic is rebuilt, replaced, or retired. |
| NIST AI RMF | GOVERN | Governance is needed to manage identity logic changes and accountability. |
| NIST Zero Trust (SP 800-207) | SA-2 | Identity flows must be revalidated under zero trust assumptions during migration. |
| OWASP Agentic AI Top 10 | LLM-01 | Dynamic decision logic and hidden dependencies mirror brittle autonomous workflow failures. |
Inventory each custom policy, assign an owner, and retire logic that no longer has a justified business purpose.