TL;DR: Azure AD B2C is no longer open to new customers and Microsoft has shifted new feature development to Entra External ID, creating a migration path that spans tenant setup, user migration, app reconfiguration, and authentication redesign, according to Authsignal. The practical issue is not just moving identities, but deciding which auth controls belong in the CIAM layer versus a dedicated authentication layer.
At a glance
What this is: This is a migration guide for moving from Azure AD B2C to Microsoft Entra External ID, with emphasis on tenant setup, user migration methods, and auth experience changes.
Why it matters: It matters because CIAM migrations affect identity lifecycle, authentication strength, and application continuity, which makes the transition a governance issue as much as a technical one.
👉 Read Authsignal's migration guide for Azure AD B2C to Entra External ID
Context
Azure AD B2C is entering a managed transition period, with Microsoft stopping new sales and shifting new development to Entra External ID. For identity teams, that turns a platform upgrade into a governed migration across users, applications, authentication methods, and operational ownership.
The practical challenge is not only re-pointing applications. Teams need to decide whether user flows, custom policies, and step-up controls stay in the identity layer or move into a dedicated authentication service, while preserving a stable customer login experience throughout the cutover.
Key questions
Q: How should teams migrate users from Azure AD B2C to Entra External ID without breaking login flows?
A: Start by mapping user flows, custom policies, identity providers, and application registrations, then choose between bulk import with password reset or JIT migration based on user volume and tolerance for friction. The safest path is to validate password policy, federation, and re-authentication requirements in a test tenant before switching production traffic.
Q: What should organisations do when their CIAM platform no longer fits their authentication needs?
A: They should separate the identity system of record from the authentication experience, then decide which controls belong in each layer. That usually means keeping account and access governance in the CIAM platform while moving passkeys, step-up, and risk-based decisions into a dedicated authentication service when needed.
Q: What breaks when Azure AD B2C custom policies cannot be carried forward as-is?
A: Teams lose the ability to reuse embedded login logic, exception handling, and step-up flows exactly as they existed before. That can expose undocumented dependencies in the old tenant, so migration should begin with a policy inventory and an explicit decision on whether each rule is rebuilt, replaced, or retired.
Q: Who should own the authentication boundary after an Entra External ID migration?
A: Ownership should sit with the IAM or CIAM team that governs assurance, policy, and failure handling, even if a separate product provides advanced auth features. The boundary matters because identity records, authentication steps, and user experience can no longer be treated as one undifferentiated control surface.
Technical breakdown
User flow rebuilds and custom policy replacement
Azure AD B2C and Entra External ID are not interchangeable at the policy layer. B2C custom policies are XML-heavy and often encode deep login logic, while External ID pushes teams toward user flows, custom authentication extensions, and OIDC federation with a separate provider for advanced scenarios. That means migration is partly a policy translation exercise and partly an architecture decision about where authentication logic should live. The main risk is assuming endpoints can be swapped without reworking the control model behind them.
Practical implication: inventory every custom policy and decide whether it should be rebuilt in External ID or offloaded to a separate OIDC-based authentication layer.
Just-in-time user migration and password validation
The article describes a JIT migration path where users are validated against the legacy tenant at first login, then moved into External ID. That pattern depends on temporary credential checking, migration flags, and an Azure Function that coordinates the handoff. Operationally, this is identity lifecycle control under load, not a simple bulk import. The design must account for throttling, password policy mismatches, and the fact that local, social, and federated accounts do not all migrate the same way.
Practical implication: test JIT migration against password policy, throttling, and account-type differences before you move production traffic.
Authentication experience versus identity platform boundary
The article draws a sharp line between identity management and the login experience. External ID can handle tenant and access control, but many teams still need passkeys, risk-based authentication, biometrics, and step-up logic that sit closer to the user-facing auth layer. In practice, that creates a split architecture where the identity platform remains the system of record while a specialised auth service handles stronger interaction patterns. For IAM teams, the key question is whether that separation reduces complexity or adds another governance boundary.
Practical implication: define which auth capabilities must stay in the CIAM platform and which should be owned by a dedicated authentication layer.
NHI Mgmt Group analysis
Platform migration is an identity governance problem before it is a technical one. The article treats Azure AD B2C retirement as a migration guide, but the real work is lifecycle control over users, policies, and applications. The switch to Entra External ID forces teams to re-establish ownership for user flows, custom policies, and auth methods in a new control plane. Practitioners should treat the move as a governed identity change programme, not a lift-and-shift exercise.
CIAM migrations expose the hidden cost of policy entanglement. Complex B2C custom policies are often where teams embedded business rules, step-up decisions, and exception handling. When those policies cannot be carried forward unchanged, the migration reveals how much authentication logic was coupled to the old platform. The implication is that future CIAM design should separate portable identity controls from tenant-specific policy logic.
Authentication and identity management are converging, but not collapsing into one layer. The article shows a pattern many programmes now face: the core identity system handles accounts and access, while a separate layer delivers passkeys, risk-based authentication, and user interaction controls. That split can be useful, but only if governance clearly defines who owns assurance, step-up policy, and failure handling across the boundary.
Migration planning should be driven by the hardest identity objects first. Local accounts, federated identities, API connectors, and application registrations do not migrate with equal effort. The hardest cases determine the real schedule, because they reveal where policy translation, user re-authentication, or application refactoring will occur. Practitioners should model the transition around the most constrained identity paths, not the easiest ones.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
- The Ultimate Guide to NHIs , The NHI Market is a useful forward reference for teams that want to place CIAM migration choices inside a broader identity tooling landscape.
What this signals
Identity migrations are increasingly a control-design exercise, not a platform swap. When authentication logic sits in tenant-specific policy files, moving to a new CIAM service forces teams to rethink where assurance, step-up, and exception handling actually live. That governance work becomes more urgent when migrations are paired with modern auth expectations such as passkeys and risk-based authentication.
Teams that split identity management from authentication need explicit ownership boundaries. The new model can be sensible, but only if the programme assigns clear accountability for token issuance, step-up decisions, and fallback behaviour across both layers. Otherwise, migration simply relocates complexity instead of reducing it.
For practitioners
- Inventory all B2C dependencies before setting the cutover plan Document user flows, custom policies, identity providers, API connectors, app registrations, user counts, activity patterns, and MFA configurations so the migration scope is visible before implementation starts.
- Separate portable identity logic from platform-specific policy logic Identify which authentication rules can move into External ID user flows and custom authentication extensions, and which must be rebuilt or replaced through OIDC federation.
- Test migration paths by account type, not by tenant alone Validate local accounts, social accounts, and federated accounts separately because the bulk import and JIT approaches do not treat them the same way.
- Run a password policy compatibility check before JIT migration Compare legacy password behaviour with the new External ID password policy so forced resets do not appear unexpectedly during first login.
- Decide where step-up and risk controls will live after migration If you need passkeys, biometrics, or risk-based authentication, define whether those controls remain in the CIAM platform or move to a dedicated authentication layer.
Key takeaways
- Azure AD B2C to Entra External ID is a governance migration as much as a technical one.
- The hardest parts are policy translation, account-type differences, and preserving authentication assurance during cutover.
- Teams should decide now whether modern auth belongs inside the CIAM platform or in a separate authentication layer.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity proofing and access control sit behind the migration path. |
| NIST SP 800-63 | SP 800-63C | Federation and assertion handling matter where OIDC providers are introduced. |
| NIST Zero Trust (SP 800-207) | The migration changes trust boundaries and authentication dependencies. | |
| NIST SP 800-53 Rev 5 | AC-2 | Account lifecycle and provisioning changes are central to the migration. |
Map migration checkpoints to access control ownership and verify no user flow is left unmanaged.
Key terms
- Customer identity and access management: Customer identity and access management is the set of controls used to register, authenticate, and govern external users such as customers or partners. In this migration context, it also includes policy translation, app integration, and assurance decisions that must survive a platform change.
- Just-in-time user migration: Just-in-time user migration moves a user account only when the user next authenticates, rather than in one bulk cutover. It reduces visible disruption, but it also depends on temporary validation paths, migration flags, and clean handling of password policy and account type differences.
- Custom authentication extension: A custom authentication extension is a programmable way to insert extra logic into the login flow. It is useful when the base identity platform does not provide a needed control, but it also creates a governance boundary that must be documented, tested, and owned.
- OIDC federation: OIDC federation lets one identity system rely on another through standard OpenID Connect trust and token exchange. In migration work, it can simplify advanced authentication by moving selected login functions to a dedicated provider while keeping the main identity platform as the source of record.
What's in the full article
Authsignal's full guide covers the operational detail this post intentionally leaves for the source:
- Step-by-step tenant creation and configuration guidance for Entra External ID
- Microsoft migration toolkit workflow details for export, import, and JIT password validation
- Exact application registration and redirect URI changes for moved applications
- Practical examples of passkey, MFA, and risk-based authentication integration options
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-02-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org