Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Azure AD B2C migration to Entra External ID: what changes for IAM teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10965
Topic starter  

TL;DR: Azure AD B2C is no longer open to new customers and Microsoft has shifted new feature development to Entra External ID, creating a migration path that spans tenant setup, user migration, app reconfiguration, and authentication redesign, according to Authsignal. The practical issue is not just moving identities, but deciding which auth controls belong in the CIAM layer versus a dedicated authentication layer.

NHIMG editorial — based on content published by Authsignal: How to migrate from Azure AD B2C to Microsoft Entra External ID

Questions worth separating out

Q: How should teams migrate users from Azure AD B2C to Entra External ID without breaking login flows?

A: Start by mapping user flows, custom policies, identity providers, and application registrations, then choose between bulk import with password reset or JIT migration based on user volume and tolerance for friction.

Q: What should organisations do when their CIAM platform no longer fits their authentication needs?

A: They should separate the identity system of record from the authentication experience, then decide which controls belong in each layer.

Q: What breaks when Azure AD B2C custom policies cannot be carried forward as-is?

A: Teams lose the ability to reuse embedded login logic, exception handling, and step-up flows exactly as they existed before.

Practitioner guidance

  • Inventory all B2C dependencies before setting the cutover plan Document user flows, custom policies, identity providers, API connectors, app registrations, user counts, activity patterns, and MFA configurations so the migration scope is visible before implementation starts.
  • Separate portable identity logic from platform-specific policy logic Identify which authentication rules can move into External ID user flows and custom authentication extensions, and which must be rebuilt or replaced through OIDC federation.
  • Test migration paths by account type, not by tenant alone Validate local accounts, social accounts, and federated accounts separately because the bulk import and JIT approaches do not treat them the same way.

What's in the full article

Authsignal's full guide covers the operational detail this post intentionally leaves for the source:

  • Step-by-step tenant creation and configuration guidance for Entra External ID
  • Microsoft migration toolkit workflow details for export, import, and JIT password validation
  • Exact application registration and redirect URI changes for moved applications
  • Practical examples of passkey, MFA, and risk-based authentication integration options

👉 Read Authsignal's migration guide for Azure AD B2C to Entra External ID →

Azure AD B2C migration to Entra External ID: what changes for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10520
 

Platform migration is an identity governance problem before it is a technical one. The article treats Azure AD B2C retirement as a migration guide, but the real work is lifecycle control over users, policies, and applications. The switch to Entra External ID forces teams to re-establish ownership for user flows, custom policies, and auth methods in a new control plane. Practitioners should treat the move as a governed identity change programme, not a lift-and-shift exercise.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.

A question worth separating out:

Q: Who should own the authentication boundary after an Entra External ID migration?

A: Ownership should sit with the IAM or CIAM team that governs assurance, policy, and failure handling, even if a separate product provides advanced auth features. The boundary matters because identity records, authentication steps, and user experience can no longer be treated as one undifferentiated control surface.

👉 Read our full editorial: Azure AD B2C to Entra External ID migration and auth tradeoffs



   
ReplyQuote
Share: