Advisory & Strategy

CIAM Migration Readiness Assessment

A fixed-scope engagement that gives your organisation a clear migration plan, risk register, and implementation roadmap for moving from Azure AD B2C to Microsoft Entra External ID. Delivered in two to three weeks.

Why an assessment first

Migration planning before migration engineering.

Azure AD B2C environments accumulate complexity over time. Custom policies, social identity providers, schema extensions, and tightly coupled application integrations build up in ways that are difficult to unpick. A migration to Entra External ID is not a lift-and-shift. It is a rebuild of your customer identity platform, and the decisions you make at the start determine the cost, risk, and timeline of the entire programme.

This assessment gives you the complete picture before you commit to implementation. You get a documented inventory of your current state, a recommended migration approach tailored to your environment, and a management-ready deliverable your team can use to build a business case and brief engineering.

Industry Research
2030 is the end-of-support date for Azure AD B2C. B2C P2 Identity Protection was retired in March 2026. Organisations still on B2C are already losing capability.

Assessment scope

What we assess and deliver.

A comprehensive inventory and analysis of your B2C environment, producing the artefacts you need to plan and approve a migration programme.

B2C tenant inventory

Complete inventory of user flows, custom policies, identity providers (social and enterprise federation), schema extensions, custom attributes, and application registrations.

User population analysis

User volume, profile complexity, credential state, external identity links, and MFA configuration. Identifies populations that require special migration handling.

Credential strategy recommendation

Assessment of password migration approaches including just-in-time, bulk reset, parallel run, and passwordless. Includes a recommendation tailored to your user base and risk tolerance.

Implementation roadmap

Phased migration plan with indicative timelines, dependencies, and sequencing. Structured so your team can plan resourcing and budget with confidence.

Risk register

Documented risks with likelihood, impact, and mitigation strategies. Covers technical risks (custom policy complexity, application dependencies) and operational risks (user disruption, support load).

Regulatory compliance mapping

Migration decisions mapped against the Australian regulatory frameworks relevant to your sector, including APRA CPS 234, Privacy Act 1988, Digital ID Act 2024, and ASD ISM requirements.

How we deliver

A structured engagement in three phases.

The assessment follows a repeatable methodology. You know what you are getting, when you are getting it, and what it costs before we start.

Week 1

Discovery

Kickoff and tenant discovery

We conduct discovery workshops with your identity and application teams, establish read-only access to your B2C tenant, and begin the technical inventory. We map user flows, custom policies, identity providers, schema extensions, and application registrations.

Week 2

Analysis

Technical analysis and approach design

We analyse the inventory against Entra External ID capabilities, identify gaps and risks, design the recommended migration approach, and draft the credential strategy. Application integration dependencies are mapped and sequenced.

Week 3

Delivery

Deliverable handover and briefing

We deliver the complete assessment pack: tenant inventory, migration approach document, risk register, regulatory compliance mapping, and implementation roadmap. A management briefing session walks your stakeholders through the findings and recommendations.

Australian regulatory context

CIAM migration in an Australian regulatory landscape.

Every user profile in your Entra External ID tenant is subject to Australian regulatory obligations. We ensure your migration approach is compliant from the start, not retrofitted after the fact.

Financial services

APRA CPS 234 requirements on identity governance for customer-facing systems. AUSTRAC obligations around customer verification and identity proofing. We ensure your CIAM architecture meets prudential standards for information security and customer identity management.

Healthcare

My Health Record API integration requirements, the Australian Digital Health Agency's identity standards, and FHIR-based patient identity flows. Your CIAM platform must handle healthcare identity with the sensitivity and compliance rigour the sector demands.

Government

The Digital ID Act 2024, the Australian Government Digital Identity System (AGDIS), myID federation requirements, and ASD ISM controls for citizen-facing identity platforms. We align your migration approach to the frameworks your agency is measured against.

All sectors: Privacy Act 1988

The Australian Privacy Principles (APPs) apply to every consumer identity profile you store and process. CIAM migrations involve moving personal information between identity platforms. Your approach must address APP obligations around collection, use, disclosure, and cross-border transfer of personal data.

100% Australian-owned. Sovereign delivery.

Modern 42 is a 100% Australian-owned and operated identity consultancy. Our consultants hold AGSVA security clearances and deliver from Australia. Your CIAM migration assessment is conducted by engineers who understand the Australian regulatory landscape because they work in it every day. Not by an offshore team applying a generic migration playbook.

This matters because CIAM is not just a technical migration. It is a change to how your organisation stores, processes, and governs customer identity data. The decisions made during migration have direct implications for your obligations under the Privacy Act, your sector-specific regulatory requirements, and your organisation's data sovereignty posture.

Deliverables

What you receive

A management-ready deliverable pack your team can use to build a business case and brief engineering.

  • Complete B2C tenant inventory (user flows, custom policies, identity providers, schema extensions, app registrations)
  • User population analysis and credential state assessment
  • Migration approach recommendation with trade-off analysis
  • Credential strategy document (JIT, bulk reset, parallel run, or passwordless)
  • Risk register with likelihood, impact, and mitigation strategies
  • Australian regulatory compliance mapping for your sector
  • Phased implementation roadmap with indicative timelines and dependencies
  • Management briefing session with your stakeholders

FAQ

Common questions

We need read-only access to your Azure AD B2C tenant, including user flows, custom policies, app registrations, and identity provider configurations. We also review your application integration layer to understand token dependencies. No changes are made to your environment during the assessment.

The assessment is delivered in two to three weeks from kickoff to final deliverable. This includes discovery workshops, technical analysis, and the production of all deliverables. Timelines can vary slightly for environments with a very large number of custom policies or application integrations.

The assessment covers your primary B2C tenant. Additional tenants can be included in the scope. We confirm pricing during scoping based on the number of tenants and their complexity.

Yes. The assessment produces a deliverable you can take to any implementation partner. Many clients choose to continue with our engineering team because the advisory team has already built deep context about the environment, but you are never obligated to do so.

Yes. The assessment is specifically designed to produce a management-ready deliverable. The implementation roadmap, risk register, and cost indicators give your procurement and leadership teams the information they need to approve the migration programme.

Yes. We map migration decisions against the Australian regulatory frameworks relevant to your sector, including APRA CPS 234 for financial services, the Privacy Act 1988 and Australian Privacy Principles for all sectors, the Digital ID Act 2024 for government, and ASD ISM requirements. This ensures your migration approach is compliant from day one.

Get a clear migration plan before you commit to implementation

A two to three week assessment that gives your team the inventory, roadmap, and business case to move forward with confidence.
