Engineering & Delivery

Azure B2C replacement. Seamless migration to Entra External ID.

Microsoft Entra External ID is the Azure B2C replacement, but it is not a simple upgrade. Modern 42 is experienced in rebuilding your CIAM channel on the new platform. We combine deep engineering expertise with our own Identity Observability platform and Apporetum CIAM tooling to deliver faster, lower-risk migrations. We don't just plan it. We build it.

  • 200+ IAM & PAM projects
  • 2025: B2C closed to new customers
  • 1M+ customer identities migrated
  • 100% Microsoft Cloud Security Partner
Industry Research
2026

B2C P2 (Identity Protection) was retired in March 2026. If you relied on risk-based Conditional Access or risky sign-in detection, that functionality is already gone. Full B2C end of support follows in May 2030.

Platform comparison

Azure B2C replacement: how Entra External ID compares.

Understanding the Azure B2C replacement is the first step in planning your migration. Entra External ID is not a rebrand of B2C. It is a fundamentally different platform built on the core Entra ID infrastructure.

Platform foundation
  • Azure AD B2C: Standalone B2C directory, separate from Entra ID
  • Entra External ID: Built on core Entra ID infrastructure with full platform parity

Authentication flows
  • Azure AD B2C: User flows and custom XML policies (Identity Experience Framework)
  • Entra External ID: Native authentication APIs, custom authentication extensions, and built-in flows

Customisation model
  • Azure AD B2C: Complex XML policy language with steep learning curve
  • Entra External ID: Standard Entra ID extensibility, Azure Functions, and Microsoft Graph

Identity Protection
  • Azure AD B2C: B2C P2 tier retired March 2026
  • Entra External ID: Full Entra ID Protection with risk-based Conditional Access

Conditional Access
  • Azure AD B2C: Limited policy options, no integration with Entra ID Protection
  • Entra External ID: Full Conditional Access engine with MFA, device, location, and risk signals

MFA and passwordless
  • Azure AD B2C: Phone-based MFA, limited options
  • Entra External ID: Authenticator, FIDO2, passkeys, phone, and email OTP

Social and federation
  • Azure AD B2C: Built-in social providers, custom OIDC/SAML
  • Entra External ID: Built-in social providers, Apple Sign In, custom OIDC, SAML, and WS-Federation

Developer experience
  • Azure AD B2C: Custom policy XML, limited SDK support
  • Entra External ID: Microsoft Graph API, MSAL SDKs, native mobile authentication

Microsoft investment
  • Azure AD B2C: No new features. End of support May 2030
  • Entra External ID: Active development with regular feature releases

Migration scope

What we migrate.

A B2C to Entra External ID migration is not a lift-and-shift. Custom policies must be rebuilt, passwords cannot be exported, and every application integration needs to be updated. We cover the full scope.

  • User directory including profiles, custom attributes, extension properties, and external identity links
  • Credentials including password migration strategy (JIT, bulk reset, parallel run, or passwordless)
  • Authentication flows with custom policies reverse-engineered and rebuilt as native Entra External ID flows
  • Application integrations including OIDC/OAuth configuration, token endpoints, session management, and claims mapping
  • Federation and identity providers including social logins, enterprise federation, and SAML/OIDC providers
  • MFA configuration including migration from phone-based MFA to Authenticator, FIDO2, or passkeys
  • Conditional Access and security policies

The password problem

Password migration approaches.

B2C passwords are one-way hashed and cannot be exported. There are four approaches, each with different trade-offs.

01. Bulk migration with forced password reset

Export user profiles via Microsoft Graph API, import to Entra External ID, and require users to reset passwords on first login.

  • Straightforward to implement
  • Best for under 10,000 users or internal applications
  • Not suitable for large consumer-facing applications

02. Just-in-time migration (Recommended)

A custom authentication extension validates credentials against B2C on first login and migrates the password silently. Users experience no disruption.

  • Zero user friction, passwords migrate transparently
  • Preferred approach for enterprise migrations at any scale
  • Custom Azure Function validates against B2C in real time
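
The just-in-time flow described above, simulated in memory as an added example (not Modern 42's or Microsoft's code). `NewDirectory`, `sign_in` and the `legacy_validate` callback are hypothetical stand-ins for the target tenant, the extension handler and the real-time check against B2C.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed for the example)


@dataclass
class NewDirectory:
    """In-memory stand-in for the target user store (hypothetical)."""
    users: dict = field(default_factory=dict)  # username -> record

    def import_profile(self, username):
        # Profile imported without a credential and flagged for JIT migration.
        self.users[username] = {"needs_migration": True, "salt": None, "hash": None}

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def set_password(self, username, password):
        salt = os.urandom(16)
        self.users[username].update(
            needs_migration=False, salt=salt, hash=self._derive(password, salt))

    def verify(self, username, password):
        rec = self.users[username]
        return hmac.compare_digest(self._derive(password, rec["salt"]), rec["hash"])


def sign_in(directory, legacy_validate, username, password):
    """Return 'ok', 'migrated', 'denied' or 'retry_later'."""
    rec = directory.users.get(username)
    if rec is None:
        return "denied"
    if not rec["needs_migration"]:
        # Already migrated: the legacy platform is never consulted again.
        return "ok" if directory.verify(username, password) else "denied"
    try:
        valid = legacy_validate(username, password)
    except ConnectionError:
        # Fail closed: an unreachable legacy tenant admits nobody and
        # leaves the migration flag untouched.
        return "retry_later"
    if not valid:
        return "denied"  # a wrong password never becomes the new credential
    directory.set_password(username, password)
    return "migrated"
```
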

03. Parallel run

Run both platforms simultaneously, routing users to Entra External ID progressively over time.

  • Controlled, gradual migration with lowest cutover risk
  • Best for very large or sensitive user populations
  • Requires managing two live identity platforms during transition

04. Go passwordless (Security uplift)

Eliminate passwords entirely. Enrol users in passkeys, FIDO2, or Authenticator during their first sign-in to Entra External ID.

  • No password migration problem to solve
  • Upgrades security posture as part of the migration
  • Passkeys and FIDO2 are phishing-resistant by design

How we deliver

A structured approach to every migration.

Every engagement follows a proven four-phase delivery model. Timelines are indicative and adjusted based on your B2C complexity, user volume, and number of integrated applications.

01. Discovery & Architecture (2 to 4 weeks)

Current-state inventory of B2C tenants, applications, custom policies, and identity providers. We produce a migration architecture document, credential strategy, and risk register.

02. Build & Pilot (4 to 8 weeks)

Stand up the Entra External ID tenant, implement JIT migration infrastructure, rebuild custom authentication flows, and pilot with one or two applications.

03. Migration & Cutover (varies by user volume)

Phased user migration, application cutover, monitoring dashboards, and runbooks. We migrate progressively to manage risk and validate at each stage.

04. Stabilisation & Handover (2 to 4 weeks)

Post-migration support, edge case resolution, team knowledge transfer, and decommission planning for the B2C tenant.

Timeline

The clock is ticking.

Microsoft's investment in CIAM is now entirely in Entra External ID. Organisations still on B2C are already losing functionality.

March 2026

B2C P2 retired

Identity Protection, risk-based Conditional Access, and risky sign-in detection are no longer available in B2C. This has already happened.

May 2030

Full B2C end of support

Microsoft will end all support for Azure AD B2C. No security patches, no bug fixes, no SLA.

Now

All new CIAM investment

Every new CIAM feature, integration, and security capability from Microsoft is being built exclusively for Entra External ID.

Australian delivery

Built for Australian regulatory requirements.

Every CIAM migration touches identity data subject to Australian regulation. We are 100% Australian-owned with AGSVA-cleared engineers and we build compliance into the migration from day one.

Financial services

APRA & AUSTRAC

APRA CPS 234 requires regulated entities to maintain identity governance controls for customer-facing systems. AUSTRAC obligations around customer verification apply to every sign-up and authentication flow. We design Entra External ID configurations that satisfy both from the outset.

Healthcare

Digital Health Agency & My Health Record

Patient identity flows must meet Australian Digital Health Agency requirements. We have experience integrating Entra External ID with My Health Record APIs and FHIR-based patient identity standards, ensuring compliant consumer health identity across your digital channels.

Government

Digital ID Act & ASD ISM

The Digital ID Act 2024, the Australian Government Digital Identity System (AGDIS), and myID federation create specific requirements for citizen-facing identity platforms. We build Entra External ID environments that align with ASD ISM controls for public-facing authentication.

All sectors

Privacy Act & APPs

Every user profile in an Entra External ID tenant is subject to the Privacy Act 1988 and the Australian Privacy Principles. We ensure your CIAM migration addresses APP obligations around collection, storage, use, and disclosure of consumer identity data. This includes cross-border data flow considerations for Azure tenancies.

FAQ

Common questions

Everything you need to know about migrating from Azure AD B2C to Microsoft Entra External ID.

Microsoft Entra External ID is the Azure AD B2C replacement. It is not a rebrand or an upgrade. Entra External ID is a new platform built on the core Entra ID infrastructure with native Conditional Access, modern authentication APIs, and full identity protection. Microsoft closed Azure AD B2C to new customers in 2025 and will end all support in May 2030.
Azure AD B2C is a standalone directory with its own custom policy XML language, limited Conditional Access, and no active development from Microsoft. Entra External ID is built on the core Entra ID platform and provides full Conditional Access, native authentication APIs, Microsoft Graph integration, passwordless support including passkeys and FIDO2, and active feature development. The key difference is that Entra External ID gives your CIAM environment the same security and extensibility as your workforce Entra ID tenant.
Azure AD B2C was a separate, standalone directory designed specifically for customer-facing identity. Entra ID (formerly Azure AD) is the workforce identity platform for employees and internal users. With the introduction of Entra External ID, Microsoft has brought customer identity into the core Entra ID platform. This means your external (CIAM) tenant now shares the same infrastructure, security capabilities, and management tools as your workforce tenant, rather than operating as a separate product with its own limitations.
Azure CIAM (Customer Identity and Access Management) is Microsoft's approach to managing customer, consumer, and citizen identities. Azure AD B2C was the original Azure CIAM platform. Microsoft Entra External ID is the current Entra CIAM solution and the direct successor to B2C. When people refer to Entra ID CIAM or Entra CIAM, they are referring to Entra External ID. All new CIAM investment from Microsoft is in this platform.
Claims mapping policies must be rebuilt as part of the migration. Azure AD B2C uses custom XML policies in the Identity Experience Framework to define claims transformations, input validation, and token enrichment. Entra External ID uses a different model based on custom authentication extensions, token issuance policies, and claims mapping policies configured through Microsoft Graph. We reverse-engineer your existing B2C claims logic and rebuild it using native Entra External ID capabilities, ensuring your applications receive the same token claims they depend on.
Yes, with the just-in-time migration approach. Users log in with their existing B2C password and the migration happens silently on first login. From the user's perspective, nothing changes.
Depends significantly on B2C complexity. A straightforward migration with no custom policies is typically 8 to 12 weeks. A complex migration with custom policies, multiple user flows, and a large user base can be 4 to 6 months.
We recommend maintaining the B2C tenant in read-only mode for a period after migration to allow for any edge cases. Once confirmed complete, the tenant can be decommissioned.
Azure AD B2C P2 was retired in March 2026. If your B2C tenant relied on Identity Protection features such as risk-based Conditional Access, risky sign-in detection, or user risk policies, that functionality is no longer available. Migrating to Entra External ID restores and upgrades these capabilities through native Entra ID Protection integration.
Microsoft identity access management for external users in Entra External ID works differently from B2C. External users are managed within a dedicated Entra External ID tenant with full Conditional Access, identity protection, and Microsoft Graph API support. You get the same identity governance, access reviews, and audit logging that you use for workforce identities, applied to your customer population. This brings customer identity management into the same operational model as your internal Microsoft identity access management.
Yes. We use our Apporetum platform to deliver closed community CIAM solutions for organisations that need invite-only access for trusted vendors, partners, and suppliers. This provides governed external identity management integrated with your Entra External ID environment.
Yes. We bring our Identity Observability platform and Apporetum CIAM tooling to every engagement. This means faster delivery, lower cost, and proven approaches rather than building from scratch. If we have existing IP that covers your requirements, we use it and the price reflects that.

Plan your CIAM migration now

B2C P2 is already retired. Starting your migration now gives you the most options and the least risk before full end of support in 2030.
