CIAM migration: Azure AD B2C to Entra External ID for Customers

On May 15 2024, Microsoft released Entra External ID into general availability. This is Microsoft’s next generation customer identity and access management (CIAM) solution. A new platform that aims to extend the capabilities of Entra ID to external identities.

And we’re already starting to see its potential with frequent feature updates helping the platform quickly evolve.

Now you might be asking what this means for Azure AD B2C. After all, this has been the ‘go to’ CIAM solution for many organisations.

In this blog, we’ll explore the pathway from Azure AD B2C to Entra External ID. The steps and considerations you need to take to ensure you keep pace with changing customer identity trends. And to ensure that your CIAM solution is equipped for future challenges.

So, what’s happening with Azure AD B2C?

Well, Azure AD B2C remains a mature, robust solution for login and registration journeys, supporting multiple authentication methods and extensive user experience customisations. And, for the foreseeable future, Microsoft have committed to supporting this popular platform.

However, mastering Azure AD B2C’s proprietary XML format to build custom policies can be challenging.

And, with Microsoft now shifting its focus to Entra External ID, the older platform hasn’t seen any significant updates of late.

The reality is the future of Microsoft’s customer identity management is with Entra External ID.

Comparing Azure AD B2C and Entra External ID

At Kocho we’ve got a long track record of building CIAM solutions with Azure AD B2C. We know its intricacies, capabilities, and features. And, as a leading Microsoft identity partner we’ve also been fortunate enough to have had advance insight into Microsoft Entra External ID for Customers.

Placing us in the ideal position to offer a comparison of the two platforms.

For instance, Azure AD B2C offers:

• Custom JavaScript and CSS: Azure AD B2C supports extensive user interface customisation, making it possible to address specific client needs with advanced UI tweaks and design consistency. At present, Entra External ID doesn’t fully support these capabilities in its browser-delegated journeys.
• Flow Control Logic: The platform allows you to tailor user journeys based on various attributes, creating a bespoke experience for users. This nuanced control is currently not available in Entra External ID’s browser-delegated flows.
• Custom User Journey Steps: With Azure AD B2C, you can build sophisticated multi-step processes using custom policies. Entra External ID offers only default step options at this point.
• Support for Various UI Controls: Different input types and form controls can be utilised extensively and further customised through JavaScript in Azure AD B2C. Entra External ID currently supports basic inputs like text, radio buttons, and checkboxes.
• Custom OIDC Identity Providers: Integrating external identity providers via OIDC is straightforward with Azure AD B2C, while Entra External ID is still catching up in this regard, currently supporting only SAML/WS-Fed.

As you can see, Azure AD B2C still has a range of features not yet released into the new Entra product. However, changes and new releases are happening fast, so watch this space.

And, as we’ll highlight below, Entra External ID for Customers also offers fresh capabilities that promise to redefine customer-facing identity and access management.

Native authentication in Entra External ID

CIAM experiences built on Azure AD B2C are bound to a browser which is used to render the user journey and redirect the user back to the application in the end. While Entra External ID also offers browser-delegated CIAM journeys, it is now introducing a new approach which changes the way in which applications interact with the identity provider.

This authentication strategy, currently in preview in Entra External ID, gives full control over the design of the user journeys.

CIAM experiences are built within the application, and interaction with the Entra External ID tenant is performed via an SDK (MSAL) or via the native authentication APIs.

The CIAM journey no longer needs to be loaded on a browser. Instead, it’s integrated within the application.

This is the most flexible way to build CIAM journeys in Entra External ID.

It’s currently limited to email/OTP and email/password authentication with support for self-service password reset, but more authentication methods are likely to be added soon.

In our view, this is a level of flexibility that’s superior to that offered by Azure AD B2C because it’s completely under the control of the application.

Planning a migration strategy from Azure AD B2C to Entra External ID for Customers

Microsoft have committed to supporting Azure AD B2C for years to come, so there’s no rush for existing users to make the migration just yet.

However, Entra External ID is on a fast upward trajectory. And given the rate at which new features are being added, it’s advisable to consider your strategy for a future transition.

Let’s examine some of the options.

Tenant migration

Ideally, migrating an entire Azure AD B2C tenant to a new Entra External ID tenant, including users, applications, and custom policies, would be automated.

While it’s a capability being considered by Microsoft, it unfortunately appears unlikely any time soon.

So, we must consider other approaches.

Phased migration

A phased migration is more realistic. This approach involves running both Azure AD B2C and Entra External ID tenants in parallel until Azure AD B2C can be phased out:

• User Data: Store user data in either or both tenants using a combination of methods.
• User Journeys: Use Azure AD B2C for highly customised CIAM journeys, authenticating users in Entra External ID at the end.
• Gradual Transition: Gradually move CIAM journey steps to Entra External ID as more features become available, transitioning part of the journey from Azure AD B2C to Entra External ID seamlessly.
• User Migration: Migrate users from Azure AD B2C to Entra External ID via Graph API, either through batch processes or just-in-time.

Via ROPC from Azure AD B2C to Entra External ID

Resource Owner Password Credentials (ROPC) is an OAuth 2.0 flow which allows an application to verify the username and password of a user account directly on the destination directory.

This approach is risky because it requires a high level of trust in the calling application and is limited to just username/password authentication.