Microsoft Entra External ID: The Future of Customer Identity

Part 1: Introduction and Feature Comparison

Microsoft Entra External ID represents the next generation of customer identity and access management (CIAM) from Microsoft. If you're currently using Azure AD B2C or evaluating CIAM solutions, this series will guide you through what External ID offers, how to migrate from B2C, and what the future holds.

⚠️ Important Notice: As of May 1, 2025, Azure AD B2C is no longer available for purchase by new customers. Existing customers can continue using B2C, but Microsoft recommends migrating to External ID for new projects.

What is Microsoft Entra External ID?

External ID is Microsoft's unified platform for managing external identities - both consumer customers and business partners. It consolidates B2B collaboration and B2C consumer scenarios under a single umbrella with a modern architecture.

Diagram

External ID vs Azure AD B2C: Feature Parity

✅ Available in External ID

Feature	Status	Notes
Email + Password sign-up	✅ GA	Primary authentication method
Email OTP (Passwordless)	✅ GA	One-time passcode via email
Social Identity Providers	✅ GA	Google, Facebook, Apple, Microsoft Account
Custom Branding	✅ GA	Full company branding support
Custom Domains	✅ GA	Use your own domain for sign-in
Sensitivity Labels	✅ GA	Data classification support
Native Authentication	✅ GA	Full control over mobile UI
Custom Authentication Extensions	✅ GA	Add external claims, validate attributes
JIT Password Migration	✅ Preview	Transparent password migration from B2C
SAML/WS-Fed Federation	✅ GA	Enterprise identity federation
OpenID Connect	✅ GA	Standard OIDC flows
OAuth 2.0	✅ GA	Authorization code, implicit, client credentials

⚠️ Limitations Compared to B2C

Feature	B2C	External ID	Notes
ID Protection	✅	❌	Risk-based Conditional Access not available
ID Governance	✅	❌	Access reviews, entitlements not available
Custom Policies (IEF)	✅	❌	Use Custom Auth Extensions instead
ROPC Flow	✅	❌	Use Native Authentication for mobile
Custom Banned Passwords	✅	✅	Same as workforce — custom banned password lists are supported
User Flows (legacy)	✅	❌	New user flow model
Self-Service Password Reset	Email/Phone/MFA	Email OTP only	Limited SSPR options
Groups Support	Full	Limited	Being phased in

Key Architecture Differences

B2C Architecture

┌─────────────────────────────────────────────┐
│ Azure AD B2C Tenant                         │
├─────────────────────────────────────────────┤
│ Custom Policies (Identity Experience)       │
│ ├── SignUpOrSignIn.xml                      │
│ ├── ProfileEdit.xml                         │
│ ├── PasswordReset.xml                       │
│ └── Custom journey definitions              │
├─────────────────────────────────────────────┤
│ User Flows (built-in policies)              │
└─────────────────────────────────────────────┘

External ID Architecture

┌─────────────────────────────────────────────┐
│ Microsoft Entra External Tenant             │
├─────────────────────────────────────────────┤
│ User Flows (new model)                      │
│ ├── Sign-up and sign-in                     │
│ ├── Self-service password reset             │
│ └── Profile editing                         │
├─────────────────────────────────────────────┤
│ Custom Authentication Extensions            │
│ ├── OnAttributeCollectionStart              │
│ ├── OnAttributeCollectionSubmit             │
│ ├── TokenIssuanceStart                      │
│ ├── OnOtpSend (custom email)                │
│ └── OnPasswordSubmit (JIT migration)        │
├─────────────────────────────────────────────┤
│ Native Authentication (mobile)              │
└─────────────────────────────────────────────┘

Authentication Methods Comparison

Primary Authentication

Method	B2C	External ID
Email + Password	✅	✅
Email OTP	✅	✅
Phone/SMS	✅	✅ (MFA only)
Username / Alias + Password	✅	⚠️ Preview
Social (Google, FB, Apple)	✅	✅
SAML Federation	✅	✅
OIDC Federation	✅	✅

Multi-Factor Authentication

Method	B2C	External ID
Email OTP	✅	✅
SMS OTP	✅	✅
Authenticator App	✅	❌ (coming)
FIDO2	✅	❌ (coming)

URL and Endpoint Changes

B2C Endpoints

Login: https://yourtenant.b2clogin.com
Graph: https://graph.microsoft.com (B2C tenant)
Issuer: https://yourtenant.b2clogin.com/{tenant-id}/v2.0

External ID Endpoints

Login: https://yourtenant.ciamlogin.com
Custom: https://login.yourdomain.com (custom URL domain)
Graph: https://graph.microsoft.com (External ID tenant)
Issuer: https://yourtenant.ciamlogin.com/{tenant-id}/v2.0

Note: External ID uses .ciamlogin.com instead of .b2clogin.com. Applications must be updated to use the new authority URL.

When to Choose External ID

✅ Choose External ID For:

New projects - B2C is no longer available for new customers
Modern mobile apps - Native Authentication provides better UX
Simple consumer scenarios - Email/social sign-up flows
Need custom branding - Full UI customization
API-first architecture - Custom Auth Extensions via webhooks

⚠️ Consider Staying on B2C For:

Complex identity journeys - Custom policies (IEF) not yet replaceable
Risk-based authentication - ID Protection not in External ID
Identity governance requirements - Access reviews, entitlements
Existing investments - Heavy custom policy development

Migration Considerations

If you're planning to migrate from B2C to External ID, Microsoft provides official tooling through the B2C to External ID Migration Kit. This toolkit supports:

Bulk user export from B2C
Bulk user import to External ID
Just-In-Time password migration during first sign-in
Attribute mapping and transformation

We'll cover the migration process in detail in Part 2 of this series.

What's Next

Part 2: Migrating from B2C to External ID - Step-by-step migration using Microsoft's toolkit
Part 3: Future of External ID - Roadmap, best practices, and recommendations

Resources

Next: Part 2 - Migration Tools and Process →

Microsoft Entra External ID: The Future of Customer Identity - Part 1