A deep dive into how the Azure AD B2C to Entra External ID migration kit handles user authentication during the critical first login, including password validation and migration workflows.
When migrating from Azure AD B2C to Entra External ID (EEID), the first user login represents a critical moment in the migration journey. After successfully completing the import/export process, users face their initial authentication attempt with EEID using their existing B2C credentials. This moment triggers a sophisticated evaluation process that determines whether users can seamlessly continue with their current passwords or need to update them.
The Initial Login Scenario
During the migration process, each user is assigned a random password when their account is imported into EEID. When these users attempt their first login using their original B2C credentials, two key conditions are present: the password differs from what's currently stored in EEID, and a migration flag is set on the user account. These conditions activate a call to an Azure function that handles the Just-In-Time (JIT) migration process.
The authentication flow begins with the username and password being encrypted when the function is called, then decrypted within the function for processing. The system authenticates these credentials against the original B2C environment using the Resource Owner Password Credentials (ROPC) flow, which allows direct username and password validation.
The Authentication Decision Tree
The core of the migration logic resides in the ProcessResponse function, which evaluates the authentication outcome and password strength to determine the appropriate action. The function can return four distinct responses:
- MigratePassword - When authentication succeeds and the password meets complexity requirements
- UpdatePassword - When authentication succeeds but the password is weak
- Retry - When authentication fails
- Block - When a system error occurs
The decision-making process is straightforward yet comprehensive. If the user successfully authenticates against B2C and their password satisfies the configured complexity policy, the system returns MigratePassword. This allows EEID to update the password and clear the migration attribute automatically. However, if the password fails to meet the complexity requirements, the system returns UpdatePassword, prompting the user to create a stronger password before proceeding.
Password Policy Configuration
The migration kit allows administrators to define password complexity requirements through a JSON configuration file. The default policy enforces:
- Minimum length of 8 characters
- At least one uppercase letter
- At least one lowercase letter
- At least one digit
- At least one special character
This policy ensures that migrated passwords meet modern security standards. If a user's existing B2C password doesn't satisfy these requirements, they're required to update it during their first EEID login, enhancing the overall security posture of the migrated user base.
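The policy check and the four-way ProcessResponse decision described above, as an added Python example that is not the migration kit's own Azure Function code; the JSON key names of the policy file and the order in which the two failure cases are tested are assumptions:

```python
import json
from enum import Enum

# Constructed default policy mirroring the rules listed above; the key names are
# assumptions, not the migration kit's actual configuration schema.
DEFAULT_POLICY_JSON = """{
  "minLength": 8,
  "requireUppercase": true,
  "requireLowercase": true,
  "requireDigit": true,
  "requireSpecial": true
}"""


class MigrationAction(Enum):
    MIGRATE_PASSWORD = "MigratePassword"  # auth OK, password strong: EEID stores it, clears flag
    UPDATE_PASSWORD = "UpdatePassword"    # auth OK, password weak: user must choose a new one
    RETRY = "Retry"                       # B2C rejected the credentials
    BLOCK = "Block"                       # system error while validating against B2C


def load_policy(policy_json: str) -> dict:
    return json.loads(policy_json)


def password_meets_policy(password: str, policy: dict) -> bool:
    """Evaluate the complexity rules; any character that is not a letter or digit counts as special."""
    checks = [
        len(password) >= policy["minLength"],
        not policy["requireUppercase"] or any(c.isupper() for c in password),
        not policy["requireLowercase"] or any(c.islower() for c in password),
        not policy["requireDigit"] or any(c.isdigit() for c in password),
        not policy["requireSpecial"] or any(not c.isalnum() for c in password),
    ]
    return all(checks)


def process_response(auth_succeeded: bool, system_error: bool,
                     password: str, policy: dict) -> MigrationAction:
    """Decision tree for the JIT function's outcome (the order of the two failure checks is assumed)."""
    if system_error:
        return MigrationAction.BLOCK
    if not auth_succeeded:
        return MigrationAction.RETRY
    if password_meets_policy(password, policy):
        return MigrationAction.MIGRATE_PASSWORD
    return MigrationAction.UPDATE_PASSWORD
```

The caller never needs to log the password itself; logging only the returned action gives administrators the visibility described later without exposing credentials.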
Technical Implementation Details
The migration process relies on several key configuration settings stored in the local.settings.json file within the B2CMigrationKit.Function project. These settings include Azure AD B2C tenant information, application registration details, and JIT authentication parameters.
A critical component is the RSA private key used for encrypting and decrypting credentials during the migration process. The key must be stored as a single-line string in which each line break is replaced by the two-character sequence \n, so that it can be embedded as a JSON value without breaking the configuration file. The provided PowerShell script automates this conversion, reading a PEM-encoded private key file and transforming it into the required format.
The script reads the entire PEM file, replaces actual newlines with the literal string \n, copies the formatted string to the clipboard, and displays it for verification. This ensures the private key can be safely embedded in the JSON configuration without breaking the file structure.
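The same conversion and its round trip through JSON, as an added Python example rather than the kit's PowerShell script; the PEM content is a constructed stand-in and the setting name RsaPrivateKey is an assumption:

```python
import json

# Constructed stand-in for a PEM file's contents; the body is not a real key.
SAMPLE_PEM = (
    "-----BEGIN PRIVATE KEY-----\n"
    "MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEA\n"
    "-----END PRIVATE KEY-----\n"
)


def to_single_line(pem_text: str) -> str:
    """What the kit's script does: swap each real line break for the two characters backslash-n."""
    return pem_text.replace("\r\n", "\n").replace("\n", "\\n")


def settings_text_by_hand(single_line_key: str) -> str:
    # Pasting the single-line value into local.settings.json by hand (setting name assumed).
    return '{"Values": {"RsaPrivateKey": "' + single_line_key + '"}}'


def settings_text_by_serializer(raw_pem: str) -> str:
    # When a JSON serializer writes the file, hand it the raw PEM and let it do the escaping.
    return json.dumps({"Values": {"RsaPrivateKey": raw_pem}})


def load_key(settings_text: str) -> str:
    """Read the setting back exactly as the function sees it after JSON parsing."""
    return json.loads(settings_text)["Values"]["RsaPrivateKey"]
```

Feeding the already converted single-line string to a serializer escapes the backslash a second time, so the function would receive literal backslash-n text instead of line breaks and the key would fail to load.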
The User Experience
From the user's perspective, the migration process is designed to be as seamless as possible. When a user logs in for the first time with their B2C credentials, the system transparently handles the authentication and migration behind the scenes. If their password meets the complexity requirements, they're immediately granted access to EEID without any additional steps.
However, if their password is deemed too weak, the user is prompted to create a new, stronger password. This approach balances security requirements with user convenience, ensuring that all migrated accounts meet the organization's password standards without forcing users to reset their passwords proactively.
The logging output provides clear visibility into the migration process, showing successful credential validation, password complexity checks, and the final action taken. This transparency helps administrators monitor the migration progress and troubleshoot any issues that may arise.
The Azure AD B2C to Entra External ID migration kit's login evaluation process demonstrates a thoughtful approach to user migration, combining security best practices with user experience considerations. By handling password validation and migration automatically during the first login, organizations can transition their user base to the new identity platform with minimal disruption while maintaining strong security standards.