Migrating External Users to Azure B2C
What is Azure B2C?
If you’re not already familiar with Azure B2C, it is a business-to-customer identity service for secure user management. It offers both pre-built and custom user login and password reset experiences, including the option to authenticate with preferred social and enterprise identities such as Google, Apple, Facebook, Microsoft Account, etc. Azure B2C can be integrated with one or many applications or websites that your organization hosts. For more details, you should read our previous post on why to use B2C.
Pre-migration steps
- Perform a directory cleanup of the existing users in the source system(s) and identify which users to migrate. For example, in order to omit migration of stale accounts, you can migrate only users that have logged into the app(s)/website(s) within 2 years.
- Confirm that the number of users to be migrated will fall within your tenant’s quota.
- Identify which user info to migrate via user attributes. For example, you may want to store permissions or membership info in addition to their username and password.
- Confirm the appropriate password policy to enforce. The policy defaults to a minimum length of 8 and requires uppercase, lowercase, numbers and symbols. This policy can be changed to something stronger or simpler, depending on the business recommendation and security risks.
- Decide whether you will migrate the existing user passwords or generate a new one for each user, and whether users should be forced to set a new password upon first login. This will depend on how passwords are protected in the source user management system(s) (for example, whether they are retrievable or stored only as a one-way hash), the security risks and the business recommendations.
Options for migrating external users to Azure B2C
Microsoft does not provide a ready-made migration tool, but documents several migration options. You can work with your developers and Microsoft Partner to implement these, for example via an Azure Function or a Power Automate flow with an HTTP trigger.
- Bulk import users and their existing passwords with the Microsoft Graph API. You can then require end users to change their password on initial login, to enforce your new password security policy.
- Bulk import users with a generated password and then force them to change their password on initial login.
- Seamless migration combined with a bulk import of users with a generated password. Use this when plaintext passwords are not available in the source user management system, for example because they are stored with one-way encryption or are inaccessible to your migration tool. This approach still lets end users log in with their existing password, with the help of custom policies and a custom REST API that your developers will create. The REST API validates an existing user's credentials against the source system if the user has not yet been migrated and then sets their existing password in Azure B2C. Since this approach involves more custom development, it should only be considered when the existing user passwords are difficult to retrieve and the business recommendation is to allow users to continue logging in with their existing passwords.
Post-migration steps
- Perform a delta migration for new users created since the initial migration began.
- Confirm the tenant's quota again to ensure it allows new users to be created based on expected business growth.
- Reconfigure any user password policies that may have been turned off for the initial migration.
For more information, you can check out the full document Microsoft has released on these methods.
Reach out to Beringer today!
We love to implement Microsoft Dynamics 365 and Power Platform solutions here at Beringer. We’ve been working with Microsoft Dynamics since its inception, and we’re always finding innovative ways to implement the latest tools and help automate business processes.
Beringer Technology Group, a Microsoft Solutions Partner for Business Applications, specializing in Microsoft Dynamics 365 and CRM for Distribution, also provides expert Managed IT Services, Backup and Disaster Recovery.