As of May 1st, 2025, Microsoft has officially stopped the creation of new Azure AD B2C tenants. For those of us who’ve relied on B2C for managing external identities in everything from simple web apps to enterprise-scale platforms, the option to create a new B2C tenant is no longer available in the Azure portal.
Note that existing B2C instances will continue to operate as normal. The changes only affect the creation of new instances.
But as one door closes, another opens. Entra External ID is the new go-to identity platform for external users, built into the Microsoft Entra ecosystem.

To be honest, my first thought was that this is just a rebranding of B2C, but there are some key differences – even if many things are very similar.
There are two main use cases for Entra External ID.
The first is developing solutions and apps for consumers or business users where you want an easy and cost-effective way to implement authentication and identity management, also known as Customer Identity and Access Management (CIAM). For this approach you will have to create a new tenant with external configuration inside External ID. This tenant is completely isolated from your employees and internal Entra, much like Azure B2C has been in the past.

If your objective is to enable your employees to collaborate with other organizations, you will have to use External ID for B2B collaboration. This is achieved through workforce configuration in your External ID. With this approach the users you are collaborating with have their own identity and credentials from their own management solution. As illustrated below, this will produce guest accounts in your tenant for the users who get invited to your organization's different apps.

A tenant with external configuration is likely what you are after in terms of a B2C replacement, and I wanted to highlight some of the new capabilities you now have, and some that you no longer have.
The dreaded XML policy files are gone, and several things are in place to replace them. We now have greater flexibility and extensibility through something called Custom Authentication Extensions. These let you build extensions, that is, functions (HTTP calls to a configurable endpoint), that are triggered by different configurable events in External ID. As of now, you have four different event types:
- OnAttributeCollectionStart triggers before the attribute collection page renders. So if you have extra attributes you want to collect, or want to block the user from filling in the form, this is the event to use.
- OnAttributeCollectionSubmit triggers after the user has entered attributes and submitted them. In other words, this is where you would do validation steps, modify the information that was entered, and so on.
- OnOtpSend allows for adding custom email providers for sending codes for MFA.
- OnTokenIssuanceStart is the event which occurs directly before the security tokens are issued, and the event you would want to use if you want to add additional claims to your tokens.
What’s great is that these events are triggered on behalf of app registrations, which means that you have much better security because you can use managed identities on your receiving end.
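A sketch of the receiving end of an OnTokenIssuanceStart extension, added here as an example and not taken from the original post: it checks the claims of the bearer token that arrives with the callout before answering, and returns only allow-listed claims. The IDs, claim names, sample data and function names are constructed placeholders; the payload field names follow Microsoft's documented format for this event, and the token's signature, issuer and expiry are assumed to have been verified beforehand by a JWT library.

```python
import json

# Constructed placeholders: substitute the values from your own tenant and app registrations.
TENANT_ID = "11111111-1111-1111-1111-111111111111"
AUDIENCE = "api://extension.example.com/22222222-2222-2222-2222-222222222222"
CALLER_APP_ID = "33333333-3333-3333-3333-333333333333"  # client ID of the calling service
EVENT_TYPE = "microsoft.graph.authenticationEvent.tokenIssuanceStart"
ALLOWED_CLAIMS = {"customerNumber", "loyaltyTier"}  # hypothetical claim names

def caller_is_trusted(token_claims):
    """token_claims: payload of the bearer token AFTER a JWT library has verified
    its signature, issuer and expiry (not done here so the example runs offline)."""
    caller = token_claims.get("azp") or token_claims.get("appid")  # v2 / v1 tokens
    return (token_claims.get("tid") == TENANT_ID
            and token_claims.get("aud") == AUDIENCE
            and caller == CALLER_APP_ID)

def handle_token_issuance_start(token_claims, raw_body, lookup_claims):
    """Return (http_status, response_dict) for one callout."""
    if not caller_is_trusted(token_claims):
        return 401, {}
    try:
        event = json.loads(raw_body)
        data = event["data"]
        user_id = data["authenticationContext"]["user"]["id"]
    except (ValueError, KeyError, TypeError):
        return 400, {}
    if (event.get("type") != EVENT_TYPE or data.get("tenantId") != TENANT_ID
            or not isinstance(user_id, str)):
        return 400, {}
    # Only allow-listed claims, as strings, ever reach the issued token.
    extra = {k: str(v) for k, v in lookup_claims(user_id).items() if k in ALLOWED_CLAIMS}
    return 200, {"data": {
        "@odata.type": "microsoft.graph.onTokenIssuanceStartResponseData",
        "actions": [{
            "@odata.type": "microsoft.graph.tokenIssuanceStart.provideClaimsForToken",
            "claims": extra,
        }],
    }}

# Constructed sample callout body and user store.
SAMPLE_BODY = json.dumps({"type": EVENT_TYPE, "data": {
    "tenantId": TENANT_ID,
    "authenticationContext": {"user": {"id": "user-123"}}}})
SAMPLE_STORE = {"user-123": {"customerNumber": 4711, "loyaltyTier": "gold", "isAdmin": True}}

if __name__ == "__main__":
    good = {"tid": TENANT_ID, "aud": AUDIENCE, "azp": CALLER_APP_ID}
    print(handle_token_issuance_start(good, SAMPLE_BODY, lambda u: SAMPLE_STORE.get(u, {})))
```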
Visual customization of your sign-up forms and layout is now configured through the user interface in the External ID portal, instead of relying on the XML files. You have different predefined adjustments that can be selected, and options to adjust colors and texts.

The external configuration tenants now have access to several enhanced security features, like conditional access, MFA, and governance, which were lacking in Azure B2C tenants, and this really helps in terms of keeping both your apps and users secure.
Monitoring and insights on Azure B2C were, to put it mildly, lacking. You could do different things like adding Application Insights inside your XML files, but it increased complexity. With External ID we have a new set of possibilities with several built-in dashboards, and configurable ones, which provide us with lots of useful information.

Summary
B2C was a nice product, and it provided us with lots of possibilities in terms of user identity and management, but you would always have to go the extra mile to achieve what you were looking for. It seems that External ID will provide us with a much richer set of features, and a better way for developers and administrators to both build and monitor applications.
There are still requirements that could be solved by B2C policy files, which you won’t be able to solve right now in External ID, but in time I think that all of these will be in place.
In sum, it’s been nice having B2C, but External ID will be better 🚀