
Migrating Azure AD B2C Custom Policy REST API Call on Signup to Microsoft Entra (External ID) – Recommended Architecture?

sandeep bayyam 0 Reputation points
2025-12-26T06:34:07.5033333+00:00

How to replicate Azure AD B2C Custom Policy REST API calls on Signup in Microsoft Entra (External ID)?

I am currently using Azure AD B2C custom policies to implement a post-signup backend integration, and I am planning to migrate to Microsoft Entra External ID as Azure AD B2C custom policies are being deprecated.

I am looking for official Microsoft guidance on how to replicate the same signup flow in Microsoft Entra, including the recommended architecture, step-by-step process, and documentation references.

Current Azure AD B2C Implementation (Working Today)

In Azure AD B2C custom policies, I have implemented the following signup flow:

High-level flow

  • User completes signup
  • Azure AD B2C:
    • Requests an access token using client credentials
    • Calls a backend REST API
  • The backend API receives user details and processes registration logic

This logic is implemented using RESTful Technical Profiles in the custom policy and executes during the signup orchestration step.


1. Technical Profile – Get Access Token (Client Credentials)

<TechnicalProfile Id="REST-GetAccessToken">
  <DisplayName>Request Access Token using Client Credentials</DisplayName>
  <Protocol Name="Proprietary"
            Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral" />
  <Metadata>
    <Item Key="ServiceUrl">https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/B2C_1A_SIGNUP_SIGNIN/oauth2/v2.0/token</Item>
    <Item Key="AuthenticationType">None</Item>
    <Item Key="SendClaimsIn">Form</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="{client-id}" />
    <InputClaim ClaimTypeReferenceId="client_secret" DefaultValue="{client-secret}" />
    <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="client_credentials" />
    <InputClaim ClaimTypeReferenceId="scope"
                DefaultValue="https://{tenant}.onmicrosoft.com/{api-client-id}/.default" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="accessToken" PartnerClaimType="access_token" />
  </OutputClaims>
</TechnicalProfile>


2. Technical Profile – Call Backend API After Signup

<TechnicalProfile Id="REST-API-SignUp">
  <DisplayName>Notify backend about user registration</DisplayName>
  <Protocol Name="Proprietary"
            Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral" />
  <Metadata>
    <Item Key="ServiceUrl">https://backend-api.example.com/api/user/signup</Item>
    <Item Key="AuthenticationType">Bearer</Item>
    <Item Key="UseClaimAsBearerToken">accessToken</Item>
    <Item Key="SendClaimsIn">Body</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" />
    <InputClaim ClaimTypeReferenceId="email" />
    <InputClaim ClaimTypeReferenceId="displayName" />
    <InputClaim ClaimTypeReferenceId="mobilePhone" />
    <InputClaim ClaimTypeReferenceId="referralCode" />
  </InputClaims>
</TechnicalProfile>


This REST API call executes as part of the signup flow and is used to synchronize user data with an external system.

Migration Requirement in Microsoft Entra

I want to replicate the same behavior in Microsoft Entra External ID, including:

  • Triggering logic when a user signs up
  • Calling a backend REST API
  • Using secure authentication (client credentials or managed identity)
  • Passing user attributes (objectId, email, displayName, etc.)
  • Using supported, future-proof Microsoft Entra capabilities

Questions

  1. What is the Microsoft-recommended way to implement this signup-time REST API integration in Microsoft Entra External ID?
  2. Since custom policies are not available in Entra External ID, how should this logic be designed:
    • Is there any way to perform synchronous REST calls during signup, similar to Azure AD B2C?
  3. What is the recommended authentication model for calling backend APIs:
    • OAuth client credentials
    • Managed Identity
    • Other Microsoft-recommended approach
  4. Are there official Microsoft documentation links that describe:
    • Migration from Azure AD B2C custom policies
    • To Microsoft Entra External ID
    • For post-signup backend integrations

Summary

I am looking for official Microsoft guidance on how to migrate post-signup REST API calls implemented in Azure AD B2C custom policies to a supported architecture in Microsoft Entra External ID, including step-by-step instructions and documentation references.


1 answer

  1. Siva shunmugam Nadessin 10,820 Reputation points Microsoft External Staff Moderator
    2025-12-26T17:06:40.3733333+00:00

    Hello sandeep bayyam

    Thank you for reaching out to the Microsoft Q&A forum.

    It sounds like you’re looking to migrate your signup process that currently uses Azure AD B2C custom policies to Microsoft Entra External ID. Here’s a comprehensive outline of what you’ll need to do to replicate your setup:

    Understanding Microsoft Entra External ID: Microsoft Entra External ID allows you to manage customer identities and access for your applications, similar to Azure AD B2C, but with some differences, especially since it doesn’t support custom policies. You'll need to leverage user flows and custom authentication extensions.

    Sign-Up Process: Instead of custom policies, you'll create user flows in Microsoft Entra to define how users sign up and what attributes are collected. You can customize these flows to meet your business requirements.

    Calling Backend REST APIs:

    • Unfortunately, synchronous REST API calls during the signup process, as done in Azure AD B2C custom policies, are not directly supported.
    • You can implement a custom authentication extension to call your backend API on user flow completion, which would allow you to replicate some of the necessary integrations.

    Authentication Model: For secure API calls, you have a couple of options:

    • OAuth Client Credentials: This can be used if your backend API supports checking the access tokens issued by Microsoft Entra.
    • Managed Identity: This is ideal for Azure resources where your backend API is hosted, allowing seamless authentication without credential management.

    Required Resources and Documentation:

    Follow-Up Questions:

    To provide more tailored guidance, could you please clarify:

    • What specific attributes do you need to collect from users during the signup?
    • What backend API functionality are you hoping to maintain after migration?
    • Are there any particular security requirements or compliance needs for your current implementation?
    • What is the current architecture of your backend API?

    Hope this helps kickstart the migration process! Feel free to provide any further details so I can assist you better!

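The answer above points to a custom authentication extension as the replacement for the two RESTful technical profiles in the question (token acquisition, then a Bearer-authenticated POST of the collected attributes). The block below is an added example, written for this thread and not code from the question, the answer or Microsoft: a minimal handler for such an extension that (a) checks the claims of the bearer token Entra presents to it, the same audience/issuer/expiry check the question's backend should already be doing on the B2C-issued client-credentials token, (b) flattens the collected sign-up attributes, and (c) forwards them to the registration backend and returns one of the extension's response actions. Assumptions: the event is the sign-up attribute-collection submit event, and the request and response field names follow my recollection of that schema and should be checked against Microsoft's documentation; the token's signature has already been verified against the tenant JWKS by a library; `forward()` stands in for the real backend call; all ids are constructed placeholders; and the user's objectId is not yet available at this point in sign-up because the account has not been created.

```python
import time

# Constructed placeholder identifiers (not real tenant or application ids).
EXTENSION_APP_ID = "11111111-2222-3333-4444-555555555555"   # expected aud
TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
SUBMIT_EVENT = "microsoft.graph.authenticationEvent.attributeCollectionSubmit"  # assumed name
REQUIRED = ("email", "displayName")


class Rejected(Exception):
    """The callout should be refused outright (401/403 in a real HTTP handler)."""


def check_token_claims(claims, now=None):
    """Validate aud/iss/exp/nbf of the already signature-verified bearer token.
    The same four checks apply to the client-credentials token in the B2C flow."""
    now = time.time() if now is None else now
    if claims.get("aud") != EXTENSION_APP_ID:
        raise Rejected("audience mismatch")
    if claims.get("iss") != ISSUER:
        raise Rejected("issuer mismatch")
    if now >= float(claims.get("exp", 0)):
        raise Rejected("token expired")
    if now < float(claims.get("nbf", 0)):
        raise Rejected("token not yet valid")
    return True


def extract_attributes(event):
    """Flatten data.userSignUpInfo.attributes into {name: value}.
    Custom attributes arrive as extension_<appId>_<name>; keep only <name>."""
    raw = event["data"]["userSignUpInfo"]["attributes"]
    flat = {}
    for name, entry in raw.items():
        short = name.split("_", 2)[2] if name.startswith("extension_") else name
        flat[short] = entry.get("value")
    return flat


def _response(*actions):
    # Response envelope (assumed schema): one or more actions for Entra to apply.
    return {"data": {"@odata.type": "microsoft.graph.onAttributeCollectionSubmitResponseData",
                     "actions": list(actions)}}


def continue_default():
    return _response({"@odata.type": "microsoft.graph.attributeCollectionSubmit.continueWithDefaultBehavior"})


def validation_error(attribute_errors):
    return _response({"@odata.type": "microsoft.graph.attributeCollectionSubmit.showValidationError",
                      "message": "Please correct the highlighted fields.",
                      "attributeErrors": attribute_errors})


def block_page(message):
    return _response({"@odata.type": "microsoft.graph.attributeCollectionSubmit.showBlockPage",
                      "title": "Sign-up unavailable", "message": message})


def handle_callout(event, token_claims, forward, now=None):
    """Authenticate the caller, validate the collected attributes, forward them to
    the registration backend, and tell Entra how the sign-up should proceed."""
    check_token_claims(token_claims, now)
    if event.get("type") != SUBMIT_EVENT:
        raise Rejected("unexpected event type")
    if event["data"].get("tenantId") != TENANT_ID:
        raise Rejected("tenant mismatch")
    attrs = extract_attributes(event)
    errors = {a: "This field is required." for a in REQUIRED if not attrs.get(a)}
    if errors:
        return validation_error(errors)
    # Same fields the B2C profile posted, minus objectId: the account does not
    # exist yet at this event (assumption), so the backend keys on the email.
    payload = {k: attrs.get(k) for k in ("email", "displayName", "mobilePhone", "referralCode")}
    if not forward(payload):
        return block_page("Registration could not be completed. Please try again later.")
    return continue_default()


def demo():
    """Run the handler on a constructed callout; returns (response, forwarded payloads)."""
    sent = []
    event = {
        "type": SUBMIT_EVENT,
        "data": {
            "@odata.type": "microsoft.graph.onAttributeCollectionSubmitCalloutData",
            "tenantId": TENANT_ID,
            "userSignUpInfo": {"attributes": {
                "email": {"value": "jane@example.com"},
                "displayName": {"value": "Jane Doe"},
                "extension_11111111222233334444555555555555_referralCode": {"value": "FRIEND42"},
            }},
        },
    }
    claims = {"aud": EXTENSION_APP_ID, "iss": ISSUER, "exp": 2_000_000_000, "nbf": 0}
    resp = handle_callout(event, claims, lambda p: sent.append(p) or True, now=1_900_000_000)
    return resp, sent


if __name__ == "__main__":
    print(demo())
```

The handler refuses the request before touching the body whenever audience, issuer, validity window or tenant do not match; that check, not the HTTPS endpoint, is what stops an arbitrary caller from pushing fabricated registrations into the backend. Validation failures are returned to the user as attribute errors, while a backend outage is surfaced as a block page rather than silently continuing the sign-up.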

