Paid Support: Guidance on Programmatically Migrating User from B2B to B2c with JUST federated account

Question

Paid Support: Guidance on Programmatically Migrating User from B2B to B2c with JUST federated account

Tim Anderson 145

We are trying to move our users from azure b2b to b2c with no need to re-sign-up (very important). All our users are either members of our existing entra AD or federated through gmail, etc. We are having issues programmatically creating federated accounts in our b2c for users from externalAD -> we cannot locate their original issuerID in our entra, and the b2c graph api will not allow us to create new accts that only have federated identities and NO local acct.

We have exhausted documentation from the Azure help site, etc. Please don't just google and paste unless it is exactly this scenario with an answer.

Sanoop M 4,345 Reputation points Moderator

2025-03-12T20:08:25.9533333+00:00
Hello @Tim Anderson,

Thank you for posting your query on Microsoft Q&A.

I understand that you are trying to migrate users from Azure B2B to Azure B2C tenant and all the users are either members of your existing entra AD or federated through gmail, etc.

1.Could you please provide the error message screenshot when you are trying to programmatically create federated accounts in your Azure B2C tenant.

2.Could you please update us if you are following any documents to programmatically create federated accounts in your Azure AD B2C tenant.

For information about programmatically creating user accounts, see Manage Azure AD B2C user accounts with Microsoft Graph.

Steps to Locate the Original Issuer ID for Federated Users in Entra ID

You can locate the original Issuer ID or the Identity Provider (IdP) identifier for a federated user in Entra ID using the following methods:

Check User’s Authentication Source in Microsoft Entra ID

When a federated user logs in, Microsoft Entra ID records information about the identity provider that authenticated them. The original issuer ID corresponds to the identity provider (IdP) that federated the user.

Using Microsoft Graph API:

To find the original issuer for a federated user, you can use Microsoft Graph API to inspect the sign-in logs and user authentication methods.

Sign-In Logs: The sign-in logs contain details about the authentication method used (which includes the identity provider). The logs will include the Issuer or Identity Provider (which corresponds to the "original issuer").

You need to query the sign-in logs using Graph API.

Example API Request (GET Sign-ins): GET https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=userPrincipalName eq '{userPrincipalName}' Authorization: Bearer {access_token}

This will return sign-in events for the specified user. Look for the federatedIdentityIssuer field in the response, which represents the original issuer for federated users.

Example Response:

{

    "value": [

        {

            "id": "some-sign-in-id",

            "userId": "some-user-id",

            "userPrincipalName": "user@example.com",

            "federatedIdentityIssuer": "https://sts.windows.net/{tenant-id}/", // This is the original issuer

            "appDisplayName": "Some App",

            "ipAddress": "some-ip",

            "status": {

                "errorCode": 0,

                "failureReason": null

            },

            "createdDateTime": "2025-03-13T12:34:56Z"

        }

    ]

}
Alex Wong 0 Reputation points

2025-03-12T21:27:20.82+00:00

Here is a print of the error we are getting, and the basic structure of the user we are sending to the post request. We were essentially trying to copy over what graph gives back when looking up identities from our main tenant, but with our b2c tenant domain.
Sanoop M 4,345 Reputation points Moderator

2025-03-13T19:06:27.1433333+00:00

Hello @Alex Wong ,

Thank you for your response.

We can connect offline and discuss further on this issue.
Sanoop M 4,345 Reputation points Moderator

2025-03-18T00:17:57.0133333+00:00

Hello @Tim Anderson,

Thank you for your time over the call.

Based on the error screenshot you have provided, I can see that you are getting this error "A password must be specified to create a new user".

The suggestion is to just generate a random password for the users with password characters minimum of 8 and a maximum of 256 characters and forcing the password reset on login.

Please refer to the below Screenshot for the Password requirements.

For additional information, please refer to the below documents for your reference.

Password Generation - MS Graph - Microsoft Q&A

Create User - Microsoft Graph v1.0 | Microsoft Learn

Please let us know if you have any queries.
Alex Wong 0 Reputation points

2025-03-18T18:58:04.4333333+00:00

Hi Sanoop,Yes, that is the error I am getting, but as we discussed over our call, we do not want to create local accounts on our B2C tenant and have to add password profiles. Ideally, we would be able to copy the federated accounts and create users in Our B2C tenant, and the users would be able to login.

If we add a password profile when creating the accounts in the B2C tenant, then they are created as local accounts and not federated accounts.

Creating federated accounts for accounts that have social issuers (ex. Google) work fine without setting a password profile and they are created and can be logged into. However, specifically accounts with the issuer "ExternalAzureAD" shown in my previous post get the error saying they need a password.
SrideviM 5,855 Reputation points Moderator

2025-03-20T08:50:36.8433333+00:00

Hello @Tim Anderson @Alex Wong ,

We are currently investigating this scenario, and we will get back to you with our findings.
SrideviM 5,855 Reputation points Moderator

2025-03-21T02:41:34.3166667+00:00
Hello @Tim Anderson @Alex Wong,

Apologies for the delay and as per my testing and discussion with our support/engineering team, the behavior you're encountering is expected.

When creating a user in Azure AD B2C programmatically, the API requires either a password profile or a federated identity with a known issuer and issuerAssignedId.

For external Azure AD users, the issuerAssignedId is usually null. As a result, the API prompts for a password profile.

Unfortunately, at this time, there is no direct way to create a purely federated user in B2C without a password profile via API.

If the user is normal Microsoft Entra ID user (not an External Azure AD user), you can create a federated user in Azure AD B2C using the following API request:

POST https://graph.microsoft.com/beta/users { "displayName": "DemoExternalB2CUser", "identities": [ { "signInType": "federated", "issuer": "https://login.microsoftonline.com/<federated_AzureAD_tenantID>/v2.0", "issuerAssignedId": "<federated_AzureAD_User_ObjID>" } ] }

But, for ExternalAzureAD users, it's not possible to create a federated user in Azure AD B2C without including a password profile.

Hope this helps!
Tim Anderson 145 Reputation points

2025-03-21T16:18:47.4033333+00:00

Would it be acceptable to create a password for the initial add, then the user when they arrive, can use their federated credentials to sign in and modify the record so they just use federated from now on? I'm fine with adding the password so long as it doesn't demand they use a local account or force a password reset, etc once they sign in after we transition? This is a big blocker if they have to change the process in which they sign in or have to "re-sign up"
SrideviM 5,855 Reputation points Moderator

2025-03-24T05:46:01.6533333+00:00

Hello Tim Anderson,

I am just curious to know why you are looking to migrate when you can directly allow to sign in using Set up sign-in for a Microsoft Entra organization - Azure AD B2C | Microsoft Learn.

That way, users could continue signing in with their existing credentials without needing to go through a migration process.

I tested this approach with an external Azure AD user in my Microsoft Entra ID (Contoso) tenant. I followed this Microsoft article to configure Entra ID as an identity provider in B2C.

Once I ran the user flow, I got the option to sign in with a Microsoft Entra ID account. After signing in with the external Azure AD credentials, the user was automatically created in the Azure AD B2C tenant. Everything worked smoothly, and the user could sign in without any additional steps.

Would this approach work for your scenario? Let me know if there’s something specific preventing you from going this route. Happy to help!
Tim Anderson 145 Reputation points

2025-03-24T16:56:10.4933333+00:00

Hi Srvidevi! Thanks for getting back to us. If i understand what you are saying: just let those users sign-in using the Entra ID button with their external AD accounts, and it will create the user in our b2c tenant at that time.
SrideviM 5,855 Reputation points Moderator

2025-03-24T20:52:15.9833333+00:00

Hello Tim Anderson,

Yes, that’s exactly what I’m saying! When users sign in using the Entra ID button with their external AD accounts, they will be automatically created in your B2C tenant without requiring manual migration.

Could you confirm if this approach works for your scenario? If so, I can provide a more detailed answer outlining the steps to implement it. Let me know your thoughts!
Tim Anderson 145 Reputation points

2025-03-25T16:12:49.46+00:00

I think we can make this work and then just do a JIT migration for them when they sign in after starting the b2c sign-in on our app. Thanks - I think that is an acceptable way to go. You can close this ticket. :)

Answer accepted by question author

0 additional answers

Your answer

Alex Wong 0 Reputation points

2025-03-12T21:27:20.82+00:00

Here is a print of the error we are getting, and the basic structure of the user we are sending to the post request. We were essentially trying to copy over what graph gives back when looking up identities from our main tenant, but with our b2c tenant domain.
Sanoop M 4,345 Reputation points Moderator

2025-03-13T19:06:27.1433333+00:00

Hello @Alex Wong ,

Thank you for your response.

We can connect offline and discuss further on this issue.
Sanoop M 4,345 Reputation points Moderator

2025-03-18T00:17:57.0133333+00:00

Hello @Tim Anderson,

Thank you for your time over the call.

Based on the error screenshot you have provided, I can see that you are getting this error "A password must be specified to create a new user".

The suggestion is to just generate a random password for the users with password characters minimum of 8 and a maximum of 256 characters and forcing the password reset on login.

Please refer to the below Screenshot for the Password requirements.

For additional information, please refer to the below documents for your reference.

Password Generation - MS Graph - Microsoft Q&A

Create User - Microsoft Graph v1.0 | Microsoft Learn

Please let us know if you have any queries.
Alex Wong 0 Reputation points

2025-03-18T18:58:04.4333333+00:00

Hi Sanoop,Yes, that is the error I am getting, but as we discussed over our call, we do not want to create local accounts on our B2C tenant and have to add password profiles. Ideally, we would be able to copy the federated accounts and create users in Our B2C tenant, and the users would be able to login.

If we add a password profile when creating the accounts in the B2C tenant, then they are created as local accounts and not federated accounts.

Creating federated accounts for accounts that have social issuers (ex. Google) work fine without setting a password profile and they are created and can be logged into. However, specifically accounts with the issuer "ExternalAzureAD" shown in my previous post get the error saying they need a password.
SrideviM 5,855 Reputation points Moderator

2025-03-20T08:50:36.8433333+00:00

Hello @Tim Anderson @Alex Wong ,

We are currently investigating this scenario, and we will get back to you with our findings.
SrideviM 5,855 Reputation points Moderator

2025-03-21T02:41:34.3166667+00:00

Hello @Tim Anderson @Alex Wong,

Apologies for the delay and as per my testing and discussion with our support/engineering team, the behavior you're encountering is expected.

When creating a user in Azure AD B2C programmatically, the API requires either a password profile or a federated identity with a known issuer and issuerAssignedId.

For external Azure AD users, the issuerAssignedId is usually null. As a result, the API prompts for a password profile.

Unfortunately, at this time, there is no direct way to create a purely federated user in B2C without a password profile via API.

If the user is normal Microsoft Entra ID user (not an External Azure AD user), you can create a federated user in Azure AD B2C using the following API request:

POST https://graph.microsoft.com/beta/users { "displayName": "DemoExternalB2CUser", "identities": [ { "signInType": "federated", "issuer": "https://login.microsoftonline.com/<federated_AzureAD_tenantID>/v2.0", "issuerAssignedId": "<federated_AzureAD_User_ObjID>" } ] }

But, for ExternalAzureAD users, it's not possible to create a federated user in Azure AD B2C without including a password profile.

Hope this helps!
Tim Anderson 145 Reputation points

2025-03-21T16:18:47.4033333+00:00

Would it be acceptable to create a password for the initial add, then the user when they arrive, can use their federated credentials to sign in and modify the record so they just use federated from now on? I'm fine with adding the password so long as it doesn't demand they use a local account or force a password reset, etc once they sign in after we transition? This is a big blocker if they have to change the process in which they sign in or have to "re-sign up"
SrideviM 5,855 Reputation points Moderator

2025-03-24T05:46:01.6533333+00:00

Hello Tim Anderson,

I am just curious to know why you are looking to migrate when you can directly allow to sign in using Set up sign-in for a Microsoft Entra organization - Azure AD B2C | Microsoft Learn.

That way, users could continue signing in with their existing credentials without needing to go through a migration process.

I tested this approach with an external Azure AD user in my Microsoft Entra ID (Contoso) tenant. I followed this Microsoft article to configure Entra ID as an identity provider in B2C.

Once I ran the user flow, I got the option to sign in with a Microsoft Entra ID account. After signing in with the external Azure AD credentials, the user was automatically created in the Azure AD B2C tenant. Everything worked smoothly, and the user could sign in without any additional steps.

Would this approach work for your scenario? Let me know if there’s something specific preventing you from going this route. Happy to help!
Tim Anderson 145 Reputation points

2025-03-24T16:56:10.4933333+00:00

Hi Srvidevi! Thanks for getting back to us. If i understand what you are saying: just let those users sign-in using the Entra ID button with their external AD accounts, and it will create the user in our b2c tenant at that time.
SrideviM 5,855 Reputation points Moderator

2025-03-24T20:52:15.9833333+00:00

Hello Tim Anderson,

Yes, that’s exactly what I’m saying! When users sign in using the Entra ID button with their external AD accounts, they will be automatically created in your B2C tenant without requiring manual migration.

Could you confirm if this approach works for your scenario? If so, I can provide a more detailed answer outlining the steps to implement it. Let me know your thoughts!
Tim Anderson 145 Reputation points

2025-03-25T16:12:49.46+00:00

I think we can make this work and then just do a JIT migration for them when they sign in after starting the b2c sign-in on our app. Thanks - I think that is an acceptable way to go. You can close this ticket. :)

Answer 1

Hello @Tim Anderson ,

Thanks for your patience and for working through this with us.

Instead of manually migrating external Entra ID users to B2C, you can allow them to sign in using their existing credentials. This avoids the need for re-signing up or setting a local password, which keeps the experience seamless.

I followed this approach by configuring Microsoft Entra ID as an identity provider in a B2C tenant. Once that was set up, the sign-in page provided an option to log in with Microsoft Entra ID.

Here’s how the sign-in option appeared on the login page:

Sign-in option

After selecting it, I was able to authenticate using an external Entra ID account:

Entra ID sign-in

Upon successful authentication, the user was automatically created in the B2C tenant:

User created in B2C

Once created, the user appeared in Azure AD B2C as expected:

Azure AD B2C User Overview

This approach enables Just-In-Time (JIT) user creation, meaning accounts are added dynamically when users sign in through the B2C flow in your app. There’s no need for a separate migration step.

Hope this helps!

If this answer was helpful, please click "Accept the answer" and mark Yes, as this can be beneficial to other community members.

User's image

If you have any other questions or still running into more issues, let me know in the "comments" and I would be happy to help you.

Share via

Paid Support: Guidance on Programmatically Migrating User from B2B to B2c with JUST federated account

0 additional answers

Your answer