Paid Support: Guidance on Programmatically Migrating Users from B2B to B2C with JUST a federated account
We are trying to move our users from Azure B2B to B2C with no need to re-sign-up (very important). All our users are either members of our existing Entra AD or federated through Gmail, etc. We are having issues programmatically creating federated accounts in our B2C tenant for users from ExternalAD -> we cannot locate their original issuerID in our Entra tenant, and the B2C Graph API will not allow us to create new accounts that only have federated identities and NO local account.
We have exhausted the documentation on the Azure help site, etc. Please don't just google and paste unless it is exactly this scenario with an answer.
Microsoft Entra ID
-
Sanoop M • 1,790 Reputation points • Microsoft External Staff
2025-03-12T20:08:25.9533333+00:00 Hello @Tim Anderson,
Thank you for posting your query on Microsoft Q&A.
I understand that you are trying to migrate users from an Azure B2B tenant to an Azure B2C tenant, and that all the users are either members of your existing Entra AD or federated through Gmail, etc.
1. Could you please provide a screenshot of the error message you get when trying to programmatically create federated accounts in your Azure B2C tenant?
2. Could you please let us know whether you are following any documents to programmatically create federated accounts in your Azure AD B2C tenant?
For information about programmatically creating user accounts, see Manage Azure AD B2C user accounts with Microsoft Graph.
Steps to Locate the Original Issuer ID for Federated Users in Entra ID
You can locate the original Issuer ID or the Identity Provider (IdP) identifier for a federated user in Entra ID using the following methods:
- Check User’s Authentication Source in Microsoft Entra ID
When a federated user logs in, Microsoft Entra ID records information about the identity provider that authenticated them. The original issuer ID corresponds to the identity provider (IdP) that federated the user.
Using Microsoft Graph API:
To find the original issuer for a federated user, you can use Microsoft Graph API to inspect the sign-in logs and user authentication methods.
- Sign-In Logs: The sign-in logs contain details about the authentication method used (which includes the identity provider). The logs will include the Issuer or Identity Provider (which corresponds to the "original issuer").
- You need to query the sign-in logs using the Graph API.
This will return sign-in events for the specified user. Look for the `federatedIdentityIssuer` field in the response, which represents the original issuer for federated users. Example response:

```json
{
  "value": [
    {
      "id": "some-sign-in-id",
      "userId": "some-user-id",
      "userPrincipalName": "user@example.com",
      "federatedIdentityIssuer": "https://sts.windows.net/{tenant-id}/",
      "appDisplayName": "Some App",
      "ipAddress": "some-ip",
      "status": {
        "errorCode": 0,
        "failureReason": null
      },
      "createdDateTime": "2025-03-13T12:34:56Z"
    }
  ]
}
```
-
Alex Wong • 0 Reputation points
2025-03-12T21:27:20.82+00:00 Here is a screenshot of the error we are getting, and the basic structure of the user we are sending in the POST request.
We were essentially trying to copy over what Graph gives back when looking up identities from our main tenant, but with our B2C tenant domain.
-
Sanoop M • 1,790 Reputation points • Microsoft External Staff
2025-03-13T19:06:27.1433333+00:00 Hello @Alex Wong ,
Thank you for your response.
Please send us an email at 'azcommunity@microsoft.com' with the subject "ATTN: sanoopm" and the following details in the email body: a link to this thread/post.
We can connect offline and discuss this issue further.
-
Sanoop M • 1,790 Reputation points • Microsoft External Staff
2025-03-18T00:17:57.0133333+00:00 Hello @Tim Anderson,
Thank you for your time over the call.
Based on the error screenshot you provided, I can see that you are getting the error "A password must be specified to create a new user".
The suggestion is to generate a random password for each user (minimum of 8 and maximum of 256 characters) and force a password reset on login.
Please refer to the screenshot below for the password requirements.
For additional information, please refer to the following documents.
Password Generation - MS Graph - Microsoft Q&A
Create User - Microsoft Graph v1.0 | Microsoft Learn
Please let us know if you have any queries.
-
Alex Wong • 0 Reputation points
2025-03-18T18:58:04.4333333+00:00 Hi Sanoop, yes, that is the error I am getting, but as we discussed on our call, we do not want to create local accounts in our B2C tenant and have to add password profiles. Ideally, we would be able to copy the federated accounts, create the users in our B2C tenant, and the users would be able to log in.
If we add a password profile when creating the accounts in the B2C tenant, then they are created as local accounts and not federated accounts.
Creating federated accounts for accounts that have social issuers (e.g. Google) works fine without setting a password profile: they are created and can be logged into. However, accounts with the issuer "ExternalAzureAD" shown in my previous post specifically get the error saying they need a password.
-
SrideviM • 1,230 Reputation points • Microsoft External Staff
2025-03-20T08:50:36.8433333+00:00 Hello @Tim Anderson @Alex Wong ,
We are currently investigating this scenario, and we will get back to you with our findings.
-
SrideviM • 1,230 Reputation points • Microsoft External Staff
2025-03-21T02:41:34.3166667+00:00 Hello @Tim Anderson @Alex Wong,
Apologies for the delay. As per my testing and discussion with our support/engineering team, the behavior you're encountering is expected.
When creating a user in Azure AD B2C programmatically, the API requires either a password profile or a federated identity with a known issuer and issuerAssignedId.
For external Azure AD users, the `issuerAssignedId` is usually null. As a result, the API prompts for a password profile. Unfortunately, at this time, there is no direct way to create a purely federated user in B2C without a password profile via the API.
If the user is a normal Microsoft Entra ID user (not an External Azure AD user), you can create a federated user in Azure AD B2C using the following API request:

```http
POST https://graph.microsoft.com/beta/users
{
  "displayName": "DemoExternalB2CUser",
  "identities": [
    {
      "signInType": "federated",
      "issuer": "https://login.microsoftonline.com/<federated_AzureAD_tenantID>/v2.0",
      "issuerAssignedId": "<federated_AzureAD_User_ObjID>"
    }
  ]
}
```

But for ExternalAzureAD users, it is not possible to create a federated user in Azure AD B2C without including a password profile.
Hope this helps!
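The following is an added example (not code from this thread or from Microsoft) that ties the two answers above together: it maps the `federatedIdentityIssuer` value recorded in a sign-in log entry to the `issuer` format used in the B2C create request, and builds the `POST /users` body, falling back to a random password profile only when `issuerAssignedId` is null, as happens for ExternalAzureAD users. The sample sign-in entries, tenant IDs and object IDs are constructed placeholders, and the Google issuer string is assumed.

```python
# Added example, not code from the thread. Sign-in entries would normally come
# from GET /auditLogs/signIns filtered by userPrincipalName; here they are constructed.
import re
import secrets
import string

# Issuer form seen in the sign-in log sample above: https://sts.windows.net/<tenant-id>/
STS_ISSUER = re.compile(r"^https://sts\.windows\.net/([0-9a-f-]{36})/?$", re.I)


def b2c_issuer(signin_entry):
    """Map the sign-in log issuer to the login.microsoftonline.com/<tenant>/v2.0
    form used by identities[].issuer in the B2C create request.
    Returns None for non-Entra issuers (e.g. social providers)."""
    m = STS_ISSUER.match(signin_entry.get("federatedIdentityIssuer") or "")
    return f"https://login.microsoftonline.com/{m.group(1).lower()}/v2.0" if m else None


def random_password(length=24):
    """Random initial password inside the 8..256 character range quoted above."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def create_user_body(display_name, issuer, issuer_assigned_id, force_reset=False):
    """Body for POST https://graph.microsoft.com/beta/users in the B2C tenant.
    issuerAssignedId present: federated-only identity, no passwordProfile.
    issuerAssignedId null (ExternalAzureAD users): the API refuses a purely
    federated user, so attach a passwordProfile as suggested above. Note that
    this creates a local account rather than a federated one."""
    if issuer and issuer_assigned_id:
        return {"displayName": display_name,
                "identities": [{"signInType": "federated", "issuer": issuer,
                                "issuerAssignedId": issuer_assigned_id}]}
    return {"displayName": display_name,
            "passwordProfile": {"password": random_password(),
                                "forceChangePasswordNextSignIn": force_reset}}


# Constructed sample: one Entra-federated user and one Google user.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com",
     "federatedIdentityIssuer": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/"},
    {"userPrincipalName": "bob@example.com",
     "federatedIdentityIssuer": "https://accounts.google.com"},  # assumed form
]

if __name__ == "__main__":
    for entry in SAMPLE_SIGNINS:
        print(entry["userPrincipalName"], "->", b2c_issuer(entry))
```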
-
Tim Anderson • 60 Reputation points
2025-03-21T16:18:47.4033333+00:00 Would it be acceptable to create a password for the initial add, and then, when the user arrives, they can use their federated credentials to sign in and modify the record so they just use federated from now on? I'm fine with adding the password so long as it doesn't demand they use a local account or force a password reset, etc., once they sign in after we transition. This is a big blocker if they have to change the process by which they sign in or have to "re-sign up".