Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
24,615 questions
Azure AD B2C User Migration: How to Block Legacy User Sign-Up & Handle Secure Password Reset via Custom Policies
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 30%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERG%3C/text%3E%3C/svg%3E)
Ray Garg
0
Reputation points
Hello. I am dealing with a user migration scenario from a legacy system to Azure AD B2C, some guidance is needed on my end regarding handling sign-up and password reset for migrated users. The migration strategy involves pre-migrating users with a random password and using Just-In-Time (JIT) migration in tandem with that to capture any straggler users.
Concerns have arisen regarding the following:
Handling Sign-Up and Password Reset: Specifically, what should happen if a migrated user forgets their password, or a new user attempts to sign up? Some Azure AD B2C experts suggest blocking sign-ups and password resets for migrated users to ensure they authenticate using legacy credentials. However the concept is a bit foreign to me and I am trying to understand how to incorporate these concepts with the least possible user friction.
Proposed Solution for Sign Up: I have already tried this and horribly failed, but am willing to give it a shot again if someone can give me some confidence on this. I have created a custom api called LocalAccountSignUp, and I am currently using a test Postgres database which is acting as my legacy identity provider. My LocalAccountSIgnUp API is just taking one inputClaim right now in my code and that is signInName, password is not required for signup right now, because essentially when a user is signing up, they will enter their email, get an otp code to their email inbox, and enter that code in on the sign in screen, and once that code is verified, then they can enter the rest of the fields (like display name, given name). This is how the localaccounsignupwithlogonemail technical profile (Microsoft provided) internally works in the custom policy. Now my LocalAccountSignUp API logic, is running a sql query to check against the legacy Postgres database with the signInName inputclaim, and if this input claim (signInName) hits a user profile in the sql database where the user has that email address (signInName), then I return a custom claim called userExistsLegacy = true, otherwise I return userExistsLegacy = False. I went ahead and created a technical profile for my LocalAccountSignUp api in my extensions file and included userExistsLegacy as an output claim in the technical profile. Then what I tried doing was, in the localaccountsignupwithlogonemail technical profile, I tried adding LocalAccountSignUp (my technical profile) as the first validation technical profile. Keep in mind that localaccountsignupwithlogonemail is a very particular technical profile. Originally the only validation technical profile is AAD-UserWriteUsingLogonEmail. But when i add My LocalAccountSignUp as the first validation profile, the sign up screen breaks, and the box to enter email and verify email and enter otp code disappears. Im having trouble understanding how to prevent sign up because of this breaking issue since the custom policies are finnicky. I think I have the right approach with creating this api and returning a custom claim to use in my custom policies, but the actual logic of custom policies to enforce this is correctly, is what I need help on.
Proposed Solution for Password Reset: For the forgot password scenario, when we are doing user migration we still have to be able to verify if this user exists in the legacy identity provider. Only then will we want to migrate them. Now since they will not be signing in with their original credentials, because they don't know their password, we cannot verify them. So what's the solution here? My thought goes to, if they don't know their password, what they would need to do is click on forgot my password. Then the forgot password screen needs to ask them for a phone number, or email address, basically something that they have set up as a backup flow for resetting their password in legacy. And when they enter their phone number or email address (signInName), and they get a OTP and they would need to enter that otp for verification on the forgot password screen, after verifying the code, then the screen would pop up for them to reset their password. When they have entered their password info and click continue, an api call would be made behind the scenes to update the password of the user on the legacy identity provider. Once it does that, the user would sign in with their new signInName (email address) and (new) password and these credentials would again be verified against legacy (normal sign in migration flow), and now the random password on the users b2c profile (since we premigrated users from legacy provider to b2c with a random password) would be updated with their new password they they reset with in the forgot password flow. I know this is extremely complicated, but its because its a user migration, and we need a way to verify if its a legacy user before allowing them to reset their password, so that we can update the password for that user in legacy when they reset via b2c sign in screen, then allowing us to verify the credentials as they try to sign in normally, which will then finally replace the random password on their profile (that we set when we ran pre migration in bulk with random passwords). I know this is alot, but I hope I have given enough details for a picture to be painted as to what im trying to solve. Please clarify if im thinking around the right lines for these scenarios or if i need to do something else, and give a suggestion for how to create this type of logic.
Proposed Solution for Email Reset: This i havent even thought of yet… yikes. But lets say a user doesnt know their password and they forgot their email address. Do we need to think of anything in such scenarios? If a user has a username (not an email address) that they are using, then i assume they can reset it with an email address they used. But if the email address is itself the username what is the way to reset that, or is it not possible to reset the email?
For summary, the key points im asking about are:
- Should the B2C sign-in page block sign-up for legacy users that are being migrated to azure b2c, and have custom logic for password reset ?
What messaging should be displayed for users who attempt to sign up or reset their password under these conditions?
Detailed guidance is requested to determine the best practices for these scenarios in a high-stakes production environment. Thank you in advance for any insights provided.
Microsoft Entra ID
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 10%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMK%3C/text%3E%3C/svg%3E)
Moosa Khan 260 Reputation points Microsoft External Staff Moderator2025-04-29T06:07:41.0066667+00:00 Hello Ray,
Could you please provide the mentioned details-:
1)Whether you implemented the policies, if yes, can you please share those policies here.2)Any error message you are receiving or screenshots?
-
Moosa Khan 260 Reputation points Microsoft External Staff Moderator
2025-04-30T11:54:55.6133333+00:00 Hello Ray,
I am following up with you to check if you got any chance to review my last comment? If you have any further query do let us know
-
Ray Garg 0 Reputation points
2025-04-30T16:19:23.4433333+00:00 hi @Moosa Khan Thank you for following up about this, i have implemented the policies. right now, the custom policy is able to handle user migration (settting passwordf JIT for the pre migrated users, or perfomring a pure JIT for the users that may have been missed for pre migration). i have also implemented logic to enroll in the authneitcator app for mfa on first logicn for the user, and for very subsequent login, logging in with the mfa code from the authenticator app. one thing i also DID WANT TO ASK, is if i want to enforce session maagement so mfa isnt enforced on every login, or that it should be only enforced based on conditional access (with identity protection capabilities triggering conditional access as well), how do i go about enforcing this becaue right now it enforces mfa every time.
- there is no error message right now but the thing is when i modify the sign up technical profile, the email verification box will disppear. again the purpose of this is to make sure the users dont sign up in azure ad b2c again if their user profile already exists in legacy. this is to ensure only the legacy users will get created in b2c so the password verification can happen.
- for forgot my password, right now i just used microsoft documentation to implementatin password reset sub journey, but that is not verifying the user in legacy system first.
i can provide my trustframeworkextensions file to you but its almost 2000 lines of code and it would be more beneficial for me to provide certain technical profiles from it instead of the whole thing. can you please let me know how we should proceed
-
Ray Garg 0 Reputation points
2025-05-01T14:27:55.5866667+00:00 @Moosa Khan @Moosa Khan @Moosa Khan i didnt know which account is yours so im tagging multiple, esentially the forgot password reset logic has to work for a pure JIT scenario. if a user has been pre migrated, their account has been created in the b2c directory (with a random pwd), so password reset will work in that case. but in the case where the user was not migrated (straggler user), JIT migratiob will be employed, but if they forgot their password, there is no user profile in teh directory and the password reset logic is reall difficult to employ. this is esentially what i need help on.
for sign up, in my mind, during migration, we can just remove the sign up button and that should fix things, and then after migration we can bring sign up back into the policy to allow for sign up so thats easier to get rid of sign up but password reset is whats getting to me for JIT migration (where credentials are verified JIT and the users account is created in b2c directory JIT)
-
Moosa Khan 260 Reputation points Microsoft External Staff Moderator
2025-05-02T18:44:10.61+00:00 Hello Ray,
Thanks for sharing the detailed context — that helps clarify the scenario. You're right that password reset in a pure JIT flow,for users who haven't been pre-migrated, presents some complexity since the user doesn't yet exist in the B2C directory. I’ll need to take a closer look at how this can be handled cleanly within the constraints of JIT migration,I'll circle back once I've reviewed the possible options in a bit more depth.
Moreover, I am sending you my mail id via private message where you can upload the custom policies
-
Ray Garg 0 Reputation points
2025-05-02T19:03:44.7+00:00 @Moosa Khan @Moosa Khan @Moosa Khan
Thank you for your reply. my email is ******@zappsec.com. shoot me an email and i can get over the custom policy files to you.
appreciate you taking the time to review the approach as time is of the essence.
one final question i had is about conditional access. right now ive basically modeled this user journey repo: https://github.com/azure-ad-b2c/samples/blob/master/policies/conditional-access/policy/TrustFrameworkExtensions_ConditionalAccess.xml
i have also implemented mfa (authenticator app sign up on first login, and sign in with auth app code on every other login) by modeling this repo: https://github.com/azure-ad-b2c/samples/blob/master/policies/totp/policy/TrustFrameworkExtensions_TOTP.xml
now to be honest right now the logic is mainly working from the mfa repo, since get available devices is already available. in the custom policy extenesions file (which i will send you over email), i dont think the conditional access logic is running at all. i tried simulating by signing in via tor browser but it did not block my sign in, i also tried signing in via incognito and it did not block. now to be honest the conditional access policy is quite bland, its not using identity protection capabilities, and its also not using azure ad conditional access signals (like location, ip based restriction, etc). im wondering is it incorrect to include conditional access logic in the custom policy and does that have to be rendered through the portal somehow? the MFA repo is really helpful and it allowed that logic to be integrated into the journey.
a final question i had, is if i wanted to enforce mfa for a certain user type on every sign in, but only enforce mfa for a second user type based on conditional access (paired with identity protection signals), how would i go about this approach.
these are really the big things im looking at right now along with password reset with pure JIT migration. i know this is alot of items, but they are all really important to consider and im wondering if you can provide your insights on this. we can definetly look into the approaches for password reset with JIT first, and then it would be extremely helpful if we can go over the other concepts i mentioned in this comment as well.
please shoot me an email, and i will get the custom policies over to you ASAP, im not sure of the private message you were referring to so i drooped my email at the top of this comment.
-
Moosa Khan 260 Reputation points Microsoft External Staff Moderator
2025-05-07T16:44:55.1666667+00:00 Hello Ray,
Shared my findings via private message please let me know if it is helpful or do you have any question on it?
-
Moosa Khan 260 Reputation points Microsoft External Staff Moderator
2025-05-08T19:23:21.8733333+00:00 Hello Ray,
I just wanted to follow up and see if the information I shared was helpful. Let me know if you have any questions!
-
Moosa Khan 260 Reputation points Microsoft External Staff Moderator
2025-05-09T19:24:59.0766667+00:00 Hello Ray,
I just wanted to follow up and see if the information I shared was helpful. Let me know if you have any questions!
Sign in to comment
Sign in to answer