Municipal CIAM: Azure AD B2C to Microsoft Entra External ID Migration

summary

Municipal CIAM: Azure AD B2C to Microsoft Entra External ID Migration

How Mars Innovation Technology migrated a British Columbia municipality from Azure AD B2C to Microsoft Entra External ID with no forced password resets.


Client

Municipal government, British Columbia.

Industry

Municipal Government | Public Sector

Services

CIAM Migration | Azure AD B2C to Microsoft Entra External ID | Just-in-Time Credential Migration | Identity Platform Modernization | Dual-Run Cutover

Technologies

Microsoft Entra External ID | Azure AD B2C | CIAM | Conditional Access | MFA | Risk-Based Sign-In | OAuth 2.0 | OIDC

ProductZero Trust LaunchpadCloud Launchpad
Category

Identity and Access Management

Date

11 Jul 2026


Share:

The Client

Our client is a municipality in one of the fastest growing metro areas in British Columbia. Like most modern municipalities, it runs a portfolio of citizen-facing digital services. Property tax accounts, utility billing, permit applications, recreation registration and more. Behind those services sits an identity platform that residents rarely think about, right up until the day they cannot log in.

That platform was Azure AD B2C. And Microsoft had put it on a clock.

The Challenge

In 2025 Microsoft stopped creating new Azure AD B2C tenants and made it clear that all future CIAM investment would go into Microsoft Entra External ID. Existing B2C tenants keep running under a support window, but no new features are coming. For a public sector organization with audit obligations, security standards to meet, and a growing set of resident-facing services, sitting on a legacy identity platform was not a real option.

The city faced the same problems we see in almost every B2C migration:

Passwords cannot come along for the ride. Credentials in B2C are stored as inaccessible hashes. There is no export button. The default answer, forcing every resident to reset their password, would have meant thousands of confused citizens, a spike in support calls, and abandoned accounts on services people rely on to pay bills and access city programs.

Multiple applications, one tenant. Several city services depended on the same B2C tenant, each with its own token validation logic, custom claims, and user journeys built on B2C's Identity Experience Framework custom policies. Years of XML policy customization does not translate one-to-one into External ID.

No acceptable downtime. Residents pay taxes, book facilities, and submit applications every day. "We are down for identity maintenance" was not a message anyone wanted to send.

Legacy data realities. Like any identity directory that has been in production for years, there were edge cases: old user records, inconsistent attributes, duplicate emails. All of it had to be handled deliberately rather than dragged blindly into the new platform.

The Approach

We treated this as a full system transition, not a tenant configuration exercise. The core decision was to use a seamless just-in-time (JIT) migration rather than forced password resets.

Here is how it worked:

  1. We stood up and configured the new Microsoft Entra External ID tenant, rebuilding the sign-in and sign-up experiences to match the city's branding and existing user journeys.
  2. We built a secure backend migration service that sits inside the authentication flow. When a resident signs in, the flow checks whether their account has already been migrated.
  3. If it has, they authenticate against External ID like normal. If it has not, the service validates their credentials against the legacy B2C tenant, then creates the account and establishes credentials in External ID in the same transaction.
  4. The resident logs in and carries on. No reset email, no new password to invent, no idea anything changed underneath them.

Around that core, we ran a dual-run period where both platforms operated in parallel with a controlled, application-by-application cutover. This gave the city a rollback path at every stage and let us validate token handling in each application before committing.

We also used the migration as a cleanup opportunity. Stale and duplicate records were resolved on the way in rather than copied over, and the new tenant was configured against current Entra security capabilities: conditional access alignment, modern MFA, and risk-based sign-in detection that the legacy B2C setup could not offer.

Results

0

Forced password resets

0

Service outages during cutover

0

Reset emails sent to residents

100%

Cutovers with a rollback path

  • Zero forced password resets. Active residents were migrated transparently as they signed in.
  • No service outages during the migration window. Citizen-facing applications stayed available throughout the cutover.
  • Active resident accounts moved across the connected city applications with no reset emails and nothing for residents to redo.
  • Reduced support impact, with no spike in password reset tickets or account lockout calls.
  • A stronger security posture on a platform Microsoft is actively investing in, with modern MFA, risk detection, and audit-ready identity governance in place.
  • A cleaner directory. Legacy edge cases were resolved during migration instead of being carried forward as technical debt.

Why This Matters If You Are Still on Azure AD B2C

Microsoft supports existing B2C tenants until at least May 2030, and a lot of organizations hear that date and relax. That is a mistake. CIAM migrations routinely take 3 to 12 months or longer, identity is wired deep into application code and customer journeys, and the honest answer from most business stakeholders is "no disruption, no forced resets." Meeting that bar takes planning time, a dual-run window, and engineering work that cannot be compressed into the last year before the deadline.

This engagement proves the seamless path is achievable, even in a public sector environment where downtime and citizen friction are simply not acceptable.

For the full technical background on the platform change, read our article: Microsoft Entra External ID: What You Must Know About Replacing Azure AD B2C.

Work With Us

Mars Innovation Technology has done this migration end to end: strategy, JIT credential migration tooling, application integration, dual-run cutover, and post-migration support. If your organization is still running on Azure AD B2C, we can start with a migration readiness assessment and give you a realistic picture of scope, risk, and timeline.

Contact Mars Innovation Technology to book a strategy session.

About Us

Who We Are

Launched in 2024 by industry veterans, Mars Innovation Technology helps Canadian businesses plan, build, and launch practical AI, cloud, data, and security projects with clear scope and fast delivery.
We focus on measurable business outcomes, like lower costs, faster delivery, and reduced risk, using proven cloud and AI engineering rather than open-ended consulting.

Contact us
Reduced Costs

Our Cloud Launchpad products reduced up to 60% of IT operation and deployment costs

Faster to Market

We reduce the time to market of products in sectors of Education, E-commerce, and Telecom by 90%

Security

Secured data both local and remotely, with the ability to restore and recover in events of disaster

Platforms & Tools

Our Technology Stack

What we use to transform your business

Contact us

Get Free
Infrastructure Assessment

[email protected]

2025 Willingdon Ave #936, Burnaby, BC V5C 3Z3