Municipal CIAM: Azure AD B2C to Microsoft Entra External ID Migration
How Mars Innovation Technology migrated a British Columbia municipality from Azure AD B2C to Microsoft Entra External ID with no forced password resets.
Municipal government, British Columbia.
Municipal Government | Public Sector
CIAM Migration | Azure AD B2C to Microsoft Entra External ID | Just-in-Time Credential Migration | Identity Platform Modernization | Dual-Run Cutover
Microsoft Entra External ID | Azure AD B2C | CIAM | Conditional Access | MFA | Risk-Based Sign-In | OAuth 2.0 | OIDC
Identity and Access Management
Date11 Jul 2026
Our client is a municipality in one of the fastest growing metro areas in British Columbia. Like most modern municipalities, it runs a portfolio of citizen-facing digital services. Property tax accounts, utility billing, permit applications, recreation registration and more. Behind those services sits an identity platform that residents rarely think about, right up until the day they cannot log in.
That platform was Azure AD B2C. And Microsoft had put it on a clock.
In 2025 Microsoft stopped creating new Azure AD B2C tenants and made it clear that all future CIAM investment would go into Microsoft Entra External ID. Existing B2C tenants keep running under a support window, but no new features are coming. For a public sector organization with audit obligations, security standards to meet, and a growing set of resident-facing services, sitting on a legacy identity platform was not a real option.
The city faced the same problems we see in almost every B2C migration:
Passwords cannot come along for the ride. Credentials in B2C are stored as inaccessible hashes. There is no export button. The default answer, forcing every resident to reset their password, would have meant thousands of confused citizens, a spike in support calls, and abandoned accounts on services people rely on to pay bills and access city programs.
Multiple applications, one tenant. Several city services depended on the same B2C tenant, each with its own token validation logic, custom claims, and user journeys built on B2C's Identity Experience Framework custom policies. Years of XML policy customization does not translate one-to-one into External ID.
No acceptable downtime. Residents pay taxes, book facilities, and submit applications every day. "We are down for identity maintenance" was not a message anyone wanted to send.
Legacy data realities. Like any identity directory that has been in production for years, there were edge cases: old user records, inconsistent attributes, duplicate emails. All of it had to be handled deliberately rather than dragged blindly into the new platform.
We treated this as a full system transition, not a tenant configuration exercise. The core decision was to use a seamless just-in-time (JIT) migration rather than forced password resets.
Here is how it worked:
Around that core, we ran a dual-run period where both platforms operated in parallel with a controlled, application-by-application cutover. This gave the city a rollback path at every stage and let us validate token handling in each application before committing.
We also used the migration as a cleanup opportunity. Stale and duplicate records were resolved on the way in rather than copied over, and the new tenant was configured against current Entra security capabilities: conditional access alignment, modern MFA, and risk-based sign-in detection that the legacy B2C setup could not offer.
0
Forced password resets
0
Service outages during cutover
0
Reset emails sent to residents
100%
Cutovers with a rollback path
Microsoft supports existing B2C tenants until at least May 2030, and a lot of organizations hear that date and relax. That is a mistake. CIAM migrations routinely take 3 to 12 months or longer, identity is wired deep into application code and customer journeys, and the honest answer from most business stakeholders is "no disruption, no forced resets." Meeting that bar takes planning time, a dual-run window, and engineering work that cannot be compressed into the last year before the deadline.
This engagement proves the seamless path is achievable, even in a public sector environment where downtime and citizen friction are simply not acceptable.
For the full technical background on the platform change, read our article: Microsoft Entra External ID: What You Must Know About Replacing Azure AD B2C.
Mars Innovation Technology has done this migration end to end: strategy, JIT credential migration tooling, application integration, dual-run cutover, and post-migration support. If your organization is still running on Azure AD B2C, we can start with a migration readiness assessment and give you a realistic picture of scope, risk, and timeline.
Contact Mars Innovation Technology to book a strategy session.
Launched in 2024 by industry veterans, Mars Innovation Technology helps Canadian businesses plan, build, and launch practical AI, cloud, data, and security projects with clear scope and fast delivery.
We focus on measurable business outcomes, like lower costs, faster delivery, and reduced risk, using proven cloud and AI engineering rather than open-ended consulting.
Our Cloud Launchpad products reduced up to 60% of IT operation and deployment costs
We reduce the time to market of products in sectors of Education, E-commerce, and Telecom by 90%
Secured data both local and remotely, with the ability to restore and recover in events of disaster