Azure AD B2C is being retired: What should you do next?
If your company relies on Azure AD B2C to manage customer identities, you’ve likely heard some noise about Microsoft’s plans. The short version: Azure AD B2C is not disappearing overnight, but it is effectively a dead-end platform. No new features will be added, and Microsoft’s strategic investment has fully shifted elsewhere.
This article explains what’s actually changing, by when, and — most importantly — what your options are.
What Is Actually Happening?
Microsoft is not pulling the plug on Azure AD B2C tomorrow. But the trajectory is clear and the timeline is concrete.
May 1, 2025 — End of sale. New customers can no longer purchase Azure AD External Identities P1 and P2 licenses, and cannot create new B2C tenants. Existing customers are unaffected and can continue creating new tenants under their existing agreements.
March 15, 2026 — Azure AD B2C Premium P2 (Identity Protection) is retired for all customers, including existing ones. If your tenant relies on risk-based Conditional Access or the sign-in and user risk detections that P2 provides, you need a replacement for those signals (or documented compensating controls) in place before this date, not just a licence change.
May 2030 — the date until which Microsoft has committed to supporting Azure AD B2C ("at least May 2030" in Microsoft's wording). Security and compliance updates and SLA commitments are maintained until then. No new features will ship.
The bottom line: Azure AD B2C is in maintenance mode. It still works, but it is no longer evolving. For any organisation planning features, improving authentication UX, adopting passkeys, or scaling their customer base, this matters now — not in 2030.
Why Is Microsoft Making This Move?
Azure AD B2C was built reactively, patched over years to meet customer demands it was never originally designed for. The result is a platform carrying significant technical debt — powerful in some areas, but fragmented and hard to evolve. Microsoft needs a modern foundation to stay competitive in the CIAM market.
Their answer is Microsoft Entra External ID, which reached general availability in May 2024. The ambition is to unify B2B collaboration and B2C CIAM into a single, coherent platform built natively on the Entra stack — with better developer experience, modern security primitives (passkeys, Continuous Access Evaluation), and a cleaner admin surface.
Option 1: Migrate to Microsoft Entra External ID
The path of least resistance is to follow Microsoft and migrate to Entra External ID. This is a reasonable choice for many organisations, but it deserves honest evaluation rather than a reflexive “stay in the Microsoft ecosystem” decision.
What Entra External ID Offers
- Unified platform: B2B and CIAM scenarios managed from the same Entra admin centre
- Modern auth: Passkeys, FIDO2, Conditional Access, and Continuous Access Evaluation built-in
- Social and federated logins: Google, Facebook, Apple, custom OIDC and SAML/WS-Fed providers
- MAU-based pricing: Free for the first 50,000 monthly active users, competitive at scale
- Native Microsoft 365 and Azure integration: A natural fit if your stack is already Microsoft-heavy
Current Limitations to Be Aware Of
Entra External ID is a young platform, and enterprise CIAM requirements can quickly expose its rough edges:
- MFA is limited to OTP — no push notifications or more advanced factors yet
- Branding is tenant-level only — no per-application UI customisation, which is a blocker for multi-brand or white-label scenarios
- Custom authentication flows are simplified — the power of B2C’s custom policies (Identity Experience Framework) is not fully replicated yet; a migration path for existing custom policies has been promised but not yet delivered
- Extension points are still maturing — complex user journey orchestration requires workarounds
Who should choose this path? Organisations that are deeply invested in the Microsoft ecosystem (Azure, M365, Entra ID for workforce), have relatively standard authentication flows, and can afford to wait for the platform to mature. If your B2C implementation is light and your team is comfortable with Entra, this is the low-friction choice.
Who should think twice? Organisations with complex user journeys, strong branding requirements, multi-region data residency constraints, or those who want to avoid continued dependence on a single hyperscaler’s identity stack.
Option 2: Use This Transition as a Strategic CIAM Review
Here is a perspective worth sitting with: your migration is going to require significant effort no matter what. Moving from Azure AD B2C to Entra External ID is not a configuration toggle. It involves re-architecting tenant structure, migrating user directories, adapting application code, and retesting every authentication flow. Bear in mind that password hashes cannot be exported from a B2C tenant, so any migration that does not go through a Microsoft-provided tool needs either a forced password reset for every user or a just-in-time migration flow that validates the old credential at first login and writes it to the new platform.
If you are going to invest that time and budget, it is worth asking: is the destination we are migrating to actually the best platform for the next five years of our business?
The CIAM market is mature and competitive. This is exactly the moment to run a proper benchmark.
The Main CIAM Alternatives
Here is an honest overview of the leading solutions and where each one makes sense.
Microsoft Entra External ID
Best for: Microsoft-centric organisations with standard authentication needs. As described above. The native choice for teams already on Azure with no complex identity requirements. Watch the roadmap closely before committing — the platform is still catching up to B2C’s feature depth.
Auth0 (Okta Customer Identity Cloud)
Best for: Product teams who want developer-first CIAM with maximum extensibility.
Auth0 is one of the most battle-tested CIAM platforms available. It supports OAuth 2.0, OIDC, and SAML out of the box, with a rich ecosystem of social and enterprise identity providers. Its Actions extensibility model (the successor to the older Rules) lets development teams customise authentication logic in code without managing backend infrastructure. The Universal Login provides a polished, brandable experience across all touchpoints.
The tradeoffs: pricing scales with MAU and can become expensive at high volumes. Configuration complexity grows as your flows do. For organisations scaling to tens of millions of users with sophisticated requirements, the cost/complexity ratio deserves scrutiny.
Keycloak
Best for: Organisations that need full control, have strong DevOps capability, and want to avoid per-MAU pricing.
Keycloak is the leading open-source identity platform, originally developed by Red Hat and now a CNCF project. It supports OIDC, OAuth 2.0, SAML, LDAP federation, and a highly extensible authentication flow system. For organisations with large user bases, strict data sovereignty requirements, or CIAM scenarios that require deep customisation, Keycloak's self-hosted model offers significant cost and control advantages.
The tradeoffs: you own the infrastructure. Scaling, failover, patching, and upgrades are your responsibility. The operational overhead is real, and building modern, polished consumer-grade login UX on top of Keycloak requires dedicated investment. It is a strong choice when you have the engineering capability to sustain it.
Other Notable Options
- PingOne for Customers — enterprise-grade CIAM with strong orchestration, good choice for regulated industries
- Frontegg — purpose-built for B2B SaaS, excellent multi-tenancy and self-service admin portals
- FusionAuth — developer-friendly, self-hostable, competitive pricing, growing rapidly
- Amazon Cognito — the AWS-native option; a natural fit when your infrastructure already runs on AWS, with the same ecosystem coupling that Entra carries on Azure and limited per-application theming
How to Choose: A Decision Framework
Rather than prescribing a single answer, here are the questions that should drive your evaluation:
1. How complex are your current authentication flows? Custom policies in Azure AD B2C can encode significant business logic. If you have invested heavily in the Identity Experience Framework, your migration effort scales accordingly. Evaluate which platforms support equivalent extensibility natively.
2. What are your branding and UX requirements? If customers interact with a branded, white-labelled login experience — or if you operate multiple brands — your platform needs per-application theming at minimum. This rules out Entra External ID today, and limits Cognito.
3. What are your data residency and compliance constraints? GDPR, HIPAA, sector-specific regulations, or client contractual requirements around data location can narrow the field significantly. Self-hosted solutions (Keycloak) or providers with multi-region guarantees and DPAs may be required. Check where the provider keeps sign-in logs, backups and support-access copies of the directory, not only the primary user store; these are often the data that leave the region.
4. What is your cloud ecosystem alignment? If your infrastructure is primarily Azure, Entra External ID has genuine integration advantages. If it is AWS, Cognito fits naturally. If you are multi-cloud or cloud-agnostic, a standalone CIAM platform removes the ecosystem coupling risk entirely.
5. What is your expected user scale, and what does pricing look like at that scale? Run the numbers at your current MAU and at 3x and 10x growth. MAU-based pricing from SaaS CIAM vendors can become significant at consumer scale. Self-hosted solutions carry no per-MAU licence fee, but their infrastructure and operations costs are not zero and still grow with load.
6. How much do you want to own? This is ultimately a build-vs-buy decision applied to identity infrastructure. Managed SaaS (Auth0, Entra) minimises operational burden but introduces vendor dependency. Self-hosted (Keycloak, FusionAuth) maximises control but requires ongoing engineering ownership.
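Question 1 above asks how much business logic your custom policies carry, and the honest answer comes from the policy XML rather than from memory. The script below is an added example (not from the original article and not a Microsoft tool): it parses an Identity Experience Framework TrustFrameworkPolicy file with the Python standard library, counts technical profiles by protocol, lists the REST endpoints the policy calls, and flags the parts that will not map onto a built-in user flow on any target platform. The embedded policy is a constructed, trimmed sample; the contoso tenant name, the loyalty API URL and the three-step threshold in migration_hotspots are assumptions for illustration.

```python
"""Inventory an Azure AD B2C custom policy (Identity Experience Framework XML)
to size the migration effort.  Added example; assumes the input follows the
public TrustFrameworkPolicy schema and is supplied as a string."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"cpim": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}

# Constructed sample (not a real tenant): one social IdP, one REST call,
# one custom claim, one claims transformation and one four-step journey.
SAMPLE_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0" TenantId="contoso.onmicrosoft.com"
  PolicyId="B2C_1A_TrustFrameworkExtensions">
  <BasePolicy>
    <TenantId>contoso.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>
  </BasePolicy>
  <BuildingBlocks>
    <ClaimsSchema>
      <ClaimType Id="loyaltyNumber"><DataType>string</DataType></ClaimType>
    </ClaimsSchema>
    <ClaimsTransformations>
      <ClaimsTransformation Id="CreateDisplayName" TransformationMethod="FormatStringClaim"/>
    </ClaimsTransformations>
  </BuildingBlocks>
  <ClaimsProviders>
    <ClaimsProvider><DisplayName>Google</DisplayName><TechnicalProfiles>
      <TechnicalProfile Id="Google-OAuth2"><Protocol Name="OAuth2"/></TechnicalProfile>
    </TechnicalProfiles></ClaimsProvider>
    <ClaimsProvider><DisplayName>Loyalty API</DisplayName><TechnicalProfiles>
      <TechnicalProfile Id="REST-GetLoyaltyNumber">
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
        <Metadata><Item Key="ServiceUrl">https://api.contoso.example/loyalty</Item></Metadata>
      </TechnicalProfile>
    </TechnicalProfiles></ClaimsProvider>
  </ClaimsProviders>
  <UserJourneys>
    <UserJourney Id="SignUpOrSignInWithLoyalty"><OrchestrationSteps>
      <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp"/>
      <OrchestrationStep Order="2" Type="ClaimsExchange"/>
      <OrchestrationStep Order="3" Type="ClaimsExchange"/>
      <OrchestrationStep Order="4" Type="SendClaims"/>
    </OrchestrationSteps></UserJourney>
  </UserJourneys>
</TrustFrameworkPolicy>
"""


def inventory(policy_xml: str) -> dict:
    """Summarise the extensibility a policy actually uses."""
    root = ET.fromstring(policy_xml.encode("utf-8"))
    if root.tag != "{%s}TrustFrameworkPolicy" % NS["cpim"]:
        raise ValueError("not a B2C TrustFrameworkPolicy document")

    protocols, rest_endpoints = Counter(), []
    for tp in root.iterfind(".//cpim:TechnicalProfile", NS):
        proto = tp.find("cpim:Protocol", NS)
        if proto is None:          # overrides an inherited profile; no protocol of its own
            continue
        name = proto.get("Name")
        if name == "Proprietary":  # Handler is a .NET type name; keep the class name only
            name = proto.get("Handler", "").split(",")[0].rsplit(".", 1)[-1] or name
        protocols[name] += 1
        if name == "RestfulProvider":
            for item in tp.iterfind("cpim:Metadata/cpim:Item", NS):
                if item.get("Key") == "ServiceUrl" and item.text:
                    rest_endpoints.append(item.text.strip())

    base = root.find("cpim:BasePolicy/cpim:PolicyId", NS)
    return {
        "policy_id": root.get("PolicyId"),
        "base_policy": None if base is None else base.text,
        "technical_profiles_by_protocol": dict(protocols),
        "rest_endpoints": rest_endpoints,
        "user_journeys": {
            uj.get("Id"): len(uj.findall("cpim:OrchestrationSteps/cpim:OrchestrationStep", NS))
            for uj in root.iterfind("cpim:UserJourneys/cpim:UserJourney", NS)},
        "claims_transformations": dict(Counter(
            ct.get("TransformationMethod")
            for ct in root.iterfind(".//cpim:ClaimsTransformation", NS))),
        "custom_claim_types": [ct.get("Id") for ct in root.iterfind(".//cpim:ClaimType", NS)],
    }


def migration_hotspots(inv: dict, max_steps: int = 3) -> list[str]:
    """Items that will not map onto a built-in user flow and need explicit design.
    max_steps is an assumed threshold, not a vendor figure."""
    notes = [f"REST call to {u}: must move to app code or the target platform's extension hooks"
             for u in inv["rest_endpoints"]]
    notes += [f"{n} x {m} claims transformation(s): logic lives in the policy, reimplement it"
              for m, n in inv["claims_transformations"].items()]
    notes += [f"journey {j} has {s} orchestration steps: map each step to a target feature"
              for j, s in inv["user_journeys"].items() if s > max_steps]
    return notes


if __name__ == "__main__":
    result = inventory(SAMPLE_POLICY)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("\n".join(migration_hotspots(result)))
```

Run it over your real TrustFrameworkExtensions and relying-party files, not only the base. The RestfulProvider count and the list of ServiceUrl values are usually the best first estimate of effort: every REST call is business logic that must live somewhere once the policy engine is gone, and each one also needs its credential (API key or bearer token) re-issued for the new caller.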
Our Recommendation
There is no universal right answer, and anyone who tells you otherwise is selling something. The right platform depends on your current implementation, your team’s capabilities, your regulatory environment, and where your product is heading.
What we do recommend is treating this moment as a strategic decision rather than a tactical migration. The effort is equivalent either way — you may as well arrive somewhere better suited to your next five years.