Merge to Live

aspnetcore/security/authentication/azure-ad-b2c.md

@@ -1,147 +1,60 @@
 ---
 title: Cloud authentication with Azure Active Directory B2C in ASP.NET Core
-author: guardrex
+ai-usage: ai-assisted
+author: wadepickett
 description: Discover how to set up Azure Active Directory B2C authentication with ASP.NET Core.
 ms.author: wpickett
 ms.custom: "devx-track-csharp, mvc"
-ms.date: 02/27/2026
+ms.date: 03/25/2026
 uid: security/authentication/azure-ad-b2c
 ---
 # Cloud authentication with Azure Active Directory B2C in ASP.NET Core
 
-By [Damien Bod](https://github.com/damienbod)
-
 [!INCLUDE[](~/includes/azure-active-directory-b2c-eol-support-notice.md)]
 
-[Azure Active Directory B2C](/azure/active-directory-b2c/active-directory-b2c-overview) (Azure AD B2C) is a cloud identity management solution for web and mobile apps. The service provides authentication for apps hosted in the cloud and on-premises. Authentication types include individual accounts, social network accounts, and federated enterprise accounts. Additionally, Azure AD B2C can provide multi-factor authentication with minimal configuration.
-
-> [!TIP]
-> Microsoft Entra ID, Microsoft Entra External ID and Azure AD B2C are separate product offerings. An Entra ID tenant generally represents an organization, while an Azure AD B2C tenant or a Microsoft Entra External ID tenant can represent a collection of identities to be used with relying party applications. To learn more, see [Azure AD B2C: Frequently asked questions (FAQ)](/azure/active-directory-b2c/active-directory-b2c-faqs).
-
-> [!TIP]
-> [Microsoft Entra External ID for customers](/azure/active-directory/external-identities/customers/overview-customers-ciam) is Microsoft’s new customer identity and access management (CIAM) solution.
-
-In this tutorial, you'll learn how to configure an ASP.NET Core app for authentication with Azure AD B2C.
-
-## Prerequisites
-
-* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn).
-* .NET SDK. [Install the latest .NET SDK](https://dotnet.microsoft.com/download/dotnet) for your platform.
-
-## Preparation
-
-1. [Create an Azure Active Directory B2C tenant](/azure/active-directory-b2c/tutorial-create-tenant).
-1. Create a new ASP.NET Core Razor pages app:
-
-    ```dotnetcli
-    dotnet new razor -o azure-ad-b2c
-    ```
-
-    The previous command creates a Razor pages app in a directory named *azure-ad-b2c*. 
-
-    > [!TIP]
-    > You may prefer to [use Visual Studio to create your app](/visualstudio/ide/quickstart-aspnet-core).
-
-1. [Create a web app registration in the tenant](/azure/active-directory-b2c/tutorial-register-applications#register-a-web-application). For **Redirect URI**, use `https://localhost:5001/signin-oidc`.  Replace `5001` with the port used by your app when using Visual Studio generated ports.
-
-## Modify the app
-
-1. Add the `Microsoft.Identity.Web` and `Microsoft.Identity.Web.UI` packages to the project. If you're using Visual Studio, you can use [NuGet Package Manager](/nuget/consume-packages/install-use-packages-visual-studio).
-
-    ```dotnetcli
-    dotnet add package Microsoft.Identity.Web
-    dotnet add package Microsoft.Identity.Web.UI
-    ```
-
-    In the preceding:
-
-    * `Microsoft.Identity.Web` includes the basic set of dependencies for authenticating with the Microsoft identity platform.
-    * `Microsoft.Identity.Web.UI` includes UI functionality encapsulated in an area named `MicrosoftIdentity`.
-
-1. Add an `AzureADB2C` object to `appsettings.json`.
-
-    > [!NOTE]
-    > When using Azure B2C user flows, you need to set the **Instance** and the PolicyId of the type of flow.
-
-    :::code language="json" source="azure-ad-b2c/sample/appsettings-b2c-userflow.json" highlight="2-17":::
-
-    * For **Domain**, use the domain of your Azure AD B2C tenant.
-    * For **ClientId**, use the **Application (client) ID** from the app registration you created in your tenant.
-    * For **Instance**, use the domain of your Azure AD B2C tenant.
-    * For **TenantId**, use the **Tenant ID** from your Azure AD B2C tenant. In the Azure portal, search for and select **Microsoft Entra ID**. In the **Overview**, copy the **Tenant ID**.
-    * For **SignUpSignInPolicyId**, use the user flow policy defined in the Azure B2C tenant
-	* Use either the **ClientSecret** or the **ClientCertificates** configuration. ClientCertificates are recommended.
-    * Leave all other values as they are.
-
-1. In *Pages/Shared*, create a file named `_LoginPartial.cshtml`. Include the following code:
-
-    :::code language="razor" source="azure-ad-b2c/sample/Pages/Shared/_LoginPartial.cshtml":::    
-
-    The preceding code:
-
-    * Checks if the user is authenticated.
-    * Renders a **Sign out** or **Sign in** link as appropriate.
-        * The link points to an action method on the `Account` controller in the `MicrosoftIdentity` area.
-
-1. In *Pages/Shared/_Layout.cshtml*, add the highlighted line within the `<header>` element:
+## Recommended path for new projects
 
-    :::code language="razor" source="azure-ad-b2c/sample/Pages/Shared/_Layout.cshtml" range="12-33" highlight="18":::
-
-    Adding `<partial name="_LoginPartial" />` renders the `_LoginPartial.cshtml` partial view in every page request that uses this layout.
+[Microsoft Entra External ID for customers](/entra/external-id/customers/overview-customers-ciam) is the recommended customer identity and access management (CIAM) solution for new ASP.NET Core applications, replacing Azure AD B2C with the latest identity platform features.
 
-1. In *Program.cs*, make the following changes:
+To get started with a new project, see [Sign in users in a sample ASP.NET Core web app](/entra/external-id/customers/sample-web-app-dotnet-sign-in).
 
-    1. Add the following `using` directives:
-
-        :::code language="csharp" source="azure-ad-b2c/sample/Program.cs" id="snippet_NewUsings":::
+## Migrate from Azure AD B2C to Entra External ID
 
-        The preceding code resolves references used in the next steps.
+To migrate an existing Azure AD B2C application to the newer platform, see [Plan and execute a migration to Microsoft Entra External ID](/entra/external-id/customers/migrate-to-external-id).
 
-    1. Update the `builder.Services` lines with the following code:
-
-        :::code language="csharp" source="azure-ad-b2c/sample/Program.cs" id="snippet_builderservices":::
+For detailed guidance on moving user accounts, including password migration strategies, see [Migrating users to Microsoft Entra External ID](/entra/external-id/customers/how-to-migrate-users).
 
-        In the preceding code:
+## Guidance for existing Azure AD B2C projects
 
-        * Calls to the `AddAuthentication` and `AddMicrosoftIdentityWebApp` methods configure the app to use OpenID Connect, specifically configured for the Microsoft identity platform.
-        * `AddAuthorization` initializes ASP.NET Core authorization.
-        * The `AddRazorPages` call configures the app so anonymous browsers can view the Index page. All other requests require authentication.
-        * `AddMvcOptions` and `AddMicrosoftIdentityUI` add the required UI components for redirecting to/from Azure AD B2C.
-
-    1. Update the highlighted line to the `Configure` method:
-
-        :::code language="csharp" source="azure-ad-b2c/sample/Program.cs" id="snippet_app":::
+Azure AD B2C remains supported for existing applications. Authoritative setup and configuration guidance is maintained in the Azure AD B2C documentation. The following articles cover the topics that ASP.NET Core developers typically need:
 
-        The preceding code enables authentication in ASP.NET Core.
+| Topic | Article |
+|---|---|
+| Create a tenant | [Tutorial: Create an Azure AD B2C tenant](/azure/active-directory-b2c/tutorial-create-tenant) |
+| Register a web application | [Tutorial: Register a web application in Azure AD B2C](/azure/active-directory-b2c/tutorial-register-applications) |
+| Configure authentication in an ASP.NET Core app | [Configure authentication in a sample ASP.NET Core web app](/azure/active-directory-b2c/configure-authentication-sample-web-app) |
+| Enable multi-factor authentication | [Enable MFA in Azure AD B2C](/azure/active-directory-b2c/multi-factor-authentication) |
 
-## Run the app
+## ASP.NET Core integration checklist
 
-> [!NOTE]
-> Use the profile which matches the Azure App registration **Redirect URIs**.
-1. Run the app.
-
-    ```dotnetcli
-    dotnet run --launch-profile https
-    ```
+After completing identity provider setup using the Entra or Azure AD B2C documentation, complete the following ASP.NET Core-specific steps:
 
-1. Browse to the app's secure endpoint, for example, `https://localhost:5001/`.
-    * The Index page renders with no authentication challenge.
-    * The header includes a **Sign in** link because you're not authenticated.
+1. **Install NuGet packages:** Add the [`Microsoft.Identity.Web`](https://www.nuget.org/packages/Microsoft.Identity.Web) and [`Microsoft.Identity.Web.UI`](https://www.nuget.org/packages/Microsoft.Identity.Web.UI) packages:
 
-1. Select the **Privacy** link.
-    * The browser is redirected to your tenant's configured authentication method.
-    * After signing in, the header displays a welcome message and a **Sign out** link.
+   ```dotnetcli
+   dotnet add package Microsoft.Identity.Web
+   dotnet add package Microsoft.Identity.Web.UI
+   ```
 
-## Next steps
+1. **Configure services in `Program.cs`:** Call `AddMicrosoftIdentityWebApp` to configure OpenID Connect authentication for the Microsoft identity platform, and call `AddMicrosoftIdentityUI` to add the required sign-in/sign-out UI components. For the full API reference, see the [Microsoft Identity Web documentation](https://github.com/AzureAD/microsoft-identity-web/wiki).
 
-In this tutorial, you learned how to configure an ASP.NET Core app for authentication with Azure AD B2C.
+1. **Add configuration:** Add the `AzureADB2C` section in `appsettings.json` with values that match your tenant and app registration. See [Configure authentication in a sample ASP.NET Core web app](/azure/active-directory-b2c/configure-authentication-sample-web-app) for the complete schema and sample.
 
-Now that the ASP.NET Core app is configured to use Azure AD B2C for authentication, the [Authorize attribute](xref:security/authorization/simple) can be used to secure your app. Continue developing your app by learning to:
+## Additional resources
 
-* [Customize the Azure AD B2C user interface](/azure/active-directory-b2c/active-directory-b2c-reference-ui-customization).
-* [Configure password complexity requirements](/azure/active-directory-b2c/active-directory-b2c-reference-password-complexity).
-* [Enable multi-factor authentication](/azure/active-directory-b2c/active-directory-b2c-reference-mfa).
-* Configure additional identity providers, such as [Microsoft](/azure/active-directory-b2c/active-directory-b2c-setup-msa-app), [Facebook](/azure/active-directory-b2c/active-directory-b2c-setup-fb-app), [Google](/azure/active-directory-b2c/active-directory-b2c-setup-goog-app), [Amazon](/azure/active-directory-b2c/active-directory-b2c-setup-amzn-app), [Twitter](/azure/active-directory-b2c/active-directory-b2c-setup-twitter-app), and others.
-* [Use the Microsoft Graph API](/azure/active-directory-b2c/microsoft-graph-operations) to retrieve additional user information, such as group membership, from the Azure AD B2C tenant.
-* [How to secure a Web API built with ASP.NET Core using the Azure AD B2C](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/4-WebApp-your-API/4-2-B2C).
-* [Tutorial: Grant access to an ASP.NET web API using Azure Active Directory B2C](/azure/active-directory-b2c/tutorial-web-api-dotnet).
+* [Microsoft Entra External ID for customers overview](/entra/external-id/customers/overview-customers-ciam)
+* [Azure AD B2C documentation](/azure/active-directory-b2c/)
+* [Customize the Azure AD B2C user interface](/azure/active-directory-b2c/customize-ui)
+* [Configure password complexity in Azure AD B2C](/azure/active-directory-b2c/password-complexity)
+* [Microsoft Graph API with Azure AD B2C](/azure/active-directory-b2c/microsoft-graph-operations)
+* <xref:security/authentication/index>