faq.yml

### YamlMime:FAQ
metadata:
  title: 'Frequently asked questions (FAQ) for Azure Active Directory B2C'
  description: Answers to frequently asked questions about Azure Active Directory B2C.
  
  author: garrodonnell
  manager: CelesteDG  
  ms.service: azure-active-directory
  
  ms.topic: faq
  ms.date: 06/20/2025
  ms.author: godonnell
  ms.subservice: b2c
  ms.custom:
    - sfi-ga-blocked
    - b2c-support
    - has-azure-ad-ps-ref
    - azure-ad-ref-level-one-done
    - sfi-image-nochange
title: 'Azure AD B2C: Frequently asked questions (FAQ)'
summary: | 
  [!INCLUDE [active-directory-b2c-end-of-sale-notice-b](../../includes/active-directory-b2c-end-of-sale-notice-b.md)]
  
  This page answers frequently asked questions about the Azure Active Directory B2C (Azure AD B2C). Keep checking back for updates.
  
sections:
  - name: General
    questions:
      - question: |
          Azure AD B2C end of sale
        answer: |
          Effective **May 1, 2025** Azure AD B2C will no longer be available to purchase for new customers, but current Azure AD B2C customers can continue using the product. The product experience, including creating new tenants or user flows, will remain unchanged; however, new tenants can only be created with Azure AD B2C P1.  Azure AD B2C P2 will be discontinued on March 15, 2026, for all customers. The operational commitments, including service level agreements (SLAs), security updates, and compliance, will also remain unchanged. We'll continue supporting Azure AD B2C until at least May 2030. More information, including migration plans will be made available. Contact your account representative for more information and to learn more about Microsoft Entra External ID.
      - question: |
          What is Microsoft Entra External ID?
        answer: |
          We have released our next generation Microsoft Entra External ID product which combines powerful solutions for working with people outside of your organization. With External ID capabilities, you can allow external identities to securely access your apps and resources. Whether you’re working with external partners, consumers, or business customers, users can bring their own identities. These identities can range from corporate or government-issued accounts to social identity providers like Google or Facebook. For more information, see [Introduction to Microsoft Entra External ID](/entra/external-id/external-identities-overview)

      - question: |
          Why can't I access the Azure AD B2C extension in the Azure portal?
        answer: |
          There are two common reasons for why the Microsoft Entra extension isn't working for you. Azure AD B2C requires your user role in the directory to be a Global administrator. Contact your administrator if you think you should have access. If you have Global administrator privileges, make sure that you are in an Azure AD B2C directory and not a Microsoft Entra directory. You can see instructions for [creating an Azure AD B2C tenant](tutorial-create-tenant.md).
          
      - question: |
          Can I use Azure AD B2C features in my existing, employee-based Microsoft Entra tenant?
        answer: |
          Microsoft Entra ID and Azure AD B2C are separate product offerings. To use Azure AD B2C features, create a separate Azure AD B2C tenant from your existing employee-based Microsoft Entra tenant. A Microsoft Entra tenant represents an organization. An Azure AD B2C tenant represents a collection of identities to be used with relying party applications. By adding **New OpenID Connect provider** under **Azure AD B2C > Identity providers** or with custom policies, Azure AD B2C can federate to Microsoft Entra ID allowing authentication of employees in an organization.

      - question: |
          Can I use Azure AD B2C to provide social sign-in (Facebook and Google+) into Microsoft 365?
        answer: |
          Azure AD B2C can't be used to authenticate users for Microsoft 365. Microsoft Entra ID is Microsoft's solution for managing employee access to SaaS apps and it has features designed for this purpose such as licensing and Conditional Access. Azure AD B2C provides an identity and access management platform for building web and mobile applications. When Azure AD B2C is configured to federate to a Microsoft Entra tenant, the Microsoft Entra tenant manages employee access to applications that rely on Azure AD B2C.

      - question: |
          What are local accounts in Azure AD B2C? How are they different from work or school accounts in Microsoft Entra ID?
        answer: |
          In a Microsoft Entra tenant, users that belong to the tenant sign in with an email address of the form `<xyz>@<tenant domain>`. The `<tenant domain>` is one of the verified domains in the tenant or the initial `<...>.onmicrosoft.com` domain. This type of account is a work or school account.
          
          In an Azure AD B2C tenant, most apps want the user to sign in with any arbitrary email address (for example, joe@comcast.net, bob@gmail.com, sarah@contoso.com, or jim@live.com). This type of account is a local account. We also support arbitrary user names as local accounts (for example, joe, bob, sarah, or jim). You can choose one of these two local account types when configuring identity providers for Azure AD B2C in the Azure portal. In your Azure AD B2C tenant, select **Identity providers**, select **Local account**, and then select **Username**.
          
          User accounts for applications can be created through a sign-up user flow, sign-up or sign-in user flow, the Microsoft Graph API, or the Azure portal.
      - question: |
          How many users can an Azure AD B2C tenant accommodate?
        answer: |
          By default, each tenant can accommodate a total of **1.25 million** objects (user accounts and applications), but you can increase this limit to **5.25 million** objects when you [add and verify a custom domain](custom-domain.md). If you want to increase this limit, please contact [Microsoft Support](find-help-open-support-ticket.md). However, if you created your tenant before **September 2022**, this limit doesn't affect you, and your tenant will retain the size allocated to it at creation, that's, **50 million** objects. 
      - question: |
          Which social identity providers do you support now? Which ones do you plan to support in the future?
        answer: |
          We currently support several social identity providers including Amazon, Facebook, GitHub (preview), Google, LinkedIn, Microsoft Account (MSA), QQ (preview), X, WeChat (preview), and Weibo (preview). We evaluate adding support for other popular social identity providers based on customer demand.
          
          Azure AD B2C also supports [custom policies](custom-policy-overview.md). Custom policies allow you to create your own policy for any identity provider that supports [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html) or SAML. Get started with custom policies by checking out our [custom policy starter pack](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack).
          
      - question: |
          Can I configure scopes to gather more information about consumers from various social identity providers?
        answer: |
          No. The default scopes used for our supported set of social identity providers are:
          
          * Facebook: email
          * Google+: email
          * Microsoft account: openid email profile
          * Amazon: profile
          * LinkedIn: r_emailaddress, r_basicprofile

      - question: |
          I'm using ADFS as an identity provider in Azure AD B2C. When I try to initiate a sign-out request from Azure AD B2C, ADFS shows the error *MSIS7084: SAML logout request and logout response messages must be signed when using SAML HTTP Redirect or HTTP POST binding*. How do I resolve this issue?
        answer: |
          On the ADFS server, run: `Set-AdfsProperties -SignedSamlRequestsRequired $true`. This will force Azure AD B2C to sign all requests to ADFS.
        
      - question: |
          Does my application have to be run on Azure for it to work with Azure AD B2C?
        answer: |
          No, you can host your application anywhere (in the cloud or on-premises). All it needs to interact with Azure AD B2C is the ability to send and receive HTTP requests on publicly accessible endpoints.

      - question: |
          I have multiple Azure AD B2C tenants. How can I manage them on the Azure portal?
        answer: |
          Before opening Azure AD B2C service in the Azure portal, you must switch to the directory you want to manage. Select the **Settings** icon in the top menu to switch to the directory you want to manage from the **Directories + subscriptions** menu.

      - question: |
          Why am I unable to create an Azure AD B2C tenant?
        answer: |
          You might not have permission to create an Azure AD B2C tenant. Only users with at least **Tenant Creator** roles can create the tenant. 

      - question: |
          How do I customize verification emails (the content and the "From:" field) sent by Azure AD B2C?
        answer: |
          You can use the [company branding feature](../active-directory/fundamentals/how-to-customize-branding.md) to customize the content of verification emails. Specifically, these two elements of the email can be customized:
          
          * **Banner logo**: Shown at the bottom-right.
          * **Background color**: Shown at the top.
          
              ![Screenshot of a customized verification email](./media/faq/company-branded-verification-email.png)
          
          The email signature contains the Azure AD B2C tenant's name that you provided when you first created the Azure AD B2C tenant. You can change the name using these instructions:
          
          1. Sign in to the [Azure portal](https://portal.azure.com/) as the Global Administrator.
          1. Open the **Microsoft Entra ID** blade.
          1. Select the **Properties** tab.
          1. Change the **Name** field.
          1. Select **Save** at the top of the page.
          
          Currently, you can’t change the "From:" field on the email.
          
          > [!TIP]
          > With Azure AD B2C [custom policy](custom-policy-overview.md), you can customize the email Azure AD B2C sends to users, including the "From:" field on the email. The custom email verification requires the use of a third-party email provider like [Mailjet](custom-email-mailjet.md) or [SendGrid](custom-email-sendgrid.md).
          
      - question: |
          How can I migrate my existing user names, passwords, and profiles from my database to Azure AD B2C?
        answer: |
          You can use the Microsoft Graph API to write your migration tool. See the [User migration guide](user-migration.md) for details.
          
      - question: |
          What password user flow is used for local accounts in Azure AD B2C?
        answer: |
          The Azure AD B2C password user flow for local accounts is based on the policy for Microsoft Entra ID. Azure AD B2C's sign-up, sign-up or sign-in and password reset user flows use the "strong" password strength and don't expire any passwords. For more information, see [Password policies and restrictions in Microsoft Entra ID](../active-directory/authentication/concept-sspr-policy.md).
          
          For information about account lockouts and passwords, see [Mitigate credential attacks in Azure AD B2C](threat-management.md).
          
      - question: |
          Can I use Microsoft Entra Connect to migrate consumer identities that are stored on my on-premises Active Directory to Azure AD B2C?
        answer: |
          No, Microsoft Entra Connect isn't designed to work with Azure AD B2C. Consider using the [Microsoft Graph API](microsoft-graph-operations.md) for user migration. See the [User migration guide](user-migration.md) for details.
          
      - question: |
          Can my app open up Azure AD B2C pages within an iFrame?
        answer: |
          This feature is in public preview. For details, see [Embedded sign-in experience](./embedded-login.md).
          
      - question: |
          Does Azure AD B2C work with CRM systems such as Microsoft Dynamics?
        answer: |
          Integration with Microsoft Dynamics 365 Portal is available. See [Configuring Dynamics 365 Portal to use Azure AD B2C for authentication](/power-apps/maker/portals/configure/azure-ad-b2c).
          
      - question: |
          Does Azure AD B2C work with SharePoint on-premises 2016 or earlier?
        answer: |
          Azure AD B2C isn't meant for the SharePoint external partner-sharing scenario; see [Microsoft Entra B2B](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/learn-all-about-the-azure-ad-b2b-collaboration-preview/ba-p/244082) instead.
          
      - question: |
          Should I use Azure AD B2C or B2B to manage external identities?
        answer: |
          Read [Compare solutions for External Identities](../active-directory/external-identities/external-identities-overview.md) to learn more about applying the appropriate features to your external identity scenarios.
          
      - question: |
          What reporting and auditing features does Azure AD B2C provide? Are they the same as in Microsoft Entra ID P1 or P2?
        answer: |
          No, Azure AD B2C doesn't support the same set of reports as Microsoft Entra ID P1 or P2. However, there are many commonalities:
          
          * **Sign-in reports** provide a record of each sign-in with reduced details.
          * **Audit reports** include both admin activity and application activity.
          * **Usage reports** include the number of users, number of logins, and volume of MFA.

      - question: |
          Why does my Azure AD B2C bill show phone charges named "Microsoft Entra External ID?"
        answer: |
          Following the new [billing model](https://azure.microsoft.com/pricing/details/active-directory-b2c/) for Azure AD External Identities SMS Phone Authentication, you may notice a new name on your bill. Previously, Phone MFA was billed as "Azure Active Directory B2C - Basic 1 Multi-Factor Authentication." Now you’ll see the following names based on your [country or region pricing tier](https://aka.ms/B2CSMSCountries):
          
          * Microsoft Entra External ID - Phone Authentication Low Cost 1 Transaction
          * Microsoft Entra External ID - Phone Authentication Mid Low Cost 1 Transaction
          * Microsoft Entra External ID - Phone Authentication Mid High Cost 1 Transaction
          * Microsoft Entra External ID - Phone Authentication High Cost 1 Transaction
          
          Although the new bill mentions Microsoft Entra External ID, **you’re still billed for Azure AD B2C based on your core MAU count**.
          
      - question: |
          Can end users use a time-based one-time password (TOTP) with an authenticator app to authenticate to my Azure AD B2C app?
        answer: |
          Yes. End users need to download any authenticator app that supports TOTP verification, such as the [Microsoft Authenticator app](https://www.microsoft.com/security/mobile-authenticator-app) (recommended). For details see, [verification methods](multi-factor-authentication.md#verification-methods).
          
      - question: |
          Why are my TOTP authenticator app codes not working?
        answer: |
          If the TOTP authenticator app codes aren't working with your Android or iPhone mobile phone or device, your device's clock time might be incorrect. In your device's settings, select the option to use the network-provided time or to set the time automatically.
          
      - question: |
          How do I know that the Go-Local add-on is available in my country/region? 
        answer: |
          While [creating your Azure AD B2C tenant](tutorial-create-tenant.md), if the Go-Local add-on is available in your country/region, you're asked to enable it if you need it. 
      
      - question: |
          Do I still get 50,000 free MAUs per month on the Go-Local add-on when I enable it?
        answer: |
          No. 50,000 free [MAUs](billing.md#mau-overview) per month doesn't apply when you enable the Go-Local add-on. 
          You'll incur a charge on the Go-Local add-on from the first MAU. However, you'll continue to enjoy free 50,000 MAUs per month on the other features available on your Azure AD B2C [Premium P1 or P2 pricing](https://azure.microsoft.com/pricing/details/active-directory-b2c/).  
      - question: | 
          I have an existing Azure AD B2C tenant in Japan or Australia that doesn't have a Go-Local add-on enabled. How do I activate this add-on? 
        answer: |
          Follow the steps in [Activate Go-Local ad-on](tutorial-create-tenant.md#activate-azure-ad-b2c-go-local-add-on) to activate Azure AD B2C Go-Local add-on.
      - question: |
          Can I localize the UI of pages served by Azure AD B2C? What languages are supported?
        answer: |
          Yes, see [language customization](language-customization.md). We provide translations for 36 languages, and you can override any string to suit your needs.
          
      - question: |
          Can I use my own URLs on my sign-up and sign-in pages that are served by Azure AD B2C? For instance, can I change the URL from contoso.b2clogin.com to login.contoso.com?
        answer: |
          Yes, you can use your own domain. For details, see [Azure AD B2C custom domains](./custom-domain.md?pivots=b2c-user-flow).
          
      - question: |
          How do I delete my Azure AD B2C tenant?
        answer: |
          Follow these steps to delete your Azure AD B2C tenant.
          
          You can use our new unified **App registrations** experience or our legacy  **Applications (Legacy)** experience. [Learn more about the new experience](./app-registrations-training-guide.md).

          #### [App registrations](#tab/app-reg-ga/)
          
          1. Sign in to the [Azure portal](https://portal.azure.com/) as the *Subscription Administrator*. Use the same work or school account or the same Microsoft account that you used to sign up for Azure.
          1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Settings** icon in the portal toolbar.
          1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.
          1. In the left menu, select **Azure AD B2C**. Or, select **All services** and search for and select **Azure AD B2C**.
          1. Delete all **User flows (policies)** in your Azure AD B2C tenant.
          1. Delete all **Identity Providers** in your Azure AD B2C tenant.
          1. Select **App registrations**, then select the **All applications** tab.
          1. Delete all applications that you registered.
          1. Delete the **b2c-extensions-app**.
          1. Under **Manage**, select **Users**.
          1. Select each user in turn (exclude the *Subscription Administrator* user you're currently signed in as). Select **Delete** at the bottom of the page and select **Yes** when prompted.
          1. Select **Microsoft Entra ID** on the left-hand menu.
          1. Under **Manage**, select **Properties**
          1. Under **Access management for Azure resources**, select **Yes**, and then select **Save**.
          1. Sign out of the Azure portal and then sign back in to refresh your access.
          1. Select **Microsoft Entra ID** on the left-hand menu.
          1. On the **Overview** page, select **Delete tenant**. Follow the on-screen instructions to complete the process.
          
          #### [Applications (Legacy)](#tab/applications-legacy/)
          
          1. Sign in to the [Azure portal](https://portal.azure.com/) as the *Subscription Administrator*. Use the same work or school account or the same Microsoft account that you used to sign up for Azure.
          1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Settings** icon in the portal toolbar.
          1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.
          1. In the left menu, select **Azure AD B2C**. Or, select **All services** and search for and select **Azure AD B2C**.
          1. Delete all the **User flows (policies)** in your Azure AD B2C tenant.
          1. Delete all the **Applications (Legacy)** you registered in your Azure AD B2C tenant.
          1. Select **Microsoft Entra ID** on the left-hand menu.
          1. Under **Manage**, select **Users**.
          1. Select each user in turn (exclude the *Subscription Administrator* user you're currently signed in as). Select **Delete** at the bottom of the page and select **YES** when prompted.
          1. Under **Manage**, select **App registrations**.
          1. Select **View all applications**
          1. Select the application named **b2c-extensions-app**, select **Delete**, and then select **Yes** when prompted.
          1. Under **Manage**, select **User settings**.
          1. If present, under **LinkedIn account connections**, select **No**, then select **Save**.
          1. Under **Manage**, select **Properties**
          1. Under **Access management for Azure resources**, select **Yes**, and then select **Save**.
          1. Sign out of the Azure portal and then sign back in to refresh your access.
          1. Select **Microsoft Entra ID** on the left-hand menu.
          1. On the **Overview** page, select **Delete directory**. Follow the on-screen instructions to complete the process.
          
          * * *          
          
      - question: |
          Can I get Azure AD B2C as part of the Enterprise Mobility Suite?
        answer: |
          No, Azure AD B2C is a pay-as-you-go Azure service and isn't part of Enterprise Mobility Suite.
          
      - question: |
          Can I purchase Microsoft Entra ID P1 and Microsoft Entra ID P2 licensing for my Azure AD B2C tenant?
        answer: |
          No, Azure AD B2C tenants don't use Microsoft Entra ID P1 or Microsoft Entra ID P2 licensing. Azure AD B2C uses Premium P1 or P2 licenses, which are no longer available for purchase as of May 1, 2025. They are different from Microsoft Entra ID P1 or P2 licenses for a Standard Microsoft Entra tenant. Azure AD B2C tenants natively support some features that are similar to Microsoft Entra ID P1 or P2 features, as explained in [Supported Microsoft Entra ID features](supported-azure-ad-features.md).
         
      - question: |
          Can I use a group-based assignment for Microsoft Entra Enterprise Applications in my Azure AD B2C tenant?
        answer: |
          No, Azure AD B2C tenants don't support [group-based assignment to Microsoft Entra Enterprise Applications](../active-directory/manage-apps/assign-user-or-group-access-portal.md).
          
      - question: |
          Is Azure AD B2C available in Microsoft Azure Government?
        answer: |
          No, Azure AD B2C is not available in Microsoft Azure Government.

      - question: |
          I am using rolling refresh tokens for my application and I am getting an invalid_grant error on redeeming newly acquired refresh tokens well within their set validity period. Why does this happen? 
        answer: |
          While determining validity for rolling refresh tokens, B2C will consider the initial login time of the user in the application also to calculate the token validity skew. If the user hasn't logged out of the application for a very long time, this skew value will exceed the validity period of the token and hence for security reasons the tokens will be considered as invalid. Hence the error. Inform the user to perform a proper logout and login back into the application and this should reset the skew. This scenario is not applicable if refresh token rolling is set as infinite rolling.
             
          
      - question: |
          I've revoked the refresh token using Microsoft Graph invalidateAllRefreshTokens, or Microsoft Graph PowerShell,  Revoke-MgUserSignInSession. Why is Azure AD B2C still accepting the old refresh token?
        answer: |
          In Azure AD B2C, if the time difference between `refreshTokensValidFromDateTime` and `refreshTokenIssuedTime` is less than or equal to 5 minutes, the refresh token is still considered valid. However, if the `refreshTokenIssuedTime` is greater than the `refreshTokensValidFromDateTime`, then the refresh token is revoked.
          Follow the following steps to check if the refresh token is valid or revoked:
          1. Retrieve the `RefreshToken` and the `AccessToken` by redeeming `authorization_code`.
          1. Wait for 7 minutes.
          1. Use Microsoft Graph PowerShell cmdlet [Revoke-MgUserSignInSession](/powershell/module/microsoft.graph.users.actions/revoke-mgusersigninsession) or Microsoft Graph API [invalidateAllRefreshTokens](/graph/api/user-invalidateallrefreshtokens?tabs=http&view=graph-rest-beta) to run the `RevokeAllRefreshToken` command.
          1. Wait for 10 minutes.
          
          1. Retrieve the `RefreshToken` again.

          > [!TIP]
          > With Azure AD B2C [custom policy](custom-policy-overview.md), you can reduce the above mentioned skew time of 5 minutes (300000 milliseconds)  by adjusting the value for InputParameter "TreatAsEqualIfWithinMillseconds" under claim transformation Id "AssertRefreshTokenIssuedLaterThanValidFromDate". This claim transformation can be found in the TrustFrameworkBase.xml file under latest custom policy [stater-pack](https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#get-the-starter-pack). 
          
      - question: |
         I use multiple tabs in a web browser to sign in to multiple applications that I registered in the same Azure AD B2C tenant. When I try to perform a single sign-out, not all of the applications are signed out. Why does this happen? 
        answer: |
          Currently, Azure AD B2C doesn't support single sign-out for this specific scenario. It's caused by cookie contention as all the applications operate on the same cookie simultaneously.
          
      - question: |
          How do I report a problem with Azure AD B2C?
        answer: |
          See [File support requests for Azure Active Directory B2C](find-help-open-support-ticket.md).

      - question: |
          In Azure AD B2C, I revoke all sessions of a user by using the Azure portals Revoke sessions button, but it doesn't work.
        answer: |
          Currently, Azure AD B2C doesn't support user session revocation from the Azure portal. However, you can achieve this task by using [Microsoft Graph PowerShell](manage-users-portal.md#revoke-a-consumer-users-session) or [Microsoft Graph API](/graph/api/user-revokesigninsessions).
  - name: Azure AD External Identities P2 retirement
    questions:
      - question: |
          What happened to Azure AD External Identities P2 in B2C tenants?
        answer: |
          Azure AD External Identities P2 has been retired in Azure AD B2C tenants. P2-only features are no longer available.
      - question: |
          Does the retirement affect workforce tenants?
        answer: |
          No. ID Protection remains available for business guests in workforce tenants as part of Azure AD External Identities P2. The retirement applies only to B2C tenants.
      - question: |
          What should I do if I was using P2 ID Protection in my B2C tenant?
        answer: |
          To continue protecting against identity-based risks in B2C, consider integrating a [partner identity verification provider](identity-verification-proofing.md). All P2 tenants will be automatically switched to P1 on a rolling basis by the end of March 2026.
      - question: |
          Will I still be billed for P2 after the retirement?
        answer: |
          Your B2C tenant will be automatically switched to P1 by the end of March 2026 and you will be billed at P1 pricing. For guidance on changing your pricing tier, see [Azure AD B2C billing](billing.md).
      - question: |
          Is the P2 retirement related to the Azure AD B2C end of sale?
        answer: |
          These are separate topics. The end of sale means Azure AD B2C is no longer available to new customers as of May 2025. The P2 retirement specifically retires the P2 pricing tier and ID Protection in B2C tenants. Existing B2C customers on P1 can continue using the service.