
Posted by User Bot


25 Apr, 2025

Updated at 20 May, 2025

How to Prevent Sign-Up & Secure Password Reset for Migrated Users in Azure AD B2C (Custom Policy)

I'm working on a user migration from a legacy system to Azure AD B2C using custom policies and Just-In-Time (JIT) migration.

Problem:

We have pre-migrated users into Azure AD B2C with random passwords.
When a user signs up, I want to prevent sign-up if they already exist in the legacy system.

To do this, I created:

  • A custom API (LocalAccountSignUp) that checks if the signInName exists in the legacy Postgres DB.

  • If found, it returns a custom claim userExistsLegacy = true.

  • I added this API as a validation technical profile inside localaccountsignupwithlogonemail.

Issue:
When I insert my validation step, the default email verification (OTP) UI disappears from the sign-up screen.
It seems the page breaks if I modify localaccountsignupwithlogonemail this way.


Question:

Is there a correct way to block sign-up for pre-migrated users without breaking the OTP email verification experience during sign-up?

I would appreciate any example or best practice on how to structure this properly!

Cross-posted on Microsoft Q&A: https://learn.microsoft.com/en-us/answers/questions/2260998/azure-ad-b2c-user-migration-how-to-block-legacy-us
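One way to implement the blocking check described in the question is to let the REST API itself refuse the sign-up using the error contract that Azure AD B2C's RestfulProvider understands: an HTTP 200 response merges the returned claims (here `userExistsLegacy`) into the journey, while an HTTP 409 response whose body carries `version`, `status` and `userMessage` makes B2C stop the validation step and show `userMessage` on the sign-up page. The following is an added example, not the asker's code or anything from Microsoft's starter pack; the table name `legacy_users`, the in-memory SQLite stand-in for the legacy Postgres database, and the `signInName` claim name sent in the request body are assumptions. The endpoint is wired in as a validation technical profile (a `Web.TPEngine.Providers.RestfulProvider` profile with `SendClaimsIn` set to `Body`) that the extension policy lists before the directory write profile; in the starter pack the OTP step is driven by the `email` output claim with `PartnerClaimType="Verified.Email"`, so the override of `LocalAccountSignUpWithLogonEmail` should add only the `ValidationTechnicalProfile` reference and leave that output claim in place. In production the endpoint must authenticate B2C (basic, bearer or client certificate, set via `AuthenticationType`); this example leaves it open only to stay self-contained.

```python
import json
import sqlite3
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the legacy Postgres table (hypothetical schema:
# one row per legacy account, keyed by lower-cased e-mail address).
LEGACY_DB = sqlite3.connect(":memory:", check_same_thread=False)
LEGACY_DB.execute("CREATE TABLE legacy_users (email TEXT PRIMARY KEY)")
LEGACY_DB.executemany(
    "INSERT INTO legacy_users VALUES (?)",
    [("alice@example.com",), ("bob@example.com",)],
)


def legacy_user_exists(sign_in_name: str) -> bool:
    """Parameterised lookup; normalises case so 'Alice@Example.com' matches."""
    row = LEGACY_DB.execute(
        "SELECT 1 FROM legacy_users WHERE email = ?",
        (sign_in_name.strip().lower(),),
    ).fetchone()
    return row is not None


def validate_signup(payload: dict) -> tuple[int, dict]:
    """Return (HTTP status, JSON body) in the shape B2C's RestfulProvider expects.

    200  -> body keys are merged into the user journey as output claims.
    409  -> B2C aborts the validation technical profile and displays userMessage,
            which is what blocks the sign-up for a pre-migrated user.
    400  -> malformed request; B2C surfaces this as a generic error.
    """
    sign_in_name = payload.get("signInName")
    if not isinstance(sign_in_name, str) or not sign_in_name.strip():
        return 400, {"version": "1.0.0", "status": 400,
                     "userMessage": "signInName is required."}
    if legacy_user_exists(sign_in_name):
        return 409, {
            "version": "1.0.0",
            "status": 409,
            "userMessage": ("An account already exists for this email. "
                            "Please sign in, or use 'Forgot your password?'."),
        }
    # Not a legacy user: let the journey continue and record the claim.
    return 200, {"userExistsLegacy": False}


class Handler(BaseHTTPRequestHandler):
    """Minimal HTTP front end so the same logic can be called by B2C."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        raw = self.rfile.read(length) if length else b"{}"
        try:
            payload = json.loads(raw)
        except json.JSONDecodeError:
            payload = {}
        if not isinstance(payload, dict):
            payload = {}
        status, body = validate_signup(payload)
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Local test only; behind B2C this must sit on HTTPS with authentication.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

With the service running, `curl -X POST -H 'Content-Type: application/json' -d '{"signInName":"alice@example.com"}' http://127.0.0.1:8080/` returns the 409 body and B2C would render its `userMessage` on the page, while an unknown address returns `{"userExistsLegacy": false}` and the journey proceeds to the existing email verification and directory write steps.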