Preparing an Azure AD B2C migration with EntraExporter
Before undertaking a migration from Azure AD B2C to Microsoft Entra External ID (EEID) — or to any other identity provider — it is essential to have a comprehensive inventory of your existing tenant. Without this preliminary mapping, the risk of overlooking critical components (applications, user flows, extension attributes) is high.
This is precisely the role of the EntraExporter PowerShell module: it allows you to export the entire configuration of an Entra ID or Azure AD B2C tenant to structured JSON files, usable as a reference base for managing your migration.
What is EntraExporter?
EntraExporter is an open source PowerShell module that exports the configuration settings of an Entra ID or Azure AD B2C tenant to local .json files. It also supports Entra External ID, making it particularly well-suited for migration scenarios.
Installation and authentication
Install the EntraExporter module
Installation is done from the PowerShell Gallery:
```powershell
Install-Module EntraExporter
```
Required Microsoft Graph permissions
The export requires a set of read permissions on Microsoft Graph. For an Azure AD B2C tenant, the essential scopes are as follows:
```powershell
Connect-MgGraph -TenantId "<your-tenant-id>" `
    -Scopes "Directory.Read.All", `
            "Application.Read.All", `
            "IdentityUserFlow.Read.All"
```
Beware of irrelevant permissions in B2C
The complete list of scopes documented for EntraExporter includes permissions such as EntitlementManagement.Read.All, OnPremDirectorySynchronization.Read.All, Teamwork.Read.All or SharepointTenantSettings.Read.All. These scopes are specific to Entra ID and do not apply to an Azure AD B2C tenant. Limit yourself to strictly necessary permissions.
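A delegated Microsoft Graph session can also carry scopes consented in earlier sessions, so it is worth checking what the session actually holds before running the export. The following is an added example, not part of EntraExporter: the function name `Test-ExportSessionScopes` is hypothetical, the allow-list is the minimal B2C scope set shown above, and the sample scope list is constructed.

```powershell
# Added example: Test-ExportSessionScopes is a hypothetical helper, not an
# EntraExporter or Microsoft Graph cmdlet.
function Test-ExportSessionScopes {
    param(
        # Defaults to the live session; pass -Granted to evaluate a list offline.
        [string[]]$Granted  = (Get-MgContext).Scopes,
        [string[]]$Expected = @('Directory.Read.All', 'Application.Read.All',
                                'IdentityUserFlow.Read.All')
    )
    # Standard OIDC sign-in scopes are not Graph data permissions; ignore them.
    $signIn = 'openid', 'profile', 'email', 'offline_access'
    $data = @($Granted | Where-Object { $_ -notin $signIn } | Sort-Object -Unique)

    foreach ($scope in $data) {
        if ($scope -in $Expected) {
            $status = 'Expected'
        } elseif ($scope -match '\.Read(Basic)?(\.|$)') {
            $status = 'ExtraReadOnly'    # read-only, but not needed for a B2C export
        } else {
            $status = 'NotReadOnly'      # e.g. *.ReadWrite.*: more than an export needs
        }
        [pscustomobject]@{ Scope = $scope; Status = $status }
    }
    # Scopes the export relies on that the session does not hold.
    foreach ($scope in ($Expected | Where-Object { $_ -notin $data })) {
        [pscustomobject]@{ Scope = $scope; Status = 'Missing' }
    }
}

# Constructed sample of granted scopes (not taken from a real session).
$sampleScopes = 'openid', 'profile', 'Directory.Read.All', 'Application.Read.All',
                'Teamwork.Read.All', 'User.ReadWrite.All'
Test-ExportSessionScopes -Granted $sampleScopes | Format-Table -AutoSize
```

Called without `-Granted` after `Connect-MgGraph`, the function evaluates the scopes of the current session.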
For complete authentication covering all B2C object types, here is the exhaustive list of supported scopes:
```powershell
Connect-AzAccount
Connect-MgGraph -Scopes 'Directory.Read.All', `
    'Policy.Read.All', `
    'IdentityProvider.Read.All', `
    'Organization.Read.All', `
    'User.Read.All', `
    'IdentityUserFlow.Read.All', `
    'APIConnectors.Read.All', `
    'Application.Read.All', `
    'RoleManagement.Read.All', `
    'AuditLog.Read.All'
```
Export B2C configuration
Authentication to B2C tenant
Connect to the target Azure AD B2C tenant by specifying its identifier:
```powershell
Connect-MgGraph -TenantId "<your-tenant-id>" `
    -Scopes "Directory.Read.All","Application.Read.All","IdentityUserFlow.Read.All"
```
Launch targeted export
For an initial inventory focused on migration, target the most critical object types:
```powershell
Export-Entra -Path 'C:\Exports\B2C-Backup' -Type B2C,Users,Applications
```
Execution produces output similar to the following:
```text
➡️ identity/userFlows
➡️ identity/b2cUserFlows
➡️ identity/userFlowAttributes
➡️ applications
➡️ users
Processing batch of 3 request(s):
 → applications/
 → identity/b2cUserFlows
 → identity/userFlows
Processing batch of 2 request(s):
 → identity/userFlowAttributes
 → users/?$count=true&$expand=extensions
```
Complete tenant export
To obtain an exhaustive snapshot of all tenant objects:
```powershell
Export-Entra -Path 'C:\Exports\B2C-Backup' -All
```
Structure of exported files
The export generates a directory tree organized by object type. Here are the main directories produced and their contents.
Applications
Each application registered in the tenant has its own subdirectory. The associated JSON file contains all the application's metadata:
```json
{
  "id": "0e...cd",
  "appId": "09...93",
  "displayName": "My MVC Application",
  "createdDateTime": "2021-09-05T22:13:23Z",
  "identifierUris": [],
  "isFallbackPublicClient": null,
  "nativeAuthenticationApisEnabled": null
}
```
User flows and B2C attributes
The identity directory contains user flows (b2cUserFlows), built-in attributes and custom extension attributes.
Example of a built-in attribute:
```json
{
  "id": "city",
  "displayName": "City",
  "description": "The city in which the user is located.",
  "userFlowAttributeType": "builtIn",
  "dataType": "string",
  "supportedTenantTypes": "b2c"
}
```
Example of a custom extension attribute:
```json
{
  "id": "extension_51...4e_CaptchaUserResponseToken",
  "displayName": "CaptchaUserResponseToken",
  "description": "For use with captcha.",
  "userFlowAttributeType": "custom",
  "dataType": "string",
  "supportedTenantTypes": "b2c"
}
```
Users
Each user account is exported in an individual subdirectory with its complete attributes:
```json
{
  "id": "00...2a",
  "accountEnabled": true,
  "createdDateTime": "2023-06-05T20:56:29Z",
  "creationType": "LocalAccount",
  "displayName": "First Name Last Name"
}
```
Exportable object types
The -Type parameter accepts the following values. Note that some categories are exclusively relevant for Entra ID and not for B2C.
| Type | Relevant for B2C | Description |
|---|---|---|
| B2C | ✅ Yes | User flows, attributes, B2C policies |
| Applications | ✅ Yes | Registered applications |
| Users | ✅ Yes | Local user accounts |
| Identity | ✅ Yes | Identity providers |
| Policies | ✅ Yes | Conditional access policies and others |
| Domains | ✅ Yes | Custom domains |
| PIM | ❌ No | Privileged Identity Management (Entra ID only) |
| EntitlementManagement | ❌ No | Entitlement Management (Entra ID only) |
| Teams | ❌ No | Microsoft Teams (Entra ID only) |
| Sharepoint | ❌ No | SharePoint (Entra ID only) |
Using the export as a migration tracking tool
The JSON files produced by EntraExporter constitute a solid base for building a migration dashboard. Here are the recommended uses:
- Initial inventory: identify all objects to migrate (applications, flows, attributes, users)
- Tracking matrix: export data to a spreadsheet to create a migration checklist by component
- Post-migration validation: rerun the export on the target Entra External ID tenant and compare the two exports to identify gaps
- Detection of custom extension attributes: these attributes are often forgotten during migrations and require manual recreation
Tip: source / target comparison
EntraExporter natively supports Entra External ID. Run the same export on your EEID tenant after migration and compare the JSON trees with a diff tool (e.g., git diff or a dedicated tool like Beyond Compare). You will get a precise view of missing or misconfigured objects.
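Object ids, appIds and the app id embedded in custom extension attribute ids differ between tenants, so a comparison is more useful when it matches objects on tenant-independent keys. The following added example (not EntraExporter code) covers both the custom-attribute detection and the source/target comparison described above. The function names are hypothetical, objects are classified by their JSON fields rather than by an assumed directory layout, and the sample trees are constructed.

```powershell
# Added example: hypothetical helpers, not part of EntraExporter.
function Get-ExportInventory {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Filter *.json -Recurse -File | ForEach-Object {
        try { $json = Get-Content -LiteralPath $_.FullName -Raw | ConvertFrom-Json }
        catch { Write-Warning "Skipping unparsable file: $($_.FullName)"; return }
        foreach ($item in @($json)) {
            if ($item.userFlowAttributeType -eq 'custom') {
                # Ids look like extension_<32-hex app id>_<Name>; the app id
                # differs per tenant, so strip it before comparing.
                $name = $item.id -replace '^extension_[0-9a-fA-F]{32}_', ''
                "CustomAttribute|$name|$($item.dataType)"
            }
            elseif ($item.appId -and $item.PSObject.Properties['identifierUris']) {
                # Application objects: compare by display name, not by id.
                "Application|$($item.displayName)"
            }
        }
    }
}

function Compare-TenantExport {
    param([Parameter(Mandatory)][string]$SourcePath,
          [Parameter(Mandatory)][string]$TargetPath)
    $src = @(Get-ExportInventory -Path $SourcePath | Sort-Object -Unique)
    $dst = @(Get-ExportInventory -Path $TargetPath | Sort-Object -Unique)
    # -notin also works when one side is empty (e.g. nothing migrated yet).
    $src | Where-Object { $_ -notin $dst } |
        ForEach-Object { [pscustomobject]@{ Status = 'MissingInTarget'; Item = $_ } }
    $dst | Where-Object { $_ -notin $src } |
        ForEach-Object { [pscustomobject]@{ Status = 'OnlyInTarget'; Item = $_ } }
}

# Constructed sample trees (not from a real tenant) so the comparison runs offline.
$root = Join-Path ([IO.Path]::GetTempPath()) 'export-diff-demo'
$sample = @{
    'src/identity/attr.json'    = '{"id":"extension_0123456789abcdef0123456789abcdef_LoyaltyId","userFlowAttributeType":"custom","dataType":"string"}'
    'src/applications/app.json' = '{"appId":"constructed-app-1","displayName":"My MVC Application","identifierUris":[]}'
    'dst/applications/app.json' = '{"appId":"constructed-app-2","displayName":"My MVC Application","identifierUris":[]}'
}
foreach ($entry in $sample.GetEnumerator()) {
    $file = Join-Path $root $entry.Key
    New-Item -ItemType Directory -Path (Split-Path $file) -Force | Out-Null
    Set-Content -LiteralPath $file -Value $entry.Value
}
Compare-TenantExport -SourcePath (Join-Path $root 'src') -TargetPath (Join-Path $root 'dst')
```

Matching applications by display name assumes names are unique within each tenant; duplicates collapse into one entry.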
Important: Custom Policies (IEF) are not exported
If your Azure AD B2C tenant uses Identity Experience Framework (IEF) Custom Policies, these are not exported by EntraExporter. Make sure to version your custom policy XML files separately in a Git repository before any migration.
Conclusion
EntraExporter is a valuable tool for any IT team engaged in an Azure AD B2C migration. It provides complete visibility of the existing configuration and serves as a repository for validating migration integrity. Combined with a methodical component-by-component tracking approach, it significantly reduces the risk of omissions when moving to Entra External ID.
To go further, also explore Microsoft's native migration tools dedicated to the B2C to EEID transition, as well as the external identity management capabilities available in the Entra portal.



