Skip to content
Visit Kinde’s marketing website Kinde Docs
  • Get started
  • Switch to Kinde

Migrate to Kinde from Azure B2C

Migrate your users from Azure B2C to Kinde. Azure B2C does not export passwords, so the migration approach you choose will determine how users authenticate on first sign-in.

What you need

Link to this section
  • A Kinde account with Admin access
  • Kinde account configured to match your current auth provider — see before you migrate
  • Azure B2C tenant with user export permissions

Key considerations

Link to this section
  • Passwords cannot be exported — Azure B2C does not provide access to hashed passwords. Users will need to reset their password or use a new sign-in method, unless you use drip-feed migration.
  • Local accounts vs. federated identities — users who signed in via social providers (Google, Facebook, etc.) in Azure B2C can be imported by email and prompted to re-link their social login.
  • MS Entra ID connection — if you use Azure AD-based logins, set up the MS Entra ID connection in Kinde before importing users so Kinde can match them to the right connection.

Export users from Azure B2C

Link to this section

Option A: Azure portal

Link to this section
  1. In the Azure portal, go to Azure AD B2C.
  2. Select Users from the left menu.
  3. Select Download users to export a CSV of all users.

The portal export includes basic user properties (email, display name, object ID). It does not include passwords.

Link to this section

Use the Microsoft Graph API to export users programmatically with full control over which attributes are included:

Terminal window
GET https://graph.microsoft.com/v1.0/users?$select=id,displayName,givenName,surname,mail,userPrincipalName,accountEnabled
Authorization: Bearer {access_token}

Paginate using the @odata.nextLink value in the response. Convert the output to a Kinde-compatible CSV.

Column mapping:

Azure B2C fieldKinde column
idid
mail or userPrincipalNameemail
givenNamefirst_name
surnamelast_name
accountEnabledemail_verified (use TRUE/FALSE)

Choose your migration method

Link to this section
Link to this section

Migrate users seamlessly as they log in. A Kinde workflow validates each login against Azure B2C’s ROPC endpoint, creates the user in Kinde on success, and takes over authentication going forward.

Before you start:

  1. Bulk import user email addresses (without passwords) to seed Kinde.
  2. Enable Enumeration protection in Kinde (Settings > Attack protection > Enumeration protection).
  3. Enable the ROPC user flow in your Azure B2C tenant.

The drip-feed migration tutorial includes the Azure B2C-specific workflow code.

Bulk import with API sync (catch new registrations)

Link to this section

Export users and import into Kinde. During the migration window, use the Kinde API to push any new sign-ups from Azure B2C directly to Kinde so no one is missed.

  1. Set up an API integration to push new Azure B2C registrations to Kinde in real time.
  2. Export existing users using the portal or Graph API.
  3. Import into Kinde via bulk import.
  4. Switch to Kinde.
  5. Users will be prompted to set a new password or sign in via passwordless on first sign-in.

See Create users with the API for the Kinde API steps.

Bulk import only

Link to this section

Simplest option. Export users, import into Kinde, switch. No API integration needed.

  1. Export users using the portal or Graph API.
  2. Re-import before cutover to catch any new registrations.
  3. Follow the bulk import guide.
  4. Users set a new password or sign in via passwordless on first sign-in.

Hard cutover (maintenance window)

Link to this section

For the cleanest cutover when a short service interruption is acceptable:

  1. Block new registrations in Azure B2C (not logins — since passwords aren’t migrated, existing logins don’t affect the migration).
  2. Export all users.
  3. Import into Kinde via bulk import.
  4. Switch to Kinde.
  5. Users set a new password or sign in via passwordless on first sign-in.

Next steps

Link to this section
  • If using drip-feed, monitor the workflow logs to confirm users are migrating successfully.
  • Once migration traffic from Azure B2C drops to zero, disable the workflow and decommission your Azure B2C tenant.
  • Notify users of the change before go-live — especially that they will need to verify their email or set a new password on first sign-in.

Get support

Link to this section

If you need help with your migration, contact Kinde support.

Related articles

Useful links

  • Join the community

    Get support from the Kinde team and expert users in the Kinde community

    Join via Slack or Discord

  • Contact support

    Chat to support through the Kinde help widget, or send a question via email

    Send an email