onPasswordSubmitListener breaks sign-in (AADSTS50000) on CIAM tenant even when user has no migration flag set

Michael E 25 Reputation points
2026-05-21T21:05:38.6666667+00:00

Hey, hoping someone has hit this.

I'm trying to set up JIT password migration on a Microsoft Entra External ID (CIAM) tenant, basically copying users from an old Azure AD B2C tenant and migrating their passwords on first sign-in. I've followed the docs as closely as I can but every sign-in fails with AADSTS50000 the moment I add the password-submit listener, and I'm completely stuck.

The weird thing is that the failure happens even for users that don't have the migration flag set. So it's not "migration doesn't work", it's "sign-in fully stops working for any user on the app". The function endpoint never even gets called.

Setup:

The CIAM tenant is freshly created through the proper Azure portal wizard (Create a resource → Microsoft Entra External ID), with the Azure subscription linked, in the UK region. Tenant type is CIAM, OIDC discovery responds fine. Region NA or EU makes no difference (tried both).

I have a simple web app reg with jwt.ms as a redirect URI and enableIdTokenIssuance: true. It's bound to an externalUsersSelfServiceSignUpEventsFlow user flow. I created a test user via Graph with a passwordProfile set to a known value, no extension flags on the user.

Sign-in works fine with this setup. I get the email page, the password page, the consent screen, then jwt.ms with a valid id_token. So the tenant and the user flow are healthy.

Then I add an onPasswordSubmitListener via Graph. The listener has an onPasswordMigrationCustomExtensionHandler pointing at a customAuthenticationExtension (which points at an anonymous Azure Function endpoint, with a cert uploaded to the extension app reg's keyCredentials with usage Encrypt, and the standard CustomAuthenticationExtension.Receive.Payload Graph permission admin-consented on the extension app's service principal). The migrationPropertyId references a Boolean directory extension property registered on the tenant's b2c-extensions-app.

The moment that listener exists and is scoped to the app, every sign-in fails. Same user, same password, same URL. AADSTS50000, "There was an error issuing a token or an issue with our sign-in service." Roughly 150 to 500ms processing time. The sign-in logs show authenticationMethod "Password in the cloud" and an empty appliedEventListeners array. The Azure Function never receives a POST so it's not a function-side issue.

Crucially: the user I'm testing with does not have the migration flag set. I'd expect the listener to be a no-op for that user and fall through to standard cloud password verification. Instead it seems to kill sign-in for everyone on the app.

If I delete the listener, sign-in immediately works again. Same user, same everything else. Repeated this on two different CIAM tenants with the same result. So I'm pretty sure it's the listener config and not a tenant or app issue.

Things I've already checked:

  • Cert is uploaded with usage Encrypt and is valid. Got synthetic POSTs to the function working (sending a properly encrypted password-submit payload directly to the function endpoint, it decrypts, validates against legacy B2C ROPC, and returns MigratePassword fine).
  • The extension app has CustomAuthenticationExtension.Receive.Payload from Microsoft Graph, admin-consented.
  • The customAuthenticationExtension's resourceId matches an identifierUri on the extension app reg.
  • The directory extension property exists on b2c-extensions-app, dataType Boolean, targetObjects User, and is readable/queryable via Graph.
  • The listener is properly scoped via conditions.applications.includeApplications. Not scoped to all apps.
  • tokenEncryptionKeyId — tried with and without, same result.
  • userType is Member, accountEnabled true, creationType LocalAccount.

I've seen on a couple of older Stack Overflow posts that the password-submit listener pattern was introduced for B2C-to-External-ID migrations specifically and there's a known gotcha where it breaks unmigrated users, but I can't find anything definitive. Has anyone got a working onPasswordSubmitListener config they could share, even a sanitised one? Or know if there's something extra you have to enable on the tenant to make the "fall through to cloud password when toBeMigrated is false" behavior actually work?

Thanks for any pointers.
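One way to turn the checklist above into a repeatable preflight check, as an added example that is not from the original post or from Microsoft: it takes the Graph objects (listener, customAuthenticationExtension, extension app registration, directory extension property) already fetched as dicts and reports which link in the chain is broken. The sample objects are constructed, and the handler field names are assumptions taken from the question text.

```python
from datetime import datetime, timezone

# Constructed samples shaped like the Graph objects the question lists. The handler
# field names (migrationPropertyId, customExtension.id) come from the question text
# and are assumptions about the wire format, not verified against the Graph schema.
APP_ID = "00000000-0000-0000-0000-00000000aaaa"  # placeholder web app appId
LISTENER = {
    "@odata.type": "#microsoft.graph.onPasswordSubmitListener",
    "conditions": {"applications": {"includeApplications": [{"appId": APP_ID}]}},
    "handler": {
        "@odata.type": "#microsoft.graph.onPasswordMigrationCustomExtensionHandler",
        "migrationPropertyId": "extension_0000aaaa_toBeMigrated",
        "customExtension": {"id": "ext-0001"},
    },
}
CUSTOM_EXTENSION = {"id": "ext-0001",
                    "authenticationConfiguration": {"resourceId": "api://migration.example/ext"}}
EXTENSION_APP = {"identifierUris": ["api://migration.example/ext"],  # extension app reg
                 "keyCredentials": [{"usage": "Encrypt", "endDateTime": "2099-01-01T00:00:00Z"}]}
EXTENSION_PROPERTY = {"name": "extension_0000aaaa_toBeMigrated",  # on b2c-extensions-app
                      "dataType": "Boolean", "targetObjects": ["User"]}


def find_wiring_gaps(listener, extension, ext_app, ext_prop, app_id):
    """Return human-readable gaps in the listener wiring; an empty list means all links hold."""
    now, gaps = datetime.now(timezone.utc), []
    scoped = {a.get("appId") for a in listener["conditions"]["applications"]["includeApplications"]}
    if app_id not in scoped:
        gaps.append(f"listener is not scoped to app {app_id}")
    handler = listener["handler"]
    if handler.get("customExtension", {}).get("id") != extension.get("id"):
        gaps.append("handler.customExtension.id does not point at the custom extension")
    resource = extension.get("authenticationConfiguration", {}).get("resourceId")
    if resource not in ext_app.get("identifierUris", []):
        gaps.append(f"resourceId {resource!r} is not an identifierUri of the extension app")
    live = [k for k in ext_app.get("keyCredentials", []) if k.get("usage") == "Encrypt"
            and datetime.fromisoformat(k["endDateTime"].replace("Z", "+00:00")) > now]
    if not live:
        gaps.append("extension app has no unexpired keyCredential with usage Encrypt")
    if handler.get("migrationPropertyId") != ext_prop.get("name"):
        gaps.append("migrationPropertyId does not match the directory extension name")
    if ext_prop.get("dataType") != "Boolean" or "User" not in ext_prop.get("targetObjects", []):
        gaps.append("migration flag property must be Boolean and target User")
    return gaps
```

Fetching the objects from Graph (authenticationEventListeners, customAuthenticationExtensions, applications, and the extensionProperties of b2c-extensions-app) is left to your Graph client; a clean result with sign-in still failing narrows the problem to the service side rather than the wiring.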

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

1 answer

  1. Sina Salam 30,486 Reputation points Volunteer Moderator
    2026-05-28T14:47:20.0166667+00:00

    Hello @Michael E, and @TU2

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    Your issue with AADSTS50000 might be similar to this link: https://learn.microsoft.com/en-us/answers/questions/5900102/onpasswordsubmit-jit-migration-listener-configured. Check my post and steps there for more detailed clarification.

    If it is the same issue (AADSTS1100001 + underlying 1003050), then it is now best classified as beyond documented customer self-remediation and likely requires Microsoft internal support or engineering review. Raise a support ticket via your Portal or use Priority Customer Support (PCS). But if not, kindly let me know your findings.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions, steps or clarifications.


    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.


