Using a primary IdP other than Entra ID
Posted by BWMerlin@reddit | sysadmin | View on Reddit | 11 comments
I have started a new job at a small health care company because they hate their MSP and want to bring everything in house. Most of the users, who are on the road seeing to our clients, are only licensed under Microsoft 365 Business Basic so they can get email, while the few office staff are on Microsoft 365 Business Standard.
We hardly use any of the Microsoft suite of products in total, so I am weighing up whether we should move further into the Microsoft stack or keep the light footprint we currently have and look at alternatives. We are experiencing growth and plan to outgrow the 300 user limit of Microsoft 365 Business (I read the Microsoft FAQ and it seems that this is a soft cap so long as you don't exceed more than 300 users on any one business plan).
I am tossing up, around our IdP, whether I should just stick with Entra ID or look at alternatives like Okta and have the external IdP feed into the Entra ID Free tier for user provisioning and Office and Windows authentication.
One of the ideas that I have tossed to leadership was that we move away from Microsoft 365 Business Basic for the bulk of our users and look for an external mail host and integrate that with our IdP for provisioning and SSO for those that just need email.
For those that use an IdP other than Entra ID, when and why did it make sense for you? Does this quite probably hare-brained idea to use something other than Entra ID make sense for an organisation of our size? Should I just not worry so much and drink the Microsoft Kool-Aid?
AppIdentityGuy@reddit
I would absolutely go MS Business Premium. Don't split your IdP, and being in Healthcare you have a dump truck load of regulations and laws that you need to align to that are going to be tricky without the right licensing...
BWMerlin@reddit (OP)
Why Business Premium? When I look here the only major difference I can see is the inclusion of Intune and Defender.
This is something that I am going to have to research. I am hoping (I am doubtful) that the MSP has been keeping them in compliance.
AppIdentityGuy@reddit
You mentioned that you have split the management of devices between 2 different systems. Never an optimal idea. Would you be able to retain N-Able access after the divorce from the MSP? Intune gives you all your device management in one console. MS Defender for Endpoint, not the same as Windows Defender, is one of the best XDR products on the market. Business Premium is worth it just for that IMHO.
BWMerlin@reddit (OP)
I have inherited the split, I am looking at combining under the same MDM whether that be Intune, Workspace ONE or Hexnode.
The MSP is being very difficult and we don't want to keep them around (and they us) for any longer than necessary, so keeping N-Able won't be possible unless we buy it, but as I said above I am looking at an MDM to bring everything together.
We currently have SentinelOne and Huntress so looking at options around keeping that or going Defender or other as well.
hybrid0404@reddit
M365 Business licensing and whatnot is just a pricing tier cap; when you exceed 300, you just have to go up to their enterprise licensing. They give small businesses a bit of a break. I think you need to take a step back and decide what functionality you need first. Try to create profiles of the features your various worker types need and then try to match those first. Then go to the various solutions and functions.
I suggest you go here and compare the different plans - https://m365maps.com/matrix.htm
Entra ID is a perfectly capable IdP into the tens of thousands of users. Are you only using this IdP for SSO? In that case, why would you pay for Okta to feed into the free tier of Entra? If you're going to pay for Okta, you could look at the paid-for features you get in Entra and not have another solution to manage. You're still using the underlying Entra directory, I would assume, for many things. Do you have other entitlements you need to manage as well?
I've worked for a large organization that used Okta. It was chosen because we felt we needed a "universal directory" that spanned across multiple business units and acquisitions. We needed an identity layer above Entra. I didn't work with it extensively, but I question some of the value it provides in our specific use case.
Finding efficiencies in Microsoft licensing, or any licensing for that matter, isn't a new thing. This whole "move some folks to a different email system entirely and then have others in M365" sounds like a nightmare. Now you've got two management areas. What happens when someone moves into a different role? Now they need to change email systems. Are you going to split up your business email domain across two platforms or run two domain names for email?
BWMerlin@reddit (OP)
Solid advice. Being so new in the role I am still trying to understand the business. From what I can gather most of our staff really only require email. I have recently discovered Microsoft 365 Exchange P1, which looks to be a perfect fit for most of our staff, while for the rest of the staff I believe Microsoft/Windows 365 E3 (no Teams) would be the best fit.
Thanks for that link, makes it really easy to see what is going on.
The MSP is being a bit difficult to work with, so I am not fully aware of the entire product stack, but from what I can see all users have access to Office either via Business Basic or Business Standard and that is pretty much it.
The idea (not sure if it is even possible) would be to have all email handled by an alternative system and use an IdP to allow provisioning and SSO to that other system, so the end user wouldn't know that it wasn't Exchange. They would still get their email through their default mail client (for those that needed email only), while others would still be able to use Outlook, but it wouldn't be connected to Exchange.
I have found Microsoft 365 Exchange P1 which is honestly looking perfect for most of our users while the rest will either stay Business Standard or move to an E series license.
mixduptransistor@reddit
If you're really that small, I would suggest sticking with Microsoft. First, every vendor, regulatory agency, consultant, or customer (if they're companies) is overwhelmingly going to be on Microsoft in your industry. Switching to something else for email is just going to be a hassle from a learning curve and compatibility standpoint.
Most of your meetings will be Teams meetings, most of your interactions and meetings will be with other people who are using Outlook, etc.
I'm curious why you would drop a free tier of Entra ID to pay for Okta, for a small org. Are there some features you'd get with Okta that Entra ID doesn't give you?
Also curious what alternate email provider you'd go with
At the end of the day, "it's not Microsoft" is a very dumb reason to move away from them, especially at a small scale. If there are other things, and you kind of don't like Microsoft, maybe that is a tie breaker, but if literally the only reason you're going into a decision to spend more money is "I don't like Microsoft", step back for a second and really think about it.
BWMerlin@reddit (OP)
Microsoft really are the default choice (for better and worse) and it is super easy to stay within the ecosystem and just keep adding on products and options.
Agreed, the only reason I was considering it was a flight of fancy until the Corporate Services Manager saw the price of E series licensing and started to take the idea seriously (that is when alarm bells went off in my head).
Teams is barely used at all; we don't have a single team set up and it is only used by a small handful of office staff, with most staff preferring email, text or to call rather than Teams.
As I said above, a flight of fancy: as we have such a small Microsoft footprint I was thinking/wondering if it might be possible to not get drawn into the tar pit that can be Microsoft and their countless options, products and solutions. It only gained a little traction when the Corporate Services Manager baulked at the cost of moving from Microsoft 365 Business Basic/Standard to E or F series licenses.
Ideally someone who could integrate with an IdP for user provisioning and SSO, so while on the backend it wouldn't be Exchange, to the user they would still use their same corporate credentials to access mail. I have since discovered Microsoft 365 Exchange P1 licensing which honestly seems perfect; it gives users access to email and nothing else.
As the only IT person here it is helpful to have places like Reddit to act as a sounding board for ideas.
tankerkiller125real@reddit
In my experience the only reason a company uses Okta is because one of the big wigs is getting a kickback after going golfing with an Okta rep.
nerfblasters@reddit
Business Basic/Standard don't include Entra P1, so that means no conditional access, no MS Graph API access for logging, etc.
Also no Intune, so how are devices being managed?
You said healthcare, so I would assume that means PHI/PII and HIPAA compliance concerns - how are those being managed now?
I can't imagine meeting any real compliance requirements via 365 without at least business premium, or more likely E5.
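The point above about Basic/Standard lacking Entra P1 is worth verifying against the tenant rather than the invoice, because an MSP may have bolted on add-on SKUs that the billing summary hides. The script below is an added example, not code from anyone in this thread; it parses the JSON shape returned by Microsoft Graph's `GET https://graph.microsoft.com/v1.0/subscribedSkus` (the `skuPartNumber`, `servicePlans`, `servicePlanName`, `provisioningStatus`, `consumedUnits` and `prepaidUnits` fields) and reports, per SKU, whether the Entra ID P1 service plan (`AAD_PREMIUM`, which carries conditional access) and the Intune plan (`INTUNE_A`) are provisioned. The embedded payload is constructed for illustration and is not real tenant data; the SKU part numbers in it are the ones Microsoft uses for Business Premium and Business Basic, but treat any mapping beyond those two as something to confirm in the Graph output itself.

```python
"""Report which subscribed SKUs actually carry Entra ID P1 and Intune.

Added example. It consumes the JSON returned by
GET https://graph.microsoft.com/v1.0/subscribedSkus; save that response to a
file and pass the text to summarise_skus(). The sample payload below is
constructed for illustration only.
"""
import json

# Service plan names as they appear in Graph subscribedSkus output.
ENTRA_P1_PLAN = "AAD_PREMIUM"  # Entra ID P1: conditional access, sign-in logs via Graph
INTUNE_PLAN = "INTUNE_A"       # Intune device management

# Constructed sample: a small Business Premium pool and a large Business Basic pool.
SAMPLE_SUBSCRIBED_SKUS = json.dumps({
    "value": [
        {
            "skuPartNumber": "SPB",  # Microsoft 365 Business Premium
            "consumedUnits": 12,
            "prepaidUnits": {"enabled": 15},
            "servicePlans": [
                {"servicePlanName": "AAD_PREMIUM", "provisioningStatus": "Success"},
                {"servicePlanName": "INTUNE_A", "provisioningStatus": "Success"},
                {"servicePlanName": "EXCHANGE_S_STANDARD", "provisioningStatus": "Success"},
            ],
        },
        {
            "skuPartNumber": "O365_BUSINESS_ESSENTIALS",  # Microsoft 365 Business Basic
            "consumedUnits": 180,
            "prepaidUnits": {"enabled": 200},
            "servicePlans": [
                {"servicePlanName": "EXCHANGE_S_STANDARD", "provisioningStatus": "Success"},
            ],
        },
    ]
})


def summarise_skus(payload: str) -> dict:
    """Map each skuPartNumber to seat counts and the capabilities it provisions.

    Only service plans whose provisioningStatus is "Success" count; a plan that
    is present but disabled does not give you conditional access.
    """
    data = json.loads(payload)
    summary = {}
    for sku in data.get("value", []):
        live_plans = {
            plan["servicePlanName"]
            for plan in sku.get("servicePlans", [])
            if plan.get("provisioningStatus") == "Success"
        }
        summary[sku["skuPartNumber"]] = {
            "assigned": sku.get("consumedUnits", 0),
            "purchased": sku.get("prepaidUnits", {}).get("enabled", 0),
            "entra_p1": ENTRA_P1_PLAN in live_plans,
            "intune": INTUNE_PLAN in live_plans,
        }
    return summary


def seats_without_conditional_access(summary: dict) -> int:
    """Seats assigned from SKUs that do not provision Entra ID P1.

    This is an upper bound: a user holding both a Basic seat and a separate
    Entra P1 add-on is counted here once per SKU, so cross-check against
    per-user licence assignments before acting on the number.
    """
    return sum(s["assigned"] for s in summary.values() if not s["entra_p1"])


if __name__ == "__main__":
    report = summarise_skus(SAMPLE_SUBSCRIBED_SKUS)
    for sku, info in report.items():
        print(f"{sku}: {info['assigned']}/{info['purchased']} seats, "
              f"Entra P1={info['entra_p1']}, Intune={info['intune']}")
    print("seats with no conditional access coverage:",
          seats_without_conditional_access(report))
```

The useful output is not the per-SKU flags but the last line: the number of assigned seats that have no path to conditional access or Intune at all, which is the population that a licensing change (or a standalone Entra P1 add-on) has to cover before any compliance story can start.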
BWMerlin@reddit (OP)
Android tablets are in Hexnode while Windows devices are managed by the MSP N-Able suite of applications.
We are not in the US so no HIPAA, but I am very sure that there are similar local laws which I will need to dig into. I have only just started, so I hope (but I am doubtful) that the MSP was keeping them compliant.
I will look to see what we need around compliance.