Using a primary IdP other than Entra ID
Posted by BWMerlin@reddit | sysadmin | 5 comments
I have started a new job at a small health care company because they hate their MSP and want to bring everything in house. Most of the users are on the road seeing to our clients and are only licensed under Microsoft 365 Business Basic so they can get email, while the few office staff are on Microsoft 365 Business Standard.
We hardly use any of the Microsoft suite of products in total, so I am considering whether we should move more into the Microsoft stack or keep the light footprint we currently have and look at alternatives. We are experiencing growth and plan to outgrow the 300 user limit of Microsoft 365 Business (I read the Microsoft FAQ and it seems that this is a soft cap so long as you don't exceed more than 300 users on any one business plan).
I am tossing up around our IdP whether I should just stick with Entra ID or look at alternatives like Okta and have the external IdP feed into the Entra ID Free tier for user provisioning and Office and Windows authentication.
One of the ideas that I have tossed to leadership was that we move away from Microsoft 365 Business Basic for the bulk of our users and look for an external mail host and integrate that with our IdP for provisioning and SSO for those that just need email.
For those that use an IdP other than Entra ID, when and why did it make sense for you? Does this quite probably hare-brained idea to use something other than Entra ID make sense for an organisation of our size? Should I just not worry so much and drink the Microsoft Kool-Aid?
mixduptransistor@reddit
If you're really that small, I would suggest sticking with Microsoft. First, every vendor, regulatory agency, consultant, or customer (if they're companies) are all going to be Microsoft overwhelmingly in your industry. Switching to something else for email is just going to be a hassle from a learning curve and compatibility standpoint.
Most of your meetings will be Teams meetings, most of your interactions and meetings will be with other people who are using Outlook, etc.
I'm curious why you would drop a free tier of Entra ID to pay for Okta, for a small org. Are there some features you'd get with Okta that Entra ID doesn't give you?
Also curious what alternate email provider you'd go with.
At the end of the day "it's not Microsoft" is a very dumb reason to move away from them, especially at a small scale. If there are other things, and you kind of don't like Microsoft, maybe that is a tie breaker, but if literally the only reason you're going into a decision to spend more money is "I don't like Microsoft", step back for a second and really think about it.
tankerkiller125real@reddit
In my experience the only reason a company uses Okta is because one of the big wigs is getting a kickback after going golfing with an Okta rep.
AppIdentityGuy@reddit
I would absolutely go MS Business Premium. Don't split your IdP, and being in healthcare you have a dump-truck load of regulations and laws that you need to align to, which is going to be tricky without the right licensing...
nerfblasters@reddit
Business Basic/Standard don't include Entra P1, so that means no conditional access, no MS Graph API access for logging, etc.
Also no Intune, so how are devices being managed?
You said healthcare, so I would assume that means PHI/PII and HIPAA compliance concerns. How are those being managed now?
I can't imagine meeting any real compliance requirements via 365 without at least Business Premium, or more likely E5.
hybrid0404@reddit
M365 Business licensing and whatnot is just a pricing tier cap; when you exceed 300, you just have to go up to their enterprise licensing. They give small businesses a bit of a break. I think you need to take a step back and decide what functionality you need first. Try to create profiles of the features your various worker types need and then try to match those first. Then go to the various solutions and functions.
I suggest you go here and compare the different plans - https://m365maps.com/matrix.htm
Entra ID is a perfectly capable IdP into the tens of thousands of users. Are you only using this IdP for SSO? In that case, why would you pay for Okta to feed into the free tier of Entra? If you're going to pay for Okta, you could look at the paid-for features you get in Entra and not have another solution to manage. You're still using the underlying Entra directory, I would assume, for many things. Do you have other entitlements you need to manage as well?
I've worked for a large organization that used Okta. It was chosen because we felt we needed a "universal directory" that spanned across multiple business units and acquisitions. We needed an identity layer above Entra. I didn't work with it extensively, but I question some of the value it provides in our specific use case.
Finding efficiencies in Microsoft licensing, or any licensing for that matter, isn't a new thing. This whole "move some folks to a different email system entirely and then have others in M365" idea sounds like a nightmare. Now you've got two management areas. What happens when someone moves into a different role? Now they need to change email systems. Are you going to split up your business email domain across two platforms or run two domain names for email?