What I like most is how naturally it fits into the Microsoft ecosystem. Since we were already using M365, a lot of things worked out of the box, which reduced the initial setup effort. Features like Single-Sign-On and conditional access policies have been particularly useful. They allow us to control access based on user roles, devices, or locations without making the user experience overly complicated. It also simplified the onboarding and offboarding processes, which used to be so much more manual.
April 21, 2026
There is no way to delegate admin consent for users to specific groups, so we are forced to keep it as admin consent only. There are no customizable error or access denied pages; generic deny pages are confusing to users, so users are generally allowed into the application at the level providing the correct error. Group membership limitations should be flagged and exposed to users with large groups and what applications they will not be able to access. The users and application admins are unaware of this until after implementation and then a few users hit the error which is an empty claim. Nothing is exposed without a major effort to expose it is group memberships. This leads to this service not having a true Enterprise group management implementation. Sign-In log queries are slow and sometimes unresponsive.
January 5, 2026