Microsoft Entra ID

1) Simplicity is key. It is very easy and fast to add SSO configurations, and it can be done in the UI in seconds. At the same time, there are some more complex things (like the ent. apps policies) that are hidden in the API and can be used in more advanced scenarios if needed. 2) Automation capabilities. Everything you see in the portal can be called through the Graph API. It gives so much power for automation and integration with 3rd party systems (like Service Now or Azure DevOps). So, it is possible to provide most of the functionality as a service for your internal customers through that. 3) Road-map. A lot of new features are planned/coming. Entra is a key Microsoft product and the only Identity Provider vendor they have. So it gives a very good feeling of safety that it will be developed further for many years and it will stay.

Bundled licensing makes it cost effective.

PIM, CA policies tied to Defender for cloud apps, RBAC roles designated for specific resources like Purview (great for being able to still easily block your Global Admins from getting to areas they dont belong).

1) Additional (and sometimes unexpected) costs. Entra IGAs, Verified ID, and some other features require additional licenses in fact on top of the M365 E5 license. This is not expected in a way that you might think that E5 should be enough for everything (as it is a top license). The same is applicable for external identities that require some licenses on top of E5. 2) Confusion and overlapping of some B2B vs B2C functionality. Some features have the same name (e.g. Sign-Up flow) but different meaning and implementation for B2B and B2C. E.g. Something that works for B2C may not work for B2B (and that is expected). It creates confusion and requires effort to do a very good scoping and fully understand what you plan to achieve and by which tools. 3) It would be great to have more customisation options for MFA methods. It is not possible to allow some MFA methods for SSPR (self-service password reset) and not allow it for MFA. It is not possible, for example, to allow phone/SMS for SSPR but block it for MFA (as it is not reliable). This has created issues in some areas where MFA Authenticator app access can be challenging (e.g. for companies who have offices in EU/US and China).

Conditional access policy filters are limited, such as not being able to exclude apps with Graph dependencies. You have to craft your own solution for SSO provisioning more often than alternative solution. Microsoft support is very basic and hard to get intelligent help.

Biggest dislike is the paywall behind the Entra Suite. i get some items costing more, but having to pay for B2B provisioning is annoying in a world where Microsoft touts security first, yet doesnt give a proper guest account lifecycle workflow without paying for those vendor accounts.