1) Simplicity is key. It is very easy and fast to add SSO configurations, and it can be done in the UI in seconds. At the same time, there are some more complex things (like the ent. apps policies) that are hidden in the API and can be used in more advanced scenarios if needed. 2) Automation capabilities. Everything you see in the portal can be "called" through the Graph API. It gives so much power for automation and integration with 3rd party systems (like Service Now or Azure DevOps). So, it is possible to provide most of the functionality as a service for your internal customers through that. 3) Road-map. A lot of new features are planned/coming. Entra is a key Microsoft product and the only Identity Provider vendor they have. So it gives a very good feeling of safety that it will be developed further for many years and it will stay.

1) Additional (and sometimes unexpected) costs. Entra IGAs, Verified ID, and some other features require additional licenses in fact on top of the M365 E5 license. This is not expected in a way that you might think that E5 should be enough for everything (as it is a top license). The same is applicable for external identities that require some licenses on top of E5. 2) Confusion and overlapping of some B2B vs B2C functionality. Some features have the same name (e.g. "Sign-Up flow") but different meaning and implementation for B2B and B2C. E.g. Something that works for B2C may not work for B2B (and that is expected). It creates confusion and requires effort to do a very good scoping and fully understand what you plan to achieve and by which tools. 3) It would be great to have more customisation options for MFA methods. It is not possible to allow some MFA methods for SSPR (self-service password reset) and not allow it for MFA. It is not possible, for example, to allow phone/SMS for SSPR but block it for MFA (as it is not reliable). This has created issues in some areas where MFA Authenticator app access can be challenging (e.g. for companies who have offices in EU/US and China).