
Alternatives

Identity and access management

Authentik, Keycloak, Zitadel, Hanko

Published 2026-05-04 · Last reviewed 2026-05-04

Microsoft Entra ID is the de-facto standard for enterprise identity management in the overwhelming majority of European enterprises in 2026. At its core, Entra ID is a very robust IdM system — authentication (including advanced conditional access, risk-based authentication), SSO for thousands of applications via SAML/OIDC, user lifecycle management, governance (entitlement management, access reviews). Above that core, Microsoft progressively added an MDM layer (through Intune integration), B2B and B2C extensions, and in 2025 advanced AI-driven threat detection.

Key question: Which of this functionality is genuinely unique to Entra ID, and which can be covered by European or open-source alternatives?

Relevant European and open-source alternatives in 2026

  • Authentik (Germany, MIT licence + commercial enterprise extensions) — modern architecture, very good UI, flexible "flow engine" for custom authentication flows, reverse-proxy mode for applications without native SSO support. Suitable for small to mid-size enterprises.
  • Keycloak (Red Hat, CNCF incubation project, Apache 2.0) — a proven enterprise choice, full LDAP and Active Directory support, OAuth 2.0, OIDC, SAML 2.0. Java-based, battle-tested in production. Its deep AD integration keeps it the tool of choice for large enterprise migrations.
  • Zitadel (Switzerland, AGPL 3.0 + commercial licence) — API-first, cloud-native, built on event-sourcing architecture. Strong multi-tenant capabilities (B2B SaaS). Kubernetes-native design.
  • Hanko (Germany, open source) — a more modern approach with passkey-based SSO, positioned against Clerk, Auth0, Stytch.

Functional comparison with Entra ID

| Functional layer | Entra ID | European/open-source alternatives | Gap |
|---|---|---|---|
| Authentication (SAML, OIDC, OAuth 2.0) | Yes | Yes (all) | None |
| Multi-factor authentication (TOTP, WebAuthn, hardware tokens, push) | Yes | Yes (all) | None |
| Single sign-on for thousands of SaaS applications | Curated catalogue of integrations | Typically custom configuration via OIDC/SAML | Integration effort is higher with alternatives |
| Conditional access (context, risk, location) | Very developed | Authentik Flow Engine, Keycloak authentication flows | Alternatives cover the basics; AI-driven detection missing |
| Active Directory integration | Native | Keycloak excellent, Authentik good | None substantial |
| Microsoft 365, SharePoint, Windows integration | Native, deep | Formally via SAML/OIDC, but the integration experience is less smooth | Substantial for organisations deep in the Microsoft ecosystem |
| MDM (endpoint device management) | Yes (via Intune) | Missing as an integrated product | Solution: separate MDM (Kandji for Mac, Headwind MDM for Android) |
| Governance (access reviews, entitlement management) | Developed | Authentik and Keycloak have the basics; scope smaller | Medium |
| AI-driven threat and anomaly detection | Microsoft Entra ID Protection | Zitadel has hints in recent versions; otherwise missing | Medium to substantial for large enterprises |
| Customer Identity and Access Management (B2C) | Entra External ID | Zitadel multi-tenant excellent, Keycloak Organizations, Hanko | Alternatives are high quality |

Where the gap actually sits

The IdM core is fully mature and enterprise-capable in the European and open-source alternatives. The fundamental difference lies in two peripheral layers:

  1. MDM (Mobile/Endpoint Device Management) — Entra ID + Intune is one integrated solution. Without Microsoft, an organisation must compose MDM from multiple components by endpoint platform. This is not impossible (Jamf for Apple, alternatives for Android), but it is operationally more complex.
  2. Depth of integration with the Microsoft ecosystem — an organisation whose end users work in Windows 11 + Microsoft 365 + Teams + SharePoint gets from Entra ID a seamless experience that an alternative IdP will not provide to the same degree. This is not because the alternatives are functionally inferior, but because Microsoft designs its ecosystem so that Entra ID is the path of least resistance.

Practical implication

For an organisation migrating from Microsoft 365 to Nextcloud (see the productivity chapter), an IdM migration is the logical next step: most of the European IdM workload moves naturally, because the reason for deep Microsoft integration also disappears.

For an organisation that remains in the Microsoft ecosystem at the endpoint layer but wants to diversify IdM for other reasons (sovereignty, regulation, cost), migration from Entra ID is possible, but the operational benefit is smaller and the risk of complications higher.

For the operations roadmap, this means that IdM migration should naturally follow office-layer migration, not precede it.
