Entra ID Governance vs midPoint: A Practical Comparison

Microsoft Entra ID Governance is the default identity governance option for organizations deep in the Microsoft ecosystem. It is cloud-native, tightly integrated with M365 and Azure, and available as an add-on to the Entra ID licenses most enterprises already hold. For pure Microsoft environments, it works.

The question is what happens when your environment is not purely Microsoft.

Most enterprises are not. They run SAP alongside Azure. Oracle databases alongside SharePoint. Custom HR systems alongside Workday. On-premises Active Directory alongside Entra ID. Legacy LDAP directories that predate their cloud migration. And increasingly, Keycloak for application-level authentication and federation that sits outside Microsoft’s reach.

That is where Entra ID Governance’s scope ends and the governance gap begins. This article compares Microsoft Entra ID Governance with Evolveum midPoint – not to declare a winner, but to help you understand which platform governs what, where the gaps are, and how they work together in the hybrid reality most enterprises actually operate in.

What Entra ID Governance does well

Credit where it is due. Entra ID Governance is strong within its domain:

  • Native M365 and Azure governance. Entitlement management for Azure roles, M365 groups, SharePoint permissions, and Teams access – all managed through access packages with approval workflows and expiration policies.
  • Privileged Identity Management (PIM). Just-in-time activation for Azure and Entra roles, integrated with Conditional Access for MFA, compliant device, and location-based policy enforcement. This is best-in-class for Microsoft resources.
  • Access reviews with AI suggestions. Periodic reviews of group memberships and role assignments with machine-learning-powered recommendations to help reviewers make faster decisions.
  • Lifecycle workflows. Automated joiner/mover/leaver processes triggered by HR data from Workday and SuccessFactors, with Logic Apps extensions for custom scenarios.
  • Self-service access request. The My Access portal gives end users a clean experience for requesting access packages.

If your organization runs only Microsoft services and cloud-native SaaS applications with SCIM provisioning support, Entra ID Governance may cover your governance needs. But that describes a shrinking minority of enterprises.

Where the governance gap opens

Entra ID Governance is an extension of Entra ID – a cloud identity service. It was designed to govern objects within the Microsoft ecosystem. The further you move from that center, the thinner the governance coverage becomes.

Non-Microsoft systems

Entra’s connector support relies on SCIM and ECMA 2.0 integrations. Applications that support SCIM provisioning work. The rest – SAP, Oracle databases, legacy LDAP directories, custom internal applications, mainframe systems, on-premises middleware – require custom ECMA connectors or manual integration. Microsoft is currently not accepting new app gallery submissions as part of its Secure Future Initiative, further limiting the connector ecosystem.

In practice, this means identity governance in the Microsoft layer is automated, and identity governance everywhere else is partially manual, partially scripted, or absent entirely.

On-premises infrastructure

Entra ID Governance is a cloud service. It does not run on premises. For on-premises targets, a provisioning agent bridges the gap – but governance features like entitlement management and access reviews do not extend to local systems without workarounds. Rights in the cloud are tightly regulated. Rights on-premises are not transparent.

Hybrid Active Directory

Many organizations run hybrid AD – on-premises Active Directory synchronized to Entra ID. Entra ID Governance can review cloud-synced groups and roles, but it does not provision to Active Directory. It syncs from AD. Governing access in the on-premises directory – where most operational systems still authenticate – requires separate tooling.

Complex policy requirements

Entra ID Governance uses template-based policies extended with Azure Logic Apps for complex scenarios. Organizations with sophisticated business rules – multi-level approvals based on risk classification, attribute-driven role assignment across organizational hierarchies, cross-system segregation of duties policies – hit the ceiling of what template workflows can express. Logic Apps add flexibility but also cost and complexity.

Keycloak and application-level federation

A growing number of enterprises use Keycloak for application-level authentication, SSO federation, and fine-grained authorization – particularly for custom applications, microservices architectures, and environments where vendor-neutral identity infrastructure matters. Keycloak realms, client roles, and group structures represent a significant portion of the access landscape that Entra ID Governance does not see or govern.

This is a critical gap. The identities and roles managed in Keycloak are often the ones controlling access to your most custom, business-critical applications. If your IGA platform cannot reach Keycloak, those roles are ungoverned – no certification, no SoD checks, no automated lifecycle.

Feature comparison

Capability | Entra ID Governance | midPoint
--- | --- | ---
License model | $7/user/month add-on (requires P1 or P2) | Open source (EUPL), no per-user fees. Support subscription recommended for production.
Deployment | Cloud only (Azure) | On-prem, cloud, hybrid, Kubernetes, Docker
Connector framework | SCIM / ECMA 2.0 | ConnId (open source, extensible)
HR source support | Workday, SuccessFactors natively | Any system via ConnId (CSV, DB, REST, SCIM, custom)
Active Directory provisioning | Sync from AD only – no provisioning to AD | Full bidirectional AD connector
SAP integration | Limited | Native SAP connectors
Keycloak integration | None | ConnId connector – govern realms, roles, groups
Policy engine | Templates + Logic Apps extensions | Groovy scripting, deep policy rules, multi-resource orchestration
Role mining | Not available | AI/ML-based role pattern discovery
Organizational modeling | Basic group structure | Deep hierarchical modeling (trees, projects, teams)
Cross-system SoD | Within Entra-managed resources | Across all connected systems
Access certification | Azure roles, groups, access packages | Any managed resource across all connected systems
PIM (just-in-time privileged access) | Best-in-class for Azure/Entra roles | No native PAM – integrates with vault solutions
Data sovereignty | Microsoft data centers | Fully controlled by deploying organization
Multi-tenant | Azure AD tenant model | Native multi-tenancy with dedicated authorizations
AI capabilities | Review suggestions, Agent ID (preview) | MidPilot (onboarding), role mining, outlier detection

The cost reality at enterprise scale

Entra ID Governance licensing scales per user. The math is straightforward but often underestimated.

  • $1.92M – annual IGA licensing cost for 10,000 users (P2 at $9 + Governance add-on at $7 = $16/user/month)
  • $9.6M – annual IGA licensing cost for 50,000 users at the same rate
  • $0 – midPoint software license fees. Open source under EUPL. No per-user pricing, ever.

An important licensing nuance: Entra ID Governance counts users who could use the feature, not users who actually do. If 10,000 employees can request access packages, you need 10,000 licenses even if only 500 actively request.

midPoint has no per-user licensing. The software is fully open source under the European Union Public Licence (EUPL), and every line of code is publicly available. There is no open-core model and no hidden Enterprise Edition.

That said, production deployments typically benefit from an Evolveum support subscription. Certain operational features, including clustering and high availability, email notifications, reports, and the removal of the Evolveum branding footer, require a subscription identifier to activate. The subscription itself is not a software license. It is a support and development funding model: Evolveum provides SLA-backed bug resolution, prioritized fixes, influence on the product roadmap, and connector support. Your subscription directly funds continued midPoint development, maintenance, and the open-source community behind it.

Even with a subscription, the economics are dramatically different from per-user commercial IGA licensing. There is no per-identity cost that scales linearly with your headcount. Whether you govern 5,000 or 500,000 identities, the subscription cost does not multiply with each user. We can help you calculate the exact comparison for your organization. Contact us for a TCO calculation.

How they work together: the coexistence model

This is not a zero-sum comparison. The pragmatic architecture for most enterprises is midPoint alongside Entra ID, not instead of it.

Entra ID remains your cloud directory and authentication layer. It handles SSO, Conditional Access, and MFA. If you use PIM for Azure role governance, keep using it – it is excellent for that purpose.

midPoint sits as the governance layer across your full technology stack:

  • Microsoft ecosystem: midPoint connects to Entra ID/Azure AD via its connector, governing cloud identities alongside everything else
  • Active Directory: Full bidirectional provisioning and governance – something Entra ID Governance itself cannot do
  • Keycloak: Governance of realms, roles, clients, and group memberships – bringing application-level identity under the same certification and SoD framework as everything else
  • SAP, databases, LDAP, custom applications: ConnId connectors cover the systems Entra does not reach
  • HR systems: midPoint pulls from any authoritative source – not limited to Workday and SuccessFactors

The result is a single governance platform that sees your complete identity landscape. Certification campaigns cover every system. SoD policies span every application. The JML (joiner/mover/leaver) process deprovisions access everywhere – not just in the Microsoft layer.

The Keycloak governance story

Keycloak has become the de facto open-source identity and access management platform for custom application authentication. Enterprises use it for SSO federation, fine-grained authorization, multi-tenant application access, and as a CIAM layer. Many organizations that adopted Keycloak for its flexibility now manage hundreds of realms, thousands of client roles, and complex group hierarchies.

The governance gap is real: who reviews Keycloak roles? Who certifies that a developer still needs admin access to a production realm? Who detects conflicting role assignments across Keycloak and Active Directory? Who deprovisions Keycloak access when someone leaves?

midPoint’s ConnId connector framework integrates with Keycloak directly, bringing Keycloak identities, roles, and groups into the same governance model as every other system. This means:

  • Keycloak roles appear in access certification campaigns alongside AD groups and Entra roles
  • SoD policies can prevent toxic combinations across Keycloak and other systems
  • JML automation deprovisions Keycloak access when the authoritative HR source triggers a leaver event
  • Role mining can analyze Keycloak assignments alongside other entitlements to optimize the role model
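The two questions above that any cross-system governance layer has to answer are "who holds a toxic combination across systems?" and "who still holds access after HR says they have left?". The following Python sketch, added here as an illustration and not code from midPoint, Keycloak or Evolveum, shows the minimum such a check needs: entitlements from Keycloak, Active Directory and Entra ID normalized into one model, SoD rules that pair entitlements regardless of which system each lives in, and an orphaned-access check against the authoritative HR source. All users, realms, groups and rule IDs are constructed sample data.

```python
"""Cross-system SoD and leaver checks over aggregated entitlements.

Illustrative example, not midPoint's own engine: entitlements pulled from
several systems are normalized into one model so that a single policy
check can span Keycloak, Active Directory and Entra ID. All sample data
below is constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    """One entitlement in one system (a Keycloak realm role, an AD group, ...)."""
    system: str   # e.g. "keycloak", "ad", "entra"
    name: str     # system-specific identifier, treated as opaque here


@dataclass(frozen=True)
class SodRule:
    """Two entitlements that must never be held by the same person."""
    rule_id: str
    first: Entitlement
    second: Entitlement
    rationale: str


@dataclass(frozen=True)
class Violation:
    user: str
    rule_id: str
    rationale: str


def aggregate_entitlements(assignments):
    """Group (user, entitlement) pairs collected from every system by user."""
    by_user = defaultdict(set)
    for user, entitlement in assignments:
        by_user[user].add(entitlement)
    return {user: frozenset(ents) for user, ents in by_user.items()}


def find_sod_violations(by_user, rules):
    """Flag every user who holds both halves of a rule, whatever systems they live in."""
    found = []
    for user in sorted(by_user):
        held = by_user[user]
        for rule in rules:
            if rule.first in held and rule.second in held:
                found.append(Violation(user, rule.rule_id, rule.rationale))
    return found


def find_orphaned_access(by_user, active_users):
    """Entitlements held by identities the HR source no longer lists as active:
    exactly the access a leaver process should already have removed."""
    orphans = []
    for user in sorted(by_user):
        if user not in active_users:
            for ent in sorted(by_user[user], key=lambda e: (e.system, e.name)):
                orphans.append((user, ent))
    return orphans


# --- constructed sample data (hypothetical users, realm, groups and rules) ---
KC_REALM_ADMIN = Entitlement("keycloak", "payments-prod:realm-admin")
KC_APPROVER = Entitlement("keycloak", "payments-prod:payment-approver")
KC_DEVELOPER = Entitlement("keycloak", "payments-prod:developer")
AD_FINANCE_APPROVERS = Entitlement("ad", "CN=Finance-Approvers,OU=Groups,DC=example,DC=com")
AD_HELPDESK = Entitlement("ad", "CN=Helpdesk,OU=Groups,DC=example,DC=com")
ENTRA_GLOBAL_READER = Entitlement("entra", "Global Reader")

SAMPLE_ASSIGNMENTS = [
    ("alice", KC_REALM_ADMIN),
    ("alice", AD_FINANCE_APPROVERS),
    ("bob", KC_APPROVER),
    ("bob", AD_HELPDESK),
    ("bob", ENTRA_GLOBAL_READER),
    ("carol", KC_DEVELOPER),   # carol has left the company but still has a realm role
]

SAMPLE_RULES = [
    SodRule("SOD-001", KC_REALM_ADMIN, AD_FINANCE_APPROVERS,
            "Administering the payments realm must not be combined with approving payments"),
    SodRule("SOD-002", KC_DEVELOPER, KC_APPROVER,
            "Developing the payments application must not be combined with approving payments"),
]

ACTIVE_HR_USERS = {"alice", "bob"}   # what the authoritative HR source reports as active


def run_sample():
    """Run both checks over the constructed data; returns (violations, orphans)."""
    by_user = aggregate_entitlements(SAMPLE_ASSIGNMENTS)
    return (find_sod_violations(by_user, SAMPLE_RULES),
            find_orphaned_access(by_user, ACTIVE_HR_USERS))


if __name__ == "__main__":
    violations, orphans = run_sample()
    for v in violations:
        print(f"SoD {v.rule_id}: {v.user} - {v.rationale}")
    for user, ent in orphans:
        print(f"orphaned access: {user} still holds {ent.system}:{ent.name}")
```

The point of the normalization step is that SOD-001 pairs a Keycloak realm role with an AD group: a tool that only sees one of those systems can never evaluate that rule, which is the gap the section describes. In a real deployment the assignment list would be fed by connectors rather than constants, and the orphan check would feed a deprovisioning workflow instead of printing.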

At WeKnowIdentity, we have hands-on experience integrating midPoint with Keycloak deployments. Our team understands both platforms deeply – from Keycloak realm architecture and client configuration to midPoint connector development and policy design. If your organization uses Keycloak and needs to bring it under governance, we know how to make that work.

European sovereignty and regulatory compliance

For European organizations subject to NIS2, DORA, or GDPR, the deployment and data sovereignty question matters.

Entra ID Governance runs in Microsoft’s data centers. Your governance data – who has access to what, certification decisions, policy configurations – lives in Microsoft’s infrastructure. You control it through the Azure portal but do not control the infrastructure.

midPoint can be deployed on your own infrastructure – on premises, in your own cloud account, or on European cloud providers. Your governance data stays where you put it. Every line of governance logic is open source and inspectable. midPoint is developed by Evolveum, a European company, licensed under the European Union Public Licence (EUPL), and holds the Cybersecurity Made in Europe certification. It is listed in the European Commission’s Interoperable Europe catalogue and EuroStack.

For organizations where data sovereignty is a regulatory requirement or a strategic priority, this distinction is not academic.

When to choose which

Entra ID Governance is likely sufficient if:

  • Your environment is 90%+ Microsoft (Azure, M365, Entra ID)
  • Your non-Microsoft systems are all SCIM-enabled SaaS applications
  • You have no significant on-premises infrastructure requiring governance
  • Your policy requirements fit within template workflows
  • Data sovereignty in Microsoft data centers is acceptable

midPoint is the stronger choice if:

  • You operate a heterogeneous environment (Microsoft + SAP + Oracle + custom systems + Keycloak + legacy directories)
  • You need governance across on-premises and cloud infrastructure
  • You require deep customization, complex SoD policies, or organizational modeling
  • You need on-premises or sovereign cloud deployment
  • You want to eliminate per-user licensing costs at scale
  • You are subject to DORA, NIS2, or strict GDPR data residency requirements
  • You are migrating from MIM or SAP IDM and need a platform that covers your full stack

Both together is the pragmatic answer if:

  • You have significant Microsoft investment but also non-Microsoft systems that need governance
  • You want to keep Entra ID for authentication and PIM while extending governance to your full landscape
  • You need a single governance view across your entire identity population

Our experience

At WeKnowIdentity, we specialize in midPoint implementation, integration, and migration for enterprises with complex, heterogeneous identity environments. Our team holds four Evolveum midPoint certifications and has delivered 10+ enterprise deployments across Europe.

We have specific experience with:

  • midPoint deployments alongside Entra ID and Active Directory in hybrid environments
  • Keycloak integration and governance – bringing Keycloak realms and roles under midPoint’s certification and policy framework
  • Migrations from Microsoft Identity Manager (MIM) to midPoint
  • Migrations from SAP IDM to midPoint
  • Custom connector development for legacy systems, databases, REST APIs, and proprietary platforms

If you are evaluating whether Entra ID Governance covers your needs, or whether midPoint – alone or alongside Entra – is the right fit for your environment, we can help you assess the governance gaps and plan the architecture.

Assess your governance coverage

Contact us for a governance coverage assessment. We will map your current identity landscape, identify the systems Entra does not reach, evaluate your Keycloak governance posture, and provide a practical recommendation for how midPoint and Entra can work together in your environment.



Ján Minárčiný

Founder & Lead midPoint Consultant | 4x Evolveum Certified

Ján is the founder of WeKnowIdentity, a boutique IAM consulting firm specializing in Evolveum midPoint. He holds four midPoint certifications (Professional, Advanced, Deployment Specialist, Group Synchronization), plus IDPro BoK and GitOps (CGOA) certifications. With 10+ enterprise midPoint deployments across Europe, he writes about IAM strategy, midPoint best practices, and identity governance.
