
Microsoft Entra ID Alongside Authentik: When the Dual Strategy Pays Off for German SMBs in 2026

May 15, 2026
Timo Wevelsiep
authhost


Authentik vs. Microsoft Entra ID 2026: pricing, the CLOUD Act, NIS2 — and when coexistence rather than replacement is the right strategy for SMBs.


Content notice: The information in this article was compiled to the best of our knowledge at the time of publication. Technical details, pricing, versions, licensing models and external content are subject to change. Please verify the information independently, especially before making business-critical or security-relevant decisions. This article does not constitute individual professional, legal or tax advice.


TL;DR – The Key Points in 60 Seconds

  • Entra ID is omnipresent in SMBs — but rarely a deliberate choice. It comes with Microsoft 365. That makes it hard to replace, but easy to complement.
  • The sovereignty question has sharpened: in 2025 Microsoft confirmed before the French Senate that the US CLOUD Act can override EU data residency [5].
  • The licensing matrix is getting more expensive and more complex: P1, P2, Entra Suite, governance as an add-on, Workload ID Premium — plus the Microsoft 365 price increase in July 2026 [1][10].
  • Authentik is open source (MIT license), covers all relevant protocols, and runs as a managed service on German infrastructure — from €34.90/month, unlimited users.
  • The honest recommendation is usually coexistence: Entra ID stays for the Microsoft 365 stack, Authentik takes on everything outside it — Linux servers, custom apps, RADIUS, legacy LDAP.

The Starting Point in 2026: Why Identity Becomes a Boardroom Issue

Identity management was long a purely IT matter. In 2026 it is a strategic one — and, in case of doubt, one for the boardroom. Three currents are converging.

The CLOUD Act testimony from Microsoft France

On 10 June 2025, Anton Carniaux, chief legal officer of Microsoft France, testified before the French Senate that Microsoft cannot guarantee that data of European citizens held in EU data centers is protected from access by US authorities — even without the consent of European bodies [5]. The Hamburg Data Protection Commissioner summarized it in August 2025: despite earlier Microsoft statements that EU data was safe, there is no way to keep US authorities from accessing EU data [6].

This is not new in terms of the legal situation — the CLOUD Act has applied since 2018. What is new is that the claim "EU data residency = data sovereignty" must now be considered incorrect at the highest official level.

The movement in the public sector

What began in the public sector is reaching the SMB world. In October 2025, the German state of Schleswig-Holstein began moving around 30,000 civil-servant workstations off Exchange and Outlook to open-source alternatives [7][8]. According to its own figures, the German federal government spent 481 million euros on Microsoft licenses in 2024 — a 76 percent increase in two years. These numbers have become a reference point in the German-speaking debate: not as a call to abandon Microsoft, but as a reason to actually quantify one's own dependency.

The Microsoft price increase in July 2026

In the first comprehensive plan refresh in years, Microsoft 365 prices are rising. M365 E5 climbs from 57 to 60 US dollars per user per month, M365 F1 (Frontline) from 2.25 to 3.00 US dollars [10]. At the same time, M365 E7 (99 US dollars per user per month, generally available from May 2026) was introduced as a new top bundle that includes the Entra Suite and the new "Agent 365" for the first time [9]. Anyone doing a license review in 2026 cannot avoid the identity cost question.


What Microsoft Entra ID Does Well — and What It Doesn't

An honest look at coexistence starts by acknowledging the incumbent's strengths.

The real strengths

  • Deep Microsoft 365 integration. Conditional Access for Outlook, Teams, SharePoint, OneDrive, and device management via Intune — this endpoint-level integration is real and cannot be rebuilt from the outside.
  • Market maturity. In November 2025, Entra ID was named a "Leader" in the Gartner Magic Quadrant for Access Management for the ninth consecutive year [2]. That is not simply a Microsoft bonus; it rests on technical substance.
  • Broad feature set for Microsoft-centric stacks. Identity Protection, Privileged Identity Management, Verified ID, Entra Internet Access, and Private Access are mature building blocks — when the stack is Microsoft anyway.

The structural limits

  • Licensing complexity. P1, P2, the Entra Suite as an add-on, identity governance as a separate add-on, Workload ID Premium as a never-bundled item — plus the M365 bundles into which Entra tiers are folded. The actual costs are hard to grasp without a table (see below).
  • CLOUD Act exposure. Microsoft is a US corporation. The Carniaux testimony (above) turns the third-country question into a documentable risk.
  • Concentration risk. Storm-0558 (July 2023) and Midnight Blizzard (January 2024) showed that the identity provider itself becomes a target. The US government's Cyber Safety Review Board called the Storm-0558 chain a "cascade of avoidable errors" in March 2024 and described Microsoft's security culture at the time as "inadequate" [3][4]. The global Azure Front Door outage of 29 October 2025 took M365 and Entra sign-ins down for over twelve hours — through a single configuration error [11]. Microsoft has responded with its "Secure Future Initiative"; the structural point remains: a central identity provider concentrates risk.

None of these points means "Entra ID is bad." They mean: Entra ID is not the mandatory choice for every application in the house.


What Authentik Does Well — and What It Doesn't

The strengths

  • Open source and independent. Authentik is licensed under the MIT license; it is backed by Authentik Security, Inc., organized as a public benefit corporation [12]. No closed code, no enforced vendor roadmap.
  • Complete protocol suite. OIDC, SAML 2.0, LDAP, RADIUS, SCIM, mTLS, and Kerberos — plus a visual flow engine that lets you model authentication logic without code. Conditional Access (GeoIP, impossible travel, device posture) and modern MFA including passkeys are part of it.
  • Own environment, own data. Self-hosted or as a managed service — in both cases a dedicated tenant, not the shared tenant of a US corporation. Release 2025.10 removed Redis as a dependency; the Remote Access Gateway (RDP/SSH/VNC) has been freely available since release 2025.2 [13].

The honest limits

  • No native M365 Conditional Access depth. Authentik can federate with Entra ID, but the endpoint-level integration with Outlook, Teams, and SharePoint is and remains Entra territory.
  • Operational responsibility. Self-hosting means updates, backups, monitoring, availability — around the clock if it comes to it. That is exactly what managed offerings are for, but the effort does not disappear, it shifts.
  • Not a 1:1 replacement for every Microsoft federation scenario. Certain SharePoint federation setups expect older token formats that Authentik does not serve. Anyone with such scenarios must plan for it in the architecture.

Pricing Reality 2026

Microsoft does not publish a fully consolidated price list — the following tables summarize the publicly visible figures.

Microsoft Entra ID: standalone

| Plan | Price (per user/month) | Includes |
|---|---|---|
| Entra ID Free | USD 0 | basic SSO and basic MFA, shipped with Azure and M365 |
| Entra ID P1 | USD 6 | Conditional Access, self-service password reset, hybrid identities |
| Entra ID P2 | USD 9 | additionally Identity Protection, Privileged Identity Management |
| Entra Suite (add-on on P1/P2) | + USD 12 | ID Governance, Internet Access, Private Access, Verified ID Premium |
| Entra ID Governance (standalone add-on) | + USD 7 (on P1) / + USD 4 (on P2) | access reviews, entitlement management, lifecycle workflows |
| Workload ID Premium | USD 3 per workload identity | never included in M365 or Suite bundles |

Microsoft Entra ID: via Microsoft 365 bundles

| Bundle | Price (per user/month) | Included Entra tier |
|---|---|---|
| M365 Business Premium | ~ USD 22 | Entra ID P1 |
| M365 E3 | USD 36 (price increase announced for July 2026) | Entra ID P1 |
| M365 E5 | USD 57 → USD 60 (from July 2026) | Entra ID P2 |
| M365 F1 (Frontline) | USD 2.25 → USD 3.00 (from July 2026) | Entra ID P1 |
| M365 E7 (new, from May 2026) | USD 99 | Entra ID P2 + Entra Suite + Agent 365 |

Authentik and Managed Authentik

| Variant | Price | Character |
|---|---|---|
| Authentik (open source, MIT) | €0 | full IdP, self-hosted, operated in-house |
| Authentik Enterprise | USD 5 per user/month | additional enterprise features, license from Authentik Security |
| Managed Authentik (authhost) | from €34.90/month – flat rate, unlimited users | dedicated instance, operated by authhost, hosted in Germany |

Worked example: a 100-employee SMB with a mixed stack

A mid-sized company with 100 employees uses Microsoft 365 — and runs around 15 applications outside the Microsoft stack alongside it: Linux servers with SSH access, a GitLab instance, a RADIUS VPN, an in-house SaaS application, several self-hosted tools.

  • The M365 stack runs on the existing licenses — Entra ID P1 is included there. A coexistence strategy changes nothing about that.
  • Variant A – everything via Entra: for the 15 non-Microsoft applications and their service identities, depending on requirements, Entra ID Governance (USD 7 per user/month on P1), the Entra Suite (USD 12 per user/month), or Workload ID Premium (USD 3 per workload identity) apply — costs that grow with every user and workload count.
  • Variant B – coexistence: Microsoft 365 and Entra ID stay unchanged. Managed Authentik takes on the 15 non-Microsoft applications — as a flat rate from €34.90/month, independent of user or workload count.

The saving does not come from "throwing Microsoft out" but from converting the identity costs of the non-Microsoft world from "per user, per add-on, per workload" into a predictable flat rate.
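The cost model behind the two variants, as an added illustration rather than a calculation from the article: the per-user and per-workload prices are the article's figures (as of May 2026), while the workload count and the USD/EUR rate used to express the flat rate in dollars are constructed assumptions. The model goes one step further than the 100-employee case and computes the user count at which a per-user add-on alone reaches the flat rate.

```python
"""Cost model for Variant A (Entra add-ons) versus Variant B (Managed Authentik flat rate).

Added illustration. Prices are the article's figures per month (May 2026); the workload
count and the USD-per-EUR rate are constructed assumptions, not article data.
"""
import math
from dataclasses import dataclass

GOVERNANCE_ON_P1_USD = 7.0      # Entra ID Governance add-on on P1, per user/month
ENTRA_SUITE_USD = 12.0          # Entra Suite add-on, per user/month
WORKLOAD_ID_USD = 3.0           # Workload ID Premium, per workload identity/month
MANAGED_AUTHENTIK_EUR = 34.90   # Managed Authentik flat rate per month, unlimited users


@dataclass(frozen=True)
class Stack:
    users: int
    workload_identities: int    # service identities of the non-Microsoft applications


def variant_a_usd(stack: Stack, *, suite: bool = False) -> float:
    """Variant A: non-Microsoft apps covered by Entra add-ons; grows with users and workloads."""
    per_user = ENTRA_SUITE_USD if suite else GOVERNANCE_ON_P1_USD
    return stack.users * per_user + stack.workload_identities * WORKLOAD_ID_USD


def variant_b_eur(stack: Stack) -> float:
    """Variant B: non-Microsoft apps on Managed Authentik; flat, so the stack size is irrelevant."""
    return MANAGED_AUTHENTIK_EUR


def break_even_users(per_user_usd: float, usd_per_eur: float) -> int:
    """Smallest user count at which the per-user add-on alone costs at least the flat rate."""
    flat_usd = MANAGED_AUTHENTIK_EUR * usd_per_eur
    return math.ceil(flat_usd / per_user_usd)


def compare(stack: Stack, usd_per_eur: float) -> dict:
    """Monthly and yearly figures for both variants; the rate only converts Variant B to USD."""
    a_gov = variant_a_usd(stack)
    a_suite = variant_a_usd(stack, suite=True)
    b_eur = variant_b_eur(stack)
    return {
        "variant_a_governance_usd_month": a_gov,
        "variant_a_suite_usd_month": a_suite,
        "variant_a_governance_usd_year": a_gov * 12,
        "variant_b_eur_month": b_eur,
        "variant_b_usd_month": round(b_eur * usd_per_eur, 2),
        "break_even_users_governance": break_even_users(GOVERNANCE_ON_P1_USD, usd_per_eur),
        "break_even_users_suite": break_even_users(ENTRA_SUITE_USD, usd_per_eur),
    }


if __name__ == "__main__":
    # Constructed: the article's 100-employee company, assuming 15 workload identities
    # (one per non-Microsoft application) and an assumed rate of 1.10 USD per EUR.
    for key, value in compare(Stack(users=100, workload_identities=15), 1.10).items():
        print(f"{key:32} {value}")
```

Change the assumed rate or the workload count and the break-even moves, which is the point: the flat rate's advantage depends on head count, not on which Entra add-on is chosen.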

Comparison based on publicly available information, as of May 2026. Microsoft prices in US dollars, authhost prices in euros; prices and tiers can change at any time — please verify directly with the respective provider. Microsoft® and Microsoft Entra ID® are trademarks of Microsoft Corporation. Authentik is open-source software; the project is maintained by Authentik Security, Inc. (USA). authhost is an independent managed hosting provider and is not affiliated with these companies.


Three Scenarios Where the Dual Strategy Works

Scenario 1 – Microsoft 365 plus Linux servers and custom SaaS

The office runs on M365, but product development runs on Linux servers, plus an in-house SaaS application and tools like GitLab or Grafana. Entra ID stays for the office stack; Authentik becomes the identity provider for SSH access, internal tools, and the in-house application — an area where Entra licenses quickly become expensive and unwieldy.

Scenario 2 – Microsoft 365 plus a RADIUS VPN and legacy LDAP

Classic mid-sized business: M365 for the office IT, but a RADIUS-secured VPN and several legacy applications that only speak LDAP. Authentik provides RADIUS and LDAP outposts and connects exactly these systems, without every affected user needing a higher Entra tier.

Scenario 3 – Microsoft 365 plus a GDPR-critical in-house application

An application processes particularly sensitive data — health, financial, or client data. This is where the CLOUD Act framing matters most. This application gets its identity provider in Germany, separate from the US stack; the rest of the office stays on Entra.

And when one alone is enough

Coexistence is not an end in itself. A pure Microsoft shop with no significant applications outside the M365 stack does well with Entra ID alone — the extra effort of a second system is not worth it then. Conversely, a pure open-source stack without Microsoft 365 needs no Entra ID; there, Authentik alone is the coherent choice. The dual strategy is the right answer for the large middle ground in between — and that is most German SMBs.


NIS2, GDPR, and the CLOUD Act: the Compliance Framework

What NIS2 requires

Germany's NIS2 implementation act sets out a catalog of risk-management measures in Section 30. Relevant to identity and access management are access control policies and the use of multi-factor authentication [14]. Crucially: NIS2 names no vendor. The regulatory question is effectiveness according to the state of the art, not "Microsoft or not." Section 38 establishes the personal responsibility of management — and it cannot be delegated.

GDPR Article 32 and the CLOUD Act

Under Article 32 GDPR, controllers must justify why a technical measure meets the state of the art. With a US provider exposed to the CLOUD Act, that includes acknowledging that protection against third-country access cannot be guaranteed — Microsoft has confirmed this itself. Where high risk exists, a data protection impact assessment is mandatory anyway; according to the Hamburg Data Protection Commissioner, the CLOUD Act exposure belongs in it.

Management responsibility

"The IT manager said we use Entra because that's standard" is not a tenable argument under NIS2. The choice of identity provider is a documented, justified decision — and that is exactly why a deliberate look at the architecture pays off.

Note: this is not legal advice. Specific compliance and liability questions belong with data protection and legal counsel.


Coexistence in Practice: How It Works Technically

The architecture is less spectacular than it sounds. Authentik becomes the identity provider for everything outside the Microsoft stack — Linux SSO via OIDC, SaaS applications via SAML 2.0, legacy systems via the LDAP outpost, VPNs via the RADIUS outpost.

The bridge to Microsoft 365 is standard federation: Authentik and Entra ID can be connected via OIDC or SAML, so single sign-on is preserved — users sign in once, regardless of whether the target application is in the Microsoft stack or not. The identities of the non-Microsoft world do not end up in the Microsoft cloud in the process.
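What "standard federation via OIDC" means on the wire is that the upstream IdP issues a signed ID token and the relying party validates it before trusting the sign-in. The following is an added illustration, not Authentik's or Microsoft's code: issue_id_token plays the upstream IdP, validate_id_token the relying party. Constructed simplifications: HS256 with a shared secret so the block runs on the standard library (real IdPs sign with RS256/ES256 and publish keys via JWKS), a placeholder issuer URL and a constructed client id. The checks are the ones any relying party performs: fixed algorithm, key id against a trusted key set, signature, issuer, audience, expiry, nonce. Note what the key-set check does and does not cover: a token signed by a key outside the trusted set is rejected, while a token signed by a stolen legitimate key (the page's Storm-0558 account) passes signature validation, which is why the trusted set must be scoped tightly to the one issuer it belongs to.

```python
"""Relying-party validation of an OIDC ID token (added illustration, HS256 simplification)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(secret: bytes, kid: str, claims: dict) -> str:
    """IdP side: compact JWS 'header.payload.signature'."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token: str, trusted_keys: dict, issuer: str, client_id: str,
                      nonce: str, now: Optional[float] = None) -> dict:
    """Relying-party side: returns the claims or raises ValueError naming the failing check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # The token never chooses its own algorithm; the relying party fixes what it accepts.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Only keys in the trusted set for this issuer; an unknown kid is rejected before any claim is read.
    key = trusted_keys.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        raise ValueError("audience mismatch")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")   # binds the token to this particular sign-in request
    return claims


def check(token: str, trusted_keys: dict, issuer: str, client_id: str,
          nonce: str, now: Optional[float] = None) -> str:
    """Convenience wrapper: 'ok' or the name of the failing check."""
    try:
        validate_id_token(token, trusted_keys, issuer, client_id, nonce, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed sample federation; the issuer is a placeholder, not a real tenant URL.
ISSUER = "https://idp.example/tenant-placeholder"
CLIENT_ID = "authentik-federation-client"
TRUSTED_KEYS = {"kid-2026-05": b"constructed-shared-secret"}

if __name__ == "__main__":
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1", "nonce": "n-123", "exp": time.time() + 300}
    good = issue_id_token(TRUSTED_KEYS["kid-2026-05"], "kid-2026-05", claims)
    print("trusted key :", check(good, TRUSTED_KEYS, ISSUER, CLIENT_ID, "n-123"))
    untrusted = issue_id_token(b"some-other-key", "kid-2026-05", claims)
    print("untrusted key:", check(untrusted, TRUSTED_KEYS, ISSUER, CLIENT_ID, "n-123"))
```

In a real deployment the relying party also pins the issuer's discovery document and refreshes the key set from its JWKS endpoint; the order of checks above (algorithm and key before signature, signature before any claim) is what keeps an attacker-controlled token from influencing which key or algorithm is used to verify it.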

For particularly sensitive applications, Conditional Access policies (GeoIP, impossible travel, device posture) can be activated in Authentik, and hardware keys based on WebAuthn/FIDO2 established as the standard. With Managed Authentik from authhost, a team in Germany takes on operations — updates, backups, monitoring — while data sovereignty stays with the customer.
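One of the Conditional Access signals named above, impossible travel, comes down to a distance-over-time check between a user's consecutive sign-ins. The block below is an added, standalone illustration over constructed sign-in events; it is not Authentik's policy API (Authentik's expression policies are also written in Python, but their request and context objects are not used here), and the coordinates and the 900 km/h threshold are constructed assumptions that a GeoIP lookup and a site policy would supply in practice.

```python
"""Impossible-travel detection over sign-in events (added illustration, constructed data)."""
import math
from dataclasses import dataclass
from typing import List, Tuple

MAX_PLAUSIBLE_KMH = 900.0   # assumed threshold, roughly airliner speed
MIN_DISTANCE_KM = 50.0      # ignore moves inside one metro area and GeoIP jitter


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: float     # unix seconds
    lat: float
    lon: float
    city: str     # label only; in practice GeoIP supplies lat/lon and city


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def impossible_travel(events: List[SignIn], max_kmh: float = MAX_PLAUSIBLE_KMH) -> List[Tuple[str, str, str, int]]:
    """Return (user, from_city, to_city, implied_kmh) for each consecutive pair of sign-ins
    by the same user whose implied speed exceeds max_kmh. Events may arrive unsorted."""
    by_user = {}
    for event in sorted(events, key=lambda e: (e.user, e.ts)):
        by_user.setdefault(event.user, []).append(event)
    findings = []
    for user, sign_ins in by_user.items():
        for prev, cur in zip(sign_ins, sign_ins[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < MIN_DISTANCE_KM:
                continue
            hours = (cur.ts - prev.ts) / 3600.0
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                findings.append((user, prev.city, cur.city, round(speed)))
    return findings


# Constructed sample: alice travels Hamburg -> Munich over 8 hours (plausible);
# bob "appears" in New York 30 minutes after signing in from Berlin (flagged).
SAMPLE_SIGNINS = [
    SignIn("alice", 0.0, 53.55, 9.99, "Hamburg"),
    SignIn("bob", 5400.0, 40.71, -74.01, "New York"),   # deliberately out of order
    SignIn("alice", 28800.0, 48.14, 11.58, "Munich"),
    SignIn("bob", 3600.0, 52.52, 13.40, "Berlin"),
    SignIn("bob", 3000.0, 52.52, 13.40, "Berlin"),      # same place twice: ignored
]

if __name__ == "__main__":
    for finding in impossible_travel(SAMPLE_SIGNINS):
        print("impossible travel:", finding)
```

A finding like this is a step-up signal, not a verdict: the usual response is to require a stronger factor (the WebAuthn/FIDO2 key the article mentions) or to deny until reviewed, and VPN egress points should be whitelisted before the rule goes live, because they produce exactly this pattern legitimately.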


Conclusion

Microsoft Entra ID is ubiquitous in German SMBs — but rarely a deliberate decision. It comes with Microsoft 365. In 2026, the deliberate look pays off: the CLOUD Act situation has solidified, NIS2 makes identity a documentation-bound management matter, and license costs are rising.

For most companies, the honest answer is not "throw Microsoft out" but coexistence: Entra ID stays for what it was built for — the Microsoft 365 stack. Authentik takes on everything else — open source, on German infrastructure, at predictable costs. Anyone who uses M365 and runs Linux servers, custom apps, or legacy systems alongside it is usually cleaner and more sovereign with the dual strategy than with "Entra for everything."



Sources

  1. Microsoft – Entra pricing overview: microsoft.com
  2. Microsoft Security Blog – Gartner Magic Quadrant for Access Management 2025: microsoft.com
  3. CISA / Cyber Safety Review Board – Review of the Summer 2023 Microsoft Exchange Online Intrusion (20 March 2024): cisa.gov
  4. Microsoft MSRC – Midnight Blizzard / nation-state actor (January/March 2024): microsoft.com
  5. Microsoft France before the French Senate – CLOUD Act testimony (June 2025): coverage e.g. borncity.com
  6. Hamburg Data Protection Commissioner – Microsoft cannot prevent US access to the EU cloud (08/2025): datenschutzbeauftragter-hamburg.de
  7. The Register – Schleswig-Holstein migrates to open source (10/2025): theregister.com
  8. The Irish Times – A small German state's quiet revolt against Microsoft (02/2026): irishtimes.com
  9. Wintive – Microsoft Entra ID Complete Guide 2026 (Agent 365, M365 E7): wintive.com
  10. SAMexpert – Microsoft Entra ID licensing guide & M365 price changes 2026: samexpert.com
  11. breached.company – Azure Front Door outage (29 October 2025): breached.company
  12. Authentik – official website & license: goauthentik.io
  13. Authentik – release 2025.10 (Redis dependency removed): goauthentik.io
  14. NIS2 Directive (EU) 2022/2555 – risk-management measures (Art. 21): eur-lex.europa.eu

Frequently Asked Questions

What is Microsoft Entra ID and what is it used for?
Entra ID is Microsoft's cloud-based identity provider, formerly known as Azure Active Directory. It authenticates users for Microsoft 365, Azure, and integrated third-party applications — from Conditional Access and MFA to identity governance. In most German SMBs, Entra ID does not arrive standalone but automatically via a Microsoft 365 subscription: M365 Business Premium and E3 include Entra ID P1, E5 includes P2.
What is Authentik and how does it structurally differ from Entra ID?
Authentik is an open-source identity provider under the MIT license, developed by Authentik Security, Inc., a US company organized as a public benefit corporation. Structurally it differs on three levels: first, Authentik runs in its own dedicated environment — self-hosted or with a European managed provider — not in the shared tenant of a US corporation. Second, the open-source code is not subject to a closed vendor roadmap. Third, the open-source edition incurs no per-user license costs; enterprise features cost 5 US dollars per user per month from Authentik Security.
What does Microsoft's testimony before the French Senate mean for German companies?
On 10 June 2025, Microsoft France's chief legal officer, Anton Carniaux, testified before the French Senate that Microsoft cannot guarantee that data of European citizens held in EU data centers will not be passed to US authorities — even without the consent of European bodies. The consequence for German companies: anyone processing personal data via a US identity provider should explicitly document the third-country transfer risk in their data protection impact assessment. According to the Hamburg Data Protection Commissioner, mere EU data residency is not enough to eliminate the CLOUD Act risk.
Which NIS2 requirements affect identity management?
Germany's NIS2 implementation act sets out a catalog of risk-management measures in Section 30; relevant to identity and access management are access control policies and the use of multi-factor authentication. NIS2 does not prescribe a specific product but effectiveness according to the state of the art. Section 38 establishes the personal responsibility of management. Important: the choice of identity provider is a decision subject to documentation requirements — whether Entra ID or Authentik, management must be able to justify why the chosen solution meets the state of the art. This is not legal advice — specific compliance decisions belong with data protection and legal counsel.
What does Microsoft Entra ID cost in 2026 compared to Authentik?
In 2026, Microsoft Entra ID costs 6 US dollars per user per month standalone (P1) or 9 US dollars (P2), with an annual commitment. Most German SMBs have Entra via M365 bundles — M365 Business Premium and E3 include P1, E5 includes P2. Identity governance costs an additional 7 US dollars as an add-on on P1, or you book the Entra Suite for 12 US dollars. Workload ID Premium (3 US dollars per workload identity) is never included in bundles. Authentik Open Source is free; enterprise features cost 5 US dollars per user per month. Managed Authentik via authhost starts at €34.90/month as a flat rate with unlimited users.
Is Authentik a full-fledged alternative to Microsoft Entra ID?
Functionally in large part yes, structurally not entirely. Authentik covers OIDC, SAML 2.0, LDAP, RADIUS, SCIM, mTLS, Kerberos, Conditional Access, and MFA — all the protocols an identity provider needs. What Authentik cannot replace is the deep integration with Microsoft 365: Conditional Access for Outlook, Teams, and SharePoint at the endpoint level only works via Entra ID, because Microsoft does not expose those interfaces. For pure M365 stacks, Entra is therefore the natural choice. For mixed stacks — M365 plus Linux servers, custom apps, legacy LDAP — coexistence (Entra for M365, Authentik for the rest) is usually the most honest architecture.
Which Microsoft Entra security incidents should decision-makers know about in 2026?
Three documented events remain relevant. Storm-0558 (July 2023): attackers forged authentication tokens with a stolen Microsoft signing key and accessed the email accounts of around 25 organizations, including the US State Department. The US government's Cyber Safety Review Board called the result a "cascade of avoidable errors" in its March 2024 report and described Microsoft's security culture as "inadequate." Midnight Blizzard (January 2024): state-aligned actors attacked Microsoft corporate mailboxes via a legacy test tenant without MFA. On top of that came the global Azure Front Door outage on 29 October 2025, which took Microsoft 365 and Entra sign-ins down worldwide for over twelve hours — triggered by a configuration error.
What happens to our identities if we want to leave Authentik again?
Authentik uses standard protocols: users, groups, and roles can be migrated at any time via SCIM provisioning or a direct database export. In a self-hosted or managed setup, the data always belongs to the customer — there are no proprietary lock-in mechanisms. By comparison: with deeply integrated Entra setups using the Microsoft Graph API and Conditional Access policies, the migration complexity is significantly higher. That is not a disadvantage of Entra but the natural consequence of deep integration — the honest question is whether that depth is justified for every application.
When is the coexistence architecture (Entra ID and Authentik) the right choice?
Three indicators together point to coexistence: first, the company runs on Microsoft 365 and does not want to replace Microsoft. Second, there are relevant applications outside the Microsoft stack — Linux servers with SSH access, a RADIUS VPN, LDAP legacy apps, self-hosted tools like Gitea, Nextcloud, or Grafana, or an in-house SaaS application. Third, the company processes data that is particularly sensitive under NIS2 or GDPR and for which the CLOUD Act framing matters. If all three apply, the dual strategy is usually cleaner than Entra for everything.
How quickly can Authentik be deployed alongside Entra ID?
A managed Authentik instance with authhost is provisioned within minutes via the self-service portal. The first applications can typically be connected within two to four weeks — a Linux SSO via OIDC is a matter of hours, a SAML provider for a SaaS application half a day. Federation with Entra ID ("Sign in with Microsoft" as an option in Authentik) is standard OIDC and configured in about an hour. The bottleneck is rarely the technology but the architecture decision made beforehand.

Written by

Timo Wevelsiep

Founder, merkaio

Founder of merkaio. Managed Authentik Identity Hosting. Focus on identity management, SSO and zero trust architecture.
