Entra ID has grown substantially as an IGA platform over the last few years. Gartner has started calling it "Light IGA" — which is a useful shorthand: it covers the essentials and works well within the Microsoft ecosystem, but doesn't go as deep as platforms purpose-built for governance. Whether that's sufficient depends entirely on what your governance requirements actually are.
The honest practitioner answer: if your environment is predominantly Microsoft and your governance needs are relatively simple — automating user lifecycle, running access reviews for Microsoft-managed resources, basic entitlement management — Entra ID Governance is a solid option. If you're dealing with complex multi-system environments, tight compliance requirements, or non-Microsoft applications that need deep integration, you'll hit the ceiling.
What Entra ID Actually Handles Well
User lifecycle automation. Lifecycle Workflows handle joiner-mover-leaver events for Entra-managed identities. Built-in tasks cover the standard operations: generating temporary access passes, sending welcome emails, disabling accounts, removing group memberships. Custom tasks are extensible through Azure Logic Apps. Lifecycle workflows are shells that need to be built out by the customer — which means the automation capability is real but the out-of-the-box coverage requires configuration investment.
Access reviews. Entra's access review campaigns work well for reviewing Entra-managed resources: group memberships, application assignments, Entra ID roles, and Azure resource roles. The ML-assisted reviewer recommendations (flagging inactive users, surfacing low-affiliation accounts for revocation consideration) reduce the rubber-stamp approval problem.
Entitlement Management and Access Packages. Bundling related resources into access packages with approval policies and expiration dates is one of Entra's genuinely differentiated features. External partner access through the MyAccess portal and the ability to delegate catalog management to resource owners are capabilities that dedicated mid-market IGA platforms sometimes handle less elegantly.
HR system integration. Entra ID has pre-built connectors for Workday and SAP SuccessFactors for HR-driven provisioning. For other HRMS platforms, API-driven inbound provisioning allows custom integrations without building a full connector.
For organizations that are genuinely Microsoft-centric — Microsoft 365, Azure resources, and primarily SCIM-connected SaaS applications — this is a meaningful governance stack that satisfies SOC 2 access review requirements and automates the core JML lifecycle.
Where Entra ID Falls Short as a Standalone IGA
Limited connectors for non-Microsoft and on-prem systems. Entra's application gallery covers hundreds of SaaS apps via SCIM or SAML, but anything outside that gallery requires custom connector development. On-premises applications using ECMA connectors work for some scenarios; legacy systems with no API require workarounds through Azure Functions or Logic Apps — custom code you own and maintain. Dedicated IGA platforms that support agent-based discovery and legacy system integration without requiring bespoke code handle this category differently.
No native Segregation of Duties enforcement. SoD controls — preventing one person from holding conflicting access rights that together would allow them to complete a sensitive transaction without oversight — are a specific requirement for SOX compliance and a best practice for any organization with financial system access. Entra ID Governance doesn't provide native SoD conflict detection or enforcement. This is one of the gaps that makes Entra "Light IGA" rather than full IGA in Gartner's framing.
No advanced role mining. Static role definitions are manageable when you define them upfront. Role mining — analyzing actual usage patterns to suggest least-privilege role modifications, identify roles that don't match actual behavior, and detect privilege accumulation — isn't a current Entra capability. For organizations that need continuous role optimization rather than static role management, this requires additional tooling.
Reporting and auditing depth. Provisioning logs have a 90-day retention limit without routing to Azure Monitor (which adds cost and configuration). The audit reporting format, while functional, is more basic than the compliance-ready timestamped reports that dedicated IGA platforms generate natively for auditors.
The maker-checker problem. Entra ID is both the access provider (IAM) and the governance auditor (IGA). For organizations that want a neutral third-party governance layer that evaluates access across all their identity providers — Entra, Okta, AWS IAM, Google Workspace — using Entra as the governance layer creates an inherent conflict of interest: the system granting access is also the system auditing it.
Multi-IdP environments. Most organizations of meaningful size don't run exclusively on Entra. Engineering teams using AWS SSO, legacy systems on Okta, shadow IT with its own auth — Entra's governance tools are optimized for the Microsoft perimeter and have limited visibility outside it. A dedicated IGA platform that federates governance across multiple identity providers covers the full access surface rather than the Microsoft-connected portion.
The Honest Cost Question
Several practitioners have noted that upgrading to the governance-capable Microsoft licensing tiers is expensive. The Entra Suite at the required tier for full governance features has a per-user cost that adds up quickly at mid-market scale, particularly when external users (contractors, B2B partners) are factored in at similar per-user rates.
For mid-sized organizations evaluating this decision, the cost comparison should include the full licensing cost for the governance-enabled tier, the additional Azure Monitor cost for log retention beyond 90 days, and the professional services or internal engineering cost to build out the Logic Apps and custom connectors for the non-standard cases. That total cost of ownership comparison sometimes makes dedicated next-generation IGA platforms — which include connector libraries, agent-based discovery, and compliance reporting without separate add-on costs — more competitive than the headline Microsoft licensing comparison suggests.
When Entra ID Is Sufficient and When It Isn't
Entra ID Governance is likely sufficient if:
- Your environment is predominantly or exclusively Microsoft 365 and Azure
- Your SaaS applications are primarily in the Entra app gallery with SCIM support
- Your compliance requirements are primarily access reviews and basic lifecycle automation
- You have the engineering resources to build out Lifecycle Workflow customizations and Logic Apps for edge cases
- SoD enforcement isn't a specific audit requirement
A dedicated IGA platform is likely needed if:
- Your environment spans multiple identity providers (Entra + Okta, Entra + AWS, etc.)
- A significant share of your application stack is outside the Entra gallery or lacks SCIM
- SOX SoD controls are a specific compliance requirement
- You need granular visibility into what users can do inside third-party applications rather than just whether they have access
- You need agent-based discovery for on-prem or legacy systems
- You want a neutral governance layer that audits all identity providers rather than just Entra-managed access
- Budget optimization is a priority relative to Microsoft's top-tier licensing costs
Frequently Asked Questions
Is Entra ID a full IGA platform?
Gartner's characterization of Entra ID as "Light IGA" is accurate. It covers the essential IGA capabilities — lifecycle workflows, access reviews, entitlement management, and HR-driven provisioning — within the Microsoft ecosystem. It lacks features that full IGA platforms provide: native Segregation of Duties enforcement, advanced role mining, deep granular entitlement visibility inside non-Microsoft applications, and governance across multiple identity providers. Whether it's sufficient depends on the complexity and scope of your governance requirements.
What is the Segregation of Duties gap in Entra ID Governance?
Segregation of Duties controls prevent one person from holding conflicting access rights — for example, the ability to both create and approve a financial transaction. These controls are a specific SOX compliance requirement. Entra ID Governance doesn't provide native SoD conflict detection or enforcement. Organizations with SOX requirements or complex access conflict scenarios need either a dedicated IGA platform with native SoD or custom tooling built on top of Entra.
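The "custom tooling built on top of Entra" route mentioned here and under "No native Segregation of Duties enforcement" above, shown as an added example (not code from this page or from Microsoft): a detective check that flags users already holding both sides of a toxic combination, plus a preventive check that a request workflow could call before granting a group. The user/group sample is constructed and only mimics the shape of a Graph /users?$expand=memberOf listing; group names and rule ids are placeholders.

```python
from collections import defaultdict

# Constructed sample shaped like GET /users?$select=userPrincipalName&$expand=memberOf
# (trimmed to the fields used here; not real tenant data, assumed shape).
GRAPH_USERS = [
    {"userPrincipalName": "alice@contoso.example",
     "memberOf": [{"displayName": "AP-Vendor-Create"}, {"displayName": "AP-Invoice-Approve"},
                  {"displayName": "Finance-Readers"}]},
    {"userPrincipalName": "bob@contoso.example",
     "memberOf": [{"displayName": "AP-Vendor-Create"}, {"displayName": "Finance-Readers"}]},
    {"userPrincipalName": "carol@contoso.example",
     "memberOf": [{"displayName": "GL-Journal-Post"}, {"displayName": "GL-Journal-Approve"}]},
    {"userPrincipalName": "dave@contoso.example",
     "memberOf": [{"displayName": "HR-Payroll-Edit"}]},
]

# Toxic combinations (placeholder rule ids): two groups one person must never hold together.
SOD_RULES = [
    ("SOD-001", "AP-Vendor-Create", "AP-Invoice-Approve"),  # create vendor + approve its invoice
    ("SOD-002", "GL-Journal-Post", "GL-Journal-Approve"),   # post a journal + approve it
    ("SOD-003", "HR-Payroll-Edit", "HR-Payroll-Approve"),   # edit payroll + approve payroll run
]

def flatten_memberships(users):
    """Map each UPN to the set of group display names it is a member of."""
    return {u["userPrincipalName"]: {g["displayName"] for g in u.get("memberOf", [])}
            for u in users}

def find_sod_violations(memberships, rules):
    """Detective control: {upn: [rule_id, ...]} for users holding both sides of a rule."""
    violations = defaultdict(list)
    for upn, groups in memberships.items():
        for rule_id, left, right in rules:
            if left in groups and right in groups:
                violations[upn].append(rule_id)
    return dict(violations)

def conflicts_for_request(memberships, rules, upn, requested_group):
    """Preventive control: rule ids that granting requested_group would violate now."""
    current = memberships.get(upn, set())
    return [rule_id for rule_id, left, right in rules
            if requested_group in (left, right)
            and ({left, right} - {requested_group}) <= current]

if __name__ == "__main__":
    memberships = flatten_memberships(GRAPH_USERS)
    print(find_sod_violations(memberships, SOD_RULES))
    print(conflicts_for_request(memberships, SOD_RULES, "bob@contoso.example", "AP-Invoice-Approve"))
```

Feeding the detective output into an access review campaign, and the preventive check into an access package approval step, is the kind of glue work the page describes as customer-owned code.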
How does Entra ID handle non-Microsoft applications in access reviews?
Access reviews in Entra ID cover Entra-managed resources: group memberships, Entra application assignments, and Azure roles. For applications outside the Entra perimeter — those that don't use Entra for authentication or aren't SCIM-connected — access data doesn't flow into Entra's access review campaigns natively. Dedicated IGA platforms that integrate directly with downstream applications to pull user lists and permission data provide broader access review coverage.
When should you use a dedicated IGA platform instead of Entra ID Governance?
Consider a dedicated IGA platform when your environment spans multiple identity providers, when you need SoD enforcement for SOX compliance, when significant portions of your application stack require on-prem agents or custom connectors for governance coverage, when you need granular permission-level visibility inside third-party applications, or when the cost of Microsoft's governance licensing tiers exceeds the value delivered for your specific requirements.