You run Entra ID already. It handles your Azure resources, SSO works, and the access reviews feature is sitting right there. The question worth asking before a full IGA procurement cycle: how much of what SailPoint or Saviynt actually does can Entra cover — especially if you have on-prem apps, workloads in AWS, and a few legacy systems without APIs?
The honest answer is that Entra ID will get you partway there, and then leave specific gaps that matter more as your environment gets more complex. Here is where those gaps actually are, and what mid-sized organizations are doing about them.
Where Entra ID IGA Works Well and Where It Doesn't
Entra ID is genuinely strong in the environments it was designed for. If your organization is primarily Microsoft-centric (Azure resources, M365, apps that support SCIM), Entra's governance features cover a reasonable portion of what you need. Group-based access reviews are well supported. Privileged Identity Management handles just-in-time activation for Azure and Entra roles. Access packages in entitlement management let you bundle multiple resources into a single requestable unit with tiered approvals and automatic expiry. One caveat before comparing costs: access reviews, PIM and entitlement management all sit behind the Entra ID P2 or Microsoft Entra ID Governance license, so "Entra already does this" assumes you are paying for that tier.
The limitations appear at the edges of that Microsoft perimeter.
The authorization blindspot. Entra is fundamentally an IAM tool, built around authentication (verifying who logs in) and around the app role it assigned at sign-in or pushed through SCIM. It generally cannot see what a user is actually doing or what granular permissions they hold inside third-party applications. Practitioners evaluating it for full IGA describe this consistently: Entra can tell you someone is assigned to Salesforce, and at best which app role it gave them, but it cannot read back the permission sets or profile that user holds inside Salesforce, let alone anything a Salesforce admin granted outside the provisioning flow. That gap matters directly for access reviews, because the reviewer is approving a row that says "has access" rather than a list of entitlements, and for any compliance program requiring fine-grained visibility.
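To make the blindspot concrete, here is what an access-review evidence pull from Microsoft Graph actually yields once you resolve each assignment to a role. This is an added example, not code from the page, from Zluri or from Microsoft. The two payloads are constructed to match the shape of `GET /users/{id}/appRoleAssignments` and the `appRoles` collection on a service principal; the user names, app names and GUIDs are made up. The only real Graph convention relied on is the all-zero `appRoleId`, which Graph uses when an app defines no roles.

```python
import json
from typing import Dict, List, Optional

# Graph uses the all-zero GUID as appRoleId when the app defines no roles: the
# assignment proves the user is entitled to the app, and nothing more.
DEFAULT_ACCESS_ROLE_ID = "00000000-0000-0000-0000-000000000000"

# Constructed sample in the shape of GET /users/{id}/appRoleAssignments (Graph v1.0).
# User names, app names and GUIDs are made up for this example.
APP_ROLE_ASSIGNMENTS = json.loads("""
{"value": [
  {"id": "ra-1", "principalId": "u-101", "principalDisplayName": "Dana Reyes",
   "resourceId": "sp-salesforce", "resourceDisplayName": "Salesforce",
   "appRoleId": "3e9b7d6c-1f1a-4c2e-9d8b-7a5c2f0e1b44", "createdDateTime": "2024-03-02T10:11:00Z"},
  {"id": "ra-2", "principalId": "u-101", "principalDisplayName": "Dana Reyes",
   "resourceId": "sp-github", "resourceDisplayName": "GitHub Enterprise",
   "appRoleId": "00000000-0000-0000-0000-000000000000", "createdDateTime": "2023-11-20T08:00:00Z"},
  {"id": "ra-3", "principalId": "u-102", "principalDisplayName": "Sam Okafor",
   "resourceId": "sp-salesforce", "resourceDisplayName": "Salesforce",
   "appRoleId": "a0b1c2d3-e4f5-4a6b-8c7d-9e0f1a2b3c4d", "createdDateTime": "2024-06-14T14:30:00Z"},
  {"id": "ra-4", "principalId": "u-102", "principalDisplayName": "Sam Okafor",
   "resourceId": "sp-salesforce", "resourceDisplayName": "Salesforce",
   "appRoleId": "deadbeef-0000-4000-8000-000000000001", "createdDateTime": "2022-01-05T09:00:00Z"}
]}
""")["value"]

# Constructed sample of each service principal's appRoles collection
# (GET /servicePrincipals/{id}?$select=appRoles). GitHub here defines no roles.
SERVICE_PRINCIPAL_APP_ROLES: Dict[str, List[dict]] = {
    "sp-salesforce": [
        {"id": "3e9b7d6c-1f1a-4c2e-9d8b-7a5c2f0e1b44", "displayName": "Sales Admin", "value": "sales_admin"},
        {"id": "a0b1c2d3-e4f5-4a6b-8c7d-9e0f1a2b3c4d", "displayName": "Standard User", "value": "standard_user"},
    ],
    "sp-github": [],
}


def build_review_rows(assignments: List[dict], sp_roles: Dict[str, List[dict]]) -> List[dict]:
    """Turn raw assignments into the rows an access reviewer would actually see."""
    rows = []
    for a in assignments:
        role_id = a["appRoleId"]
        role_name: Optional[str] = None
        if role_id == DEFAULT_ACCESS_ROLE_ID:
            depth = "app-level-only"  # proves membership, says nothing about rights
        else:
            role_name = next((r["displayName"] for r in sp_roles.get(a["resourceId"], [])
                              if r["id"] == role_id), None)
            # A role id that no longer exists on the app (role removed after the
            # assignment was made) is a review finding in itself.
            depth = "app-role" if role_name else "unresolved-role"
        rows.append({
            "user": a["principalDisplayName"],
            "app": a["resourceDisplayName"],
            "entra_app_role": role_name,
            "assigned": a["createdDateTime"],
            "evidence_depth": depth,
            # No Graph endpoint returns this. Salesforce permission sets, GitHub repo
            # permissions and similar in-app grants have to come from the app itself.
            "downstream_entitlements": None,
        })
    return rows


def weak_evidence_rows(rows: List[dict]) -> List[dict]:
    """Rows where Entra cannot even name a role, only the fact of an assignment."""
    return [r for r in rows if r["evidence_depth"] != "app-role"]


if __name__ == "__main__":
    rows = build_review_rows(APP_ROLE_ASSIGNMENTS, SERVICE_PRINCIPAL_APP_ROLES)
    for row in rows:
        print(row)
    print("rows needing evidence from the app itself:", len(weak_evidence_rows(rows)))
```

Every row comes back with `downstream_entitlements` set to `None` because there is nothing in the Entra data model to fill it from; the best case is a role name, and for apps with no roles defined the evidence is only that an assignment exists. That is the row a reviewer is being asked to certify.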
The provisioning direction problem. Entra's core model syncs from Active Directory upward, through Entra Connect (formerly Azure AD Connect) or cloud sync; it does not treat on-prem AD as a general downstream provisioning target. There are narrow exceptions worth knowing before you rule it out: HR-driven provisioning (Workday, SuccessFactors, or the API-driven inbound provisioning endpoint) can create and update AD users through the Entra provisioning agent, and cloud sync can provision groups into AD. But a user created natively in Entra is not written back to AD, and AD does not show up as just another target app in the provisioning catalog. In practice, using Entra as your IGA means keeping AD as the authoritative user directory with Entra Connect sync. For organizations that want to treat AD and Entra as separate managed apps, that architecture is a constraint, not a feature.
Non-Microsoft app governance. Governance workflows that reach outside the Entra ecosystem require custom builds. Tight integration with ServiceNow, for example, is a point-and-click configuration in purpose-built IGA platforms. In Entra, it means building and maintaining a custom integration (typically Logic Apps wired in as entitlement management custom extensions), which is functional but ongoing work that sits with your team rather than with the vendor. The same applies to on-prem apps that don't support SCIM. Microsoft's supported route is the Entra provisioning agent with its generic SQL, LDAP, PowerShell and web services connectors, and the fallback is custom provisioning code in Azure Functions or Logic Apps; either way the attribute mappings, error handling and connector upkeep are yours, a development and maintenance burden that compounds over time.
How Modern IGA Platforms Handle On-Prem and Non-API Apps
This is where the Entra gap becomes most concrete for organizations with hybrid environments — on-prem deployed apps, workloads in AWS or GCP, legacy systems without available APIs.
Standard IAM tools, including Entra, rely on APIs to provision and de-provision access. When an application lacks an API — or restricts it behind expensive licensing tiers — that app falls outside automated governance entirely unless you build something custom.
Purpose-built IGA platforms handle this through two mechanisms:
Browser automation for API-less SaaS apps. For web-based applications that lack usable APIs, modern IGA platforms use AI-driven UI automation, effectively navigating the application's interface the way a human administrator would, to execute user discovery, onboarding, and offboarding. This reaches apps that SCIM and API-based provisioning cannot. Two things to check in an evaluation: the platform is holding an administrative credential for each such app, so ask how it is stored and scoped, and the automation is tied to that app's current UI, so ask how a vendor redesign is detected rather than silently turning into failed deprovisioning.
Lightweight on-prem agents for internal and database-backed systems. For custom applications, internal dashboards, or apps running on your own infrastructure (including AWS environments without API exposure), dedicated IGA platforms deploy lightweight agents within your network. These agents execute local commands and fetch user data directly, and because the agent initiates the connection outward to the platform, no inbound firewall rule is required. For Active Directory specifically, this kind of agent-based connection also enables full write-back (creating accounts, adding users to OUs, executing lifecycle actions) that Entra's own architecture does not support in the provisioning-to-AD direction. The flip side is that the agent becomes the most privileged component in the design: it holds the rights to create and modify directory accounts and takes instructions from the vendor's control plane. The evaluation questions are which actions it can run, whether each job it receives is authenticated and can't be replayed, and what the service account it runs as can touch.
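The following is an added illustration of the trust boundary just described, not Zluri's agent or any vendor's code. It assumes a shared HMAC key established at agent enrollment (hard-coded here so it runs offline), job names and parameters that are made up for the example, and an in-memory `LocalDirectory` standing in for the real AD calls the agent would make. The point it demonstrates is what separates an outbound-only provisioning agent from a remote shell: signature check, freshness window, replay tracking and an action allowlist, applied in that order before any directory call.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Set, Tuple

# Shared secret from agent enrollment. Hard-coded here only so the example runs
# offline; a real agent would load it from its enrollment store.
AGENT_KEY = b"example-enrollment-secret-not-for-production"

# The only lifecycle actions this agent will ever run, whatever the control plane sends.
ALLOWED_ACTIONS = {"disable_account", "enable_account", "add_to_group", "read_user"}
MAX_JOB_AGE = 300  # seconds; bounds how long a captured job stays usable


def canonical(job: dict) -> bytes:
    return json.dumps(job, sort_keys=True, separators=(",", ":")).encode()


def sign_job(job: dict, key: bytes = AGENT_KEY) -> str:
    return hmac.new(key, canonical(job), hashlib.sha256).hexdigest()


class LocalDirectory:
    """Stand-in for the directory the agent would really drive (AD via PowerShell
    or LDAP). State lives in memory so the example runs anywhere."""

    def __init__(self) -> None:
        self.accounts: Dict[str, dict] = {
            "dreyes": {"enabled": True, "groups": {"Domain Users"}},
            "sokafor": {"enabled": True, "groups": {"Domain Users"}},
        }

    def disable_account(self, user: str) -> str:
        self.accounts[user]["enabled"] = False
        return "disabled"

    def enable_account(self, user: str) -> str:
        self.accounts[user]["enabled"] = True
        return "enabled"

    def add_to_group(self, user: str, group: str) -> str:
        self.accounts[user]["groups"].add(group)
        return f"added to {group}"

    def read_user(self, user: str) -> dict:
        acct = self.accounts[user]
        return {"enabled": acct["enabled"], "groups": sorted(acct["groups"])}


class Agent:
    def __init__(self, directory: LocalDirectory, key: bytes = AGENT_KEY) -> None:
        self.directory, self.key = directory, key
        self.seen_job_ids: Set[str] = set()

    def validate(self, job: dict, signature: str, now: float) -> Tuple[bool, str]:
        # Signature first, so an unauthenticated payload cannot steer anything below.
        if not hmac.compare_digest(sign_job(job, self.key), signature):
            return False, "bad signature"
        if abs(now - job.get("issued_at", 0)) > MAX_JOB_AGE:
            return False, "expired"
        if job.get("job_id") in self.seen_job_ids:
            return False, "replay"
        if job.get("action") not in ALLOWED_ACTIONS:
            return False, "action not allowlisted"
        return True, "ok"

    def execute(self, job: dict, signature: str, now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        ok, reason = self.validate(job, signature, now)
        if not ok:
            return {"job_id": job.get("job_id"), "status": "rejected", "reason": reason}
        self.seen_job_ids.add(job["job_id"])
        handler = getattr(self.directory, job["action"])  # safe: action is allowlisted
        try:
            result = handler(**job.get("params", {}))
        except (TypeError, KeyError) as exc:
            return {"job_id": job["job_id"], "status": "rejected", "reason": f"bad params: {exc}"}
        return {"job_id": job["job_id"], "status": "done", "result": result}


def run_sample_batch() -> Tuple[list, LocalDirectory]:
    """Constructed batch: one valid job, then three the agent must refuse."""
    now = 1_700_000_000
    directory = LocalDirectory()
    agent = Agent(directory)
    disable = {"job_id": "j1", "issued_at": now, "action": "disable_account", "params": {"user": "dreyes"}}
    shell = {"job_id": "j2", "issued_at": now, "action": "run_shell", "params": {"cmd": "whoami"}}
    escalate = {"job_id": "j3", "issued_at": now, "action": "add_to_group",
                "params": {"user": "sokafor", "group": "Domain Admins"}}
    signed_as = {**escalate, "params": {"user": "sokafor", "group": "Helpdesk"}}
    results = [
        agent.execute(disable, sign_job(disable), now),
        agent.execute(shell, sign_job(shell), now),         # correctly signed, still refused
        agent.execute(disable, sign_job(disable), now),     # replay of j1
        agent.execute(escalate, sign_job(signed_as), now),  # body edited after signing
    ]
    return results, directory


if __name__ == "__main__":
    for r in run_sample_batch()[0]:
        print(r)
```

The outbound-only property comes from the agent polling (or holding a long-lived connection to) the control plane, which the example does not model. What it does model is the part that matters when that control plane is compromised or simply over-eager: a correctly signed job still fails if its action is not on the list, a captured job cannot be resubmitted, and a job whose parameters were edited after signing is dropped before the directory is touched. In a real deployment the service account behind `LocalDirectory` should additionally be delegated only over the OUs the agent is meant to manage.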
Why SailPoint and Saviynt Aren't the Default Answer for Mid-Market Either
The natural response to Entra's IGA limitations is to look at the traditional enterprise IGA platforms — SailPoint, Saviynt, IBM Security Identity. They solve the problems Entra doesn't. They also introduce a different category of problem.
Both SailPoint and Saviynt were built for large enterprise deployments with complex on-prem infrastructure. The implementation cycles are long, the connector host or virtual appliance footprint required for deep on-prem connectivity is heavy, and the configuration needed to get onboarding and offboarding workflows functioning takes months. One practitioner who went through a SailPoint IdentityNow POC described not being impressed with the cloud product and noted the on-prem version's better reputation, which gives a sense of where the product's center of gravity actually sits.
For a mid-sized organization that needs full IGA but does not have a dedicated identity engineering team, the implementation complexity of traditional enterprise platforms is its own failure mode. The pattern practitioners report is consistent: many organizations start IGA implementations and stall partway through because the resource commitment was underestimated.
The Architecture That Works for Mid-Market Hybrid Environments
The approach that avoids both traps — Entra-only gaps and enterprise IGA over-engineering — is to use Entra ID for what it does well (core directory, SSO, Azure resource governance) and layer a dedicated IGA platform on top for everything it cannot reach.
A next-generation IGA platform integrates with Entra as a source of truth for employee identities, inherits the SSO layer, and extends governance to the applications and infrastructure outside the Microsoft perimeter: the AWS workloads without APIs, the on-prem legacy systems, the SaaS tools that support browser-based access only. Zluri connects to 300+ applications natively and handles non-API apps through UI automation and on-prem agents — so the apps Entra cannot govern are still covered without custom code.
This also means the governance layer is not locked to Microsoft's product roadmap. Several practitioners evaluating Entra IGA in 2023 noted that features they needed were 12 to 18 months out on the Microsoft roadmap. Roadmap items do ship, so re-check the current feature list rather than treating a 2023 gap as permanent, but a dedicated IGA platform with those capabilities already built in is a faster path to compliance coverage than waiting on a roadmap from a vendor whose primary business is not IGA.
What to Evaluate Before Committing
Before deciding whether Entra alone covers your needs or whether a dedicated IGA layer is warranted, the questions worth answering are:
Do you need to read back entitlements from downstream apps — not just confirm someone has access, but see what specific permissions they hold? If yes, Entra will not meet that requirement without custom builds.
Do you have on-prem apps or AWS workloads without APIs? If yes, you need either browser automation or agent-based connectivity that Entra does not provide.
How much governance customization will sit with your team vs. the vendor? If your team will be maintaining custom integrations for every non-Microsoft app, the ongoing cost of that is part of the IGA total cost, not just the licensing.
Do you have the resources to run a full SailPoint or Saviynt implementation? If not, a next-generation IGA platform with faster time-to-value may be a better fit than the traditional enterprise platforms that solve the same problems at significantly higher implementation cost.
FAQ
Can Entra ID fully replace SailPoint or Saviynt for IGA?
For organizations with primarily Microsoft-centric environments and no need to govern non-API or on-prem apps, Entra ID covers a meaningful portion of IGA requirements. For hybrid environments — on-prem apps, multi-cloud workloads, legacy systems without APIs — purpose-built IGA platforms cover gaps that Entra does not, particularly around entitlement visibility and non-SCIM provisioning.
What are the biggest limitations of Entra ID for identity governance?
The main gaps practitioners report are: no general provisioning from Entra down to Active Directory (sync runs from AD; only HR-driven inbound provisioning and group provisioning reach AD, and cloud-created users are not written back), limited visibility into entitlements inside third-party apps, no out-of-the-box integration with ITSM tools like ServiceNow, and no native way to govern apps without APIs or SCIM support beyond the provisioning agent's generic connectors and custom development.
How do IGA platforms handle apps without APIs or SCIM?
Modern IGA platforms use two approaches: AI-driven browser automation to navigate and manage access in web-based apps that lack usable APIs, and lightweight on-prem agents deployed inside the network for internal apps, databases, and systems that require local command execution.
Is SailPoint or Saviynt the right alternative to Entra IGA for mid-size companies?
For mid-sized organizations without a dedicated identity engineering team, traditional enterprise platforms like SailPoint and Saviynt often involve more implementation complexity than the organization can sustain. Next-generation IGA platforms designed for faster deployment are often a better fit at that scale.