User Lifecycle Management Tools: Okta vs. Entra ID vs. JumpCloud (What Practitioners Actually Say)

May 5, 2026

You're evaluating user lifecycle management tools and trying to get past the vendor websites to understand what IT teams who actually run these systems think. The honest picture from practitioners: Okta works well, Entra ID is the right answer if you're already a Microsoft shop, JumpCloud hits a useful sweet spot for smaller organizations, and all of them run into the same structural problem when you try to automate the full lifecycle across a SaaS stack where not every application supports SCIM.

What Practitioners Actually Say About Each Tool

Okta is the most commonly mentioned tool in the thread and gets consistently positive reviews from teams that have set it up properly. Auto-provisioning for M365, GitHub, and Atlassian via SCIM; SAML authentication for VPNs and other supported SaaS applications; and MFA are the core use cases where it earns its reputation. The consistent complaints are pricing (renewals are described as non-negotiable, and discounts are hard to get without significant license volume) and the SSO tax — several applications charge an add-on for SAML support that adds meaningful cost per application. One team described using someone from Upwork to handle the initial setup, which worked. The adaptive MFA module was described as not worth the premium.

Entra ID comes up as the default recommendation for Microsoft shops, and practitioners with hybrid or primarily Microsoft environments describe it as solid for the use cases it covers. Entra ID Governance was mentioned for more advanced IGA scenarios — access packages, lifecycle workflows — though at additional licensing cost that partially offsets the savings from choosing Microsoft over Okta. The commenter who noted some customers are on Entra ID Governance while others use SailPoint was describing the typical enterprise split: Entra ID core for identity, either Entra Governance or a third-party IGA platform for access management.

JumpCloud gets positioned as the cost-effective option for smaller organizations: it is free for 10 users or fewer, integrates with Microsoft and Google, and includes password management and MDM functionality. The limitations noted: fewer integrations than Okta, patch management that lags behind dedicated RMM tools, and limited PSA integration for MSPs. For teams that need SSO, directory, and basic MDM without Okta's pricing, it's a legitimate choice.

BetterCloud mixed with Okta and Zapier came up as a SaaS management layer approach — BetterCloud handles SaaS lifecycle actions, Okta handles identity, and Zapier handles custom integrations. This is the DIY orchestration approach that works for organizations comfortable building and maintaining the connections.

ADManager Plus was mentioned by ManageEngine as an option for AD-centric environments with M365 integration — automating onboarding, offboarding, and compliance reporting within the Microsoft stack.

OneLogin was named as a lower-cost alternative to Okta with a decent integration network.

The Features Every Tool Struggles With

The question "what ULM features do you wish these tools offered?" produced a remarkably consistent answer across the thread, and it's worth being specific.

SCIM coverage gaps. Every IdP-based lifecycle management tool is limited by what applications support SCIM. The SSO tax means many applications that theoretically support SCIM only expose it at enterprise pricing. The result: even organizations with Okta or Entra ID well-configured find that a significant portion of their SaaS stack requires manual provisioning and deprovisioning because the applications aren't in the SCIM-supported tier.

Granular entitlement management. Creating a user account in an application is straightforward via SCIM. Assigning the correct license tier, permission set, or application-specific role based on department or location is where most IdP-native tooling falls short. Okta and Entra ID can push a SCIM payload to create the account; managing the fine-grained access profile within the application requires either application-native configuration or an additional governance layer.

Shadow IT discovery. Standard IAM tools manage what IT provisioned. They don't discover applications employees adopted outside IT's visibility — the tool finance added via a shared credit card, the AI tool someone connected with personal Google OAuth, the vendor portal with separate credentials. Standard IdP tools have no mechanism to surface these; they're invisible at offboarding unless a discovery engine identifies them separately.

Automated access reviews. Periodic certification campaigns — quarterly reviews where application owners confirm or revoke user access — are either absent or expensive in standard IAM tools. Entra ID Governance includes access reviews as part of its licensed feature set. Okta's access review functionality requires additional modules. Most teams that don't have dedicated IGA tooling do their access reviews in spreadsheets, which satisfies audit requirements technically but creates enormous manual work.

Non-SCIM application automation. For applications with no SCIM support but with an API, direct API-based provisioning handles the gap. For applications with no API at all, the gap is structural. Both categories are outside what standard IdP tools handle — they require either custom automation or an IGA platform with broader integration coverage.

How to Think About Tool Selection for Your Specific Environment

The commenter who gave the most structured framework in the thread identified the right evaluation dimensions:

SCIM coverage and integration network. How many of your applications are in the tool's supported integration catalog? For each application not in the catalog, what's the fallback — manual, custom script, or iPaaS?

Additional SKUs. Workflows, access reviews, advanced lifecycle management — what's included in the base license and what costs extra? This is where Okta's pricing model compounds quickly, and where Entra ID Governance's separate licensing becomes significant.

MDM integration. Is device management included, integrated, or a separate tool? JumpCloud includes basic MDM; Okta integrates with Jamf and Intune but doesn't include MDM. For environments where device lifecycle is part of the identity lifecycle, this matters.

Cost and expected trajectory. Okta is more capable and more expensive; JumpCloud and OneLogin are cheaper and more limited. Entra ID is cost-effective for Microsoft shops but requires additional licensing for full IGA capability. The right choice depends on current SaaS stack complexity, compliance requirements, and expected growth.

HRIS integration. The key integration for automating the full lifecycle is between your HR system and your IdP. If your HRIS connects cleanly to Okta or Entra ID, the provisioning trigger can be automated. If it doesn't — or if it does but requires custom configuration — that's where an IGA orchestration layer adds value.

Where an IGA Platform Extends What IdP Tools Cover

The tools described above — Okta, Entra ID, JumpCloud — handle authentication and SCIM-based provisioning well. The gap is the governance layer: managing the applications outside SCIM coverage, discovering shadow IT, automating access reviews, and handling the full offboarding sequence including data transfer and license reclamation.

Zluri sits above the IdP rather than replacing it. Okta or Entra ID continues to handle SSO and directory; Zluri adds the provisioning logic for non-SCIM applications, the discovery engine for shadow IT, the access certification campaigns, and the offboarding playbooks that handle the complete user exit sequence. The HRIS event (hire or termination) triggers provisioning and offboarding across both the IdP-connected applications and the broader SaaS stack simultaneously.

For organizations at the point of choosing a ULM tool stack, the practical question is how much SaaS complexity requires the governance layer. For smaller organizations with a compact, well-connected SaaS stack, Okta or JumpCloud plus the applications' native SCIM integration handles most of it. For organizations with more than 30–40 SaaS applications, significant non-SCIM coverage, or compliance-driven access review requirements, the IdP alone leaves meaningful gaps.

Frequently Asked Questions

What is the best user lifecycle management tool for a mid-market company?

Okta is the most capable option with the broadest integration network, but it's also the most expensive. Entra ID is the right choice for Microsoft-centric environments and is more cost-effective when you're already paying for M365. JumpCloud hits a useful price-to-capability ratio for smaller organizations or those that don't need Okta's full feature set. All of them have SCIM coverage gaps that an IGA platform addresses.

What is the SSO tax and how does it affect ULM tool selection?

The SSO tax refers to SaaS vendors charging enterprise pricing to unlock SAML and SCIM support. This means that even with Okta or Entra ID configured, many of your applications can't be automatically provisioned or deprovisioned because they don't expose SCIM at the tier you're paying for. The practical responses are upgrading specific application licenses, switching to competitors that include SSO at lower tiers, or using an IGA platform with direct API integrations that don't depend on the vendor's SCIM implementation.

How do you handle provisioning for applications that aren't in your IdP's SCIM catalog?

Direct API integrations (if the application has an API), iPaaS-based custom integrations, or IGA platforms with broader integration coverage. For applications with no API at all, managed manual task routing — where the offboarding workflow generates a tracked task for the application owner — keeps the manual step inside the documented process with an audit trail.
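The routing described in this answer, as an added example (not code from the article or from any vendor's product): each application in a constructed inventory is assigned a SCIM deactivation, a direct API call, or a tracked manual task, so every application leaves an audit record at offboarding. The inventory fields, function names and one-day task deadline are assumptions made for the illustration.

```python
import json
from datetime import date, timedelta

# Constructed sample inventory; app names, owners and fields are illustrative.
INVENTORY = [
    {"app": "code-hosting", "integration": "scim", "owner": "eng-it@example.com"},
    {"app": "expense-tool", "integration": "api", "owner": "finance-ops@example.com"},
    {"app": "vendor-portal", "integration": "none", "owner": "procurement@example.com"},
]

def scim_deactivate_body():
    """SCIM 2.0 PatchOp body (RFC 7644) that sets a User's active flag to false."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }

def plan_offboarding(user, inventory, last_day, sla_days=1):
    """Return one audit record per application for a departing user."""
    records = []
    for entry in inventory:
        rec = {"user": user, "app": entry["app"], "owner": entry["owner"],
               "status": "pending"}
        kind = entry.get("integration")
        if kind == "scim":
            rec.update(action="scim_patch", automated=True,
                       request=scim_deactivate_body())
        elif kind == "api":
            # Placeholder: the actual call depends on the vendor's API.
            rec.update(action="vendor_api_call", automated=True)
        else:
            # No SCIM, no API, or an unrecognized type: fail closed to a
            # tracked task for the application owner with a due date.
            due = last_day + timedelta(days=sla_days)
            rec.update(action="manual_task", automated=False,
                       due=due.isoformat())
        records.append(rec)
    return records

def open_manual_steps(records):
    """Manual deprovisioning tasks not yet confirmed done by their owner."""
    return [r for r in records if not r["automated"] and r["status"] != "done"]

if __name__ == "__main__":
    plan = plan_offboarding("jdoe@example.com", INVENTORY, date(2026, 5, 5))
    print(json.dumps(plan, indent=2))
```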

What is the difference between an IAM tool like Okta and an IGA platform like Zluri?

IAM tools handle authentication (who can log in) and basic provisioning for SCIM-connected applications. IGA platforms handle the governance layer: provisioning for non-SCIM applications, shadow IT discovery, access reviews and certification campaigns, granular entitlement management, and the full offboarding sequence including data transfer and license reclamation. Most mature identity programs use both: an IdP for authentication and directory, and an IGA platform for governance.

Is JumpCloud a viable alternative to Okta for small to mid-sized companies?

Yes, for organizations under 50–100 users with a relatively simple SaaS stack. JumpCloud includes directory, SSO, MDM, and basic provisioning at a lower price point than Okta. The integration network is smaller and patch management lags behind dedicated RMM tools, but for organizations that don't need Okta's full integration depth, JumpCloud handles the core identity use cases at meaningful cost savings.

See How Zluri Extends Your Existing IdP for Full User Lifecycle Management

Most organizations find that their IdP handles authentication well and leaves gaps in provisioning for non-SCIM apps, shadow IT coverage, and access review automation. See how Zluri's IGA layer closes those gaps above your existing Okta or Entra ID environment — without replacing the tools that are already working.