TL;DR
Three identity providers, three very different trade-offs. For a 10-50 person Australian SMB, your choice of IdP is less about feature checklists and more about what you're already running and what your threat model actually looks like. In a year where AI-driven device code phishing campaigns are bypassing MFA at scale and OAuth token theft is the new credential stuffing, your identity layer IS your perimeter. This guide breaks down Okta, Entra ID (P1/P2), and Authentik across SSO coverage, conditional access, JML automation, audit logging, cost, and operational overhead — with a decision matrix and concrete recommendations for three common SMB archetypes.
The Threat Landscape Demands More Than MFA
Two attack patterns dominate 2026 identity breaches. First, AI-enabled device code phishing. Microsoft's Defender team documented a campaign using dynamic code generation, automated backend infrastructure on Railway.com, and generative AI for hyper-personalised lures. The attacker initiates the OAuth device code flow, lures the victim into entering the code, and the victim then authenticates (MFA included) through a legitimate Microsoft sign-in page. MFA is never bypassed in the cryptographic sense; the resulting token simply lands in the attacker's session instead of the user's.
Second, OAuth token abuse through SaaS integrations. The Salesloft breach demonstrated that compromising a single OAuth token between two apps can unlock data across hundreds of downstream tenants — no phishing, no credential theft, just a stolen integration token operating silently.
Both attack classes share a characteristic: they operate after authentication succeeds. MFA did its job. The session was validated. Then the attacker walked through the front door with a valid token. This is precisely why conditional access, session-aware monitoring, and token lifecycle controls matter more than which second factor you choose.
SSO Coverage: Breadth Matters More Than Depth
Okta Workforce Identity supports SAML 2.0, OIDC, and WS-Fed out of the box. Its integration catalogue (the Okta Integration Network) exceeds 7,000 pre-built connectors. SCIM provisioning is strong for major SaaS apps (Google Workspace, Microsoft 365, Slack, Salesforce, Atlassian). For an SMB running a mixed SaaS stack, Okta's breadth is its primary selling point.
Microsoft Entra ID P1 covers SAML, OIDC, and WS-Fed natively. If your stack is Microsoft-heavy (M365, Dynamics, Azure), integration is seamless — it's already your IdP whether you've configured it or not. SCIM provisioning works well for Microsoft-adjacent SaaS but gets patchier for niche applications. Entra ID P2 adds identical SSO breadth; the upgrade is about security features, not connectivity.
Authentik (self-hosted, open-source) supports SAML 2.0, OIDC, LDAP, RADIUS, and forward-auth proxying for apps with no native SSO. There is no vendor-curated integration catalogue; you configure each application by hand, following the community integration guides where one exists. Outbound SCIM provisioning is built in but newer and exercised against far fewer applications than the commercial catalogues. For 10-50 users running a known, stable set of applications, this is manageable. For environments with frequent SaaS churn, the manual overhead adds up fast.
Conditional Access: Where the Real Security Lives
This is the capability that determines whether your identity provider can actually stop the attacks described above.
Entra ID P1 includes Conditional Access with named-location policies, device compliance checks, application-level controls, and session controls such as sign-in frequency. It also includes the authentication flows condition, which lets you block the device code flow outright for users who have no business using it. P2 adds risk-based Conditional Access powered by Microsoft Identity Protection: sign-in risk and user risk policies that automatically block or challenge sessions based on anomalous behaviour, plus Privileged Identity Management for just-in-time admin access. For Australian SMBs working to the Essential Eight, these controls support the multi-factor authentication and restrict administrative privileges strategies, but no licence satisfies a maturity level by itself; the policies still have to be built, scoped, and documented.
Okta's Identity Engine offers comparable building blocks: network zones, device assurance and registered-device checks, and step-up authentication through authentication policies. Risk signals (Okta ThreatInsight, Adaptive MFA) sit behind higher-tier SKUs. The pieces are all there, but the risk scoring is less tightly integrated than Entra's Identity Protection, and the licensing of the advanced pieces is harder to predict for a small tenant.
Authentik provides policy-based access control with custom Python expressions — powerful but entirely DIY. You can build conditional access rules, but there's no threat intelligence feed, no risk scoring, and no anomaly detection. You're building the logic yourself.
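The paragraphs above argue that MFA alone passes the device code phish and that only a risk signal catches a replayed session. The following simulator, an added example rather than code from the article or from any vendor, runs three policy tiers over constructed sign-in events. The event fields are loosely modelled on Entra sign-in log properties (authentication protocol, device compliance, sign-in risk level); TRUSTED_NETWORKS, the policy names, and the four events are assumptions for illustration only.

```python
"""Conditional-access simulator run over constructed sign-in events.

Added example, not code from the article or from any vendor. Field names are
modelled loosely on Entra sign-in log properties; TRUSTED_NETWORKS, the events
and the three policy tiers are assumed values for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]  # assumed office egress range
RISK_ORDER = ["none", "low", "medium", "high"]     # mirrors riskLevelDuringSignIn


@dataclass
class SignIn:
    user: str
    ip: str
    protocol: str          # "browser", "deviceCode" or "legacy"
    mfa_satisfied: bool    # the human completed MFA during this authentication
    device_compliant: bool
    risk: str = "none"     # a risk score only exists with P2-class tooling


@dataclass
class Policy:
    name: str
    untrusted_network_only: bool = False   # named-location exclusion, as in Entra CA
    require_mfa: bool = False
    block_protocols: Tuple[str, ...] = ()
    require_compliant_device: bool = False
    block_risk_at_or_above: Optional[str] = None


def in_trusted_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate(event: SignIn, policies: List[Policy]) -> Tuple[str, List[str]]:
    """Return ("allow"|"block", reasons). As in Entra CA, any matching block wins."""
    reasons = []
    for p in policies:
        if p.untrusted_network_only and in_trusted_network(event.ip):
            continue  # policy scoped to untrusted networks; office traffic is exempt
        if event.protocol in p.block_protocols:
            reasons.append(f"{p.name}: protocol {event.protocol} blocked")
        if p.require_mfa and not event.mfa_satisfied:
            reasons.append(f"{p.name}: MFA not satisfied")
        if p.require_compliant_device and not event.device_compliant:
            reasons.append(f"{p.name}: device not compliant")
        if (p.block_risk_at_or_above is not None
                and RISK_ORDER.index(event.risk) >= RISK_ORDER.index(p.block_risk_at_or_above)):
            reasons.append(f"{p.name}: sign-in risk {event.risk}")
    return ("block" if reasons else "allow"), reasons


# Tier 1: what many SMBs deploy on P1 - MFA everywhere, legacy auth blocked.
BASELINE = [
    Policy("require-mfa", require_mfa=True),
    Policy("block-legacy-auth", block_protocols=("legacy",)),
]
# Tier 2: still P1, but closes the device-code gap and demands a managed device off-network.
HARDENED_P1 = BASELINE + [
    Policy("block-device-code-flow", block_protocols=("deviceCode",)),
    Policy("compliant-device-off-network", untrusted_network_only=True,
           require_compliant_device=True),
]
# Tier 3: adds a risk threshold, which only P2-class tooling can supply.
HARDENED_P2 = HARDENED_P1 + [
    Policy("block-high-risk-sign-in", block_risk_at_or_above="high"),
]

# Constructed events. "device-code-phish" is the attack from the article: the victim
# really did complete MFA, but the token is redeemed from the attacker's infrastructure.
EVENTS = {
    "office-browser":    SignIn("alice", "203.0.113.10", "browser", True, True),
    "device-code-phish": SignIn("bob", "198.51.100.7", "deviceCode", True, False, "low"),
    "legacy-imap":       SignIn("carol", "198.51.100.8", "legacy", False, False),
    "replayed-session":  SignIn("dave", "192.0.2.5", "browser", True, True, "high"),
}


def decisions(policies: List[Policy]) -> dict:
    """Map each constructed event name to the allow/block decision under one tier."""
    return {name: evaluate(ev, policies)[0] for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for tier, pol in (("baseline", BASELINE), ("hardened_p1", HARDENED_P1),
                      ("hardened_p2", HARDENED_P2)):
        print(tier, decisions(pol))
```

The point to take from the output is the middle row: the baseline tier admits the device-code phish because "require MFA" is satisfied, the hardened P1 tier blocks it on protocol alone, and only the P2 tier blocks the replayed session, because the other tiers have no risk signal to act on.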
Lifecycle Management (JML) and Audit Logging
Joiner-Mover-Leaver automation separates an identity provider from a fancy login page.
Okta: Robust lifecycle management with workflow automation (Okta Workflows). Automated provisioning/deprovisioning across integrated apps. Audit logging is comprehensive with real-time streaming to SIEM. The out-of-box JML workflows are a genuine time-saver for SMBs without dedicated IAM staff.
Entra ID P1/P2: Lifecycle management through Microsoft Entra ID Governance (additional cost) or through dynamic groups and access reviews in P2. Audit logs are rich and integrate natively with Microsoft Sentinel (if you're running it). The catch: full JML automation requires Entra ID Governance, which is an add-on licence on top of P2.
Authentik: No built-in JML workflow engine. You script joiner and leaver steps yourself against its REST API, or drive it from an external tool. Audit logging exists (the events log, with notification rules that can forward to email or a webhook) but lacks the depth and SIEM-ready export of the commercial offerings. For a 20-person team, manual onboarding/offboarding is survivable. At 50, it becomes error-prone, and the error that matters is the leaver whose sessions and tokens outlive their account.
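The leaver half of JML is where hand-rolled automation usually goes wrong, so here is the sequence as an added example, not code from the article or from the Authentik project. The endpoint paths (core/users, core/authenticated_sessions, core/tokens under /api/v3/) and the filter parameters are assumptions about Authentik's API layout and should be checked against the schema your own instance serves; the FakeAuthentik class stands in for the server so the sequence runs offline.

```python
"""Leaver (offboarding) sequence against an Authentik-style REST API.

Added example, not part of the article or of the Authentik project. Endpoint
paths and filter names are assumptions; verify them against your instance's
API schema before use. Order matters: deactivate first, then revoke sessions
and tokens, and never assume deactivation alone ends what was already issued.
"""
import json
from typing import Dict, List, Optional
from urllib import request as urlrequest
from urllib.parse import urlencode

USER_PATH = "/api/v3/core/users/"                    # assumed
SESSION_PATH = "/api/v3/core/authenticated_sessions/"  # assumed
TOKEN_PATH = "/api/v3/core/tokens/"                   # assumed


class AuthentikClient:
    """Minimal bearer-token client for a real instance (not exercised offline)."""

    def __init__(self, base_url: str, api_token: str):
        self.base_url = base_url.rstrip("/")
        self.api_token = api_token

    def request(self, method: str, path: str, params: Optional[Dict] = None,
                body: Optional[Dict] = None) -> Dict:
        url = self.base_url + path + ("?" + urlencode(params) if params else "")
        data = json.dumps(body).encode() if body is not None else None
        req = urlrequest.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {self.api_token}",
            "Content-Type": "application/json"})
        with urlrequest.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}


class FakeAuthentik:
    """Offline stand-in with constructed fixtures; records every call it receives."""

    def __init__(self):
        self.calls: List[tuple] = []
        self.users = {"jdoe": {"pk": 42, "username": "jdoe", "is_active": True, "groups": [3, 7]}}
        self.sessions = {"jdoe": ["sess-a1", "sess-b2"]}   # constructed session ids
        self.tokens = {"jdoe": ["api-tok-1"]}             # constructed token identifier

    def request(self, method, path, params=None, body=None):
        self.calls.append((method, path, params, body))
        if method == "GET" and path == USER_PATH:
            u = self.users.get(params["username"])
            return {"results": [u] if u else []}
        if method == "GET" and path == SESSION_PATH:
            return {"results": [{"uuid": s} for s in self.sessions.get(params["user__username"], [])]}
        if method == "GET" and path == TOKEN_PATH:
            return {"results": [{"identifier": t} for t in self.tokens.get(params["user__username"], [])]}
        if method == "PATCH" and path.startswith(USER_PATH):
            for u in self.users.values():
                if path == f"{USER_PATH}{u['pk']}/":
                    u.update(body)
            return {}
        if method == "DELETE":
            return {}
        raise RuntimeError(f"unexpected call {method} {path}")


def offboard(client, username: str) -> List[str]:
    """Deactivate a user, then revoke every live session and token. Returns the steps taken."""
    steps: List[str] = []
    users = client.request("GET", USER_PATH, params={"username": username})["results"]
    if not users:
        raise LookupError(f"no such user {username}")
    pk = users[0]["pk"]
    # 1. Deactivate and strip group membership so no new sessions or app assertions are issued.
    client.request("PATCH", f"{USER_PATH}{pk}/", body={"is_active": False, "groups": []})
    steps.append("deactivated")
    # 2. Whether deactivation ends existing sessions depends on the IdP; revoke them explicitly.
    for s in client.request("GET", SESSION_PATH, params={"user__username": username})["results"]:
        client.request("DELETE", f"{SESSION_PATH}{s['uuid']}/")
        steps.append(f"session:{s['uuid']}")
    # 3. API and app tokens are bearer credentials; they must go too.
    for t in client.request("GET", TOKEN_PATH, params={"user__username": username})["results"]:
        client.request("DELETE", f"{TOKEN_PATH}{t['identifier']}/")
        steps.append(f"token:{t['identifier']}")
    return steps


if __name__ == "__main__":
    print(offboard(FakeAuthentik(), "jdoe"))
```

Even with all three steps done, sessions that downstream SaaS apps established from an earlier SAML or OIDC assertion keep running until the app itself is told; that is the gap SCIM deprovisioning (or an app-side revoke) closes, and it is the reason the commercial JML workflows earn their price.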
Cost and Operational Overhead
| Dimension | Okta Workforce | Entra ID P1 | Entra ID P2 | Authentik |
|---|---|---|---|---|
| Cost (AUD/user/month) | $8–12 | $8–9 | $14–16 | Free (+ hosting) |
| Hosting | SaaS | SaaS | SaaS | Self-hosted |
| Setup time | 2–4 weeks | 1–2 weeks (if M365) | 1–2 weeks | 1–3 weeks |
| Ongoing maintenance | Low | Low | Low | Medium–High |
| Minimum IT skill required | Generalist | M365 familiarity | M365 familiarity | Linux/sysadmin |
Authentik's "free" price tag is misleading. Hosting on a VPS ($10–30/month), TLS certificates, backups, updates, and incident response all consume staff time. For a cost-constrained SMB with a capable sysadmin, it works. For everyone else, it's a hidden cost centre.
Decision Matrix
| Criteria | Okta | Entra ID (P1/P2) | Authentik |
|---|---|---|---|
| SSO breadth (mixed SaaS) | Excellent | Good | Adequate |
| SSO depth (Microsoft stack) | Good | Excellent | Adequate |
| Conditional access | Good (P2-level requires add-on) | Excellent (P2) | DIY only |
| JML automation | Excellent | Good (requires Governance add-on) | Manual/API |
| Audit logging | Excellent | Excellent | Basic |
| Cost efficiency | Moderate | Moderate–High | High (if you have the skills) |
| Operational overhead | Low | Low | High |
| Compliance readiness | Strong | Strongest (Essential Eight alignment) | Requires custom work |
Go With X If...
Microsoft-first SMB (M365, Teams, Azure, Dynamics): Go with Entra ID P2. You're already paying for an Entra ID tier with your M365 licences. Upgrading to P2 adds risk-based Conditional Access on top of P1's ability to block the device code flow outright, which together cover the sign-in side of the attacks dominating 2026; pair them with app consent policies for the OAuth side. The native integration with your existing stack means zero SSO gaps. Factoring in what you're already licensing, P2 is often cheaper than adding a third-party IdP.
Multi-cloud / heterogeneous SaaS SMB: Go with Okta Workforce Identity. When your stack spans Google Workspace, Salesforce, Atlassian, AWS, and Slack with no dominant vendor, Okta's integration breadth and reliable SCIM provisioning across all of them matters more than deep Microsoft integration. The JML workflows save significant time in environments with frequent staff changes.
Cost-constrained SMB with strong Linux skills: Go with Authentik. If you're running 10–25 people, have a capable sysadmin, and your application set is stable and small, Authentik's self-hosted model delivers real savings. Budget $20–40/month for a VPS, plan for quarterly updates, and accept that conditional access will be hand-built policy expressions rather than vendor-managed risk scoring. It's a legitimate choice — just not a free one.
FAQ
Is Authentik production-ready for a 20-person business? Yes, with caveats. It handles SAML and OIDC flows reliably. The gaps are in operational tooling — no built-in JML workflows, limited audit export, and community rather than vendor support. If you have a sysadmin who can own it, it works.
Do I need Entra ID P2 or is P1 sufficient? P1 gives you Conditional Access based on location, device, and application, and it is enough to block the device code flow for everyone who does not need it. P2 adds risk-based policies (sign-in risk, user risk) that detect anomalous behaviour automatically. In 2026's threat landscape, where attacks ride legitimate authentication flows, risk-based detection is the layer that catches what static policies miss. If budget allows, P2 is the recommendation; if it does not, configure P1 properly rather than leaving it on defaults.
What about the Essential Eight? The Australian Cyber Security Centre's Essential Eight Maturity Model includes multi-factor authentication and restricting administrative privileges among its eight strategies; the higher maturity levels expect phishing-resistant MFA, centrally logged authentication events, and just-in-time, regularly reviewed privileged access. Entra ID P2 maps most directly to these requirements out of the box. Okta satisfies them with configuration. Authentik can satisfy them, but requires custom implementation and documentation.
How do I handle the OAuth integration risks raised by the Salesloft breach? Regardless of which IdP you choose, audit every OAuth-based integration in your tenant quarterly. Revoke grants for unused integrations, and revoke their refresh tokens rather than just deleting the app registration. Apply least-privilege scopes, and restrict user consent so that broad or write scopes need admin approval. In Entra, the consent and permissions settings and the Enterprise applications blade cover this; Identity Protection's workload identity risk detections exist but require the separate Workload ID licence, not P2. Okta requires reviewing API tokens and OAuth app grants in its admin console; Authentik requires manual review of connected applications.
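A quarterly review is only useful if it ranks grants by what they can do, so here is a triage routine as an added example, not code from the article or from Microsoft or Okta. The grant and application records are constructed and loosely modelled on Entra's oauth2PermissionGrants and servicePrincipal objects; the scope weights, the 90-day idle threshold, and the score cut-offs are assumptions to tune for your own tenant.

```python
"""Rank OAuth delegated-permission grants for a quarterly review.

Added example, not code from the article or from any IdP vendor. Records are
constructed and loosely modelled on Entra grant/service-principal shapes; the
weights, thresholds and cut-offs are assumptions, not vendor guidance.
"""
from datetime import date, timedelta
from typing import Dict, List, Tuple

TODAY = date(2026, 5, 1)          # pinned so the constructed data evaluates the same every run
IDLE_AFTER = timedelta(days=90)   # assumed threshold: integrations idle this long get revoked

# Scopes that write, send, or touch the whole tenant: a stolen token with these is a breach.
WRITE_OR_TENANT_WIDE = {"Directory.ReadWrite.All", "Mail.ReadWrite", "Mail.Send",
                        "Files.ReadWrite.All", "Sites.ReadWrite.All", "User.ReadWrite.All"}
# Broad read scopes: quieter, but exactly what a silent integration-token theft exfiltrates.
BROAD_READ = {"Mail.Read", "Files.Read.All", "Directory.Read.All", "Sites.Read.All"}


def score_grant(grant: Dict, sp: Dict) -> Tuple[int, List[str]]:
    """Score one delegated grant; higher means revoke or re-scope sooner."""
    score, why = 0, []
    scopes = set(grant["scope"].split())           # space-separated, as in Entra
    for s in sorted(scopes & WRITE_OR_TENANT_WIDE):
        score += 3
        why.append(f"write/tenant-wide scope {s}")
    for s in sorted(scopes & BROAD_READ):
        score += 1
        why.append(f"broad read scope {s}")
    if "offline_access" in scopes:
        score += 2
        why.append("offline_access: long-lived refresh token (the integration-token-theft pattern)")
    if grant["consentType"] == "AllPrincipals":
        score += 2
        why.append("admin consent on behalf of every user in the tenant")
    if sp.get("verifiedPublisher") is None:
        score += 2
        why.append("publisher not verified")
    last_used = sp.get("lastSignIn")
    if last_used is None or TODAY - last_used > IDLE_AFTER:
        score += 3
        why.append("integration idle for more than 90 days, or never used")
    return score, why


def action_for(score: int) -> str:
    if score >= 6:
        return "revoke-or-rescope"
    if score >= 3:
        return "review"
    return "ok"


def triage(grants: List[Dict], sps: Dict[str, Dict]) -> List[Dict]:
    """Return one row per grant, highest score first, with a recommended action."""
    rows = []
    for g in grants:
        sp = sps[g["clientId"]]
        score, why = score_grant(g, sp)
        rows.append({"app": sp["displayName"], "score": score,
                     "action": action_for(score), "why": why})
    return sorted(rows, key=lambda r: -r["score"])


# Constructed fixtures: four integrations a 30-person tenant might plausibly accumulate.
SERVICE_PRINCIPALS = {
    "sp-chat": {"displayName": "ChatWidget (constructed)", "verifiedPublisher": None,
                "lastSignIn": date(2026, 4, 28)},
    "sp-cal":  {"displayName": "CalendarSync (constructed)", "verifiedPublisher": "Example Pty Ltd",
                "lastSignIn": date(2026, 4, 30)},
    "sp-rep":  {"displayName": "OldReporting (constructed)", "verifiedPublisher": "Example Pty Ltd",
                "lastSignIn": date(2025, 11, 1)},
    "sp-bak":  {"displayName": "BackupApp (constructed)", "verifiedPublisher": "Example Pty Ltd",
                "lastSignIn": date(2026, 4, 29)},
}
GRANTS = [
    {"clientId": "sp-chat", "consentType": "AllPrincipals", "scope": "Mail.Read offline_access User.Read"},
    {"clientId": "sp-cal",  "consentType": "Principal",     "scope": "Calendars.Read User.Read"},
    {"clientId": "sp-rep",  "consentType": "AllPrincipals", "scope": "Files.Read.All"},
    {"clientId": "sp-bak",  "consentType": "Principal",     "scope": "Files.ReadWrite.All offline_access"},
]


if __name__ == "__main__":
    for row in triage(GRANTS, SERVICE_PRINCIPALS):
        print(f"{row['score']:>2} {row['action']:<18} {row['app']}: {'; '.join(row['why'])}")
```

Two of the constructed grants land in the revoke bucket for different reasons: the chat widget because an unverified publisher holds a tenant-wide mailbox-read grant with a refresh token, and the reporting tool because nobody has used it in six months. The backup app only earns a review, but its write scope plus refresh token is exactly the combination worth re-scoping to a single service account.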
Conclusion
Your identity provider is no longer just a login page — it's the control plane for every access decision in your organisation. The 2026 threat landscape, from AI-driven device code phishing to OAuth token abuse through SaaS integrations, makes conditional access capability and token lifecycle controls non-negotiable. Pick the provider that matches your stack, your skills, and your budget — but pick one, and configure it thoroughly. An unconfigured IdP is worse than no IdP, because it creates the illusion of security.
Visit consult.lil.business for a free cybersecurity assessment — we'll review your identity architecture against the current threat landscape and the Essential Eight, and give you a concrete roadmap.
References
- Microsoft Security Blog: Inside an AI-enabled device code phishing campaign (April 2026) — https://www.microsoft.com/en-us/security/blog/2026/04/06/ai-enabled-device-code-phishing-campaign-april-2026/
- Australian Cyber Security Centre: Essential Eight Maturity Model — https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight
- NIST Special Publication 800-63-4: Digital Identity Guidelines — https://pages.nist.gov/800-63-4/