Open Source Alternatives
Microsoft's cloud identity service (now Entra ID): SSO, MFA, and directory for apps and workforces.
Azure AD (Microsoft Entra ID) is a trademark of its respective owner.
Updated Jul 2026
Azure AD is sticky because it is wired into Microsoft 365, Windows, and Intune, and that integration is what you lose, not your user accounts. Authentik and ZITADEL replace the SSO, MFA, and directory functions for your own apps. They do not replace conditional access tied to Microsoft's risk engine or device management through Intune. A team using Entra only for app SSO can move in a week or two. An organization running Windows, M365, and device compliance through Entra is not really switching identity, it is leaving the Microsoft ecosystem, which is a much larger project. The hidden cost is everything else in your stack that authenticates against Entra.
We find the alternatives so you don't have to
Open source analysis in your inbox every Wednesday.
Ranked by feature coverage
Flexible identity provider
SSO (single sign-on), multi-factor auth, user directories, all in one place. The open source version is extremely capable.
Identity infrastructure, simplified
ZITADEL is a self-contained identity platform: login, signup, SSO, multi-factor auth, user roles, all in one. It's an alternative to Auth0 or Clerk that you can self-host for free.
Open Source Identity and Access Management For Modern Applications and Services
Keycloak is the default answer to "we need SSO but we're not paying Okta." It handles logins, SAML, OIDC, MFA, and user federation with LDAP and Active Directory for every app you own. Red Hat has backed it for over a decade, it's now a CNCF project, and every feature ships free under Apache 2.0.
Authentik and ZITADEL replace Azure AD's app SSO, MFA, and directory. They don't touch Microsoft 365, Windows, or Intune integration, so this only makes sense if your identity needs are app-level, not whole-ecosystem.