Key Takeaways
- Security defaults ≠ security. Conditional Access is challenging; Okta + ZeroTek is intuitive, robust, and scalable.
- Free might trim license counts. But Okta + ZeroTek cut real costs—MSP toil and tickets—while hardening security for all your clients.
- Manual SAML/SCIM in Microsoft drags projects. Okta + ZeroTek cuts SSO app integrations to minutes.
- Policy sprawl in CA can break access. Okta via ZeroTek standardizes controls across tenants for predictability and efficiency.
- MFA gaps persist too easily. Okta via ZeroTek makes phishing-resistant MFA the baseline across all customers.
Contents
- Introduction: the limitations of Microsoft for MSPs
- The “Microsoft is good enough” mindset—and why it’s risky
- NENS on how “Free MFA is never free.”
- Where Entra ID falls short for real-world SMB needs
- NENS on policy and logging differences
- The hidden costs of “free” (time, complexity, and security debt)
- What “real identity security” looks like for MSPs
- NENS on managing secure access to Okta with ZeroTek
- Why ZeroTek + Okta is the pragmatic MSP answer
- NENS on how ZeroTek and Okta transformed their delivery of IAM
If you manage identity for small-to-medium businesses (SMBs), you’ve heard it before: “We’ve got Microsoft—why pay for anything else?” But the limitations of Microsoft Entra for MSPs (and the SMBs they serve) show up fast: wrestling with Conditional Access, MFA enforcement that is easy to leave incomplete, and time-consuming integrations with non-Microsoft apps. That gap between “free” and secure is where risk increases, and time and money disappear.
We’ve already done a feature-by-feature comparison of Okta vs Microsoft Entra for MSPs. This article is more specifically for MSPs who’ve worked with Entra ID in the field and want a better solution for themselves and the SMBs they support. We’ll take a close look at where the Microsoft-only approach falls short for SMB realities, quantify the hidden costs of “free,” and outline what better identity security looks like delivered the MSP way with ZeroTek and Okta. Along the way, you’ll hear from ZeroTek Partner and co-author, New England Network Solutions (NENS) about their real-world experiences using industry-leading Okta to protect their customers with top-tier identity and access security.
This is the second of a weekly six-part series co-authored by ZeroTek and NENS for Cybersecurity Awareness Month (October). Some articles, like this one, are written for MSPs; most will address the concerns of SMBs.
The “Microsoft is good enough” mindset—and why it’s risky
For SMBs that already license Microsoft 365 (M365), leaning on Entra ID feels pragmatic: it has MFA, some SSO, and “security defaults” that you’d expect would provide an acceptable baseline level of security. The catch is, the moment you need more than very rudimentary access control, you’re in Conditional Access territory, and that requires an additional paid license layer (Entra ID P1 or higher, which is bundled with Microsoft 365 Business Premium but not with Business Basic or Standard) for every user governed by those policies. Microsoft’s own guidance is explicit: Conditional Access is a per-user licensed feature, and compliance requires additional paid licensing for all users who directly or indirectly benefit from CA policies.
Security defaults themselves are intentionally generic. Microsoft says they’re not the right fit if you have complex requirements, and suggests moving to Conditional Access as soon as complexity appears. Security defaults and Conditional Access are also mutually exclusive: to create your first CA policy you must switch security defaults off, so the move is a cutover, not an overlay. In other words, the “free” setup is a stepping stone, not an endpoint.
“It wasn’t easy to standardize or maintain, and it wasn’t sustainable. It was ‘free’ MFA coming at a real cost.”
– Kristian Sanchez,
Senior Security Consultant, NENS
NENS on how “Free MFA is never free.”
“In the very early days of M365 management, we were doing what most other companies were: enabling MFA on an account-by-account basis. This was mostly to accommodate folks who didn’t want the inconvenience of having to jump through hoops to log into their business apps,” says Kristian Sanchez, Senior Security Consultant at NENS.
“Without Conditional Access and security enforcement, it was easy to miss setting up accounts with MFA and challenging to rehash security discussions with holdouts. You’d end up with this smattering of users with single-factor authentication. It wasn’t easy to standardize or maintain, and it wasn’t sustainable. It was ‘free’ MFA coming at a real cost. That’s when we started looking for a better way to manage identities and access, and a third-party IdP.”
Where Entra ID falls short for real-world SMB needs
1) Conditional Access is powerful—and a labyrinth
Conditional Access can implement Zero Trust controls (device state, location, risk, app sensitivity), but for service providers the limitations of Microsoft Entra for MSPs surface in day-to-day operations: overlapping policies, edge-case exceptions, and brittle testing cycles. Troubleshooting often hinges on specialized tools like the What If simulator and sign-in logs. Microsoft’s own docs spend a lot of time going over planning, testing, and troubleshooting patterns to help you avoid breaking access. They even introduced “Conditional Access health” signals to identify block policy issues. That’s not accidental; it’s there because things do go sideways, and it’s often not very easy to figure out why.
For MSPs juggling dozens of tenants, every new exception multiplies the complexity matrix: internal vs. guest, browser vs. client apps, legacy auth, device compliance, registration, registration-from-trusted-location only, and more.
Yes, Microsoft keeps adding help tools like the optimization agent, but the on-the-ground toil for your techs is real.
2) “Basic MFA” isn’t enough against modern attacks
Push fatigue (“MFA bombing”) wears users down until they approve a prompt they did not initiate, SIM swapping redirects SMS codes to the attacker, and adversary-in-the-middle phishing kits proxy the real sign-in page and capture the resulting session token, so a TOTP or push approval entered on the fake page hands the attacker a working session. The threat model has changed, and SMBs are not exempt. Guidance from public-sector and enterprise security leaders is blunt: implement phishing-resistant MFA wherever possible (CISA). Only factors bound to the site’s origin, such as FIDO2/WebAuthn or a device-bound passwordless authenticator, hold up against that proxy, because the credential simply will not sign for the attacker’s domain.
We recommend phishing-resistant factors (for example, FIDO2/WebAuthn) with any IdP. The differentiator for Entra ID compared to Okta + ZeroTek isn’t what factors are available—it’s how quickly you can standardize MFA, enforce consistently across tenants, and support users without flooding the help desk.
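As an added example (not ZeroTek’s, Okta’s or NENS’s code), the check below classifies each user’s enrolled authenticators by phishing resistance and reports who still falls short of the baseline, which is the concrete form of “standardize MFA and enforce consistently”. The factor labels, the sample enrollment records, the `admin` flag and the `exempt` flag for narrow-use accounts are assumptions for this example; a real run would build the same records from your IdP’s enrollment export.

```python
from collections import Counter

# Factor classes used by this example (assumed labels, not an IdP's own
# identifiers). FIDO2/WebAuthn and device-bound passwordless are origin-bound,
# so an adversary-in-the-middle proxy cannot replay them; push and TOTP are
# real second factors but can be phished or fatigued; SMS, voice and email
# fall to SIM swap and mailbox takeover.
PHISHING_RESISTANT = {"fido2", "fastpass"}
PHISHABLE_MFA = {"push", "totp"}
WEAK_MFA = {"sms", "voice", "email"}


def classify(factors, exempt=False):
    """Return the strongest class among a user's enrolled factors.

    `exempt` marks a narrow-use account that the baseline allows to stay on
    TOTP (for example a service login that cannot hold a FIDO2 key)."""
    enrolled = {f.lower() for f in factors}
    if enrolled & PHISHING_RESISTANT:
        return "phishing_resistant"
    if enrolled & PHISHABLE_MFA:
        return "exception" if exempt else "phishable_mfa"
    if enrolled & WEAK_MFA:
        return "weak_mfa"
    return "single_factor"


# Constructed sample of an enrollment export: one record per user.
USERS = [
    {"user": "alice@example.com", "admin": True, "factors": ["fido2", "push"]},
    {"user": "bob@example.com", "admin": True, "factors": ["push"]},
    {"user": "carol@example.com", "admin": False, "factors": ["sms"]},
    {"user": "dave@example.com", "admin": False, "factors": []},
    {"user": "erin@example.com", "admin": False, "factors": ["totp", "fastpass"]},
    {"user": "svc-backup@example.com", "admin": False, "factors": ["totp"], "exempt": True},
]


def audit(users):
    """List users below the baseline, highest severity first.

    Admins without a phishing-resistant factor and anyone with no second
    factor at all are 'high'; everyone else below the bar is 'medium'."""
    findings = []
    for u in users:
        status = classify(u["factors"], u.get("exempt", False))
        if status in ("phishing_resistant", "exception"):
            continue
        severity = "high" if u["admin"] or status == "single_factor" else "medium"
        findings.append({"user": u["user"], "status": status, "severity": severity})
    findings.sort(key=lambda f: (f["severity"] != "high", f["user"]))
    return findings


def summary(users):
    """Count users per class; the 'phishing_resistant' share is the number
    to drive to 100% of non-exempt users before enabling passwordless."""
    return Counter(classify(u["factors"], u.get("exempt", False)) for u in users)


if __name__ == "__main__":
    for f in audit(USERS):
        print(f"{f['severity']:<6} {f['status']:<18} {f['user']}")
    print(dict(summary(USERS)))
```

Run this against a fresh export before each go-live review; the `audit` list is the work queue, and an empty list for every tenant is the state in which enabling passwordless is safe.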
3) Integration friction in diverse SaaS environments
Most SMBs live in a hybrid SaaS world: Microsoft 365 plus industry-specific tools (legal, healthcare, finance), plus collaboration, dev, HR, CRM. With Entra, you’ll find thousands of gallery apps—but “thousands” is a fuzzy commitment that still leaves gaps you must wire up via SAML/OIDC and SCIM. Microsoft’s own materials position the gallery as “thousands of pre-integrated apps,” and the developer docs walk you through manual SAML config and custom provisioning patterns when apps fall outside the gallery sweet spot. That’s doable, but it’s work.
Okta, by contrast, publishes the size of its ecosystem in SEC filings: over 8,000 pre-built integrations in the Okta Integration Network (OIN), with more added regularly. For MSPs, those pre-built connectors directly translate to fewer brittle custom configs and faster time-to-value.
“Okta logging actually tells a helpful story that our engineers can follow, so troubleshooting is quick—and when we’re unsure, ZeroTek has always returned a fast response.”
– Kristian Sanchez,
Senior Security Consultant, NENS
NENS on policy and logging differences
“The fact is, Microsoft’s Conditional Access—with security groups, specific exclusions, all across multiple overlapping policies in M365—can get confusing fast. And system logs in M365 are difficult to work with at best, which then leads to a lot of policy-diving and tenant documentation just to figure out why a user suddenly can’t do something they should be able to do after a simple group change,” says Sanchez.
“It’s been so much easier to configure and manage access in Okta, even for more complex needs and edge cases. Okta’s global policy and federation approach has let us unify control of apps and user experiences outside the M365 tenant and remove Conditional Access policies from M365 altogether. Okta logging actually tells a helpful story that our engineers can follow, so troubleshooting is quick—and when we’re unsure, ZeroTek has always returned a fast response.”
What “real identity security” looks like for MSPs
Real identity security for SMBs is outcomes-driven: durable protection against phishing, fast onboarding/offboarding, consistent policy across tenants, and smooth access to all business apps. Here’s a pragmatic blueprint MSPs can run today:
1) Lead with phishing-resistant factors
Adopt FIDO2/WebAuthn or device-bound biometrics as required factors for your customers’ users. For Okta, ZeroTek’s recommended baseline includes enabling FIDO2 (WebAuthn) and Okta Verify with biometric verification, while reserving TOTP for specific narrow-use accounts, then moving to truly passwordless authentication with Okta FastPass when the organization is ready.
2) Use network zones to enforce geography and infrastructure trust
Pre-defining country/region zones, office IP ranges, and known MSP infrastructure lets you refuse off-geo sign-ins and sign-ins routed through anonymizing proxies such as Tor, without introducing friction for users on expected networks. ZeroTek prescribes these zones up front to harden every customer org consistently.
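The precedence those zones imply is easy to get wrong when several of them overlap, so here it is as an added example (not ZeroTek’s or Okta’s code) run over constructed sign-in events: an anonymizer block wins over everything, trusted office and MSP ranges are accepted next, then the country allowlist applies, and anything unmatched is refused. The CIDRs, the country list, the event fields and the `tor` flag are assumptions for this example; a real deployment expresses the same zones in the IdP’s policy, and this script only makes the evaluation order explicit and testable.

```python
import ipaddress

# Constructed zone definitions (assumed values). In a real org these are the
# pre-defined network zones; here they are plain data so the precedence can
# be read and tested.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),    # customer office range
    ipaddress.ip_network("198.51.100.10/32"),  # MSP jump host
]
ALLOWED_COUNTRIES = {"US", "CA"}


def evaluate(event):
    """Return (decision, reason) for one sign-in event.

    Precedence: a blocklisted anonymizer is refused even from a trusted
    range, trusted ranges are accepted without a geography check, then the
    country allowlist applies, and anything unmatched is denied. An
    unparseable source address fails closed rather than slipping past every
    zone."""
    try:
        ip = ipaddress.ip_address(event["ip"])
    except ValueError:
        return ("deny", "unparseable_ip")
    if event.get("tor", False):
        return ("deny", "tor_anonymizer")
    if any(ip in net for net in TRUSTED_NETWORKS):
        return ("allow", "trusted_network")
    if event.get("country") in ALLOWED_COUNTRIES:
        return ("allow", "allowed_country")
    return ("deny", "off_geo")


# Constructed sample sign-in events; `tor` stands in for the IdP's anonymizer
# classification of the source address.
EVENTS = [
    {"user": "alice", "ip": "203.0.113.45", "country": "US", "tor": False},
    {"user": "bob",   "ip": "192.0.2.7",    "country": "CA", "tor": False},
    {"user": "carol", "ip": "192.0.2.8",    "country": "NL", "tor": False},
    {"user": "dave",  "ip": "203.0.113.9",  "country": "US", "tor": True},
    {"user": "erin",  "ip": "not-an-ip",    "country": "US", "tor": False},
]


def evaluate_all(events):
    """Evaluate every event and return {user: (decision, reason)}."""
    return {e["user"]: evaluate(e) for e in events}


if __name__ == "__main__":
    for user, (decision, reason) in evaluate_all(EVENTS).items():
        print(f"{user:<6} {decision:<5} {reason}")
```

The `dave` case is the one worth keeping in a regression check: an address inside the office range that the IdP flags as an anonymizer must still be refused, which only holds if the blocklist is evaluated before the trusted-network allow.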
3) Isolate and lock down high-privilege workflows
ZeroTek’s Deep Link feature creates a hardened enclave for privileged actions, with a dedicated authenticator policy governing access to it. This keeps MFA drift from creeping into admin accounts and gives you a controlled break-glass path for emergency fixes instead of a standing exception.
4) Choose an ecosystem that minimizes custom plumbing
Okta’s OIN gives you a broad, well-maintained catalog (8,000+ and growing) to reduce hand-rolled SAML/SCIM work. Compare that to the Entra reality: many scenarios are supported, but you’ll often find yourself following tutorials to assemble SAML/OIDC and provisioning flows, app by app, or waiting on app-vendor docs to reconcile quirks. That’s friction your SMB clients feel as slow onboarding.
5) Standardize once; stamp many
ZeroTek is built for MSP multitenancy and usage-based billing. You standardize identity controls once—authenticators, zones, privileged access patterns—then stamp those best practices across customers. Our setup runbooks (the same ones we use internally) codify the “gotchas,” like staging FastPass only after the org is stable and enrollments are complete.
“Being able to tightly control who can access what and then track admin access across Okta tenants through ZeroTek Audit helps to check compliance boxes. It has really helped make our ticket routing and management more efficient.”
– Jason Bricault, CTO, NENS
NENS on managing secure access to Okta with ZeroTek
“NENS works across a lot of different business verticals,” explains Jason Bricault, CTO at NENS. “Being able to tightly control who can access what and then track admin access across Okta tenants through ZeroTek Audit helps to check compliance boxes.”
“For our engineering teams, we use different security groups and leverage ZeroTek’s built-in RBAC to ensure least-privileged access. For example, our junior engineers can perform Okta group and user actions from ZeroTek but are not able to connect to our clients’ Okta Admin Consoles through ZeroTek Deep Link. That’s reserved for senior team members who are equipped for the responsibility. It has really helped make our ticket routing and management more efficient.”
Why ZeroTek + Okta is the pragmatic MSP answer
Here’s the simple case for why MSPs should be using ZeroTek and Okta.
- Purpose-built IAM matters. Okta was designed from day one for identity use cases and an expansive integration ecosystem; ZeroTek was designed from day one to bring Okta’s powerful technology to MSPs. That DNA shows up in faster, safer app onboarding for SMB stacks.
- MSP mechanics matter just as much. ZeroTek adds multi-tenant control, usage-based billing, and codified best practices (zones, authenticators, Deep Link) so Admins deliver consistently across many clients—without reinventing everything per tenant.
- Support matters too. ZeroTek provides responsive Okta technical support tailored to the needs of MSPs managing multiple customers.
“The console really feels purpose-built to set project and engineering teams up for success, from kick-off to deployment to day-to-day management.”
– Kristian Sanchez,
Senior Security Consultant, NENS
NENS on how ZeroTek and Okta transformed their delivery of IAM
For NENS, moving off an Entra-only identity stack and onto Okta through ZeroTek has been a game-changer.
“Before ZeroTek, getting Okta licensed and the console set up took weeks because of Okta’s contracting process and delivery timelines,” says Sanchez. “After ZeroTek, setting up a client’s Okta org and licensing takes minutes.”
“The console really feels purpose-built to set project and engineering teams up for success, from kick-off to deployment to day-to-day management,” he explains. “For example, as we approach go-live, we can clearly see who is (and isn’t) enrolled and activated, then drive and rapidly achieve the MFA adoption that’s essential. It’s easy to explain and roll out to users.”
“Given our underwhelming experiences with Microsoft logging and support, and the complexity and frustrations of Conditional Access, standardizing on Okta through ZeroTek was an easy call,” adds Bricault. “The ZeroTek Okta solution has let us simplify MFA and SSO for our team and our clients while raising security across the board. We’ve never looked back.”
NENS x ZeroTek
New England Network Solutions (NENS) brings deep frontline MSP expertise, while ZeroTek’s multi-tenant Okta control plane makes it easy to standardize and scale best-practice identity security for SMBs. With ZeroTek | Okta, NENS rolls out strong, consistent controls quickly, cuts risk without adding complexity and delivers enterprise-grade protection to all customers.
Are you ready?
Ready to explore how ZeroTek | Okta can help your MSP deliver next-level security services to your customers?