Adcyma vs Doing It Manually in Entra ID: When Native Tools Stop Being Enough

February 3, 2026 · 6 min read

If you're managing user identities in Microsoft Entra ID using the admin portal, maybe some dynamic groups, and an onboarding checklist on a wiki somewhere, you're not alone. That's how most mid-market IT teams operate. And honestly, for a while it works fine.

This page isn't about telling you that manual Entra ID management is bad. It's about helping you recognize the point where it stops being good enough, and what the options are when you get there.

What Entra ID gives you natively

Microsoft has been steadily improving identity management capabilities in Entra ID. Here's what you can do today without any third-party tools:

User management. Create, update, and delete users through the portal, PowerShell, or Graph API. Assign licenses, set properties, manage authentication methods. The basics work.

Dynamic groups. Create groups that automatically add and remove members based on user attributes like department, job title, or location. Powerful in theory, but the rule syntax is limited and troubleshooting broken rules is painful.

Entra ID Governance (P2 license). Access reviews, entitlement management, lifecycle workflows, and privileged identity management. These features exist, but they're spread across different blades in the portal, require P2 licensing for every user, and have real limitations.

Lifecycle workflows. Relatively new. You can trigger automated tasks when users join, move, or leave. But the available actions are limited, the conditions are rigid, and building anything beyond basic scenarios requires workarounds.

For a company with 30 employees and straightforward access needs, this native toolkit is genuinely sufficient. You don't need anything else.

Where manual Entra ID management breaks down

The cracks start showing when some combination of the following becomes true:

Onboarding takes too long and varies too much. When you have 50+ hires per year, the manual process starts eating real time. More importantly, different people do it differently. One admin assigns all the right groups. Another misses two. A third follows a wiki doc that's six months out of date. The result: inconsistent access, frustrated new hires, and IT support tickets on day one.

Offboarding has gaps. Disabling an account is easy. Making sure that person's access to every group, shared mailbox, Teams channel, SharePoint site, and application is properly revoked is harder. Without a structured process, things get missed. Lingering access for former employees is one of the most common audit findings we see.
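To make the offboarding gap concrete, here is an added example (not Adcyma's or Microsoft's code) that checks an export for disabled accounts still holding group memberships or licenses. The sample data is constructed, uses Microsoft Graph field names (accountEnabled, assignedLicenses, groupTypes), and assumes group members have been flattened to a list of user ids.

```python
# Constructed sample data, shaped like Microsoft Graph /users and /groups output.
# All names and ids are made up; "members" is flattened to user ids (assumption).
USERS = [
    {"id": "u1", "userPrincipalName": "alice@contoso.example", "accountEnabled": True,
     "assignedLicenses": [{"skuId": "sku-e3"}]},
    {"id": "u2", "userPrincipalName": "bob@contoso.example", "accountEnabled": False,
     "assignedLicenses": [{"skuId": "sku-e3"}]},
    {"id": "u3", "userPrincipalName": "carol@contoso.example", "accountEnabled": False,
     "assignedLicenses": []},
]
GROUPS = [
    {"id": "g1", "displayName": "Finance-Share-RW", "groupTypes": [],
     "members": ["u1", "u2"]},
    {"id": "g2", "displayName": "Marketing-Team", "groupTypes": ["Unified"],
     "members": ["u2"]},
    {"id": "g3", "displayName": "All-Marketing-Dynamic",
     "groupTypes": ["DynamicMembership"], "members": ["u1", "u2"]},
]


def find_lingering_access(users, groups):
    """Return one finding per disabled account that still holds access."""
    findings = []
    for user in users:
        if user["accountEnabled"]:
            continue
        memberships = [g for g in groups if user["id"] in g["members"]]
        licenses = [lic["skuId"] for lic in user.get("assignedLicenses", [])]
        if not memberships and not licenses:
            continue  # nothing left behind: this account is fully offboarded
        findings.append({
            "user": user["userPrincipalName"],
            # Assigned groups can be cleaned up by removing the member directly.
            "remove_from": sorted(g["displayName"] for g in memberships
                                  if "DynamicMembership" not in g["groupTypes"]),
            # Dynamic membership is rule-driven: the rule has to stop matching.
            "fix_rule_for": sorted(g["displayName"] for g in memberships
                                   if "DynamicMembership" in g["groupTypes"]),
            "licenses": licenses,
        })
    return findings


if __name__ == "__main__":
    for finding in find_lingering_access(USERS, GROUPS):
        print(finding)
```

Shared mailbox delegations and SharePoint permissions are not covered by this check and need their own export.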

Access reviews are a nightmare. Entra ID's native access reviews (P2) work for simple cases, but managing review campaigns across departments, tracking completions, handling exceptions, and producing audit evidence requires significant manual effort. Most teams we talk to end up doing access reviews in spreadsheets, which defeats the purpose.

Compliance evidence is scattered. When your auditor asks "show me a list of all access changes in the last quarter" or "prove that access reviews were completed for all departments," you're pulling data from multiple places, cross-referencing logs, and hoping you haven't missed anything. This works until it doesn't, usually at the worst possible time.

Dynamic groups hit their limits. The native dynamic group rules can't handle complex logic cleanly. "All marketing people except contractors, but include marketing contractors who've been here more than six months" turns into an unreadable expression that nobody dares touch. And when a dynamic group breaks silently, people lose access with no alert.

P2 licensing costs add up. Entra ID P2 (now part of Microsoft Entra Suite) costs roughly 8-9 EUR per user per month. For 200 users, that's over 19,000 EUR per year. And you still need to stitch together multiple portal blades to get a coherent governance experience.

What Adcyma adds on top of Entra ID

Adcyma doesn't replace Entra ID. It connects to your existing Entra ID tenant and adds a governance layer on top. Think of it as the management console that Entra ID's native tools should be but aren't.

Automated lifecycle management. Define what each role needs once — groups, licenses, Teams memberships, mailbox access — and let the system handle provisioning and deprovisioning consistently every time. Connected to your HR system or triggered manually.

Simplified dynamic groups. Create and manage dynamic group rules with a clearer interface than Entra ID's native syntax. See what changed and why. Get alerts when something unexpected happens.

Structured access reviews. Run review campaigns with clear ownership, deadlines, and escalation. Every decision is logged. Every completion is tracked. Export the results directly in a format your auditor can use.

Unified compliance reporting. Pull SOC 2, ISO 27001, and NIS2 reports from a single place instead of cobbling together data from multiple portal blades and log sources.

No P2 license dependency. Adcyma provides governance capabilities without requiring Entra ID P2 licensing for every user. Depending on your current licensing, this can offset a significant portion of the cost.

The honest comparison

| Aspect | Manual Entra ID + P2 | Adcyma |
| --- | --- | --- |
| Cost | P2: ~19,000 EUR/year for 200 users | Comparable or lower |
| Setup time | Already running (sort of) | 1 to 2 days |
| Onboarding consistency | Depends on who does it | Defined once, runs the same every time |
| Offboarding completeness | Manual checklist, easy to miss things | Automated, comprehensive |
| Access reviews | Native reviews + spreadsheets | Structured campaigns with full audit trail |
| Compliance reporting | Manual data assembly | Pre-built reports for SOC 2, ISO 27001, NIS2 |
| Dynamic group management | Native syntax (limited, fragile) | Clearer interface, better visibility |
| Learning curve | Spread across multiple portal blades | Single interface |

When sticking with native Entra ID makes sense

Keep doing what you're doing if:

  • You have fewer than 50 users and low turnover
  • Your compliance requirements are minimal or informal
  • Your IT team has the capacity to handle lifecycle tasks manually
  • You're not facing SOC 2, ISO 27001, or NIS2 audits
  • Access review frequency is annual or informal

There's no shame in manual processes when they genuinely work for your scale.

When it's time for something more

Consider a dedicated tool when:

  • Onboarding and offboarding take too long or produce inconsistent results
  • You're approaching a compliance audit and don't have clean evidence
  • Access reviews are being done in spreadsheets (or not being done at all)
  • You've had an incident involving former employee access
  • Your team is growing and the manual workload is scaling linearly while the IT team isn't
  • You're paying for P2 licenses primarily for governance features

This is the gap Adcyma is designed to fill. Not replacing Entra ID — making it actually work for governance at your scale.

Adcyma is free for up to 25 users. For larger teams, start a free 14-day trial. No credit card, no consultants.
