Microsoft Entra External ID vs. Opal.dev

In our organisation we use Microsoft Entra External ID primarily to enable non-attenders to remotely login to our tenant and access pre-prepared educational resources. As well as access to tutors, pupils can also communicate with centralised staff who can support them to gain an education. Utilising our external tenant configuration we can develop and deploy our own in house apps to unpin this support intervention.

Incentivized

I am frustrated that my organization chose to adopt Opal for our access management tool. It is extremely difficult to use, due to bugs and basic functionality missing. Engineers are not given write access to production resources, so every change must flow through Opal.

This involves writing an IAM policy by hand for every request, because it is far too difficult to find an existing role in the system, and requests must the narrowly tailored only to allow the exact operation requested. Opal makes this process much more difficult because it lacks basic functionality for end users, such as: -Ability to modify an existing IAM role

-Ability to view existing IAM roles

-Ability to delete duplicate Opal roles

-Lack of IAM role templates

-Poor error messages when attempting JSON policy fails validation

In general, each Opal request takes 5-10 minutes because you need to be very explicit with every API action you are requesting, which then needs to be repeated multiple times because it is very hard to get everything correct the first time, which then requires a new round of reviews. This is partially because AWS IAM roles can be tricky to get right, but Opal provides no functionality to make this easier.

Incentivized

• One of the things that Microsoft Entra External ID does really well is creating user logins, accounts and profile. It is very easy to create them, manage them and delete them. It is fast and reliant.
• Limit access or authorization feature. We can allow different levels of authorization and access. So that not all the employees would have access to all the data. Only some relaible employees would have access and power to change anything.
• Mutli factor authentication feature is also a really good feature to secure data. Even overseas vendors need MFS to login which gives double protection to our data.

Incentivized

• Troubleshooting diagnostic logs effectively requires VS Code
• Group and role management requires additional effort
• The programming model (XML) could use some developer experience love

Incentivized

• Inability to modify an IAM role after creation
• Inability to use templated IAM roles
• Inability to see existing IAM roles
• Inability for users to clean up existing Opal roles
• Poor ability to search for existing Opal roles
• Repeated reliability issues - IAM role creation breaks far too often
• Cryptic error messages when IAM JSON is incorrect

Incentivized

Microsoft Entra External ID is an all round solid product, and certainly delivers the solution to our needs well. Through use we found that Pupil's become 'experts in avoidance', if they can forget their login details or indeed their device used for MFA, they will and then use that as the excuse for not accessing/completing their assignments. If more MFA options were available (such as delegated MFA) this would really help iron out our entire end user experiences

Incentivized

I really enjoy how simple it is to connect this Active Directory with other Microsoft Products to collaborate with colleagues and clients.

Incentivized

• Having monthly active users billing was cost-effective.
• Helped with the IT support that was already managing the Azure platform of the company; this helped to manage the costs better and optimize them.

Incentivized

• Decreased engineering productivity

Incentivized