Microsoft Entra External ID vs. Opal.dev

It is not easy to calculate the actual ROI due to the difficult quantification of all factors, but it certainly contributed a lot in protecting, monitoring and controlling access to our system. It also made it much easier to detect vulnerable external users with simple and "easy to hack" passwords they use on multiple apps.

I am frustrated that my organization chose to adopt Opal for our access management tool. It is extremely difficult to use, due to bugs and basic functionality missing. Engineers are not given write access to production resources, so every change must flow through Opal.

This involves writing an IAM policy by hand for every request, because it is far too difficult to find an existing role in the system, and requests must the narrowly tailored only to allow the exact operation requested. Opal makes this process much more difficult because it lacks basic functionality for end users, such as: -Ability to modify an existing IAM role

-Ability to view existing IAM roles

-Ability to delete duplicate Opal roles

-Lack of IAM role templates

-Poor error messages when attempting JSON policy fails validation

In general, each Opal request takes 5-10 minutes because you need to be very explicit with every API action you are requesting, which then needs to be repeated multiple times because it is very hard to get everything correct the first time, which then requires a new round of reviews. This is partially because AWS IAM roles can be tricky to get right, but Opal provides no functionality to make this easier.

Incentivized

• One of the things that Microsoft Entra External ID does really well is creating user logins, accounts and profile. It is very easy to create them, manage them and delete them. It is fast and reliant.
• Limit access or authorization feature. We can allow different levels of authorization and access. So that not all the employees would have access to all the data. Only some relaible employees would have access and power to change anything.
• Mutli factor authentication feature is also a really good feature to secure data. Even overseas vendors need MFS to login which gives double protection to our data.

Incentivized

• Troubleshooting diagnostic logs effectively requires VS Code
• Group and role management requires additional effort
• The programming model (XML) could use some developer experience love

Incentivized

• Inability to modify an IAM role after creation
• Inability to use templated IAM roles
• Inability to see existing IAM roles
• Inability for users to clean up existing Opal roles
• Poor ability to search for existing Opal roles
• Repeated reliability issues - IAM role creation breaks far too often
• Cryptic error messages when IAM JSON is incorrect

Incentivized

I find it easy to use. The usability is great. Every department uses it for different purposes. Everyone access information relevant to them. Since we've started to use this we have seen less security incidents.

Incentivized

I really enjoy how simple it is to connect this Active Directory with other Microsoft Products to collaborate with colleagues and clients.

Incentivized

• Having monthly active users billing was cost-effective.
• Helped with the IT support that was already managing the Azure platform of the company; this helped to manage the costs better and optimize them.

Incentivized

• Decreased engineering productivity

Incentivized