Organizations building modern identity and access management (IAM) strategies often turn to Microsoft Entra as a central component. With strong integration into Microsoft 365, native support for conditional access, and increasingly mature passwordless capabilities, Entra provides a comprehensive approach to cloud-based identity management.
However, IAM in enterprise environments is rarely limited to the cloud. Many organizations operate hybrid environments, maintain legacy applications, and serve both internal and external users – each with specific identity and authentication requirements. These use cases sometimes fall outside the scope of what Entra directly supports.
In such scenarios, additional tools like Secfense can complement Microsoft Entra by addressing specialized needs related to authentication, compliance, and security for applications and systems not fully covered by Entra’s architecture.
IAM in practice: When Entra needs support
Microsoft Entra is designed to be the central control plane for identity in Microsoft-first environments. It supports:
- Single Sign-On (SSO) and federation via SAML/OIDC
- Conditional Access based on device, location, and risk
- Passwordless authentication through Microsoft Authenticator and Windows Hello
- Integration with Microsoft Defender and Microsoft Graph for reporting
That said, a number of common enterprise scenarios require capabilities that may sit adjacent to or outside of Entra’s focus:
1. Legacy and on-prem applications
Many organizations continue to run web applications that do not natively support modern authentication protocols. Entra Application Proxy can publish these apps, but implementation may involve on-premises connectors, hybrid identity synchronization, gateway configuration, or changes to the application itself.
A reverse proxy such as Secfense can enforce phishing-resistant MFA (e.g., FIDO2 or passkeys) for legacy and on-prem apps without requiring changes to the applications themselves. This can be particularly valuable in hybrid environments with sensitive internal systems. One design caveat applies to any proxy-based enforcement: the application must be reachable only through the proxy (network segmentation or firewall rules), and it must trust identity headers only from the proxy, otherwise the MFA layer can be bypassed by connecting to the application directly.
2. Customer Identity (CIAM) with modern authentication
Microsoft Entra External ID provides basic support for external user authentication. At the time of writing, however, FIDO2 and passkey support is not yet available in External ID; Microsoft lists it as a roadmap item.
Secfense enables FIDO2-based passwordless login for B2B and B2C users today, using any FIDO-compliant authenticator, including device-bound passkeys. This can help organizations improve usability while meeting requirements such as PSD2 strong customer authentication or the phishing-resistant authenticator requirements of NIST SP 800-63B.
3. Environments requiring local identity ownership
Some organizations, particularly those in government, healthcare, or financial services, are required to maintain identity data on-premises or avoid cloud synchronization for regulatory reasons.
Secfense supports FIDO2 authentication directly from on-prem Active Directory, without syncing identity data to the cloud. This allows organizations to adopt modern authentication while preserving local identity governance.
4. Authenticator and passkey flexibility
Microsoft Authenticator and Windows Hello offer strong options for Entra-connected systems. However, passkeys stored in Microsoft Authenticator are device-bound and, at the time of writing, usable only for signing in to Microsoft Entra ID accounts, not for third-party relying parties.
Secfense works with a wide range of authenticators (e.g., YubiKey, platform authenticators, biometric sensors), enabling cross-platform passkey support and fine-grained control over how passkeys are used, stored, or synchronized.
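The distinction between device-bound and synced passkeys is something a relying party can check itself. The following is an added example, not Secfense code or the page's own: it parses the fixed prefix of WebAuthn authenticatorData and classifies a credential by the BE (backup eligible) and BS (backup state) flags defined in WebAuthn Level 3. The RP ID, the policy choices and the sample authenticator data are constructed for the demonstration.

```python
"""Added example (not Secfense code): inspecting WebAuthn authenticatorData
to tell device-bound passkeys from synced ("backup-eligible") ones.

Relying parties that want control over whether passkeys may be synchronized
can read the BE and BS flags that the authenticator sets in authenticatorData
during registration and assertion (WebAuthn Level 3, section 6.1).
The RP ID and sample inputs below are constructed for the demo.
"""
import hashlib
import struct

# Bits of the authenticatorData "flags" byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN or biometric)
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data follows (registration)
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Decode the fixed 37-byte prefix of authenticatorData.

    Layout: rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian),
    optionally followed by attested credential data and extensions.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "has_attested_cred": bool(flags & FLAG_AT),
        "sign_count": sign_count,
    }


def classify_passkey(auth_data: bytes, rp_id: str, require_uv: bool = True) -> str:
    """Return "device-bound", "synced" or "reject" for one ceremony.

    Example policy (an assumption for the demo, not a standard):
      - rpIdHash must equal SHA-256 of our RP ID, otherwise reject
      - user verification is required for passwordless use
      - BE=0: the credential cannot leave the authenticator -> device-bound
      - BE=1: the provider may sync it; BS says whether it currently is -> synced
      - BE=0 with BS=1 is not allowed by the spec -> reject
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return "reject"
    if require_uv and not parsed["user_verified"]:
        return "reject"
    if not parsed["backup_eligible"] and parsed["backed_up"]:
        return "reject"
    return "synced" if parsed["backup_eligible"] else "device-bound"


def make_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Build a constructed authenticatorData prefix for the demo (no real authenticator)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    rp = "login.example.com"  # assumed RP ID
    hardware_key = make_auth_data(rp, FLAG_UP | FLAG_UV)                        # e.g. a security key
    synced_passkey = make_auth_data(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)  # passkey in a sync fabric
    print(classify_passkey(hardware_key, rp))    # device-bound
    print(classify_passkey(synced_passkey, rp))  # synced
```

A relying party that must require device-bound credentials would reject or flag registrations where BE is set, rather than relying on the authenticator brand alone; note that the flags are asserted by the authenticator, so where stronger assurance is needed they should be combined with attestation checks at registration.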
Layered authentication as a design principle
A common challenge in IAM is ensuring that authentication does not rely on a single layer or mechanism. Entra offers a strong set of protections, but in high-risk or regulated environments, additional security layers are often recommended.
Secfense adds such a layer by operating independently from identity providers. Even if a user is authenticated through Entra, Secfense can apply additional controls, such as:
- Secondary FIDO2 prompts for sensitive applications
- Microauthorizations (e.g., step-up authentication for specific actions)
- Session-level policies beyond initial login
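The reverse-proxy enforcement described for legacy apps above and the step-up and session-level controls in this list come down to one per-request decision made by the proxy. The following added example (not Secfense code or the page's own) shows that decision logic: the proxy keeps its own session established by a FIDO2 login, demands a fresh assertion ("microauthorization") for sensitive actions, expires sessions by age and idle time, and strips any client-supplied identity headers before forwarding. The paths, header names and time limits are assumptions for the demo.

```python
"""Added example (not Secfense code): access decisions of a reverse proxy that
enforces phishing-resistant MFA in front of a legacy app without modifying it.

The proxy owns the session (created after a FIDO2 ceremony) and, per request,
decides whether to forward to the backend, demand a primary login, or demand a
fresh step-up assertion for sensitive actions. All paths, header names and
limits below are assumptions for the demonstration.
"""
from dataclasses import dataclass
from typing import Optional

# Example policy, not a standard:
SESSION_MAX_AGE = 8 * 3600   # re-authenticate after 8 hours regardless of activity
IDLE_TIMEOUT = 30 * 60       # re-authenticate after 30 minutes without requests
STEP_UP_FRESHNESS = 5 * 60   # sensitive actions need a FIDO2 assertion < 5 minutes old

# Assumed sensitive endpoints of the legacy app: (method, path prefix).
STEP_UP_RULES = [
    ("POST", "/admin/"),
    ("POST", "/payments/transfer"),
    ("DELETE", "/"),
]

# Identity headers only the proxy may set; inbound copies are dropped.
RESERVED_HEADERS = {"x-authenticated-user", "x-auth-level"}


@dataclass
class Session:
    user: str
    authenticated_at: float  # time of the primary FIDO2 login
    last_seen: float         # time of the previous request
    last_fido2_at: float     # most recent FIDO2 assertion (login or step-up)


@dataclass
class Decision:
    action: str                     # "forward" | "login" | "step_up"
    headers: Optional[dict] = None  # header set forwarded to the backend
    reason: str = ""


def needs_step_up(method: str, path: str) -> bool:
    """True when the request matches a rule requiring a fresh assertion."""
    return any(method == m and path.startswith(p) for m, p in STEP_UP_RULES)


def outbound_headers(request_headers: dict, session: Session) -> dict:
    """Strip spoofable identity headers from the client, then assert identity."""
    clean = {k: v for k, v in request_headers.items() if k.lower() not in RESERVED_HEADERS}
    clean["X-Authenticated-User"] = session.user
    clean["X-Auth-Level"] = "fido2"
    return clean


def decide(session: Optional[Session], method: str, path: str,
           request_headers: dict, now: float) -> Decision:
    """Policy evaluation for one request arriving at the proxy."""
    if session is None:
        return Decision("login", reason="no proxy session")
    if now - session.authenticated_at > SESSION_MAX_AGE:
        return Decision("login", reason="session exceeded max age")
    if now - session.last_seen > IDLE_TIMEOUT:
        return Decision("login", reason="session idle too long")
    if needs_step_up(method, path) and now - session.last_fido2_at > STEP_UP_FRESHNESS:
        return Decision("step_up", reason=f"{method} {path} requires a fresh FIDO2 assertion")
    # The backend must be reachable only via the proxy for these headers to be
    # trustworthy (network segmentation is part of the design, not an option).
    return Decision("forward", headers=outbound_headers(request_headers, session),
                    reason="policy satisfied")


if __name__ == "__main__":
    now = 1_000_000.0  # constructed clock value
    sess = Session("alice", authenticated_at=now - 3600, last_seen=now - 60, last_fido2_at=now - 3600)
    print(decide(sess, "GET", "/reports", {"Host": "app"}, now).action)              # forward
    print(decide(sess, "POST", "/payments/transfer", {}, now).action)                # step_up
    sess.last_fido2_at = now  # user completed the step-up ceremony
    print(decide(sess, "POST", "/payments/transfer", {}, now).action)                # forward
```

The step-up branch is what the page calls a microauthorization: the proxy can demand it for a single action without the legacy application knowing anything about FIDO2. In a real deployment the "login" and "step_up" outcomes are answered with a redirect to the proxy's WebAuthn ceremony, after which the session fields above are updated.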
This separation of identity storage (the directory and IAM platform) from authentication enforcement (the MFA layer that decides per request and per action) supports defense-in-depth strategies and aligns with Zero Trust principles: a weakness or misconfiguration in one layer does not by itself grant access through the other.
Complementing, Not Replacing
It is important to emphasize that Secfense does not aim to replace Microsoft Entra or any other identity platform. Instead, it is designed to coexist with existing identity infrastructure and to extend authentication capabilities to places where built-in Entra features are either unavailable or unsuitable.
For example, in a typical architecture:
- Microsoft Entra manages identity federation, SSO, and policy across Microsoft services.
- Secfense adds phishing-resistant authentication to custom apps, legacy systems, or CIAM portals without code changes.
This modular, layered approach allows organizations to make targeted improvements without redesigning their identity stack or compromising existing investments.
Summary table: Secfense capabilities in Microsoft environments
| Use Case | Microsoft Entra | Secfense |
|---|---|---|
| Legacy/on-prem apps | Application Proxy (connectors, hybrid identity integration) | Reverse proxy, no code changes, MFA enforcement |
| Passkeys for CIAM | Roadmap (not yet available in External ID) | Available today |
| Local identity ownership | Identities must be synced to Entra ID | Works directly with on-prem AD |
| Per-app MFA policies | Central Conditional Access policy | MFA per app/session with microauthorizations |
| Authenticator choice | Microsoft Authenticator, Windows Hello | Any FIDO2 authenticator |
| Defense in depth | Identity store and MFA enforcement in one platform | MFA enforcement decoupled from the identity store |
Final considerations
Organizations need flexibility to adapt to new standards (like passkeys), comply with new regulations, and protect systems that aren’t cloud-native or modernized.
Microsoft Entra provides a strong foundation for identity in Microsoft environments. Secfense can complement this foundation, helping extend phishing-resistant authentication to specialized or hard-to-reach parts of your infrastructure without replacing or duplicating what Entra already does well.
Next Steps
If your organization is:
- Looking to enable passkeys or FIDO2 for legacy, CIAM, or regulated apps
- Evaluating layered security models for identity and authentication
- Exploring passwordless strategies beyond the Microsoft ecosystem
…we’d be happy to show you how Secfense works alongside your current Entra setup.
Request a demo or technical consultation: Contact Secfense