Last verified: June 3, 2026
Card type: Competitive — Application-Layer Governance Gap
Refresh trigger: July 2026 education pricing exemption effective date; Cloud Sync migration notifications beginning July 2026
Competitor Snapshot
Entra enters Higher Ed deals pre-installed. It ships inside the M365 agreement the institution already owns, which means the CIO frequently treats identity as solved before anyone has mapped what "solved" actually covers. The bundle economics are real, the campus integration is deep, and the education pricing exemption from July 2026 commercial increases removes cost pressure that might otherwise force re-evaluation.
Recognition Cues
- "We already have identity covered through our Microsoft agreement." Most common signal. "Covered" almost always means SSO into Microsoft apps. Probe what happens to Canvas provisioning, Workday lifecycle, or Ellucian access when a student graduates. The answer reveals the gap.
- "We're on A5, so we have everything." A5 includes Entra ID P2. P2 does not include Entra ID Governance (lifecycle workflows, entitlement management, advanced access reviews). That requires a separate add-on at $7/user/month commercial list or the Entra Suite. The buyer rarely knows this. A3 includes P1-equivalent capabilities, confirmed by Microsoft's Governance add-on prerequisite language. A1 includes Entra ID Free only.
- "Our EES renewal is coming up and Microsoft is bundling more." The July 2026 M365 commercial price increases exempt education customers. This strengthens the "stay" argument on cost. Do not fight the pricing conversation directly.
- "We're looking at Copilot / Agent 365 and want to keep identity in one place." The buyer assumes Entra Agent ID covers all agent governance. It covers Microsoft-platform agents natively. Non-Microsoft agents require SDK integration or workload identity federation, each requiring custom implementation work. Canvas, Ellucian, and research computing agents are not documented in any Microsoft Agent ID source as of this sweep.
- "We just got a Cloud Sync migration notice from Microsoft." Starting July 2026, Microsoft is notifying tenants of their transition window from Entra Connect Sync to Cloud Sync. This signals the institution is in an active infrastructure transition. Ask what the migration covers and what falls outside the initial supported scope. Timing and institutional impact are campus-specific; treat this as a discovery opener, not a talking point.
- An RFP listing "Microsoft Entra ID" as incumbent IdP with no mention of non-Microsoft application governance. That omission tells you identity was scoped to match the Microsoft footprint. The institution's full application portfolio was never the frame.
Where They Genuinely Win
Microsoft-dominant campuses running the bulk of their application portfolio on M365, Azure, and Intune. Conditional Access policies are native. Device compliance flows through Intune without integration seams. P1 ships in A3, P2 in A5. No incremental license cost for core IAM features inside the Microsoft perimeter. The education pricing exemption from July 2026 commercial increases removes cost pressure that might otherwise force re-evaluation. If the institution's application map is genuinely Microsoft-dominant and they have no near-term multi-cloud research computing requirements, Entra is defensible. Do not waste credibility arguing otherwise.
Where the Conversation Shifts
Non-Microsoft application lifecycle is manual. Entra authenticates against Canvas, Workday, Ellucian, and hundreds of SaaS apps via SAML. Provisioning is a different question. Microsoft's own documentation notes that Canvas user provisioning is a manual task (last verified March 2025; confirm current state before citing in-call). The identity lifecycle across enrollment, employment, and alumni breaks at the boundary of the Microsoft ecosystem. Multiply that manual step across every non-Microsoft app in the portfolio.
Workload identity governance is unbundled. Entra Workload ID Premium costs $3 per service principal per month at commercial list (last verified June 2026). It is excluded from every M365 bundle and the Entra Suite. No education-specific pricing is publicly documented as of this sweep. A campus with 400 service principals subject to research compliance controls faces ~$14,400/year in costs sitting entirely outside the "identity is covered" agreement.
Agent governance beyond Microsoft requires custom integration. Entra Agent ID reached GA in April 2026 with non-Microsoft platform support via SDK sidecar and workload identity federation. Named integrations include AWS Bedrock, n8n, and announced partnerships with ServiceNow and Workday. Public documentation as of this sweep does not describe support for Canvas LTI agents, Ellucian agents, or research computing framework agents. Each would require individual instrumentation via the Auth SDK or federation wiring.
Multi-cloud research computing lost its CIEM path. Microsoft retired Entra Permissions Management in November 2025. R1 institutions running research workloads on AWS have no Entra-native path for cross-cloud entitlement governance.
Maturity-State Response Guide
How many of the institution's top 20 applications by user count are Microsoft products? And how large is the IAM team relative to the identity surface? These two answers determine which state you're in.
The competitive motion across all states is expansion beyond the Microsoft layer. You are extending coverage to where that layer stops.
State 1: Microsoft-Dominant, Operationally Stretched
15+ of top 20 are Microsoft; small IAM team
Lead with: "Your Microsoft investment is doing real work. Where is your team spending the most manual hours — the apps outside that perimeter, or the provisioning and deprovisioning steps Microsoft doesn't automate?"
Anchor on: Lifecycle automation relief. Even Microsoft-dominant campuses have manual provisioning into Canvas, HR systems, and research tools. A stretched team feels this as operational pain before they frame it as a governance gap. Coexistence positioning: Okta automates the lifecycle across the full portfolio while Entra continues handling what it handles well.
Do not say: "Entra can't handle your identity needs." It handles most of them here. Overreach kills credibility with a buyer whose Microsoft investment is working and who will verify your claims with their Microsoft rep before your next call.
State 1b: Microsoft-Dominant, Mature IAM Program
15+ of top 20 are Microsoft; staffed identity team
Lead with: "Your Microsoft investment is doing real work. Where does governance get harder — the service accounts running outside Conditional Access, or the agent identities you're starting to plan for?"
Anchor on: Workload ID Premium's unbundled cost. A mature team already knows their service principal inventory. The $3/workload/month cost outside the M365 agreement is the wedge that respects the Microsoft relationship while opening the NHI governance conversation.
Do not say: "You need to rethink your identity strategy." They have one. Respect it. Focus on what it doesn't yet reach.
State 2: Mixed Environment
8–14 of top 20 are Microsoft
Lead with: "Walk me through what happens when a student graduates. How many systems does that touch, and how many of those deprovisioning steps are automated?"
Anchor on: The lifecycle gap across non-Microsoft applications. Manual provisioning into Canvas, Workday, Ellucian. On-premises AD and Entra ID running in parallel, where disabling a local account doesn't automatically lock the cloud account (Infosecurity Magazine, March 2026; architecturally consistent with Microsoft's own Cloud Sync migration rationale). Frame coexistence: Okta as the governance layer across the full portfolio, Entra continuing inside the Microsoft perimeter.
Do not say: "Replace Entra." The buyer built on this. The word is "extend."
State 3: R1 with Multi-Cloud Research Computing
Lead with: "How are you planning to govern service principals and AI agents across your research computing environments for NSPM-33?"
Anchor on: Three compounding gaps. Workload ID Premium is unbundled and has no documented education pricing. Permissions Management is retired with no multi-cloud CIEM replacement. Agent ID requires custom SDK work for non-Microsoft research tools. The total governance cost on Microsoft's platform exceeds what the "bundled" narrative suggests once you add Workload ID per-principal costs on top of the base agreement, plus Agent 365 licensing, plus consumption for Copilot Studio or Foundry. Reference NSPM-33 as the deadline that makes this conversation urgent. The compliance detail belongs to the NSPM-33 feature; here it functions as a forcing mechanism.
Do not say: "Microsoft can't do AI governance." They can, inside their ecosystem. The question for the VP for Research is who governs everything outside it. And whether ungoverned agents on the HPC cluster survive an audit.
Landmines
Do not speculate the education pricing exemption is temporary. The Microsoft FAQ confirms it. Guessing it will expire sounds like FUD. The CIO's Microsoft rep will correct you on the spot.
Do not claim Agent ID is "Microsoft ecosystem only." This was accurate at the May 2025 preview. It is inaccurate at GA. Platform scope expanded; the constraint now is integration method (SDK sidecar or workload identity federation for each non-Microsoft agent). Getting this wrong tells the buyer you stopped reading twelve months ago.
Do not present Workload ID pricing without the "no education discount found" qualifier. The $3/workload/month figure is commercial list. The institution may have negotiated differently through EES. State the list price, flag that education-specific pricing is not publicly documented, and let the buyer verify against their own agreement.
Field Gap Flag
What this card cannot know from public sources:
- Actual education-negotiated pricing for Workload ID Premium and Entra ID Governance add-on (EES terms vary by institution)
- Whether specific campuses have received Cloud Sync migration window notifications and what their assigned scope covers
- Institutional case studies on Entra limitations in mixed Higher Ed environments (none found in EDUCAUSE, Higher Ed Dive, or Inside Higher Ed as of this sweep)
- Real-world Agent ID integration attempts with Canvas, Ellucian, or research computing tools
- Whether the Canvas provisioning tutorial (last verified March 2025) now reflects automated SCIM provisioning
If a campus CISO or IAM lead describes specific Entra gaps in their mixed environment, quotes Workload ID pricing from their EES agreement, or reports on Agent ID integration with non-Microsoft campus tools, send the detail to [field-intel@higherground internal] with the account tier and maturity state. This card improves with deal-level evidence that public sources cannot provide.
Things to follow up on...
- Canvas breach, FSA alert: The U.S. Department of Education's Federal Student Aid office issued a technology security alert in May 2026 calling out SSO connectors and API keys as rotation targets following the Instructure/Canvas breach, directly implicating the application integration layer this card addresses.
- Agent ID privilege escalation: Silverfort discovered and Microsoft patched an Entra Agent ID role flaw in April 2026 that allowed full service principal takeover via the Agent ID Administrator role, illustrating the governance complexity of extending identity to agentic AI.
- Cloud Sync migration timeline: Microsoft announced in May 2026 that phased transition notifications from Entra Connect Sync to Cloud Sync begin July 2026, creating a live infrastructure migration that will surface in discovery calls at campuses with extensive on-premises AD.
- NSPM-33 staggered deadlines tightening: UW–Madison began research data environment assessments in October 2025 with certification required as soon as July 1, 2026, making the Workload ID and agent governance gaps in this card immediately relevant at R1 accounts with active federal research portfolios.

