TL;DR

AI-enabled device-code phishing and OAuth supply-chain breaches (Microsoft EvilTokens, Vercel/Context.ai, April 2026) prove that SSO alone is no longer enough for Australian SMBs. Your identity architecture must include conditional access governance and joiner-mover-leaver (JML) automation, not just SAML federation. Choose Entra ID P1 if you are Microsoft-first, Okta if you run multi-cloud SaaS, and Authentik only if you have in-house DevOps capacity to self-host and patch.

The Threat Context: Identity Is the New Perimeter

Microsoft’s April 2026 disclosure detailed the EvilTokens phishing-as-a-service toolkit, which used dynamic device-code generation to bypass standard 15-minute expiration windows and defeat MFA gating. Around the same period, the Vercel breach showed how a compromised third-party OAuth app (Context.ai) pivoted into corporate Google Workspace sessions, exposing environment variables and enabling persistent inbox rules. For a 10-50 headcount Australian business, the takeaway is blunt: federating passwords via SSO is baseline hygiene. Without device trust, session risk analytics, and automated offboarding, you are one phishing lure away from a business email compromise.

SSO Coverage, Protocols, and SCIM Breadth

Entra ID P1 ships with roughly 2,800 pre-integrated SAML/OIDC applications and native SCIM provisioning for Microsoft 365, Salesforce, and AWS IAM Identity Center. P2 adds third-party application governance and entitlement management. Okta Workforce Identity remains the integration leader with 7,000+ SAML/OIDC connectors and robust bidirectional SCIM, making it the safer bet if your stack mixes Google Workspace, Slack, Atlassian, and niche vertical SaaS. Authentik supports SAML 2.0 and OIDC natively, but SCIM coverage relies on community providers or manual YAML configuration. If your app portfolio is static and mainstream, Authentik is workable; if you onboard new SaaS monthly, the integration gap will hurt.

Conditional Access and Lifecycle Management

Entra ID P1 delivers location-based, compliant-device, and trusted-named-location policies. P2 upgrades this with Identity Protection, real-time risk detection, and automated access reviews. Okta pairs device trust with ThreatInsight and offers a no-code Workflows engine for JML automation, such as triggering deprovisioning across Slack, Okta, and Google Workspace when your HRIS fires a termination webhook. Authentik provides group and policy primitives, but JML is a build-it-yourself affair: you will script webhooks, write LDAP or REST connectors, and maintain your own offboarding runbooks. For a lean technical lead wearing multiple hats, that engineering tax is real.
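The "build-it-yourself" JML path above, as an added example that is not Authentik's, Okta's or any HRIS vendor's code: an HRIS termination webhook handler that deactivates the leaver in every SCIM-capable app. It assumes a hypothetical HRIS that signs the raw body with HMAC-SHA256 in an X-Signature header, that the HRIS e-mail equals each app's SCIM userName, and that the HTTP transport is injected (the `send` parameter) so the logic runs offline.

```python
import hashlib
import hmac
import json
from urllib.parse import quote

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# SCIM 2.0 PatchOp that disables the account. Deactivate rather than DELETE so the audit
# trail, mailbox and owned documents survive for the handover runbook.
DEACTIVATE = {"schemas": [PATCH_SCHEMA],
              "Operations": [{"op": "replace", "value": {"active": False}}]}


def sign(body: bytes, secret: bytes) -> str:
    """HMAC-SHA256 over the raw body; the HRIS side is assumed to compute the same."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, signature: str, secret: bytes) -> bool:
    # An unauthenticated hook would let anyone holding the URL lock staff out.
    return hmac.compare_digest(sign(body, secret), signature)


def offboard(body: bytes, signature: str, secret: bytes, apps: dict, send) -> dict:
    """apps maps app name -> SCIM base URL. send(method, url, payload) -> (status, json)
    is an injected, hypothetical transport so the logic is testable without network access."""
    if not verify_signature(body, signature, secret):
        return {"status": "rejected", "results": {}}
    event = json.loads(body)
    if event.get("event") != "employee.terminated":
        return {"status": "ignored", "results": {}}
    username = event["email"]          # assumed: HRIS e-mail equals SCIM userName
    results = {}
    for app, base in apps.items():
        flt = quote(f'userName eq "{username}"')
        status, found = send("GET", f"{base}/Users?filter={flt}", None)
        resources = found.get("Resources", []) if status == 200 else []
        if len(resources) != 1:
            # Never guess: a missing or ambiguous match goes to the manual runbook.
            results[app] = "not_found" if not resources else "ambiguous"
            continue
        status, _ = send("PATCH", f'{base}/Users/{resources[0]["id"]}', DEACTIVATE)
        results[app] = "deactivated" if status == 200 else f"http_{status}"
    complete = bool(results) and all(r == "deactivated" for r in results.values())
    return {"status": "complete" if complete else "incomplete", "results": results}
```

Anything other than "complete" should page the on-call owner: a leaver who is still active in one app is exactly the gap the offboarding runbook exists to close.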

Audit Logging and Operational Overhead

Entra ID sign-in and audit logs feed natively into Microsoft Sentinel or Azure Monitor; P2 retains 30 days of interactive sign-in data by default. Okta’s System Log is API-first and streams easily into Splunk or Sentinel. Authentik emits JSON audit events to file or stdout, but long-term retention and alerting require a self-hosted Loki or ELK stack. If your SMB does not yet run a SIEM, Okta and Entra provide more digestible dashboards out of the box.
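A triage rule of the kind the sign-in logs above make possible, as an added example that is not Microsoft's or Okta's detection content: it flags successful device-code authentications from a country the user has not used for ordinary interactive sign-ins, the pattern the device-code phishing campaign described earlier relies on. The field names follow the Entra sign-in log schema as the author understands it (an assumption), and the events are constructed.

```python
import json
from collections import defaultdict

# Constructed sample export: three events for a finance user, one for a developer.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"createdDateTime": "2026-04-07T01:10:00Z", "userPrincipalName": "cfo@example.com.au",
     "authenticationProtocol": "none", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "AU"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-07T02:00:00Z", "userPrincipalName": "cfo@example.com.au",
     "authenticationProtocol": "none", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "AU"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-07T03:30:00Z", "userPrincipalName": "cfo@example.com.au",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-07T04:00:00Z", "userPrincipalName": "dev@example.com.au",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22",
     "location": {"countryOrRegion": "AU"}, "status": {"errorCode": 0}},
])


def parse_events(raw: str) -> list[dict]:
    """One JSON object per line, as a SIEM export or Graph API dump would give you."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def device_code_alerts(events: list[dict]) -> list[dict]:
    """Return one alert per successful device-code sign-in outside the user's baseline.
    Baseline = countries seen on the user's successful non-device-code sign-ins
    (assumed field: authenticationProtocol == "deviceCode" marks the device-code flow)."""
    baseline = defaultdict(set)
    for e in events:
        if e["authenticationProtocol"] != "deviceCode" and e["status"]["errorCode"] == 0:
            baseline[e["userPrincipalName"]].add(e["location"]["countryOrRegion"])
    alerts = []
    for e in events:
        if e["authenticationProtocol"] != "deviceCode" or e["status"]["errorCode"] != 0:
            continue
        user, country = e["userPrincipalName"], e["location"]["countryOrRegion"]
        if country in baseline[user]:
            continue
        # A user with no interactive history at all is also worth a look: device code
        # should be the exception (headless boxes, smart TVs), not someone's first sign-in.
        reason = "no interactive baseline" if not baseline[user] else "outside interactive baseline"
        alerts.append({"user": user, "ip": e["ipAddress"], "country": country,
                       "time": e["createdDateTime"], "reason": reason})
    return alerts
```

On a hit, the response is to revoke the user's refresh tokens and sessions in the IdP before investigating; the rule is deliberately narrow and will not catch a lure completed from the victim's own country, so pair it with the platform's risk signals rather than relying on it alone.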

At April 2026 pricing, expect:

  • Entra ID P1: ~A$9/user/month
  • Entra ID P2: ~A$14/user/month
  • Okta Workforce Identity: ~A$18/user/month (SSO + lifecycle bundle)
  • Authentik: A$0 licensing; infrastructure cost roughly A$80-150/month for VM, backup, and monitoring, plus 4-8 hours/month of senior ops attention.

For a 30-user team, that places Entra P1 at ~A$3,300/year, P2 at ~A$5,000/year, Okta at ~A$6,500/year, and Authentik at ~A$1,500-2,500/year infra-only.

Decision Matrix and Archetype Recommendations

Capability               Entra ID P1                Entra ID P2                         Okta                      Authentik
SAML/OIDC breadth        Very High                  Very High                           Highest                   Moderate
SCIM provisioning        Native (MS + major SaaS)   Native + governance                 Broad                     Manual/YAML
Conditional access       Location, device           Risk-based + Identity Protection    ThreatInsight + device    Basic policies
JML automation           Graph API/scripts          Identity Governance                 Workflows (low-code)      DIY scripts
Audit/SIEM integration   Azure-native               Azure-native                        API-first                 Self-hosted stack
Cost (30 users/yr)       ~A$3,300                   ~A$5,000                            ~A$6,500                  Infra only
Operational overhead     Low                        Low                                 Low                       High

Go with Entra ID P1 if… you are Microsoft-first (M365, Teams, Azure VMs) and want the lowest friction. Upgrade to P2 only when you handle sensitive financial data or your cyber insurer mandates risk-based conditional access and Identity Protection.

Go with Okta if… you run a multi-cloud or best-of-breed SaaS stack and prefer one policy pane across disparate apps. Accept the premium as an integration-insurance policy.

Go with Authentik if… you are cost-constrained, run Kubernetes or Docker in-house, and your application list is short and static. Treat it as infrastructure, not a SaaS checkbox. If you cannot patch Postgres and reverse-proxy components within 48 hours of a CVE disclosure, do not self-host your identity provider.

FAQ

What is device code phishing and should my SMB worry? Device code phishing hijacks a legitimate OAuth flow by tricking users into authenticating an attacker-controlled session. The April 2026 Microsoft campaign used AI-generated lures tailored to finance roles. If your identity platform cannot detect anomalous token requests or risky sign-in behaviour, MFA alone will not save you.

Is Authentik secure enough for Australian financial or legal compliance? Authentik’s code is open and auditable, but meeting frameworks like SOC 2 or the Essential Eight depends entirely on your ability to harden the host, patch promptly, and retain tamper-proof logs. For most SMBs without a dedicated security engineer, managed SaaS reduces liability.

When do I need Entra ID P2 over P1? Upgrade when you have privileged accounts accessing critical systems, face regulatory requirements for risk-based policies, or your cyber insurance policy explicitly requires Identity Protection and automated access reviews.

Do I need a SIEM for these identity logs? Not strictly at 10-50 users, but centralising logs is ACSC Essential Eight hygiene. Entra ID and Okta both offer built-in dashboards sufficient for triage. Authentik requires at least a self-hosted logging stack to meet the same standard.

Conclusion

OAuth supply-chain attacks and AI-augmented phishing have moved identity architecture from "set and forget" to active defence. Choose the platform that aligns with your existing cloud footprint, enforce conditional access beyond simple password federation, and automate JML workflows before headcount scaling makes manual cleanup impossible. If you are unsure which path fits your risk profile and budget, visit consult.lil.business for a free cybersecurity assessment tailored to Australian SMBs.
