Keycloak vs Entra ID: the real tradeoffs nobody puts in a comparison table
Two decades of IAM experience condensed into a candid comparison: licensing maths, protocol flexibility, Conditional Access, migration pain, and why most enterprises end up running both.
- Keycloak
- Security
- Cloud
- Architecture
If you are building identity infrastructure in 2026, you have two serious options: self-host Keycloak or buy into Microsoft Entra ID. Everything else is either a niche player or a thin wrapper around one of these two.
I have run both in production. I have migrated teams from one to the other. And I have learned that the choice is less about features and more about what you are willing to own.
The core tradeoff
Entra ID gives you zero operations and less control. Microsoft manages the infrastructure, handles the SLA, and pushes updates. You cannot see inside the black box. When something breaks, you file a ticket and wait.
Keycloak gives you full control and full responsibility. You manage the JVM, the database, the Infinispan cluster, the TLS certificates, and the upgrades. When something breaks, you fix it yourself: nobody else will, but you also do not have to wait for a vendor to do it.
This tradeoff is not new. It is the same choice you make for every infrastructure component. But identity is special because when it breaks, everything breaks.
Licensing: the hidden differentiator
Entra ID P2 costs about $9/user/month. For 10,000 users, that is $90,000/month or over $1M/year. Keycloak is free. The cost is your team’s time to run it. The breakeven point is around 2,000–5,000 identities. Below that, Entra ID’s simplicity justifies the premium. Above that, Keycloak’s zero marginal cost per user dominates.
Feature comparison
Entra ID wins on: Conditional Access (best-in-class, integrated with Microsoft Graph and Intune), seamless M365/Azure integration, managed risk detection.
Keycloak wins on: Protocol support (SAML, OIDC, OAuth 2.0, LDAP, Kerberos with zero license restrictions), flexibility (custom authenticators, SPIs, themes), no vendor lock-in, offline tokens and token exchange.
Draw: Conditional Access has no open-source equivalent in Keycloak. Protocol flexibility has no equivalent in Entra ID. Each lacks what the other does best.
The migration pain nobody talks about
Migrating between them is not a config change. It is a re-platforming. Teams budget 3 months and take 9.
- Token differences. Entra ID issues opaque tokens. Keycloak issues JWTs.
- Group sync. Azure AD groups do not exist in Keycloak without syncing.
- Service principals. The mapping is not one-to-one.
- Conditional Access. No export/import. Every rule must be re-implemented.
The hybrid strategy
More organisations than admit it run both. Entra ID for Microsoft 365 and devices, Keycloak for customer-facing apps and custom auth flows. The bridge is federation.
It adds complexity but gives you the best of both worlds.
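One concrete shape of that federation bridge, as an added example rather than anything from the original post or from either product's documentation: a Keycloak identity-provider representation that brokers logins to a single Entra ID tenant, plus the mapper that turns an Entra group (which arrives in the `groups` claim as an object ID, not a name) into a Keycloak realm role. Tenant, client and group IDs are placeholders, the vault reference for the secret is an assumption about how the realm is set up, and the Entra app registration is assumed to have the `groups` optional claim enabled.

```python
import json

MS_LOGIN = "https://login.microsoftonline.com"


def is_single_tenant(tenant_id: str) -> bool:
    # The multi-tenant endpoints (common/organizations/consumers) publish a
    # templated issuer ("{tenantid}"), so the only way to use them is to switch
    # issuer validation off, which lets users from any Entra tenant into the
    # realm. A brokered realm should always pin one tenant.
    return tenant_id not in ("common", "organizations", "consumers")


def entra_idp_representation(alias: str, tenant_id: str, client_id: str,
                             secret_ref: str = "${vault.entra-client-secret}") -> dict:
    """Keycloak IdentityProviderRepresentation for Entra ID over OIDC (v2.0 endpoints),
    usable in a realm import or POST /admin/realms/{realm}/identity-provider/instances."""
    if not is_single_tenant(tenant_id):
        raise ValueError("pin a single tenant ID; multi-tenant endpoints cannot be issuer-validated")
    base = f"{MS_LOGIN}/{tenant_id}"
    return {
        "alias": alias,
        "providerId": "oidc",
        "enabled": True,
        "trustEmail": False,  # Entra's 'email' claim is not guaranteed verified
        "firstBrokerLoginFlowAlias": "first broker login",
        "config": {
            "clientId": client_id,
            "clientSecret": secret_ref,  # Keycloak vault reference, never a literal secret in the import
            "clientAuthMethod": "client_secret_post",
            "issuer": f"{base}/v2.0",
            "authorizationUrl": f"{base}/oauth2/v2.0/authorize",
            "tokenUrl": f"{base}/oauth2/v2.0/token",
            "jwksUrl": f"{base}/discovery/v2.0/keys",
            "useJwksUrl": "true",
            "validateSignature": "true",  # Entra tokens are JWTs; verify them against the tenant JWKS
            "defaultScope": "openid profile email",
            "syncMode": "FORCE",  # re-sync profile and mapped roles on every broker login
        },
    }


def group_to_role_mapper(idp_alias: str, entra_group_object_id: str, realm_role: str) -> dict:
    """Keycloak's built-in 'Claim to Role' mapper, keyed on the Entra group object ID (GUID)."""
    return {
        "name": f"{idp_alias}-{realm_role}",
        "identityProviderAlias": idp_alias,
        "identityProviderMapper": "oidc-role-idp-mapper",
        "config": {"claim": "groups", "claim.value": entra_group_object_id,
                   "role": realm_role, "syncMode": "FORCE"},
    }


if __name__ == "__main__":  # placeholder IDs; replace with your tenant, app registration and group
    idp = entra_idp_representation("entra", "00000000-0000-0000-0000-000000000000", "app-client-id-placeholder")
    mapper = group_to_role_mapper("entra", "11111111-1111-1111-1111-111111111111", "finance-app-user")
    print(json.dumps({"identityProviders": [idp], "identityProviderMappers": [mapper]}, indent=2))
```

Running it prints a realm-import fragment; the point to check before importing is that `issuer` carries your tenant ID and `validateSignature` stays `"true"`.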
Verdict
Entra ID if you are a Microsoft shop. Keycloak if you need flexibility or multi-cloud. Most enterprises end up running both because each solves a different problem.
Understand the tradeoff before you commit. Both are excellent at different things.