Microsoft Entra-only vs. SCIM 2.0 multi-IdP.
Them · Pistachio · Microsoft Entra ID + Mail.ReadWrite
Microsoft Entra ID only. Google Workspace 'planned' but unbuilt. License management via Entra security groups (`pistachio-admin`, `pistachio-sat`, `pistachio-itd`).
- 01 Microsoft SSO is the only admin login path
- 02 Mail.ReadWrite required across all mailboxes (security-committee discovery point)
- 03 ActivityFeed.Read for Presence audit-log access
- 04 License gating via Entra security group membership
- 05 Google Workspace organisations cannot evaluate
Microsoft-only lock-in
Us · Moxso · SCIM 2.0 + service account
Direct SCIM 2.0 with risk-attribute reverse-sync. Multi-IdP across Entra, Okta, and others.
SCIM 2.0 endpoint
Native, every tier
Multi-IdP support
Entra, Okta, plus
Mail.ReadWrite required
No
OSINT engine
Native, every tier
NIS2 evidence
Native to the licence
Multi-IdP, tier-symmetric, no Microsoft lock-in