Built on Entra, not parallel to it.
Apporetum extends Microsoft Entra with the identity governance capabilities Microsoft does not ship, without a parallel directory and without per-user licensing.
Microsoft Entra is the platform. Apporetum is the control plane.
Most identity governance vendors land in Microsoft shops the same way: they install their own directory model, synchronise it to Entra, and ask the customer to reconcile two sources of truth for the next five years. Apporetum is built on Entra, not parallel to it. Microsoft Entra ID stays the authoritative directory. Conditional Access, Multi-Factor Authentication, Privileged Identity Management, B2B invitation, and the Microsoft Graph remain Microsoft's responsibility. Apporetum's job is the deterministic lifecycle and governance discipline Microsoft does not ship.
The result is fewer moving parts, less synchronisation drift, and a governance model that respects what Entra already does well.
What Apporetum reuses
Microsoft Entra capabilities Apporetum uses, not re-implements
Where Microsoft already does it well, Apporetum gets out of the way. Apporetum's code path orchestrates these primitives rather than replicating them, so you keep using the Microsoft tooling your team already knows.
Conditional Access
Apporetum does not reinvent sign-in policy. Conditional Access in Entra stays the policy authority. Apporetum manages the role memberships those policies depend on.
Privileged Identity Management (PIM)
Apporetum governs the eligible role assignments PIM activates, and applies stricter guardrails and shorter review intervals to privileged roles.
Multi-Factor Authentication (MFA)
MFA stays where Microsoft owns it. Apporetum's administrator and reviewer flows simply sign in through Entra's existing MFA policy.
Microsoft Graph provisioning
Apporetum provisions accounts, group memberships and application role assignments through the Microsoft Graph, the same API Microsoft documents and supports.
B2B invitation
Partner and contractor identities use Entra ID B2B invitation flows. Apporetum governs the lifecycle of those guest accounts once invited.
Entra External ID
CIAM journeys (sign-up, sign-in, self-service password reset) run on Entra External ID. Apporetum governs the lifecycle and access on top.
What Apporetum adds
The Identity Governance and Administration scope Microsoft does not ship
Microsoft Entra ID, even at P2 with Entra ID Governance, leaves gaps. Apporetum fills them, under a flat-fee subscription with no per-user licensing.
Deterministic Joiner-Mover-Leaver automation
Rules-driven state machines for joiner, mover, leaver, re-hire, suspension and secondary admin accounts: auditable, replayable, testable.
Access reviews and access certifications
Manager and app-owner review campaigns with business-friendly role names, continuous reconciliation, and ISO 27001-aligned audit evidence.
Self-service access requests with delegated approval
Application owners and managers approve access in business language. Central guardrails ensure nothing out-of-policy is granted.
Multi-tenant orchestration
One governance model across many Entra tenants (workforce, partner, customer) without re-implementing IGA per tenant.
CIAM lifecycle on Entra External ID
Customer and partner identity lifecycle, consent and recovery on Microsoft Entra External ID, under the same flat-fee model.
ISO 27001 / SOC 2 / Essential Eight access controls
Audit evidence aligned with ISO 27001:2022 (A.5.15–A.5.18, A.8.2, A.8.3), SOC 2 CC6, and the Australian Essential Eight maturity expectations.
Australian data sovereignty: your data stays in your Azure tenant.
Apporetum is deployed from the Microsoft Azure Marketplace into your Azure subscription. There is no shared Apporetum SaaS backend that your identity data flows through. If your tenant runs in Australia East, Australia Central, or Australia Southeast, your Apporetum runtime and identity data sit in that region, under your existing data sovereignty, your existing tenant controls, and your existing Microsoft data-processing agreement.
For Federal Government, State Government and regulated industries with PSPF, IRAP, or APRA CPS 234 obligations, this matters. Identity data (workforce names, manager hierarchies, role memberships) never leaves the perimeter you already audit.
Deployment model
Self-hosted, cloud-native, deployed from Azure Marketplace
Marketplace deployment
Deployed in minutes from the Microsoft Azure Marketplace into your Azure subscription, under your subscription policy and billing.
Self-hosted, cloud-native
Apporetum runs cloud-native inside your tenant. Optional managed-service operation is available if you do not want to run the platform yourself.
Australian-built
Apporetum is built in Canberra, ACT. Engineering, product, and support are Australian, useful where local presence is part of the procurement.
Built on Entra, not parallel to it, and deployed in your tenant.
Apporetum is the Entra-native control plane for Identity Governance and Administration (IGA). Australian data sovereignty, flat-fee subscription, no per-user licensing.