vendor lock-in → exit plan
Get an exact quote
Identity & Access migration path

From ForgeRock to Microsoft Entra ID

Cost comparison, a phase-by-phase migration plan, and the automation to execute it.

Effort
High
Est. timeline
~18 wks
Microsoft Entra ID model
Per-user (P1 / P2)
Open source
No
▶ Model your savings in the calculator

3-year cost calculator

Pre-filled for ForgeRock → Microsoft Entra ID. Adjust every figure with your own numbers.

Every figure here is an illustrative estimate, not a vendor quote. Defaults are editable starting points compiled from public information; real, binding pricing comes from the vendor or an authorized distributor. See our methodology.

Sized at 1,000 users — cost is computed on this.
Stay on ForgeRock (3yr)
$180,000
Move to Microsoft Entra ID (3yr + migration)
$432,000
Projected extra cost
$252,000 (140%)
Payback period
Build a decision report from these numbers:

All figures are illustrative and fully editable — adjust the cost-per-user and migration inputs with your own numbers. Not guaranteed vendor pricing (defaults reviewed May 2026). For a binding quote, use the request form below to reach an authorized distributor or partner.

Quick comparison: ForgeRock vs Microsoft Entra ID

Common trade-offs teams weigh when staying on ForgeRock versus moving to Microsoft Entra ID. These are general, commonly-reported considerations — not statements of fact about any vendor — so check them against your own contract and the vendors' current terms.

ForgeRock Current
Ping Identity · Per-user + modules
  • Already in production — no migration effort or risk
  • Mature ecosystem with vendor support and SLAs
  • Per-user plus per-module licensing
  • Acquisition and roadmap uncertainty
  • Premium support and upgrade costs
  • Ongoing per-user + modules cost to budget for
  • Higher vendor lock-in to weigh
Microsoft Entra ID Planned
Microsoft · Per-user (P1 / P2)
  • Commercial option with vendor support and SLAs
  • Cost model: Per-user (P1 / P2)
  • Requires a migration (~18 weeks, high effort)
  • Per-user (P1 / P2) cost
  • Higher operational learning curve

Why teams evaluate alternatives to ForgeRock

Reasons commonly cited by users and in public industry coverage for re-evaluating ForgeRock. These are general, reported considerations — not statements of fact about Ping Identity — and may not reflect your situation or the vendor's current terms. Verify against your own contract before deciding.

  • Per-user plus per-module licensing
  • Acquisition and roadmap uncertainty
  • Premium support and upgrade costs

The migration plan

Roughly 18 weeks for a mid-size estate, in six phases.

Assessment & discovery
Inventory every workload, dependency, and integration; flag anything high-risk.
Target design & sizing
Size the new platform, design storage and networking, set RPO/RTO and rollback criteria.
Pilot migration
Migrate a small low-risk set end-to-end and validate the runbook.
↳ Stand up the new identity provider, import users and groups via LDAP/SCIM, re-register applications as OIDC/SAML clients, migrate MFA enrollment, and cut over app by app.
Production migration
Move workloads in scheduled waves using automation; verify after each wave.
Validation & optimization
Tune performance, confirm backup/DR, and update monitoring and docs.
Decommission source
Reclaim licenses, retire old infrastructure, and capture lessons learned.

Tooling & automation

Stand up the new identity provider, import users and groups via LDAP/SCIM, re-register applications as OIDC/SAML clients, migrate MFA enrollment, and cut over app by app.

OffVendor's wizard pre-fills these scripts with your environment — inventory export, disk/schema conversion, bulk provisioning, and validation.

Frequently asked

Is migrating from ForgeRock to Microsoft Entra ID worth it?

For most teams facing rising ForgeRock costs, yes — Microsoft Entra ID (per-user (p1 / p2)) typically lowers 3-year total cost of ownership, though the right answer depends on workload complexity and in-house skills. Use the calculator to model your own numbers.

How long does a ForgeRock to Microsoft Entra ID migration take?

A typical mid-size estimate is around 18 weeks across six phases — discovery, design, pilot, waved production migration, validation, and decommission. Larger or more complex estates take longer.

What tools are used to migrate from ForgeRock to Microsoft Entra ID?

Stand up the new identity provider, import users and groups via LDAP/SCIM, re-register applications as OIDC/SAML clients, migrate MFA enrollment, and cut over app by app.

Get a vendor-accurate Microsoft Entra ID quote

A guided builder that turns your estimates into a requirements report you can send to a vendor, partner, or distributor to secure a binding quote.

How this works — and what's yours to provide
  • Your inputs, your responsibility. The figures and estimates here describe your environment and requirements — please make sure they're accurate. OffVendor's defaults are illustrative starting points only, not vendor pricing.
  • It generates a requirements report (RFQ). Use it to capture your sizing and requirements and share it with your authorized vendor / partner / distributor to obtain a final, binding quote.
  • Then close the loop on your TCO. When the real quote comes back, plug those actual prices into the calculator above to refine your TCO and see where reality differs from the estimate.
  1. 1Size it
  2. 2Requirements
  3. 3Your details
  4. 4Channels & export

How big is your ForgeRock estate?

Count the people who need accounts or seats. Not sure? Enter rough numbers — the distributor confirms exact counts later.

1,000 users
Default mid-size assumption (1,000 users)
Estimates are illustrative and configurable; production figures come from vendor list prices and your own quotes.