Identity is the unglamorous foundation of firm-grade security. It decides who can log in to what, from where, on which device, with which second factor, and what happens when they leave. Most UK accounting firms below 30 staff treat identity as "Microsoft 365 with MFA turned on" - which is a defensible starting point and a dangerous endpoint. This guide is for the firm crossing the threshold where ad-hoc identity stops working and proper SSO becomes worth the project effort.
Why SSO matters in a regulated firm
The threats SSO actually addresses: leavers retaining access; staff reusing weak passwords across the stack; phishing harvesting credentials for tools the firm did not even know it had; and the slow drift where every new SaaS sign-up is its own island. The compliance angle is real too - AML supervision and ICO expectations both implicitly assume the firm can answer "who had access to this client's data and when". Without SSO, the honest answer is usually "we don't fully know".
Microsoft Entra ID - what it is and what it covers
Microsoft Entra ID (formerly Azure Active Directory) is the identity layer underneath Microsoft 365. If your firm uses Microsoft 365, you already have Entra; the question is what tier and how you have configured it. Entra ID Free comes with every M365 subscription and covers basic SSO and MFA through "security defaults", but it does not include conditional access. Entra ID P1 adds conditional access policies, password protection, dynamic groups and self-service password reset; it is bundled into Microsoft 365 Business Premium, so many small firms already own it without ever having switched it on. P2 adds identity protection (risk-based sign-in) and privileged identity management. P1 is the practical baseline for any firm taking security seriously.
Okta - what it is and what it covers
Okta is an identity-first vendor whose entire business is being the SSO and identity layer that sits in front of everything else. Strengths: very broad SaaS catalogue (thousands of pre-integrated apps), strong lifecycle automation (provision and deprovision users in downstream apps when HR adds or removes them), and arguably a more polished admin experience. Weaknesses: it is an additional vendor, an additional cost, and there is no point paying for it if you are not going to use its strengths. Per-user pricing typically runs $2 to $15+ depending on modules.
The honest decision tree
If you are a Microsoft 365 shop and your SaaS catalogue is mainly mainstream tools that already integrate with Entra: use Entra ID P1, do not pay for Okta. If you are a Google Workspace shop and your SaaS catalogue is broad and includes niche tools: Okta is a stronger fit. If you have an HR system and want HR-driven provisioning across 20+ SaaS tools: Okta is genuinely better at this today (Entra can provision to gallery apps over SCIM, but Okta's HR-sourced lifecycle flows cover more apps with less custom work). If you simply want SSO and MFA over the eight tools your firm actually uses: Entra is fine.
Conditional access - the part most firms underuse
Whichever identity platform you pick, conditional access is where the security value sits. The policies worth configuring: block sign-in from countries the firm does not operate in (partners who travel will need a VPN exit in an allowed country or a time-boxed exception, so expect pushback); require a compliant, managed device for access to client data; require MFA for all admin roles; force re-authentication after 12 hours for high-risk apps; block legacy authentication protocols (IMAP, POP, SMTP AUTH, basic-auth ActiveSync) entirely, because they cannot present a second factor and are where password-spraying lands. Two guardrails apply to every policy: exclude a break-glass admin account whose password lives in the office safe, so a mistake cannot lock the firm out of its own tenant, and deploy each policy in report-only mode for a week before enforcing it, so you can see who it would have blocked. These take a competent IT engineer a few days to set up properly. The "set and forget" version of MFA is much weaker than this; do not stop at "MFA is on".
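The five policies above, expressed as the request bodies Microsoft Graph accepts for Entra conditional access, together with an offline audit that reads an exported policy list back and names any control that is not actually enforced. This is an added example, not code from the page or from Microsoft: the placeholder GUIDs for the break-glass group, the allowed-countries named location and the client-data apps are assumptions standing in for your tenant's own object IDs (only the Global Administrator role template ID is a real, fixed Entra value), and nothing here talks to a tenant.

```python
"""Entra conditional access baseline as Graph request bodies, plus an offline audit.
Bodies are the shape used by POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies;
the audit reads the list shape returned by GET on the same endpoint."""
import json

BREAK_GLASS_GROUP = "11111111-1111-1111-1111-111111111111"   # assumed: emergency-access accounts group
ALLOWED_COUNTRIES = "22222222-2222-2222-2222-222222222222"   # assumed: named location listing operating countries
CLIENT_DATA_APPS = ["33333333-3333-3333-3333-333333333333"]  # assumed: practice tool, portal, e-signature app IDs
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"   # real Entra role template ID: Global Administrator
REPORT_ONLY = "enabledForReportingButNotEnforced"            # every policy ships in this state first


def _policy(name, conditions, grant=None, session=None, state=REPORT_ONLY):
    """Common skeleton: all users and apps, break-glass group excluded from every policy."""
    body = {"displayName": name, "state": state, "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
        "applications": {"includeApplications": ["All"]}}}
    body["conditions"].update(conditions)            # per-policy scoping overrides the defaults
    if grant:
        body["grantControls"] = {"operator": "OR", "builtInControls": grant}
    if session:
        body["sessionControls"] = session
    return body


def block_unlisted_countries():
    # Every location except the allowed named location is blocked.
    return _policy("CA01 Block sign-in outside operating countries",
                   {"locations": {"includeLocations": ["All"], "excludeLocations": [ALLOWED_COUNTRIES]}},
                   grant=["block"])


def require_compliant_device():
    return _policy("CA02 Require compliant device for client data apps",
                   {"applications": {"includeApplications": CLIENT_DATA_APPS}}, grant=["compliantDevice"])


def require_mfa_for_admins():
    # Scoped by directory role rather than by named user, so newly promoted admins are covered.
    return _policy("CA03 Require MFA for admin roles",
                   {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE], "excludeGroups": [BREAK_GLASS_GROUP]}},
                   grant=["mfa"])


def sign_in_frequency(hours=12):
    return _policy("CA04 Re-authenticate every 12h for client data apps",
                   {"applications": {"includeApplications": CLIENT_DATA_APPS}},
                   session={"signInFrequency": {"value": hours, "type": "hours", "isEnabled": True}})


def block_legacy_auth():
    # exchangeActiveSync + other = every client type that cannot complete an MFA prompt.
    return _policy("CA05 Block legacy authentication",
                   {"clientAppTypes": ["exchangeActiveSync", "other"]}, grant=["block"])


def baseline():
    return [block_unlisted_countries(), require_compliant_device(), require_mfa_for_admins(),
            sign_in_frequency(), block_legacy_auth()]


def audit(policies):
    """Return the baseline controls that no *enforced* policy in the export satisfies.
    Report-only policies only log, so they are deliberately not counted."""
    live = [p for p in policies if p.get("state") == "enabled"]

    def grants(p):
        return set((p.get("grantControls") or {}).get("builtInControls", []))

    def cond(p, key, default):
        return (p.get("conditions") or {}).get(key) or default

    def freq(p):
        return (p.get("sessionControls") or {}).get("signInFrequency") or {}

    checks = {
        "legacy auth blocked": lambda p: "block" in grants(p)
            and {"exchangeActiveSync", "other"} <= set(cond(p, "clientAppTypes", [])),
        "unlisted countries blocked": lambda p: "block" in grants(p)
            and cond(p, "locations", {}).get("includeLocations") == ["All"]
            and bool(cond(p, "locations", {}).get("excludeLocations")),
        "compliant device for client data": lambda p: "compliantDevice" in grants(p)
            and ("All" in cond(p, "applications", {}).get("includeApplications", [])
                 or set(CLIENT_DATA_APPS) <= set(cond(p, "applications", {}).get("includeApplications", []))),
        "MFA for admin roles": lambda p: "mfa" in grants(p)
            and bool(cond(p, "users", {}).get("includeRoles")),
        "sign-in frequency <= 12h": lambda p: freq(p).get("isEnabled") is True
            and freq(p).get("type") == "hours" and freq(p).get("value", 10**9) <= 12,
    }
    return [name for name, ok in checks.items() if not any(ok(p) for p in live)]


def demo():
    """Constructed scenario: the baseline was switched on, but CA05 was forgotten in report-only."""
    deployed = baseline()
    for p in deployed:
        if "legacy" not in p["displayName"].lower():
            p["state"] = "enabled"
    return audit(deployed)


if __name__ == "__main__":
    print(json.dumps(block_legacy_auth(), indent=2))
    print("gaps:", demo())
```

The audit is the part worth keeping: run it against a fresh export after every change, because the most common real-world failure is not a missing policy but one that was created, left in report-only during the pilot and never flipped to enabled.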
Joiners, movers, leavers
The single most common identity failure in small firms is the leavers process. Someone leaves on a Friday, their Microsoft account gets disabled, but nobody disables them in Xero, QuickBooks, the practice tool, the portal vendor, the e-signature tool, and the WhatsApp group. SSO with proper deprovisioning closes most of this gap, but be precise about what it does: disabling the master identity stops new sign-ins through SSO, while the app's own account, any session already open, and any API token or app-specific password it issued survive until the app's session expires or a provisioning (SCIM) integration deactivates the account. Tools that only do SSO, or that were never put behind it, still need a manual step; the WhatsApp group always will. Build the joiners-movers-leavers process in writing, with a per-app checklist recording which path each tool is on (automatic deprovisioning, SSO-only, or manual), automate as much as your identity platform supports, and audit it quarterly.
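The quarterly audit is the step firms skip because it sounds like spreadsheet work. It is, and that is fine: the check below reconciles the identity platform's user export against each SaaS tool's own user list and flags accounts that outlived their master identity or never had one. This is an added example, not code from the page; the sample exports are constructed, the firm and people are fictional, and the column names are assumptions standing in for whatever each tool's CSV download actually calls them.

```python
"""Leavers reconciliation across SaaS tools. Constructed data; not a real firm."""

# Constructed identity export (Entra or Okta): the master record for each person.
IDENTITY_EXPORT = [
    {"mail": "a.patel@example-firm.co.uk", "accountEnabled": True},
    {"mail": "j.smith@example-firm.co.uk", "accountEnabled": False},   # left last Friday
    {"mail": "m.jones@example-firm.co.uk", "accountEnabled": True},
]

# Constructed per-app user lists, as an admin would download them from each tool.
APP_EXPORTS = {
    "xero": [
        {"email": "A.Patel@example-firm.co.uk", "status": "Active"},
        {"email": "j.smith@example-firm.co.uk", "status": "Active"},      # nobody removed the leaver
    ],
    "esign": [
        {"email": "j.smith@example-firm.co.uk", "status": "Suspended"},   # correctly deprovisioned
        {"email": "temp.contractor@gmail.com", "status": "Active"},       # island account, no master identity
    ],
    "portal": [
        {"email": "m.jones@example-firm.co.uk", "status": "active"},
    ],
}


def norm(value):
    """Case- and whitespace-insensitive comparison; tools disagree on both."""
    return value.strip().lower()


def reconcile(identity_export, app_exports):
    """Return one finding per app account that is active without a live master identity.
    Two causes are distinguished: the identity exists but is disabled (a leaver the app
    missed) and the identity does not exist at all (an account created outside SSO)."""
    known = {norm(u["mail"]) for u in identity_export}
    enabled = {norm(u["mail"]) for u in identity_export if u["accountEnabled"]}
    findings = []
    for app, users in app_exports.items():
        for u in users:
            if norm(u["status"]) != "active":
                continue                            # suspended/deactivated accounts are fine
            email = norm(u["email"])
            if email in enabled:
                continue                            # current staff member, nothing to do
            reason = "master identity disabled" if email in known else "no master identity (island account)"
            findings.append({"app": app, "email": email, "reason": reason})
    return sorted(findings, key=lambda f: (f["app"], f["email"]))


def report(findings):
    """One line per finding, suitable for pasting into the quarterly audit record."""
    if not findings:
        return "OK: every active app account maps to an enabled identity"
    return "\n".join(f"{f['app']}: {f['email']} - {f['reason']}" for f in findings)


if __name__ == "__main__":
    print(report(reconcile(IDENTITY_EXPORT, APP_EXPORTS)))
```

The second finding type is the one that justifies the exercise: an account that only exists inside one tool is invisible to every identity-side control on this page, and the only way to discover it is to look at the tool's own user list.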
Where the practice tool fits
Your practice tool is one of the most sensitive applications in the firm - it holds client data, AML records, signed engagement letters and time entries. It should be behind SSO with MFA enforced from day one. Accupe supports role-based access so partner, manager, senior and junior see appropriate views, which complements identity-level SSO with application-level authorisation. The two together are stronger than either alone.
A 90-day rollout plan that actually works
Days 1 to 14: inventory every SaaS app the firm uses, including the shadow ones. Days 15 to 30: pick the identity platform, license it, configure baseline conditional access. Days 31 to 60: roll out SSO for the top ten apps by sensitivity. Days 61 to 90: roll out the long tail, formalise the joiners-movers-leavers process, run a tabletop exercise simulating a partner laptop loss. Plan for the project to take longer than this; almost all do. But the structure works.
Closing
Identity is not the kind of project that wins partner enthusiasm. It is the kind of project that, twelve months later, has quietly prevented two incidents you never had to explain to the ICO. Pick the platform that matches your existing posture, set conditional access properly, automate leavers, and treat the practice management tool as a first-class citizen behind it.