Endpoint authentication, honestly

Why organisations still need endpoint authentication beyond Entra ID.

Entra ID is the right tool for the corporate-user, cloud-managed case. It is not the right tool for shared terminals, OT segments, air-gapped sites, HMIs, old domains and operator attribution on Sammelkonten. This page is the honest list of nine environments where the cloud-only identity stack runs out of road and where CodeB sits down next to it instead.

This is not an anti-Microsoft page. Most of our customers run Entra ID for their office workforce and CodeB for the parts of the environment Entra ID was not designed for. The two coexist on the same workstation.

The honest framing

Use Entra ID where it shines. Use CodeB where it doesn’t.

Entra ID is a brilliant identity plane for office users, SaaS sign-on, and the modern corporate laptop. The trouble starts when the same playbook is applied to a hospital ward terminal, a CNC operator station, an air-gapped lab, a ten-year-old AD domain running a clinical app, or a manufacturing HMI that boots once a shift. None of those endpoints were designed for cloud-managed identity. Forcing them under Entra ID is either impossible — the endpoint has no internet — or expensive and brittle. CodeB takes over at exactly that boundary.

Nine environments

Where Entra ID is not the answer at the logon screen.

Each of these is a recurring conversation we have with security architects whose leadership has standardised on Entra ID and discovered, on the way down, that parts of their estate do not fit. The pattern is always the same: the cloud-only model works beautifully on a salesperson’s laptop and gradually loses traction the further from the corporate office the workstation lives.

01 / Shared workstations

Many users, one keyboard, sub-second roaming.

A clinical ward terminal, a manufacturing-line station, a help-desk PC: dozens of identities share one workstation across a shift. Windows Hello is per-user, per-device — every nurse would have to enrol on every workstation they touch. CodeB issues an NFC card centrally and that card opens the desktop on any workstation in scope, in under a second, with full per-user attribution.

02 / OT & manufacturing

Plant networks that never talk to the corporate cloud.

Operational technology segments are typically firewalled off from the corporate network and explicitly forbidden from reaching Microsoft tenants. The Windows machines on those segments still need attributable logon for NIS2, IEC 62443 and internal incident-response policy. CodeB ships as software inside that segment and authenticates against local or AD accounts without leaving the boundary.

03 / Offline systems

Windows on devices that simply do not have a route out.

A mobile imaging unit on a hospital trolley, a forensic-evidence workstation, a radiation-medicine planning PC, a survey vessel laptop. The endpoint is Windows; the network is sometimes nothing at all. Entra ID still requires periodic token refresh against the cloud; CodeB does not require any connection, ever.

04 / Disconnected and intermittently-connected sites

Operations cannot stop when the upstream link does.

Branch hospitals, remote clinics, ships, offshore platforms, retail outlets at the end of a marginal DSL line. When the internet goes down — and it does — your operators still need to sign in to the workstation in front of them. CodeB authenticates locally; the SaaS identity-provider outage does not become a logon outage.

05 / HMIs & embedded Windows

Printing presses, packaging lines, CNC machines, lab analysers.

Embedded Windows HMIs frequently run for ten or fifteen years inside larger machines and were never designed to participate in cloud identity. Replacing them to satisfy an identity refresh is not realistic. CodeB hardens the logon on the existing HMI without rewriting the operator software or touching the OEM’s signed image.

06 / Old domains and unretired AD forests

The directory you still depend on but cannot lift to the cloud.

Most enterprises have at least one Active Directory forest that runs a clinical system, an ERP, a litigation case-management tool or a legacy ICS console — and that forest will not move to Entra ID inside the planning horizon. CodeB authenticates against that AD as it stands, with no schema changes, no Entra Connect, no hybrid join.

07 / Clinical terminals and roaming sessions

Tap to log in. Remove the card to lock or sign off. Move to the next bed.

Bedside terminals and roving clinical workstations need sub-second sign-in, configurable card-remove behaviour, and a session model that handles a clinician moving across wards. Entra ID can authenticate the user but does not deliver this endpoint workflow. CP V2’s card-removal action is policy-configurable: do nothing, lock the workstation, or sign the user off — whichever the ward’s safety policy requires.

08 / Operator attribution on Sammelkonten

One shared account, one operator on it at a time.

German hospitals and manufacturing lines keep historically-grown shared accounts (Sammelkonten) for clinical-application reasons that auditors do not get to override. NIS2 and KRITIS regulators still expect attribution. CodeB layers per-user NFC or TOTP authentication over the shared Windows account so every action remains traceable to a real person, even when the underlying account is shared. On NFC, CP V2 goes one step further: at logon and unlock it appends the authenticating card’s ID to the Office author profile, e.g. username (EA35CF34). Every Word, Excel and PowerPoint edit, comment and metadata write then carries that card token, which correlates to the same ID in the Windows logon event — full document-level attribution on top of a Sammelkonto.
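A defender-side check built on that mechanism, written for this page as an added example (not CodeB's or Microsoft's code): it parses author strings of the page's "username (EA35CF34)" form, matches the card token against logon records for the same shared account, resolves the card to a named holder, and lists the documents edited under the Sammelkonto that cannot be tied to a person. The logon records, card register and document metadata are constructed sample data; the page does not specify the field layout of CodeB's event-log entries, so the flat (timestamp, account, card ID) record and the eight-hex-digit card ID length are assumptions.

```python
import re
from dataclasses import dataclass

# Author-string format CP V2 writes at logon/unlock, as given on the page: "username (CARDID)".
# The eight-hex-digit card ID length is an assumption taken from the page's example EA35CF34.
AUTHOR_RE = re.compile(r"^(?P<user>[^()\s]+)\s+\((?P<card>[0-9A-Fa-f]{8})\)$")


@dataclass(frozen=True)
class LogonEvent:
    timestamp: str  # ISO 8601, constructed
    account: str    # the shared Windows account (Sammelkonto)
    card_id: str    # ID of the NFC card that authenticated the operator


# Constructed sample data. The real layout of CodeB's event-log entries is not specified
# on the page; this flat record is an assumed simplification for the correlation logic.
LOGON_EVENTS = [
    LogonEvent("2024-05-02T06:58:12", "ward3-shared", "EA35CF34"),
    LogonEvent("2024-05-02T14:03:40", "ward3-shared", "7B2D9E01"),
]

# Constructed card register: which person each issued card belongs to.
CARD_HOLDERS = {"EA35CF34": "A. Schmidt", "7B2D9E01": "M. Becker"}

# Constructed Office core-properties author values (dc:creator / cp:lastModifiedBy).
DOCUMENTS = {
    "handover.docx": "ward3-shared (EA35CF34)",
    "meds.xlsx": "ward3-shared (7B2D9E01)",
    "notes.docx": "ward3-shared",              # no token: edit not covered by an NFC session
    "orders.docx": "ward3-shared (00000000)",  # token with no matching logon event
}


def parse_author(author: str):
    """Split 'username (CARDID)' into (username, CARDID); None if no card token is present."""
    m = AUTHOR_RE.match(author.strip())
    if m is None:
        return None
    return m.group("user"), m.group("card").upper()


def attribute(documents, events, holders):
    """Resolve each document's author token to a person via the logon events.

    A document is attributed only when its card token appears in a logon event for the
    same shared account AND the card is in the register; otherwise it maps to None.
    """
    cards_seen = {(e.account, e.card_id.upper()) for e in events}
    result = {}
    for doc, author in documents.items():
        parsed = parse_author(author)
        if parsed is None:
            result[doc] = None
            continue
        user, card = parsed
        if (user, card) in cards_seen and card in holders:
            result[doc] = holders[card]
        else:
            result[doc] = None
    return result


def unattributed(documents, events, holders):
    """Documents edited under the shared account that cannot be tied to a person."""
    return sorted(d for d, who in attribute(documents, events, holders).items() if who is None)


if __name__ == "__main__":
    for doc, who in attribute(DOCUMENTS, LOGON_EVENTS, CARD_HOLDERS).items():
        print(f"{doc}: {who or 'UNATTRIBUTED'}")
```

In a real review the match would also be bounded in time (the logon event must precede the document's modified timestamp), and the unattributed list is the finding an auditor will ask about, since those are the edits the shared account still hides.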

09 / Air-gapped environments

Designed to run without outbound traffic.

Industrial OT, regulated research environments, critical-infrastructure SCADA networks and similar settings are commonly physically or logically air-gapped: no Entra ID tenant is reachable, no Microsoft licence server, no telemetry pipe. CodeB is engineered for this case from day one and is deployed on segments where outbound traffic is not a setting but a network boundary.

At a glance

Where each model fits.

A short, honest matrix. Where the row says “Entra ID”, run Entra ID. Where the row says “CodeB”, the cloud-only path is the brittle one.

Endpoint reality | Best fit | Why
Office laptop, individual user, cloud-managed | Entra ID | Per-device Hello, conditional access, modern enrolment. Use what Microsoft built.
SaaS sign-on across the corporate workforce | Entra ID | This is the case Entra ID was designed for. CodeB does not compete.
Shared workstation, many shift users, NFC tap | CodeB | Central card issuance, no per-user enrolment, sub-second roaming.
OT segment with no outbound route | CodeB | No tenant, no cloud refresh, runs entirely inside the segment.
Old AD forest that cannot move | CodeB | Authenticates against AD as-is: no schema changes, no Entra Connect.
Clinical roaming, NFC sign-in with card-remove lock or sign-off | CodeB | NFC tap to sign in; card-removal action is policy-configurable (do nothing, lock, or sign-off) and built into the credential provider.
Air-gapped network | CodeB | Engineered with the assumption that the internet is not there.
HMI / embedded Windows behind an OEM image | CodeB | Layers on top of the existing logon, no machine replacement, no OEM image rebuild.
Per-user attribution on a Sammelkonto | CodeB | Layered authentication on top of the shared account; every action stays attributable.

Entra ID + CodeB

CodeB is engineered to sit next to Entra ID, not against it.

CP V2 authenticates against local accounts, Active Directory and Microsoft Entra ID from the same installer. Many of our customers run Entra ID for their office workforce on the corporate floor and CP V2 on the same Windows release for clinical workstations, OT machines and air-gapped labs. Group Policy decides which model the machine uses. Nothing about the two is mutually exclusive.

Same installer, three account models

Local, AD and Entra ID accounts work from a single Credential Provider DLL, switched by policy — not a separate product.

Group Policy, not yet another console

The configuration lives in Group Policy and the registry. Your existing AD admins, MDT pipelines and Intune profiles drive it.

No tenant migration to run

You do not have to move the legacy AD forest or the OT segment to Entra ID first. CodeB takes the endpoint as it is today.

One audit trail, two identity planes

Every CodeB logon is written to the standard Windows event log; your Entra ID sign-in logs continue to flow in parallel.

Have an Entra ID footprint and an environment Entra ID cannot reach?

Tell us about both halves — the office floor and the part that cannot move — and we’ll come back with a coexistence plan inside two business days.