Self-Hosted Feature Parity

Self-Hosted Feature Parity — Round 2 Research Report

Session: 20260321-0115 Domain: NetBird Self-Hosted vs Cloud Feature Parity Date: 2026-03-21 Round: 2 (resolving contradictions from Round 1) Tools Used: mcp__claude_ai_Tavily__tavily_search (8 queries), mcp__exa_websearch__web_search_exa (2 queries), WebFetch (7 pages)

Executive Summary

Round 1 research contained critical contradictions about NetBird self-hosted capabilities. This report resolves all of them with high-confidence, source-verified answers.

The bottom line for GSISG: Self-hosted NetBird is genuinely free for unlimited users/peers with no license fees. However, it is not feature-equivalent to the cloud version. You lose 8 specific capabilities, the most operationally significant being: (1) background IdP-Sync (you get JWT-at-login group sync instead), (2) SCIM provisioning (requires commercial license), (3) peer approval (cloud-only), (4) traffic event logging and SIEM streaming (cloud-only), and (5) management server HA (DIY or enterprise license). For GSISG’s 100-user deployment, the JWT group sync workaround is adequate but not identical to the cloud IdP-Sync feature, and single-management-server risk is the primary operational concern.

Question 1: Complete Feature Matrix

Cloud Plans Feature Matrix (from netbird.io/pricing, verified March 2026)

Feature	Free	Team ($5/user/mo)	Business ($10/user/mo)	Enterprise (Custom)	Self-Hosted (Free)
Users	5	Unlimited	Unlimited	Unlimited	Unlimited
Machines	100	100 + 10/user	100 + 10/user	Unlimited	Unlimited
P2P WireGuard encryption	Yes	Yes	Yes	Yes	Yes
Access controls (policies)	Yes	Yes	Yes	Yes	Yes
NetBird Networks	Yes	Yes	Yes	Yes	Yes
Network Routes	Yes	Yes	Yes	Yes	Yes
Private DNS	Yes	Yes	Yes	Yes	Yes
NetBird SSH	Yes	Yes	Yes	Yes	Yes
Setup keys	Yes	Yes	Yes	Yes	Yes
Social SSO & MFA	Yes	Yes	Yes	Yes	Yes (local users + OIDC)
Enterprise IdP SSO/MFA	No	Yes	Yes	Yes	Yes (via external OIDC)
IdP-Sync (background provisioning)	No	Yes	Yes	Yes	NO (JWT sync only)
SCIM provisioning	No	Yes	Yes	Yes	Enterprise license
User invites (email)	No	Yes	Yes	Yes	NO
Peer approval	No	No	Yes	Yes	NO
Device approvals (user-level)	No	No	Yes	Yes	Yes (user approval exists)
Audit events logging	No	Yes	Yes	Yes	NO
Connection traffic events	No	No	Yes	Yes	NO
Audit & traffic events streaming	No	No	Yes	Yes	NO
MDM & EDR integration	No	No	Yes	Yes	NO
Device posture checks	No	No	Yes	Yes	NO
Geo-distributed relays	Yes (managed)	Yes (managed)	Yes (managed)	Yes (managed)	DIY
High availability	Yes (managed)	Yes (managed)	Yes (managed)	Yes (managed)	DIY / Enterprise license
MSP multi-tenant	No	No	No	Yes	NO
DORA compliance	No	No	No	Yes	No
SLAs	No	No	No	Yes	No
On-premise installation support	No	No	No	Yes	N/A
Custom integrations	No	No	No	Yes	No
Support	Community	Ticketing	Priority	Custom SLA	Community only

Confidence: VERY HIGH

Sources: netbird.io/pricing, self-hosted vs cloud, plans and billing

Key Clarifications

Round 1 Contradiction Resolved: The cost-compliance report stated “self-hosted includes Device Posture Checks: Yes, Traffic Events Logging: Yes, Audit Events Streaming: Yes” — this was WRONG. The official self-hosted vs cloud comparison page explicitly lists these as cloud-only features. The Round 1 table was misleading because it conflated “technically possible in the codebase” with “available in the product.”

What self-hosted DOES get that isn’t obvious:

Unlimited users and unlimited machines (no caps at all)
Local user management (v0.62+) with no external IdP dependency
Multiple simultaneous OIDC providers alongside local users
JWT group sync (groups from IdP tokens auto-created in NetBird at login)
User approval (distinct from peer approval — controls whether new users can join)
All core networking features (routes, DNS, SSH, policies, networks)
Reverse proxy (v0.65+, beta, same as cloud)

Question 2: Entra ID Sync — Self-Hosted vs Cloud

The Two Sync Mechanisms

There are two completely different mechanisms for syncing Entra ID data with NetBird, and they are NOT interchangeable:

Mechanism A: Cloud IdP-Sync (Team plan+, cloud only)

Aspect	Detail
Availability	Cloud version only, Team plan and above
How it works	NetBird’s cloud backend connects to Microsoft Graph API using `User.Read.All` + `Group.Read.All` permissions and actively polls Entra ID at regular intervals
Sync timing	Background, automatic, continuous (“syncs at regular intervals”, manual trigger available)
User provisioning	All users (or filtered subset) appear in NetBird immediately, even before they log in
User deprovisioning	Automatic — when removed from Entra ID, access is revoked at next sync
Group names	Display names synced directly (e.g., “Engineering”, “General Users”)
Group limit	No 200-group JWT limit — fetched via API, not token
Pre-populate policies	Yes — you can create policies referencing users/groups before they authenticate

Mechanism B: JWT Group Sync (Self-Hosted)

Aspect	Detail
Availability	Self-hosted (free), also works on cloud
How it works	Groups are embedded in the JWT ID token during OIDC authentication. NetBird reads the `groups` claim and creates/assigns groups
Sync timing	At login time only — groups update when the user authenticates
User provisioning	Users appear in NetBird only after their first login
User deprovisioning	NOT automatic — if a user is disabled in Entra ID, they can’t log in again, but their existing NetBird peer connections remain until the session expires or setup key is revoked. No background check removes them.
Group names	Object IDs (GUIDs) by default, e.g., `a1b2c3d4-5678-90ab-cdef-1234567890ab`. Display names require Azure AD Premium AND cloud-only groups in Entra. NetBird Cloud does not have this limitation.
Group limit	200 groups maximum per JWT token. If a user belongs to more than 200 groups, the claim is omitted entirely. Workaround: select “Groups assigned to the application” to limit to relevant groups.
Pre-populate policies	Partial — you can pre-create groups by name, but they won’t match until users authenticate with matching group claims

The Standalone IdP Manager (Legacy Advanced Setup)

There is a third option: the standalone/advanced setup where you configure NETBIRD_MGMT_IDP="azure" in the setup.env and set up an IdPManagerConfig in management.json. This configures the NetBird management server to use the Microsoft Graph API endpoint (https://graph.microsoft.com/v1.0) with User.Read.All permission.

CRITICAL FINDING: This IdP Manager in the standalone setup is primarily for caching and displaying user names/email addresses in the NetBird dashboard. The official docs state: “NetBird’s management service integrates with some of the most popular IDP APIs, allowing the service to cache and display user names and email addresses without storing sensitive data.” It does NOT provide the same continuous background provisioning/deprovisioning that the cloud IdP-Sync feature offers. It supplements user display data, but group sync still happens via JWT claims at login.

Practical Difference for GSISG

Scenario	Cloud IdP-Sync	Self-Hosted JWT Sync
New employee starts	Appears in NetBird within minutes (background sync)	Must log in first to appear
Employee terminated in Entra ID	Removed from NetBird at next sync, all access revoked	Can’t re-authenticate, but existing sessions/connections persist until timeout
Group membership changed	Updated at next background sync (minutes)	Updated at next user login only
Viewing groups in dashboard	Human-readable names (“Engineering”)	GUIDs (`a1b2c3d4...`) unless Azure AD Premium
200+ groups per user	Works (API-based)	Breaks (JWT token limit)
Policies before first login	Fully functional	Groups must be pre-created manually

Verdict: JWT group sync is a workable alternative but NOT equivalent to IdP-Sync. The biggest operational gap is deprovisioning — there is no automatic revocation when a user is disabled in Entra ID. You would need to manually remove them from NetBird or revoke their setup keys. For a 100-user org, this is manageable but requires a documented offboarding procedure.

Confidence: VERY HIGH

Sources: IdP-Sync docs (cloud), Entra ID sync (cloud), self-hosted IdP docs, self-hosted Entra ID, v0.62 announcement, GitHub issue #2073

Question 3: Self-Hosted HA Story

Official Statement

The NetBird scaling documentation explicitly states:

“If you are looking for a high-availability setup for the Management and Signal services, this is available through an enterprise commercial license.”

What You CAN Do Without Enterprise License

Component	HA Possible?	How
Relay servers	Yes — fully supported	Deploy multiple relay + STUN servers on separate machines. Peers receive relay addresses from Management and connect directly. Authentication via shared secrets.
Database	Yes — migrate to PostgreSQL	Move from SQLite (single-file, not HA-ready) to PostgreSQL on a dedicated server. PostgreSQL itself supports replication/clustering.
Management server	NO without enterprise license	Single instance only. Cannot run multiple instances behind a load balancer in the community edition.
Signal server	NO without enterprise license	Single instance only. Can be extracted to a separate machine but not replicated.
Dashboard	Yes (stateless)	Static files served by nginx; can be load-balanced trivially. But useless without a functioning management server.

What Happens When the Single Management Server Goes Down

Scenario	Impact
Existing P2P (direct) tunnels	Continue working — WireGuard data plane is independent of management server
Existing relayed connections	Continue working — as long as the relay server (separate component) is up
New peer connections	Cannot be established — peers need management for initial config and peer discovery
Policy changes	Cannot be applied until management returns
New user registration	Cannot happen
DNS configuration updates	Cannot be pushed
Client auto-reconnection after outage	Generally works, but known issue: clients sometimes stay offline indefinitely after prolonged management outage and require manual `netbird up`

Practical Mitigation Without Enterprise License

Run the management server on a reliable VM with monitoring and auto-restart (systemd, Docker restart policies)
Regular backups of the SQLite database (or PostgreSQL) — recovery time is minutes, not hours
Separate relay servers — even if management goes down, existing connections continue
Monitoring — set up Uptime Kuma / Prometheus alerts for the management server health endpoint
The blast radius is limited — data plane (actual VPN traffic) is unaffected; only control plane operations are disrupted

Confidence: VERY HIGH

Sources: Scaling guide, self-hosted vs cloud, how NetBird works

Question 4: AGPLv3 License Implications

What Changed in v0.53.0 (August 5, 2025)

Component	Before v0.53.0	After v0.53.0
Repository root	BSD-3	BSD-3 (unchanged)
Client applications	BSD-3	BSD-3 (unchanged)
`management/` folder	BSD-3	AGPLv3
`relay/` folder	BSD-3	AGPLv3
`signal/` folder	BSD-3	AGPLv3
Dashboard repository	BSD-3	AGPLv3

Legacy versions (pre-v0.53.0) remain under BSD-3.

What This Means for GSISG Self-Hosting Internally

Absolutely nothing changes for internal use. NetBird’s official announcement is unambiguous:

“For self-hosters, internal use, absolutely nothing changes. You can continue to download, install, run, and manage NetBird on your own servers for your organization, your homelab, or any other personal purposes. You are free to modify NetBird for your own internal use without any obligation to share those changes; as long as you do not provide the modified software as a service to other users/organizations over a network.”

When AGPL Obligations Trigger

The AGPL source-sharing obligation is triggered ONLY when:

You modify the NetBird server code AND
You offer that modified version as a service to external users/organizations over a network

Simply running NetBird internally — even a modified version — for your own company’s employees does NOT trigger the AGPL obligation. This is explicitly confirmed by NetBird and is consistent with standard AGPL interpretation.

Potential Compliance Concerns for GSISG

Concern	Risk Level	Analysis
Internal deployment without modifications	ZERO	Standard self-hosting, no obligations
Internal deployment with minor modifications	ZERO	Internal use exemption applies
Running NetBird for GSISG employees across offices	ZERO	This is internal organizational use
Corporate policy prohibiting AGPL software on devices	LOW	The NetBird client remains BSD-3. Only server components are AGPL. The client installed on employee devices is NOT AGPL.
Legal review requirement	LOW-MEDIUM	Some corporate legal teams have blanket AGPL caution. Worth a brief legal review to confirm the client/server split satisfies any internal AGPL policies.
Future risk if NetBird changes terms	LOW	AGPL is an irrevocable license. Any version you have under AGPL cannot be retroactively restricted.

If AGPL Is Unacceptable

Contact sales@netbird.io for a commercial non-AGPLv3 license.

Confidence: VERY HIGH

Sources: AGPL announcement, forum post, HN discussion, AGPL text analysis

Question 5: Self-Hosted Enterprise License

What Is It?

NetBird offers a Commercial License for self-hosted deployments with enterprise needs. This is separate from the cloud subscription plans.

What It Unlocks (Beyond Free Self-Hosted)

Feature	Free Self-Hosted	Enterprise Self-Hosted
Management + Signal HA	DIY (single instance)	Multiple instances behind load balancer
SCIM provisioning	Not available	Available
Support	Community only	Custom SLA, dedicated support
On-premise installation assistance	None	Included
Custom integrations	None	Available

Note: The exact feature list for the self-hosted enterprise license is not comprehensively documented. The official docs only explicitly confirm SCIM and HA as gated features. Other cloud-only features (traffic events, SIEM streaming, EDR integration, peer approval) are NOT confirmed as available via the enterprise self-hosted license — they may remain cloud-only.

Pricing

Not publicly listed. Pricing is custom and requires contacting sales@netbird.io.

Third-party reference point: WZ-IT (a German managed services provider) offers fully managed NetBird hosting starting at EUR249.90/month for up to 200 devices (includes setup, SSO, monitoring, updates, and support). This is NOT a NetBird enterprise license — it’s a third-party managed service built on the open-source version.

Confidence: HIGH

Sources: self-hosted vs cloud, pricing page, WZ-IT pricing, advanced guide

Question 6: Local Users + External Entra ID OIDC

Yes, This Is Fully Supported Since v0.62

NetBird v0.62 introduced a fundamental architectural change: the embedded Dex IdP provides local user management, AND you can add multiple external OIDC providers simultaneously from the Dashboard UI.

How It Works

Deploy self-hosted NetBird using the quickstart script (creates the embedded IdP with local users)
Create your admin account via the Dashboard setup wizard (local email/password)
Add Microsoft Entra ID as an external provider:
- Navigate to Settings > Identity Providers > Add Identity Provider
- Select type: entra (for work/school accounts)
- Enter Client ID, Client Secret, and Issuer from your Entra App Registration
- NetBird generates the redirect URI for you
Users see both login options: “Continue with Email” (local) AND a Microsoft button on the login page
Each user’s provider is tracked: Users show a badge in the Users list indicating which IdP they authenticated through (local, Microsoft, Google, etc.)

What This Gives You (SSO Without Cloud IdP-Sync)

Capability	Available?
SSO via Entra ID	Yes — users click “Microsoft” on login page
MFA via Entra ID	Yes — if configured in Entra Conditional Access, it applies
JWT group sync from Entra ID	Yes — configure `groups` claim in the App Registration token configuration, enable JWT group sync in NetBird Settings > Groups
Local users alongside SSO users	Yes — both coexist; local auth is always available as fallback
Multiple OIDC providers simultaneously	Yes — add Google, Okta, Keycloak, etc., alongside Entra ID
Background user/group sync	No — this is the cloud IdP-Sync feature, not available
Automatic deprovisioning	No — disabled Entra users can’t re-authenticate but aren’t auto-removed
Group display names (not GUIDs)	No — requires Azure AD Premium + cloud-only groups, or use NetBird Cloud

Practical Architecture for GSISG

GSISG Self-Hosted NetBird
|
+-- Embedded Dex IdP (local user management)
|   |-- Admin account (local, email/password)
|   |-- Break-glass accounts (local, for emergency access)
|
+-- Microsoft Entra ID (external OIDC provider)
|   |-- 100+ employees authenticate via SSO
|   |-- Groups sync via JWT claims at login
|   |-- MFA enforced via Entra Conditional Access
|
+-- (Optional) Additional OIDC providers
    |-- Google Workspace for contractors
    |-- Self-hosted Keycloak/Authentik

Key advantage: You get SSO through Entra ID without needing the cloud Team plan. The only thing you miss is the background sync (user/group changes propagate at next login, not immediately).

Confidence: VERY HIGH

Sources: v0.62 announcement, local user management docs, identity providers overview, self-hosted Entra ID

Consolidated: What You Lose Going Self-Hosted

Features Lost (Cloud-Only)

#	Feature	Cloud Plan	Impact for GSISG	Workaround
1	IdP-Sync (background provisioning)	Team+	MEDIUM-HIGH — no auto-provisioning/deprovisioning	JWT group sync at login; manual offboarding procedure
2	SCIM provisioning	Team+ (cloud), Enterprise (self-hosted)	MEDIUM — no standardized user lifecycle	JWT group sync; or purchase enterprise license
3	Peer approval	Business+	MEDIUM — any device with a valid setup key can join	User approval exists; restrict setup key distribution; use setup key expiration
4	Traffic events logging	Business+	LOW-MEDIUM — no connection-level audit trail	Use WireGuard interface packet captures, or NetBird API for peer status
5	Audit & traffic events streaming	Business+	LOW — no SIEM integration	Manual log aggregation from management server
6	MDM & EDR integration	Business+	LOW for GSISG — no CrowdStrike/Intune posture checks	Enforce compliance through Intune separately; manual verification
7	Device posture checks	Business+	LOW-MEDIUM — no OS version / process enforcement	Manual policy enforcement; Intune compliance as separate check
8	User invites (email)	Team+	LOW — can’t send email invitations	Share setup keys or login URL directly
9	MSP multi-tenant	Enterprise	NONE for GSISG — single org	N/A
10	Geo-distributed relays	All cloud plans	LOW — relay traffic is e2e encrypted anyway	Deploy own relay servers in Azure regions near offices

Features Retained (Available in Self-Hosted)

All core networking: P2P WireGuard, access controls, network routes, networks, private DNS, split DNS, custom DNS zones, SSH, setup keys, SSO/OIDC, local user management, reverse proxy (beta), user approval, unlimited users, unlimited machines.

Resolving Round 1 Contradictions

Contradiction	Resolution
”Self-hosted is genuinely free for unlimited users” vs “IdP-Sync is only on Team plan”	Both are true. Self-hosted IS free with unlimited users. IdP-Sync (background provisioning) IS cloud Team+ only. Self-hosted uses JWT group sync instead (login-time only).
”Self-hosted HA requires enterprise license” vs “DIY HA”	Both are partially true. Relay server HA is DIY (no license needed). Management + Signal HA requires enterprise commercial license. You cannot run multiple management server instances without it.
Cost-compliance report listing Device Posture Checks as “Yes” for self-hosted	INCORRECT in Round 1. Device posture checks are Business+ cloud-only features. The Round 1 table was wrong.
”SCIM provisioning requires commercial license for self-hosted”	CORRECT. Explicitly stated in docs: “SCIM provisioning: Enterprise license” for self-hosted.

Recommendation for GSISG

Path 1: Self-Hosted Free (Recommended Starting Point)

Cost: Azure infrastructure only (~$25-30/month)
Identity: Entra ID as external OIDC provider + local admin accounts
Group sync: JWT group sync (groups update at login)
Offboarding: Manual process to remove users from NetBird when terminated in Entra ID
HA: Single management server with monitoring/alerts, separate relay server(s)
Risk: Single point of failure for management server (mitigated by data plane independence)

Path 2: Cloud Team Plan (If IdP-Sync Is Critical)

Cost: $5/user/month = $500/month = $6,000/year for 100 users
Identity: Full Entra ID background sync with auto-provisioning/deprovisioning
Offboarding: Automatic — disabled Entra users lose access at next sync
HA: Included, managed by NetBird
Relays: Geo-distributed, managed

Path 3: Self-Hosted + Enterprise License (Best of Both Worlds)

Cost: Custom pricing (contact sales@netbird.io) + Azure infrastructure
Identity: SCIM provisioning for automated user lifecycle
HA: Multiple management server instances with load balancing
Control: Full data sovereignty with enterprise support
Risk: Unknown pricing; may exceed cloud Team plan cost

Decision Matrix

Priority	Path 1 (Self-Hosted Free)	Path 2 (Cloud Team)	Path 3 (Self-Hosted Enterprise)
Cost minimization	Best	Moderate	Unknown
Data sovereignty	Best	Moderate (NetBird cloud)	Best
Auto-deprovisioning	Manual workaround	Best	Good (SCIM)
Management HA	Weakest	Best	Good
Operational simplicity	Moderate	Best	Moderate
Compliance control	Best	Moderate	Best

Sources & Tool Usage Log

Search Queries (8 Tavily, 2 Exa)

Tool	Query	Purpose
Tavily	NetBird self-hosted HA management server enterprise license	Q3: HA gating
Tavily	NetBird AGPLv3 license change v0.53.0 implications	Q4: License analysis
Tavily	NetBird self-hosted enterprise license cost pricing	Q5: Enterprise tier
Tavily	NetBird self-hosted JWT group sync vs IdP sync	Q2: Sync mechanisms
Tavily	NetBird self-hosted local user management external OIDC v0.62	Q6: Local + SSO
Tavily	NetBird management.json IdPManagerConfig Azure Graph API	Q2: Background sync
Tavily	NetBird self-hosted features cloud-only missing	Q1: Feature matrix
Tavily	GitHub netbirdio/netbird IdpManagerConfig azure management idp	Q2: Source code
Exa	NetBird self-hosted features missing compared to cloud 2025 2026	Q1: Community views
Exa	NetBird self-hosted IdPManagerConfig azure management.json	Q2: Technical config

Pages Fetched (7 WebFetch)

URL	Purpose
netbird.io/pricing	Q1: Complete pricing matrix
docs.netbird.io/about-netbird/self-hosted-vs-cloud	Q1: Feature comparison
docs.netbird.io/selfhosted/identity-providers/managed/microsoft-entra-id	Q2/Q6: Entra ID setup
docs.netbird.io/manage/team/idp-sync	Q2: Cloud IdP-Sync docs
docs.netbird.io/selfhosted/maintenance/scaling/…	Q3: Scaling/HA guide
netbird.io/knowledge-hub/netbird-agpl-announcement	Q4: AGPL details
docs.netbird.io/selfhosted/identity-providers/managed/advanced/microsoft-entra-id	Q2: Legacy Entra setup

Key Source URLs

Feature Matrix: https://netbird.io/pricing
Self-Hosted vs Cloud: https://docs.netbird.io/about-netbird/self-hosted-vs-cloud
IdP-Sync (cloud): https://docs.netbird.io/manage/team/idp-sync
Self-Hosted IdP: https://docs.netbird.io/selfhosted/identity-providers
Entra ID Self-Hosted: https://docs.netbird.io/selfhosted/identity-providers/managed/microsoft-entra-id
Scaling Guide: https://docs.netbird.io/selfhosted/maintenance/scaling/scaling-your-self-hosted-deployment
AGPL Announcement: https://netbird.io/knowledge-hub/netbird-agpl-announcement
v0.62 Local Users: https://netbird.io/knowledge-hub/local-users-simplified-idp
Local User Docs: https://docs.netbird.io/selfhosted/identity-providers/local
Reddit (self-hosted limits): https://www.reddit.com/r/netbird/comments/1rr51ab/limited_selfhosted_feature/
Forum (user invites): https://forum.netbird.io/t/no-way-to-invite-users-via-email-invite-or-idp/51
GitHub #2073 (OIDC sync): https://github.com/netbirdio/netbird/issues/2073
GitHub #5335 (external IdP): https://github.com/netbirdio/netbird/issues/5335
Peer Approval Docs: https://docs.netbird.io/manage/peers/approve-peers