Browse all topics
Microsoft Entra (Identity)

Entra Permissions Management

Av Emil Björk · Microsoft-ekosystemskonsult, Göteborg

Microsoft's Cloud Infrastructure Entitlement Management (CIEM) product, covering Azure, AWS, and GCP permissions.

Microsoft Entra Permissions Management is Microsoft's Cloud Infrastructure Entitlement Management (CIEM) product — a tool for discovering, analysing, and right-sizing permissions across Azure, AWS, and GCP simultaneously. It addresses a problem that grew quietly with cloud adoption: identities and roles in cloud platforms accumulate far more permissions than they actually use.

What CIEM is for

In a typical cloud environment:

  • Users, service principals, and workload identities have direct permission grants through roles.
  • Most are over-permissioned by an order of magnitude — granted Contributor when they need Reader, granted Owner when they need Contributor on one resource group.
  • Inactive permissions (granted but unused) are an attack surface waiting to be exploited.
  • Multi-cloud organisations have no consolidated view across Azure, AWS, and GCP.

CIEM tools — including Entra Permissions Management, Sonrai, Ermetic, Wiz — discover, analyse, and recommend right-sized permissions.

What Permissions Management provides

After connecting your Azure subscriptions, AWS accounts, and GCP projects, the product shows:

  • Permission Creep Index (PCI) per identity and resource — a score from 0 to 100 of how over-permissioned each identity is.
  • Used vs granted permissions — what each identity actually used in the last 90 days versus what it has access to.
  • Anomalous activity — identities suddenly using permissions they hadn't before.
  • Right-sizing recommendations — automated suggestions to reduce permissions safely.
  • Just-in-time access — temporary elevation through approval workflows.
  • Investigation — drill-down into specific identities and their permission usage history.

How it differs from PIM

Privileged Identity Management (PIM) focuses on Entra ID roles and time-bound activation. Permissions Management focuses on cloud resource roles — the permissions inside Azure subscriptions, AWS accounts, GCP projects — across multi-cloud. They're complementary:

  • PIM manages who can be an Entra ID Global Admin or Owner of an Azure subscription.
  • Permissions Management identifies which Contributor / IAM role / GCP role has too much within the subscriptions and accounts themselves.

Common findings

A typical first scan in a mature environment surfaces:

  • Hundreds of inactive privileged identities — accounts with high permissions that haven't been used in months.
  • Service principals with broad permissions they never exercise.
  • Cross-account or cross-subscription drift where similar roles have wildly different permission scopes.
  • Permissions granted via group nesting that admins didn't realise were in scope.

Operational model

The product is most valuable as part of an iterative right-sizing programme:

  1. Inventory — connect the environments, run discovery.
  2. Prioritise — focus on highest-PCI privileged identities first.
  3. Remediate — accept recommendations, monitor for breakage, adjust.
  4. Repeat quarterly — permissions drift back as projects evolve.

Licensing

Permissions Management is licensed per billable resource (cloud identities and resources protected), with a free tier for evaluation.

For organisations running multi-cloud with serious permission complexity, CIEM is now considered standard practice. For Azure-only Microsoft 365 customers, Entra-native PIM and Azure RBAC may be sufficient.