Entra Permissions Management

Microsoft's Cloud Infrastructure Entitlement Management (CIEM) product, covering Azure, AWS, and GCP permissions.

Microsoft Entra Permissions Management is Microsoft's Cloud Infrastructure Entitlement Management (CIEM) product — a tool for discovering, analysing, and right-sizing permissions across Azure, AWS, and GCP simultaneously. It addresses a problem that grew quietly with cloud adoption: identities and roles in cloud platforms accumulate far more permissions than they actually use.

What CIEM is for

In a typical cloud environment:

  • Users, service principals, and workload identities have direct permission grants through roles.
  • Most are over-permissioned by an order of magnitude — granted Contributor when they need Reader, granted Owner when they need Contributor on one resource group.
  • Inactive permissions (granted but unused) are an attack surface waiting to be exploited.
  • Multi-cloud organisations have no consolidated view across Azure, AWS, and GCP.

CIEM tools — including Entra Permissions Management, Sonrai, Ermetic, Wiz — discover, analyse, and recommend right-sized permissions.

What Permissions Management provides

After connecting your Azure subscriptions, AWS accounts, and GCP projects, the product shows:

  • Permission Creep Index (PCI) per identity and resource — a score from 0 to 100 of how over-permissioned each identity is.
  • Used vs granted permissions — what each identity actually used in the last 90 days versus what it has access to.
  • Anomalous activity — identities suddenly using permissions they hadn't before.
  • Right-sizing recommendations — automated suggestions to reduce permissions safely.
  • Just-in-time access — temporary elevation through approval workflows.
  • Investigation — drill-down into specific identities and their permission usage history.
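The granted-versus-used comparison, creep score, right-sizing recommendation and "new permission" anomaly check described above, as an added worked example (not code from the product or from this page): role action sets, assignments and activity log entries are constructed for the example, the role definitions are simplified subsets rather than the real built-in roles, and the score is a simple unused-share metric, not Microsoft's PCI formula.

```python
from datetime import datetime, timedelta

# Constructed sample data, not from any real tenant. Roles map to the actions
# they grant, written in Azure RBAC "Provider/resourceType/verb" form.
ROLES = {
    "Reader": {"Microsoft.Compute/virtualMachines/read",
               "Microsoft.Storage/storageAccounts/read"},
    "Contributor": {
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Compute/virtualMachines/delete",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/write",
        "Microsoft.Storage/storageAccounts/delete",
    },
}
# Direct role assignments (identity -> role) and activity log entries
# (timestamp, identity, action); both constructed for this example.
ASSIGNMENTS = {"app-backup-sp": "Contributor", "alice": "Contributor"}
LOG = [
    ("2024-05-01T10:00:00", "app-backup-sp", "Microsoft.Storage/storageAccounts/read"),
    ("2024-05-02T10:00:00", "app-backup-sp", "Microsoft.Compute/virtualMachines/read"),
    ("2024-01-15T10:00:00", "app-backup-sp", "Microsoft.Compute/virtualMachines/delete"),
    ("2024-04-20T09:00:00", "alice", "Microsoft.Compute/virtualMachines/write"),
    ("2024-05-10T09:00:00", "alice", "Microsoft.Compute/virtualMachines/write"),
    ("2024-05-11T09:00:00", "alice", "Microsoft.Storage/storageAccounts/delete"),
]

def actions_in_window(identity, start, end):
    """Distinct actions the identity exercised with start <= timestamp < end."""
    return {a for ts, who, a in LOG
            if who == identity and start <= datetime.fromisoformat(ts) < end}

def analyse(identity, now_iso, window_days=90, recent_days=7):
    """Granted-vs-used comparison, creep score, right-sizing and anomaly check."""
    now = datetime.fromisoformat(now_iso)
    win_start, recent_start = now - timedelta(days=window_days), now - timedelta(days=recent_days)
    granted = ROLES[ASSIGNMENTS[identity]]
    used = actions_in_window(identity, win_start, now)
    unused = granted - used
    # Illustrative creep score: share of granted actions never used in the
    # window, scaled 0..100. This is NOT Microsoft's PCI formula.
    score = round(100 * len(unused) / len(granted))
    # Right-size to the smallest role whose actions still cover everything used.
    recommended = min((r for r, acts in ROLES.items() if used <= acts),
                      key=lambda r: len(ROLES[r]))
    # Anomaly: actions exercised in the last recent_days but never earlier in the window.
    new_actions = (actions_in_window(identity, recent_start, now)
                   - actions_in_window(identity, win_start, recent_start))
    return {"used": used, "unused": unused, "score": score,
            "recommended": recommended, "new_actions": new_actions}
```

With the sample data, the service principal only reads in the 90-day window (its delete from January falls outside it), so it is right-sized down to Reader, while alice's storage delete appears only in the last seven days and is flagged as a newly exercised permission.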

How it differs from PIM

Privileged Identity Management (PIM) focuses on Entra ID roles and time-bound activation. Permissions Management focuses on cloud resource roles — the permissions inside Azure subscriptions, AWS accounts, and GCP projects — across all three clouds. They're complementary:

  • PIM manages who can be an Entra ID Global Admin or Owner of an Azure subscription.
  • Permissions Management identifies which Azure role, AWS IAM role, or GCP role grants more than its identity actually uses within the subscriptions, accounts, and projects themselves.

Common findings

A typical first scan in a mature environment surfaces:

  • Hundreds of inactive privileged identities — accounts with high permissions that haven't been used in months.
  • Service principals with broad permissions they never exercise.
  • Cross-account or cross-subscription drift where similar roles have wildly different permission scopes.
  • Permissions granted via group nesting that admins didn't realise were in scope.

Operational model

The product is most valuable as part of an iterative right-sizing programme:

  1. Inventory — connect the environments, run discovery.
  2. Prioritise — focus on highest-PCI privileged identities first.
  3. Remediate — accept recommendations, monitor for breakage, adjust.
  4. Repeat quarterly — permissions drift back as projects evolve.

Licensing

Permissions Management is licensed per billable resource (cloud identities and resources protected), with a free tier for evaluation.

For organisations running multi-cloud with serious permission complexity, CIEM is now considered standard practice. For Azure-only Microsoft 365 customers, Entra-native PIM and Azure RBAC may be sufficient.