Permissions Management (CIEM)

Microsoft Defender for Cloud's integration with Microsoft Entra Permissions Management (Permissions Management) provides a Cloud Infrastructure Entitlement Management (CIEM) security model that helps organizations manage and control user access and entitlements in their cloud infrastructure. CIEM is a critical component of a Cloud Native Application Protection Platform (CNAPP) solution: it provides visibility into who or what has access to which resources. CIEM helps enforce the principle of least privilege (PoLP), under which users and workload identities, such as apps and services, receive only the minimum access necessary to perform their tasks. CIEM also helps organizations monitor and manage permissions across multiple cloud environments, including Azure, AWS, and GCP.

Integrating Permissions Management with Defender for Cloud (CNAPP) strengthens cloud security by reducing the risk of breaches caused by excessive permissions or misconfigurations. Permissions Management continuously monitors and manages cloud entitlements, helping you discover the identity attack surface, detect threats, right-size access permissions, and maintain compliance. This integration extends the capabilities of Defender for Cloud for securing cloud-native applications and protecting sensitive data.

This integration brings insights derived from the Microsoft Entra Permissions Management suite into the Microsoft Defender for Cloud portal. For the capabilities that are included, see the feature matrix.

Common use-cases and scenarios

Permissions Management capabilities are integrated as a component of the Defender Cloud Security Posture Management (CSPM) plan. The integrated capabilities are the foundational ones, providing the essential CIEM functionality within Microsoft Defender for Cloud. With these capabilities, you can track permissions analytics, unused permissions held by active identities, and over-permissioned identities, and mitigate them to support the best practice of least privilege.

The integration creates recommendations under the Manage Access and Permissions security control on the Recommendations page in Defender for Cloud.
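The core analysis behind these recommendations is a comparison of what an identity has been granted against what it has actually exercised over a lookback window. The following Python is an added example that is not code from the page, from Defender for Cloud, or from Permissions Management; the identities, permissions, activity records, and high-risk action list are all constructed sample data, and the 0-100 score is a simplified illustration of the creep-index idea, not Microsoft's Permissions Creep Index formula. It classifies identities as inactive, over-permissioned, or right-sized, and generates a right-sized policy document containing only the actions the identity used.

```python
"""Least-privilege gap analysis: granted permissions vs. observed usage.

Added example with constructed data; the scoring is a simplified illustration,
not Microsoft's Permissions Creep Index algorithm.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed: permissions each identity holds via role/policy assignments.
GRANTED = {
    "app-backend": {"s3:GetObject", "s3:PutObject", "s3:DeleteBucket", "iam:CreateUser"},
    "ci-deployer": {"ec2:RunInstances", "ec2:TerminateInstances", "iam:PassRole"},
    "alice": {"s3:GetObject", "s3:ListBucket"},
    "legacy-svc": {"s3:GetObject", "kms:Decrypt"},
}

# Constructed: (identity, action) pairs observed in activity logs over the lookback window.
ACTIVITY = [
    ("app-backend", "s3:GetObject"),
    ("app-backend", "s3:PutObject"),
    ("ci-deployer", "ec2:RunInstances"),
    ("ci-deployer", "iam:PassRole"),
    ("alice", "s3:GetObject"),
    ("alice", "s3:ListBucket"),
]

# Constructed: a small high-risk action list; a real tool uses a curated catalog.
HIGH_RISK = {"iam:CreateUser", "iam:PassRole", "s3:DeleteBucket",
             "ec2:TerminateInstances", "kms:Decrypt"}


def _weight(action, high_risk):
    """Unused high-risk actions count double in the score (assumption of this example)."""
    return 2 if action in high_risk else 1


@dataclass(frozen=True)
class Finding:
    identity: str
    granted: frozenset
    used: frozenset
    score: int  # 0 = every granted action was exercised; 100 = none were

    @property
    def unused(self):
        return self.granted - self.used

    @property
    def category(self):
        if not self.used:
            return "inactive identity"
        if self.unused:
            return "over-permissioned active identity"
        return "right-sized"


def creep_score(granted, used, high_risk):
    """Weighted share of granted actions that were never exercised, scaled to 0-100."""
    total = sum(_weight(a, high_risk) for a in granted)
    if total == 0:
        return 0
    unused = sum(_weight(a, high_risk) for a in granted - used)
    return round(100 * unused / total)


def analyze(granted, activity, high_risk):
    """Return one Finding per identity, highest risk first."""
    used_by = defaultdict(set)
    for identity, action in activity:
        used_by[identity].add(action)
    findings = []
    for identity, perms in granted.items():
        # Only count usage of actions still granted; logs can predate a revocation.
        used = used_by.get(identity, set()) & perms
        findings.append(Finding(identity, frozenset(perms), frozenset(used),
                                creep_score(perms, used, high_risk)))
    return sorted(findings, key=lambda f: (-f.score, f.identity))


def right_sized_policy(finding):
    """AWS-style policy allowing only the actions the identity exercised.

    Returns None for an identity with no activity: the recommendation there is
    to remove the assignment (or disable the identity), not to write a policy.
    Resource is left as "*"; scoping it to the touched resources is the next step.
    """
    if not finding.used:
        return None
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": sorted(finding.used),
                           "Resource": "*"}]}


if __name__ == "__main__":
    for f in analyze(GRANTED, ACTIVITY, HIGH_RISK):
        print(f"{f.identity:12} score={f.score:3}  {f.category}  unused={sorted(f.unused)}")
```

In a real deployment the `ACTIVITY` list would be built from CloudTrail, Azure Activity Log, or GCP audit logs, and the high-risk catalog would be maintained separately; the structure of the check stays the same.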

Known limitations

AWS and GCP accounts that were onboarded to Permissions Management before being onboarded to Defender for Cloud can't be integrated through Microsoft Defender for Cloud.

Feature matrix

The integration feature comes as part of the Defender CSPM plan and doesn't require a Permissions Management license. To learn which capabilities are included in the integration and which require Permissions Management itself, refer to the feature matrix:

| Category | Capabilities | Defender for Cloud | Permissions Management |
| --- | --- | --- | --- |
| Discover | Permissions discovery for risky identities (including unused identities, overprovisioned active identities, super identities) in Azure, AWS, GCP | Yes | Yes |
| Discover | Permissions Creep Index (PCI) for multicloud environments (Azure, AWS, GCP) and all identities | Yes | Yes |
| Discover | Permissions discovery for all identities, groups in Azure, AWS, GCP | No | Yes |
| Discover | Permissions usage analytics, role / policy assignments in Azure, AWS, GCP | No | Yes |
| Discover | Support for Identity Providers (including AWS IAM Identity Center, Okta, GSuite) | No | Yes |
| Remediate | Automated deletion of permissions | No | Yes |
| Remediate | Remediate identities by attaching / detaching the permissions | No | Yes |
| Remediate | Custom role / AWS Policy generation based on activities of identities, groups, etc. | No | Yes |
| Remediate | Permissions on demand (time-bound access) for human and workload identities via Microsoft Entra admin center, APIs, ServiceNow app | No | Yes |
| Monitor | Machine Learning-powered anomaly detections | No | Yes |
| Monitor | Activity-based, rule-based alerts | No | Yes |
| Monitor | Context-rich forensic reports (for example PCI history report, user entitlement & usage report) | No | Yes |

Learn how to enable Permissions Management in Microsoft Defender for Cloud.