Note
Effective April 1, 2025, Microsoft Entra Permissions Management will no longer be available for purchase.
On October 1, 2025, Microsoft will retire and discontinue support for this product. Learn more about the retirement of Microsoft Entra Permissions Management.
The deprecation of Microsoft Entra Permissions Management doesn't affect any existing CIEM capabilities in Microsoft Defender for Cloud. Learn more about the future of CIEM in Microsoft Defender for Cloud.
Microsoft Defender for Cloud includes native Cloud Infrastructure Entitlement Management (CIEM) capabilities within the Defender Cloud Security Posture Management (CSPM) plan to help organizations discover, assess, and manage identity and access risks across their multicloud environments. These capabilities are designed to secure infrastructure by enforcing the principle of least privilege (PoLP), reducing the attack surface, and preventing the misuse of human and workload identities across Azure, AWS, and GCP.
How Defender for Cloud analyzes permissions
Defender for Cloud continuously analyzes identity configurations and usage patterns to identify excessive, unused, or misconfigured permissions. It assesses human and application identities, including users, service principals, groups, managed identities, and service accounts, and provides recommendations to reduce the risk of privilege misuse.
CIEM capabilities in Defender for Cloud support:
Microsoft Entra ID users, groups, and service principals
AWS IAM users, roles, groups, serverless functions, and compute resources
Google Cloud IAM users, groups, service accounts, and serverless functions
Key capabilities
Multicloud identity discovery
Track and analyze permissions across Azure, AWS, and GCP in a single, unified view. Identify which users, groups, service principals, or AWS roles have access to cloud resources and how those permissions are used.
Effective permission analysis
Understand not just who has access, but the potential risk of what they can access. Defender for Cloud evaluates effective permissions to identify identities that can reach sensitive or business-critical resources. Use Cloud Security Explorer to search for specific identities or critical resources (for example, containing sensitive data, exposed to the internet) and determine who has access, what level of access they have, and how that access could be exploited.
Identity risk insights
Reduce identity-related risk by receiving proactive guidance via recommendations. Defender for Cloud surfaces recommendations such as:
Removing inactive, guest, or blocked accounts with access
Limiting administrative privileges to a defined set of users
Right-sizing permissions for overprovisioned identities based on actual usage
Enforcing MFA and strong password policies for IAM users
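The right-sizing and inactive-identity guidance above rests on one comparison: what an identity was granted versus what it actually exercised in a lookback window. The script below illustrates that comparison. It is an added example and not Defender for Cloud's own implementation; the grant table, activity records, action names, and the 90-day window are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Lookback window for "in use"; an assumption for this example, not a product setting.
INACTIVITY_DAYS = 90

# Constructed sample grants: identity -> set of granted actions.
GRANTS = {
    "sp:build-agent": {"Storage/read", "Storage/write",
                       "KeyVault/secrets/read", "KeyVault/secrets/write"},
    "sp:legacy-reporter": {"Storage/read"},
    "user:alice": {"VM/read", "VM/start"},
    "user:guest-bob": {"Storage/read"},
}

# Constructed sample activity records: (identity, action, UTC timestamp).
ACTIVITY = [
    ("sp:build-agent", "Storage/read", "2025-05-01T10:00:00Z"),
    ("sp:build-agent", "Storage/write", "2025-05-02T10:00:00Z"),
    ("user:alice", "VM/read", "2025-05-03T10:00:00Z"),
    ("user:alice", "VM/start", "2025-05-03T10:05:00Z"),
    ("user:guest-bob", "Storage/read", "2024-11-01T10:00:00Z"),  # before the window
    ("user:unknown", "Storage/read", "2025-05-04T10:00:00Z"),    # not in GRANTS
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp that ends in 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def analyze(grants, activity, now, inactivity_days=INACTIVITY_DAYS):
    """Per identity: granted vs used actions, last activity, and an inactivity flag.

    Only activity inside the lookback window counts as "used"; older events still
    update last_seen so the report shows when an identity went quiet.
    """
    cutoff = now - timedelta(days=inactivity_days)
    used = {ident: set() for ident in grants}
    last_seen = {ident: None for ident in grants}
    for ident, action, ts in activity:
        if ident not in grants:
            continue  # activity from an identity outside the scoped grant table
        when = parse_ts(ts)
        if last_seen[ident] is None or when > last_seen[ident]:
            last_seen[ident] = when
        if when >= cutoff:
            used[ident].add(action)
    report = {}
    for ident, granted in grants.items():
        seen = last_seen[ident]
        report[ident] = {
            "granted": set(granted),
            "used": used[ident],
            "unused": set(granted) - used[ident],
            "last_seen": seen,
            "inactive": seen is None or seen < cutoff,
        }
    return report


def findings(report):
    """Reduce the report to (identity, finding, detail) tuples, one per identity."""
    out = []
    for ident, entry in sorted(report.items()):
        if entry["inactive"]:
            out.append((ident, "inactive-identity",
                        "no activity in the lookback window; review for removal or disablement"))
        elif entry["unused"]:
            out.append((ident, "overprovisioned",
                        "remove unused actions: " + ", ".join(sorted(entry["unused"]))))
    return out


def sample_report(now=datetime(2025, 6, 1, tzinfo=timezone.utc)):
    """Run the analysis over the constructed data with a fixed 'now'."""
    return analyze(GRANTS, ACTIVITY, now)


def sample_findings(now=datetime(2025, 6, 1, tzinfo=timezone.utc)):
    return findings(sample_report(now))


if __name__ == "__main__":
    for ident, kind, detail in sample_findings():
        print(f"{ident}: {kind}: {detail}")
```

An identity that exercised a permission only before the window (user:guest-bob) is reported as inactive rather than merely overprovisioned, and an identity with grants but no activity at all (sp:legacy-reporter) is reported the same way; both are the cases the "inactive, guest, or blocked accounts" recommendation targets.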
Lateral movement detections
Defender for Cloud correlates identity risks with attack path analysis, surfacing lateral movement opportunities that originate from overprivileged identities or misconfigurations. For example, an attacker could compromise a service principal with excessive rights to move laterally from a compromised resource to a sensitive database. This context allows security teams to prioritize high-impact identity issues that may otherwise go unnoticed.
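The "who can reach what" reasoning behind effective permission analysis and the lateral-movement scenario just described can be illustrated with a small model: role assignments inherited down a scope tree, group membership resolved transitively, and a search from internet-exposed resources through their attached identities to sensitive resources those identities can modify. This is an added example, not Defender for Cloud's engine; the role names, action strings, scope tree, group memberships, resource facts, and the set of "impactful" actions are all constructed assumptions.

```python
from collections import deque

# Constructed role definitions: role name -> set of actions (simplified, not real Azure actions).
ROLES = {
    "Reader": {"read"},
    "Contributor": {"read", "write"},
    "SQL DB Contributor": {"read", "write", "sql/admin"},
}

# Constructed scope tree: scope -> parent scope (None at the root).
SCOPES = {
    "sub1": None,
    "sub1/rg-web": "sub1",
    "sub1/rg-web/vm-web": "sub1/rg-web",
    "sub1/rg-data": "sub1",
    "sub1/rg-data/sqldb-customers": "sub1/rg-data",
}

# Constructed role assignments: (principal, role, scope). Assignments apply to all child scopes.
ASSIGNMENTS = [
    ("group:devops", "Contributor", "sub1"),
    ("sp:web-identity", "SQL DB Contributor", "sub1/rg-data"),
    ("user:alice", "Reader", "sub1/rg-web"),
]

# Constructed group memberships: group -> members (members may themselves be groups).
MEMBERS = {
    "group:devops": {"user:alice", "group:ci"},
    "group:ci": {"sp:ci-runner"},
}

# Constructed resource facts of the kind the page says are correlated with identity risk.
RESOURCES = {
    "sub1/rg-web/vm-web": {"internet_exposed": True, "sensitive": False,
                           "attached_identity": "sp:web-identity"},
    "sub1/rg-data/sqldb-customers": {"internet_exposed": False, "sensitive": True,
                                     "attached_identity": None},
}

# Actions considered impactful on a sensitive resource (assumption for this example).
IMPACTFUL = {"write", "sql/admin"}


def scope_chain(scope):
    """Yield a scope and every ancestor up to the root."""
    while scope is not None:
        yield scope
        scope = SCOPES[scope]


def principals_for(identity):
    """Return the identity plus every group it belongs to, directly or transitively."""
    parents = {}
    for group, members in MEMBERS.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    seen = {identity}
    queue = deque([identity])
    while queue:
        current = queue.popleft()
        for group in parents.get(current, ()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen


def effective_actions(identity, resource):
    """Union of actions from every assignment that applies to the identity or one of its
    groups at the resource itself or at any ancestor scope."""
    principals = principals_for(identity)
    applicable = set(scope_chain(resource))
    actions = set()
    for principal, role, scope in ASSIGNMENTS:
        if principal in principals and scope in applicable:
            actions |= ROLES[role]
    return actions


def attack_paths():
    """Internet-exposed resource -> attached identity -> sensitive resource it can modify."""
    paths = []
    for exposed, facts in RESOURCES.items():
        identity = facts["attached_identity"]
        if not facts["internet_exposed"] or identity is None:
            continue
        for target, tfacts in RESOURCES.items():
            if target == exposed or not tfacts["sensitive"]:
                continue
            actions = effective_actions(identity, target)
            if actions & IMPACTFUL:
                paths.append((exposed, identity, target, sorted(actions)))
    return paths


if __name__ == "__main__":
    for exposed, identity, target, actions in attack_paths():
        print(f"{exposed} -> {identity} -> {target} ({', '.join(actions)})")
```

In the constructed data, sp:web-identity has no rights on the VM it is attached to but holds SQL DB Contributor on the data resource group, so the path from the exposed VM to the customer database is surfaced; user:alice, who inherits Contributor on the whole subscription through group:devops, has equally broad effective rights but is not attached to an exposed resource, which is why prioritization by attack path rather than by permission count matters.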
How to view identity and permission risks
Defender for Cloud provides several ways to monitor and address access risk:
Cloud Security Explorer: The Security Explorer allows you to query all identities in your environment with access to resources. These queries allow you to get a complete mapping of all your cloud entitlements with contextual information for the resources that the identities have permissions to.
Attack Path Analysis: The Attack Path Analysis page lets you view attack paths that an attacker could take to reach a specific resource. With Attack Path Analysis, you can view a visual representation of the attack path and see which resources are exposed to the internet. Internet exposure often serves as an entry point for attack paths, especially when the resource has vulnerabilities. Internet-exposed resources often lead to targets with sensitive data.
Recommendations: Defender for Cloud provides risk-based recommendations for various CIEM misconfigurations. The built-in recommendations provide guidance for remediating inactive identities, overprovisioned permissions, and insecure identity settings.
CIEM Workbook: The CIEM workbook provides a customizable visual report of your cloud identity security posture. You can use this workbook to view insights about your identities, unhealthy recommendations, and attack paths.
Related content
Learn how to enable CIEM in Microsoft Defender for Cloud.