Enable Permissions Management (CIEM)
Microsoft Defender for Cloud's integration with Microsoft Entra Permissions Management (Permissions Management) provides a Cloud Infrastructure Entitlement Management (CIEM) security model that helps organizations manage and control user access and entitlements in their cloud infrastructure. CIEM is a critical component of a Cloud Native Application Protection Platform (CNAPP) solution: it provides visibility into who or what has access to specific resources, and it checks that access rights adhere to the principle of least privilege (PoLP), where users and workload identities, such as apps and services, receive only the minimum level of access necessary to perform their tasks. CIEM also helps organizations monitor and manage permissions across multiple cloud environments, including Azure, AWS, and GCP.
Before you start
You must enable Defender CSPM on your Azure subscription, AWS account, or GCP project.
You must have the following roles and permissions:
- AWS and GCP: the Security Admin role, plus the Application.ReadWrite.All Microsoft Graph permission
- Azure: the Security Admin role, plus the Microsoft.Authorization/roleAssignments/write Azure RBAC action
Enable Permissions Management (CIEM) for Azure
When you enable the Defender CSPM plan on your Azure subscription, the Azure CSPM standard is automatically assigned to that subscription. The Azure CSPM standard provides Cloud Infrastructure Entitlement Management (CIEM) recommendations.
When Permissions Management (CIEM) is disabled, the CIEM recommendations within the Azure CSPM standard aren't calculated.
Sign in to the Azure portal.
Search for and select Microsoft Defender for Cloud.
Navigate to Environment settings.
Select relevant subscription.
Locate the Defender CSPM plan and select Settings.
Enable Permissions Management (CIEM).
Select Continue.
Select Save.
The applicable Permissions Management (CIEM) recommendations appear on your subscription within a few hours.
List of Azure recommendations:
- Azure overprovisioned identities should have only the necessary permissions
- Permissions of inactive identities in your Azure subscription should be revoked
Enable Permissions Management (CIEM) for AWS
When you enable the Defender CSPM plan on your AWS account, the AWS CSPM standard is automatically assigned to that account. The AWS CSPM standard provides Cloud Infrastructure Entitlement Management (CIEM) recommendations. When Permissions Management (CIEM) is disabled, the CIEM recommendations within the AWS CSPM standard aren't calculated.
Sign in to the Azure portal.
Search for and select Microsoft Defender for Cloud.
Navigate to Environment settings.
Select relevant AWS account.
Locate the Defender CSPM plan and select Settings.
Enable Permissions Management (CIEM).
Select Configure access.
Select the relevant permissions type.
Select a deployment method.
Run the updated script in your AWS environment, following the on-screen instructions.
Select the CloudFormation template has been updated on AWS environment (Stack) checkbox.
Select Review and generate.
Select Update.
The applicable Permissions Management (CIEM) recommendations appear on your AWS account within a few hours.
List of AWS recommendations:
- AWS overprovisioned identities should have only the necessary permissions
- Permissions of inactive identities in your AWS account should be revoked
Enable Permissions Management (CIEM) for GCP
When you enable the Defender CSPM plan on your GCP project, the GCP CSPM standard is automatically assigned to that project. The GCP CSPM standard provides Cloud Infrastructure Entitlement Management (CIEM) recommendations.
When Permissions Management (CIEM) is disabled, the CIEM recommendations within the GCP CSPM standard aren't calculated.
Sign in to the Azure portal.
Search for and select Microsoft Defender for Cloud.
Navigate to Environment settings.
Select relevant GCP project.
Locate the Defender CSPM plan and select Settings.
Toggle Permissions Management (CIEM) to On.
Select Save.
Select Next: Configure access.
Select the relevant permissions type.
Select a deployment method.
Run the updated Cloud Shell or Terraform script in your GCP environment, following the on-screen instructions.
Select the I ran the deployment template for the changes to take effect checkbox.
Select Review and generate.
Select Update.
The applicable Permissions Management (CIEM) recommendations appear on your GCP project within a few hours.
List of GCP recommendations:
- GCP overprovisioned identities should have only necessary permissions
- Permissions of inactive identities in your GCP project should be revoked
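The Azure, AWS, and GCP sections each end with the same two recommendation classes: identities holding permissions they don't use, and identities that use none of their permissions at all. The Python below is an added illustration of what those two classes mean in least-privilege terms; it is not the page's code and does not reproduce Defender for Cloud's or Permissions Management's actual scoring. The 90-day inactivity window, the identities, and their permission-usage dates are constructed assumptions.

```python
"""Illustrative model of the two CIEM recommendation classes across clouds:
"overprovisioned identities should have only the necessary permissions" and
"permissions of inactive identities should be revoked".

Added example; not Defender for Cloud's scoring. The inactivity window and
the sample identities are assumptions.
"""
from datetime import date, timedelta

INACTIVE_DAYS = 90  # assumed window; the product's own threshold may differ

# Constructed sample: granted actions plus the last date each action was used.
SAMPLE = [
    {"cloud": "Azure", "identity": "svc-reports",
     "granted": {"Microsoft.Storage/storageAccounts/read",
                 "Microsoft.Storage/storageAccounts/delete",
                 "Microsoft.Compute/virtualMachines/write"},
     "last_used": {"Microsoft.Storage/storageAccounts/read": date(2024, 5, 1)}},
    {"cloud": "AWS", "identity": "ci-deployer",
     "granted": {"s3:GetObject", "s3:PutObject"},
     "last_used": {"s3:GetObject": date(2024, 5, 20),
                   "s3:PutObject": date(2024, 5, 21)}},
    {"cloud": "GCP", "identity": "old-sa@proj.iam",
     "granted": {"storage.objects.get", "compute.instances.list"},
     "last_used": {}},
]


def classify(identity: dict, today: date) -> tuple[str, list[str]]:
    """Return (class, actions_to_revoke).

    inactive        : nothing used inside the window -> revoke every grant
    overprovisioned : some grants used, others not  -> revoke the unused ones
    healthy         : every grant used in the window
    """
    cutoff = today - timedelta(days=INACTIVE_DAYS)
    used = {action for action, last in identity["last_used"].items() if last >= cutoff}
    granted = set(identity["granted"])
    if not used:
        return "inactive", sorted(granted)
    unused = granted - used
    if unused:
        return "overprovisioned", sorted(unused)
    return "healthy", []


def report(identities: list[dict], today: date) -> dict[str, tuple[str, list[str]]]:
    """Classify every identity; the revoke list is the least-privilege target."""
    return {i["identity"]: classify(i, today) for i in identities}


if __name__ == "__main__":
    for name, (cls, revoke) in report(SAMPLE, date(2024, 6, 1)).items():
        print(f"{name:18} {cls:16} revoke: {revoke}")
```

An identity whose only usage predates the window is classified as inactive, not overprovisioned: the revoke list is then everything it holds, which is the stricter of the two recommendations and the one to act on first.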