Enable permissions management

Microsoft Defender for Cloud's integration with Microsoft Entra Permissions Management provides a Cloud Infrastructure Entitlement Management (CIEM) security model that helps organizations manage and control user access and entitlements in their cloud infrastructure. CIEM is a critical component of the Cloud Native Application Protection Platform (CNAPP) solution that provides visibility into who or what has access to specific resources. It ensures that access rights adhere to the principle of least privilege (PoLP), where users or workload identities, such as apps and services, receive only the minimum levels of access necessary to perform their tasks. CIEM also helps organizations to monitor and manage permissions across multiple cloud environments, including Azure, AWS, and GCP.

Before you start

• You must enable Defender CSPM on your Azure subscription, AWS account, or GCP project.

• Have the following roles and permissions

  • AWS and GCP: Security Admin, Application.ReadWrite.All
  • Azure: Security Admin, Microsoft.Authorization/roleAssignments/write

• AWS Only: Connect your AWS account to Defender for Cloud.

• GCP only: Connect your GCP project to Defender for Cloud.

Enable permissions management for Azure

When you enabled the Defender CSPM plan on your Azure account, the Azure CSPM standard is automatically assigned to your subscription. The Azure CSPM standard provides Cloud Infrastructure Entitlement Management (CIEM) recommendations.

When Permission Management is disabled, the CIEM recommendations within the Azure CSPM standard won’t be calculated.

1. Sign in to the Azure portal.

2. Search for and select Microsoft Defender for Cloud.

3. Navigate to Environment settings.

4. Select relevant subscription.

5. Locate the Defender CSPM plan and select Settings.

6. Enable Permissions Management.

   

7. Select Continue.

8. Select Save.

The applicable permissions management recommendations appear on your subscription within a few hours.

Enable permissions management for AWS

When you enabled the Defender CSPM plan on your AWS account, the AWS CSPM standard is automatically assigned to your subscription. The AWS CSPM standard provides Cloud Infrastructure Entitlement Management (CIEM) recommendations. When Permission Management is disabled, the CIEM recommendations within the AWS CSPM standard won’t be calculated.

1. Sign in to the Azure portal.

2. Search for and select Microsoft Defender for Cloud.

3. Navigate to Environment settings.

4. Select relevant AWS account.

5. Locate the Defender CSPM plan and select Settings.

   

6. Enable Permissions Management.

7. Select Configure access.

8. Select the relevant permissions type.

9. Select a deployment method.

10. Run the updated script on your AWS environment using the onscreen instructions.

11. Check the CloudFormation template has been updated on AWS environment (Stack) checkbox.

    

12. Select Review and generate.

13. Select Update.

The applicable permissions management recommendations appear on your subscription within a few hours.

Enable permissions management for GCP

When you enabled the Defender CSPM plan on your GCP project, the GCP CSPM standard is automatically assigned to your subscription. The GCP CSPM standard provides Cloud Infrastructure Entitlement Management (CIEM) recommendations.

When Permission Management is disabled, the CIEM recommendations within the GCP CSPM standard won’t be calculated.

To enable permissions management for GCP:

1. Sign in to the Azure portal.

2. Search for and select Microsoft Defender for Cloud.

3. Navigate to Environment settings.

4. Select relevant GCP project.

5. Locate the Defender CSPM plan and select Settings.

   

6. Toggle permissions management to On.

7. Select Save.

8. Select Next: Configure access.

9. Select the relevant permissions type.

10. Select a deployment method.

11. Run the updated Cloud shell or Terraform script on your GCP environment using the on screen instructions.

12. Add a check to the I ran the deployment template for the changes to take effect checkbox.

    

13. Select Review and generate.

14. Select Update.

The applicable permissions management recommendations appear on your subscription within a few hours.

Next step

Microsoft Entra Permissions Management.