Microsoft Entra Permissions Management: CIEM for Small Businesses in Berlin
Cloud infrastructure permissions have a well-documented problem: they accumulate. A developer is granted broad permissions to a cloud environment to complete a project, and those permissions are never removed. A service account is provisioned with owner-level access because it was easier than scoping it correctly. A contractor is added to an Azure subscription for a month and their access persists for years. The result is a gap between the permissions identities have and the permissions they actually use — a gap that represents standing attack surface. Microsoft Entra Permissions Management is a Cloud Infrastructure Entitlement Management (CIEM) product that discovers, measures, and enforces right-sized permissions across Azure, AWS, and Google Cloud Platform by identifying the gap between granted permissions and actively used permissions.
The Permissions Gap Problem
The core issue is not that administrators grant excessive permissions intentionally — it is that permissions are easy to grant and rarely reviewed. In Azure environments specifically:
- Azure RBAC role assignments accumulate over time as new resources are created and new people need access
- Custom role definitions are created for specific needs and never rationalized
- Service principals and managed identities are provisioned with Contributor or Owner roles because it works, without scoping to the specific resource operations they actually require
- Break-glass accounts and emergency access accounts retain broad permissions permanently
- Guest users from expired projects retain directory membership and resource access
Individually, each of these is a manageable problem. At scale across Azure, AWS, and GCP simultaneously, they produce an environment where the blast radius of any single compromised credential is dramatically larger than it needs to be.
What Entra Permissions Management Measures: The Permissions Creep Index
Entra Permissions Management introduces the Permissions Creep Index (PCI) — a score from 0 to 100 for each identity that measures the gap between granted permissions and used permissions. An identity with a PCI near 100 has been granted permissions to perform many actions but has performed very few of them in the observed period. The PCI is calculated per identity, per cloud, and aggregated to environment-level scores.
This gives security teams a quantitative, prioritized view of permissions risk: which identities, in which cloud environment, have the highest gap between what they can do and what they actually do. The remediation action — right-sizing permissions to match actual usage — reduces the PCI and the blast radius of that credential.
Discovery: What the Platform Inventories
After connecting Entra Permissions Management to your cloud environments (Azure subscriptions, AWS accounts, GCP projects), the platform inventories:
- All identities — users, groups, service principals, managed identities, roles, and policies — and their permission assignments
- All resources across the connected environments and which permissions are required to perform operations on them
- Actual permission usage over the configured observation period (typically 90 days) — which identities actually performed which API calls against which resources
- Super identities — identities that have permissions to perform a high percentage of all actions in the environment
- Inactive identities — identities that have not performed any actions in the observation period but retain permissions
Automated Right-Sizing: AI-Recommended Roles
Based on actual usage patterns, Entra Permissions Management generates right-sized role recommendations: custom role definitions containing only the specific permissions each identity has actually used in the observation period. These recommendations can be reviewed and applied directly from the Permissions Management interface, creating a custom Azure RBAC role with minimum necessary permissions and replacing the overly broad assignment.
For Berlin SMBs concerned about the operational overhead of right-sizing permissions, this automation addresses the main practical barrier: it is not necessary to manually audit every permission assignment and manually craft minimal roles. The platform derives the minimal role from observed usage and proposes it.
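The three steps the sections above describe (inventory what each identity is granted, compare it with what the identity actually used in the observation period, then derive a minimal custom role) can be illustrated with a small offline calculation. The following is an added example written for this article; it is not Microsoft's code, does not reproduce how Entra Permissions Management computes the PCI, and uses only constructed sample data: the action catalogue, role definitions, assignments and activity log are all made up, though the action names follow the Azure RBAC `Provider/resourceType/operation` shape and the Contributor role mimics the real pattern of `Actions: ["*"]` with a `NotActions` carve-out.

```python
"""Added example (not Microsoft's code or Entra Permissions Management internals):
a toy permissions-gap calculation over constructed Azure RBAC-style data.
It expands wildcard actions in role definitions, compares what each identity
was granted with what it actually used in an observation window, computes a
0-100 gap score in the spirit of the Permissions Creep Index, flags inactive
identities, and emits a minimal custom role containing only the used actions.
All identities, roles, actions and log entries below are constructed sample data."""

from fnmatch import fnmatchcase
import json

# Constructed catalogue of resource-provider operations (real Azure has thousands;
# these names only follow the Azure RBAC "Provider/resourceType/operation" shape).
ALL_ACTIONS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/write",
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Authorization/roleAssignments/write",
]

# Constructed role definitions. Wildcards mirror how built-in roles such as
# Contributor grant "*" (everything) with a NotActions carve-out.
ROLE_DEFINITIONS = {
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/write"]},
    "VM Operator": {"actions": ["Microsoft.Compute/virtualMachines/read",
                                "Microsoft.Compute/virtualMachines/start/action"],
                    "not_actions": []},
}

# Constructed role assignments: identity -> list of role names.
ASSIGNMENTS = {
    "alice@example.test": ["Contributor"],
    "sp-ci-build": ["Contributor"],
    "bob@example.test": ["VM Operator"],
}

# Constructed activity log for the observation period: (identity, action performed).
ACTIVITY_LOG = [
    ("alice@example.test", "Microsoft.Compute/virtualMachines/read"),
    ("alice@example.test", "Microsoft.Compute/virtualMachines/start/action"),
    ("alice@example.test", "Microsoft.Compute/virtualMachines/read"),
    ("bob@example.test", "Microsoft.Compute/virtualMachines/read"),
    # sp-ci-build performed nothing in the window: an inactive super identity.
]


def expand(patterns, catalogue=ALL_ACTIONS):
    """Expand wildcard action patterns against the catalogue of known actions."""
    return {a for a in catalogue if any(fnmatchcase(a, p) for p in patterns)}


def granted_actions(identity):
    """Union of (Actions minus NotActions) over every role assigned to the identity."""
    granted = set()
    for role in ASSIGNMENTS.get(identity, []):
        definition = ROLE_DEFINITIONS[role]
        granted |= expand(definition["actions"]) - expand(definition["not_actions"])
    return granted


def used_actions(identity, log=ACTIVITY_LOG):
    """Distinct actions the identity actually performed in the observation period."""
    return {action for who, action in log if who == identity}


def gap_score(identity):
    """0-100: percentage of granted actions never used in the observation period."""
    granted = granted_actions(identity)
    if not granted:
        return 0
    unused = granted - used_actions(identity)
    return round(100 * len(unused) / len(granted))


def is_inactive(identity):
    """True when the identity retains permissions but performed no action at all."""
    return bool(granted_actions(identity)) and not used_actions(identity)


def right_sized_role(identity, name=None):
    """Minimal custom role: only the actions actually used (and still granted)."""
    used = sorted(used_actions(identity) & granted_actions(identity))
    return {"Name": name or f"rightsized-{identity}",
            "IsCustom": True,
            "Actions": used,
            "NotActions": [],
            # Placeholder scope; a real role needs the subscription or resource group id.
            "AssignableScopes": ["/subscriptions/<subscription-id-placeholder>"]}


if __name__ == "__main__":
    for ident in ASSIGNMENTS:
        print(f"{ident}: gap={gap_score(ident)} inactive={is_inactive(ident)}")
    print(json.dumps(right_sized_role("alice@example.test"), indent=2))
```

With this data the Contributor holders score highest: the service principal that did nothing scores 100, the developer who only read and started VMs scores 78, and the narrowly scoped VM operator scores 50. The right-sized role for the developer contains two actions instead of nine, which is the blast-radius reduction the section above describes. Real role definitions and activity logs would come from the Azure management and activity-log APIs rather than inline literals.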
On-Demand Permissions: Just-Enough-Access Workflows
Entra Permissions Management includes an on-demand permissions workflow that allows identities to request temporary elevated permissions for specific tasks, with automatic revocation when the task window expires. This addresses the common operational pattern of granting permanent elevated access because temporary access processes are too cumbersome — the platform provides the temporary access process, eliminating the justification for permanent elevation.
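The on-demand pattern above (request, approved time window, automatic revocation) can be modelled in a few dozen lines. The following is an added example for this article, not Entra Permissions Management code; the `PermissionStore`, `Elevation` and `request_elevation` names, the four-hour default window and the eight-hour cap are all assumptions chosen for illustration, and every identity and action is constructed.

```python
"""Added example (not Microsoft's code): a toy model of just-enough-access
elevation. Standing assignments stay minimal; elevated actions are granted only
for an approved window, effective permissions are evaluated at a point in time,
and a revocation sweep removes anything past its expiry. All data is constructed."""

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Elevation:
    identity: str
    actions: frozenset
    granted_at: datetime
    expires_at: datetime
    justification: str


@dataclass
class PermissionStore:
    # identity -> standing (permanent) actions; kept deliberately small
    standing: dict = field(default_factory=dict)
    # approved temporary elevations, pruned by revoke_expired()
    elevations: list = field(default_factory=list)

    def request_elevation(self, identity, actions, justification, now,
                          window=timedelta(hours=4),
                          max_window=timedelta(hours=8)):
        """Grant temporary actions for a bounded window; the cap is an assumed policy."""
        if not justification.strip():
            raise ValueError("a justification is required for elevation")
        if window <= timedelta(0) or window > max_window:
            raise ValueError(f"window must be between 0 and {max_window}")
        elevation = Elevation(identity, frozenset(actions), now, now + window,
                              justification)
        self.elevations.append(elevation)
        return elevation

    def effective_actions(self, identity, now):
        """Standing actions plus any elevation whose window contains `now`."""
        active = {action
                  for e in self.elevations
                  if e.identity == identity and e.granted_at <= now < e.expires_at
                  for action in e.actions}
        return set(self.standing.get(identity, set())) | active

    def revoke_expired(self, now):
        """Sweep: drop every elevation past its expiry and return what was revoked."""
        expired = [e for e in self.elevations if e.expires_at <= now]
        self.elevations = [e for e in self.elevations if e.expires_at > now]
        return expired


def demo():
    """Constructed walk-through; returns the observations the usage note quotes."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    store = PermissionStore(standing={
        "alice@example.test": {"Microsoft.Compute/virtualMachines/read"}})
    store.request_elevation("alice@example.test",
                            ["Microsoft.Compute/virtualMachines/write"],
                            "change ticket CHG-placeholder: resize VM", now=t0)
    during = store.effective_actions("alice@example.test", t0 + timedelta(hours=1))
    after = store.effective_actions("alice@example.test", t0 + timedelta(hours=5))
    revoked = store.revoke_expired(t0 + timedelta(hours=5))
    return during, after, len(revoked), len(store.elevations)


if __name__ == "__main__":
    print(demo())
```

One hour into the window the identity can write VMs; five hours in it is back to read-only without anyone having to remember to remove the grant, and the sweep reports one revoked elevation. The point of the pattern is that the standing set never grows: anything temporary lives in `elevations` with an expiry, so a periodic check of `standing` against actual usage stays meaningful.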
Multi-Cloud Scope: Azure, AWS, and GCP Unified
For Berlin SMBs operating in multiple cloud environments, the unified view across Azure, AWS, and GCP is significant. Permissions risk in an AWS account cannot be observed through the Azure portal, and vice versa. Entra Permissions Management connects to all three major clouds through cloud-provider-specific read-only connectors (Azure management APIs, AWS IAM read roles, GCP service account with appropriate viewer permissions) and presents a unified permissions risk view across all connected environments.
Integration with Entra ID Governance
Entra Permissions Management integrates with Entra ID Governance access reviews — permissions identified as unused by Permissions Management can be flagged for review in Entra access reviews, triggering a review workflow for the resource owners. This connects the CIEM discovery layer (what permissions exist and what is actually used) with the governance enforcement layer (periodic review and approval or removal).
Licensing
Microsoft Entra Permissions Management is an add-on product, not included in standard Microsoft Entra ID P1/P2 or Microsoft 365 Business Premium. It is licensed per resource in each connected cloud environment. Pricing should be verified with Microsoft or a licensing partner; a free trial is available. For Berlin SMBs evaluating CIEM solutions, the trial is the appropriate starting point — running the discovery phase reveals the actual permissions creep in the environment before committing to ongoing licensing.
Related Articles
- Microsoft Entra Conditional Access: Right-sized permissions enforced by Permissions Management reduce the blast radius of compromised credentials — Conditional Access provides the authentication gate that determines when and from where those permissions can be exercised, creating layered identity security with both access control and permission scope controls
- Microsoft Entra Verified ID: Permissions Management right-sizes permissions for existing identities — Verified ID extends identity assurance to external parties whose credentials cannot be audited through your own directory, addressing different ends of the permissions and identity risk spectrum
- Microsoft Entra ID Protection: Permissions Management quantifies what an identity can access; ID Protection assesses whether that identity has been compromised — together they answer both sides of the privilege risk equation: how much blast radius exists and whether the holder of that access is currently under attack
- Microsoft Entra Privileged Identity Management: Where Permissions Management eliminates standing over-privilege across cloud infrastructure, PIM eliminates standing admin role assignments within Microsoft 365 and Azure — together they enforce just-in-time access at both the infrastructure permission and the directory role layer
