SC-900 | Chapter 24 of 103 | Objective 2.4

Microsoft Entra Permissions Management

This chapter covers Microsoft Entra Permissions Management, a cloud infrastructure entitlement management (CIEM) solution that provides visibility and control over identities and permissions across multi-cloud environments. For the SC-900 exam, this topic falls under Objective 2.4: Describe the capabilities of Microsoft Entra, specifically the identity governance and permission management features. Expect 1-2 questions on the exam related to CIEM, the difference from Azure RBAC, and the key features of Permissions Management. Mastering this topic helps you understand how organizations can reduce the risk of excessive permissions and achieve least-privilege access across AWS, Azure, and GCP.

25 min read
Intermediate
Updated May 31, 2026

Entra Permissions Management: The Cloud IAM Auditor

Think of a large corporation where every employee has a badge that grants access to different floors and rooms. Over time, employees change roles or leave, but their badges still work. The security team has no single view of who can access what. Entra Permissions Management is like hiring an independent auditing firm that installs sensors on every door, logs every badge swipe, and produces a comprehensive report: 'Employee A has access to floor 5 (needed) and floor 7 (not needed since 2019). Employee B has 27 unused permissions.' The auditor doesn't block anyone but provides data to the security team to revoke excess access. Similarly, Entra Permissions Management continuously discovers and analyzes permissions across AWS, Azure, and GCP, identifying unused, over-privileged, and risky permissions, and provides actionable remediation recommendations without automatically changing permissions.

How It Actually Works

What is Microsoft Entra Permissions Management?

Microsoft Entra Permissions Management is a Cloud Infrastructure Entitlement Management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities (users, groups, roles, and service principals) across major cloud platforms: Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). It continuously monitors, analyzes, and recommends actions to reduce the risk of over-permissioned identities, thereby helping organizations enforce the principle of least privilege. Unlike traditional identity governance tools that focus on on-premises or hybrid environments, Permissions Management is purpose-built for the scale and complexity of cloud IAM.

Why It Exists

Cloud platforms have hundreds of built-in roles and thousands of permissions. Organizations often grant broad permissions (like Contributor or Owner in Azure, AdministratorAccess in AWS) because they are simpler to manage, but this creates significant security risks. Studies show that over 90% of cloud permissions are unused. Permissions Management addresses this by providing:

A unified dashboard across AWS, Azure, and GCP.

Automated discovery of all identities and their permissions.

Risk assessment based on usage patterns (active vs. inactive permissions).

Remediation recommendations, including permission reduction and policy creation.

Forensic capabilities to investigate historical permission usage.

How It Works Internally

Permissions Management uses a data-collection architecture based on read-only connectors to each cloud provider's IAM and activity logs. The process involves:

1. Onboarding: An administrator configures a collector (a virtual appliance or agentless scanner) in each cloud account/subscription. For Azure, this is done via an app registration with read-only permissions to Microsoft Graph and Azure Resource Manager. For AWS, it uses an IAM role with a trust policy allowing the collector to assume the role. For GCP, it uses a service account with read-only roles.

2. Data Collection: The collector pulls:
   - Identity data: All users, groups, roles, and service principals from the cloud provider's identity store.
   - Permission data: Role definitions, policy documents, and direct assignments.
   - Activity data: From CloudTrail (AWS), Activity Log (Azure), and Audit Logs (GCP) for the last 90 days (default retention).

3. Normalization: Permissions Management normalizes permissions across clouds into a common schema. For example, the AWS policy {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"} is mapped to a permission object with action s3:GetObject and resource *.

4. Analysis: The engine computes:
   - Permission usage: Which permissions are actually used based on activity logs.
   - Permission risk score: Based on factors like the number of unused permissions, the sensitivity of the resource, and whether the permission is high-risk (e.g., write to critical data).
   - Identity risk score: Aggregated risk across all permissions for an identity.

5. Recommendations: The system generates:
   - Unused permissions: Permissions not used in the last 90 days (configurable).
   - Over-permissioned identities: Identities with more permissions than needed.
   - Policy recommendations: Suggestions to create custom roles with only required permissions.

Key Components and Defaults

Permissions Management Console: Web-based UI at https://entra.microsoft.com under "Permissions Management".

Data Collection Interval: By default, data is collected every 24 hours. On-demand collection is possible.

Activity Log Retention: Analyzes up to 90 days of historical activity (configurable).

Permission Creep Index (PCI): A metric from 0 to 100 that measures the risk of over-permissioning. Higher values indicate more risk.

Identity Types: Supports Human Identities (users) and Non-Human Identities (service principals, managed identities, IAM roles).

Supported Clouds: Microsoft Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP).

Configuration and Verification

To configure Permissions Management, an administrator in Azure needs:

Global Administrator or Privileged Role Administrator role in Entra ID.

For each cloud account, appropriate read-only permissions (e.g., Reader role in Azure, SecurityAudit or ReadOnlyAccess in AWS).

Example steps for Azure onboarding:

1. In the Permissions Management console, select "Data Collectors" > "Azure".
2. Click "Create Collector" and provide a name.
3. Follow the wizard to create an app registration in the target Azure tenant with the required API permissions (e.g., Directory.Read.All, AuditLog.Read.All).
4. Assign the app registration the Reader role on each subscription to be monitored.
5. Verify connectivity by checking the collector status (should show "Connected").

Interaction with Related Technologies

Microsoft Entra ID: Permissions Management uses Entra ID as the identity store for Azure users and service principals. It does not replace Entra ID but augments it with permission analytics.

Azure Policy: Can be used to enforce custom RBAC roles recommended by Permissions Management.

Microsoft Defender for Cloud: Provides some IAM recommendations (e.g., excessive permissions on VMs), but Permissions Management offers deeper, multi-cloud CIEM capabilities.

Microsoft Purview Compliance Manager: Can integrate with Permissions Management for compliance reporting related to access controls.

Key Numbers and Values

Default unused permission threshold: 90 days (configurable).

Permission Creep Index (PCI): 0-100; above 80 considered critical.

Number of supported clouds: 3 (AWS, Azure, GCP).

Data collection frequency: Every 24 hours by default.

Maximum activity log history: 90 days (configurable up to 365 days in some cases).

Examination of Mechanism

When a user in Azure has the Contributor role on a subscription, Permissions Management will:

Discover that the user has the Contributor role (which includes write, read, delete on all resource groups).

Analyze the Azure Activity Log (the equivalent of AWS CloudTrail) to see which actions the user actually performed (e.g., only read operations on a specific storage account).

Calculate a PCI score for that user (likely high due to many unused permissions).

Recommend creating a custom role with only Microsoft.Storage/storageAccounts/read and assigning it to the user, removing the Contributor role.

The recommendation is not automatically applied; an administrator must review and approve the change.

Step-by-Step Workflow

1. Onboard cloud accounts into Permissions Management.
2. Collect data automatically or on-demand.
3. View the dashboard showing top risks, PCI scores, and unused permissions.
4. Drill down into specific identities or resources.
5. Review recommendations and generate reports.
6. Implement changes manually or via automated scripts (e.g., PowerShell, CLI).
7. Monitor the impact and adjust as needed.

Common Exam Traps

Confusing Permissions Management with Privileged Identity Management (PIM): PIM manages just-in-time access for privileged roles; Permissions Management analyzes all permissions continuously.

Thinking it automatically revokes permissions: It only recommends; it does not auto-remediate.

Assuming it only works for Azure: It supports AWS and GCP as well.

Believing it replaces Azure RBAC: It augments RBAC by providing visibility and recommendations.

Conclusion

Microsoft Entra Permissions Management is a critical tool for achieving least-privilege access in multi-cloud environments. For SC-900, focus on its purpose (CIEM), supported clouds, key features (PCI, unused permissions identification), and the fact that it provides recommendations, not automatic changes.

Walk-Through

1. Onboard Cloud Accounts

To start using Permissions Management, an administrator must first onboard each cloud account (Azure subscription, AWS account, GCP project). This involves creating a data collector in the Permissions Management console and configuring read-only access for the collector to the target cloud's IAM and activity logs. For Azure, this means creating an app registration with permissions like Directory.Read.All and AuditLog.Read.All, and assigning the Reader role on each subscription. For AWS, an IAM role with a trust policy is created, and for GCP, a service account with appropriate roles. The collector then establishes a connection and begins pulling data.

2. Collect Identity and Permission Data

Once connected, the collector retrieves all identities (users, groups, service principals, roles) and their permission assignments from each cloud. This includes built-in and custom roles, direct assignments, and group memberships. The data is normalized into a common schema. The initial collection may take several hours depending on the size of the environment. Subsequent collections occur every 24 hours by default, but administrators can trigger on-demand collection.

3. Collect Activity Logs

Permissions Management also pulls activity logs from each cloud provider's auditing service (Azure Activity Log, AWS CloudTrail, GCP Audit Logs). It retrieves up to 90 days of historical data by default. This log data is used to determine which permissions were actually used by each identity. The system analyzes each API call and maps it to the specific permission required. For example, a call to list storage accounts maps to Microsoft.Storage/storageAccounts/read.

4. Analyze and Calculate Risk Scores

The analysis engine compares the permissions assigned to each identity against the permissions actually used. It calculates a Permission Creep Index (PCI) score for each identity, ranging from 0 (least risk) to 100 (most risk). Factors include the number of unused permissions, the sensitivity of accessible resources, and whether the identity has high-risk permissions like write access to critical data. The system also identifies unused permissions and generates a list of identities with excessive permissions.

5. Generate Recommendations and Reports

Based on the analysis, Permissions Management produces actionable recommendations. These include removing unused permissions, creating custom roles with only needed permissions, and revoking direct assignments in favor of group-based assignments. Administrators can view these recommendations in the console, export reports, or set up alerts. The recommendations are not automatically applied; they require manual approval. This ensures that changes are reviewed before implementation.
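The normalization, analysis and recommendation steps described in "How It Works Internally", traced through the Contributor example in "Examination of Mechanism" and again in this walk-through, as an added illustration written for this chapter (not Microsoft's or the product's code): a toy CIEM pass over constructed role definitions and activity-log records. The Azure action catalog, the event records, the subscription id and the scoring weights are assumptions, and since the real Permission Creep Index formula is not published, the score here only illustrates penalizing unused, high-risk permissions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

NOW = datetime(2026, 5, 31, tzinfo=timezone.utc)
UNUSED_AFTER = timedelta(days=90)   # the chapter's default unused-permission threshold

# Constructed catalog standing in for the full Azure operation list (lets "*" expand).
AZURE_ACTION_CATALOG = [
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/write",
    "Microsoft.Storage/storageAccounts/delete",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Authorization/roleAssignments/write",
]

@dataclass(frozen=True)
class Permission:          # common schema: one allowed action on one resource
    cloud: str
    action: str
    resource: str

def _matches(action, patterns):   # Azure matches action names case-insensitively
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def normalize_azure_role(role, scope):
    """Expand {'Actions': [...], 'NotActions': [...]} into Permission objects."""
    return {Permission("azure", a, scope) for a in AZURE_ACTION_CATALOG
            if _matches(a, role["Actions"])
            and not _matches(a, role.get("NotActions", []))}

def normalize_aws_policy(policy):
    """Map the Allow statements of an IAM policy document to the common schema."""
    perms = set()
    for stmt in (s for s in policy["Statement"] if s["Effect"] == "Allow"):
        actions = stmt["Action"]   # a statement may carry one action or a list
        for a in (actions if isinstance(actions, list) else [actions]):
            perms.add(Permission("aws", a, stmt["Resource"]))
    return perms

def used_permissions(assigned, events, now=NOW, window=UNUSED_AFTER):
    """A permission is 'used' if an activity event inside the window invoked it."""
    recent = {(e["cloud"], e["action"]) for e in events if now - e["time"] <= window}
    return {p for p in assigned if (p.cloud, p.action) in recent}

def creep_index(assigned, used):
    """Assumed toy PCI (0-100): weighted share of unused permissions, with unused
    write/delete/put actions counting double. The real formula is not public."""
    weight = lambda p: 2 if any(k in p.action.lower() for k in ("write", "delete", "put")) else 1
    total = sum(weight(p) for p in assigned) or 1   # avoid division by zero
    return round(100 * sum(weight(p) for p in assigned - used) / total)

def recommend_role(used):
    """Least-privilege custom role: only the actions that were actually used."""
    return sorted(p.action for p in used)

# Constructed scenario from the chapter: Contributor on a subscription plus an
# AWS read policy, but only one storage-account read in the last 90 days.
CONTRIBUTOR = {"Actions": ["*"], "NotActions": ["Microsoft.Authorization/*/Write"]}
S3_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}
EVENTS = [  # constructed activity-log records
    {"cloud": "azure", "action": "Microsoft.Storage/storageAccounts/read",
     "time": NOW - timedelta(days=3)},
    {"cloud": "azure", "action": "Microsoft.Storage/storageAccounts/write",
     "time": NOW - timedelta(days=200)},  # stale: outside the 90-day window
]

def analyze_developer():
    assigned = (normalize_azure_role(CONTRIBUTOR, "/subscriptions/sub-example")
                | normalize_aws_policy(S3_POLICY))
    used = used_permissions(assigned, EVENTS)
    return {"assigned": len(assigned), "used": len(used),
            "pci": creep_index(assigned, used), "recommended_role": recommend_role(used)}
```

Note how the 200-day-old write event does not count as usage under the 90-day window, so the recommended role contains only the read action; as on the page, nothing here changes an assignment, the output is a recommendation for an administrator to review.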

What This Looks Like on the Job

Enterprise Scenario 1: Multi-Cloud Least-Privilege Enforcement

A large financial services company uses AWS, Azure, and GCP for different workloads. Their security team discovered that many developers had broad permissions (e.g., Contributor on Azure, AdministratorAccess on AWS) because of legacy role assignments. They deployed Permissions Management to gain a unified view. The tool identified that over 60% of permissions were unused. For example, a developer had Contributor on Azure, which includes permission to delete resources, but only ever performed read operations on a specific storage account. Permissions Management recommended a custom role with only Microsoft.Storage/storageAccounts/read. The security team created that role and assigned it, then removed the Contributor role. This reduced the attack surface significantly. The PCI score for that developer dropped from 85 to 10. The company now runs monthly reviews using Permissions Management reports.

Enterprise Scenario 2: Incident Response and Forensics

A healthcare organization suffered a breach where an attacker used a compromised service principal to exfiltrate data from an AWS S3 bucket. The security team used Permissions Management to investigate the service principal's permissions and activity. They found that the service principal had s3:GetObject on all buckets, but only one bucket had sensitive data. Permissions Management showed that the permission was never used before the breach. The team used this evidence to justify implementing stricter policies: they created a custom policy that allowed access only to the specific bucket and added a condition requiring MFA. They also set up alerts for any new unused permissions.

Common Misconfigurations

Not onboarding all accounts: If an account is not monitored, it becomes a blind spot. Attackers often target unmonitored accounts.

Ignoring recommendations: Some organizations collect data but never act on recommendations, leaving risks unmitigated.

Over-relying on default thresholds: The default 90-day unused permission threshold may be too long for high-risk environments. Setting it to 30 days is more aggressive but reduces risk.

Not reviewing service principals: Non-human identities often have excessive permissions that are forgotten. Permissions Management covers them, but administrators must review them regularly.

Performance Considerations

For very large environments (hundreds of accounts, thousands of identities), the initial data collection can take 24-48 hours. The system scales well but may require multiple collectors to avoid throttling from cloud APIs. Permissions Management uses a pay-as-you-go pricing model based on the number of monitored resources. The cost can be significant for large enterprises, so budgeting is important.

How SC-900 Actually Tests This

SC-900 Exam Coverage (Objective 2.4)

The SC-900 exam tests your understanding of Microsoft Entra Permissions Management as part of the broader identity governance capabilities. Specifically, you should know:

- What CIEM is: Cloud Infrastructure Entitlement Management.
- Supported cloud platforms: AWS, Azure, GCP.
- Key features: Permission Creep Index (PCI), unused permissions identification, multi-cloud visibility, recommendations (not automatic remediation).
- Difference from Privileged Identity Management (PIM): PIM is for just-in-time privileged access; Permissions Management is for continuous permission analysis.
- Difference from Azure RBAC: RBAC is the mechanism to assign permissions; Permissions Management analyzes those assignments.

Common Wrong Answers

1. "Permissions Management automatically removes unused permissions." – This is false. It only recommends actions; an administrator must implement them.

2. "Permissions Management only works with Azure." – False. It also supports AWS and GCP.

3. "Permissions Management is the same as Privileged Identity Management." – False. PIM is for just-in-time activation of privileged roles; Permissions Management analyzes all permissions.

4. "Permissions Management can enforce policies across clouds." – It does not enforce; it provides visibility and recommendations. Enforcement requires native cloud tools or third-party solutions.

Exam Numbers and Terms

Permission Creep Index (PCI): 0-100 scale.

Default unused permission threshold: 90 days.

Supported clouds: AWS, Azure, GCP (three).

Data collection frequency: Every 24 hours.

Activity log retention: 90 days.

Edge Cases

Service principals and managed identities: The exam may ask whether Permissions Management covers non-human identities. Yes, it does.

Cross-cloud recommendations: Permissions Management provides separate recommendations per cloud; it does not unify them into a single cross-cloud role.

Custom roles: Permissions Management can recommend creating custom roles, but the actual creation must be done in the native cloud console.

How to Eliminate Wrong Answers

If a question asks about a feature that automatically changes permissions, eliminate that answer because Permissions Management is read-only and only recommends. If a question mentions only Azure, check if the answer includes AWS and GCP – the correct answer will mention multi-cloud. If a question confuses PIM and Permissions Management, remember that PIM is time-based activation, while Permissions Management is continuous analysis.

Key Takeaways

Entra Permissions Management is a Cloud Infrastructure Entitlement Management (CIEM) tool for AWS, Azure, and GCP.

It provides visibility into all identities and permissions across multi-cloud environments.

Key metric: Permission Creep Index (PCI) ranges from 0 (low risk) to 100 (high risk).

Default data collection frequency is every 24 hours; activity logs are analyzed for up to 90 days.

Permissions Management generates recommendations but does not automatically apply them.

It covers both human identities (users) and non-human identities (service principals, IAM roles).

It is distinct from Privileged Identity Management (PIM), which manages just-in-time privileged access.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Microsoft Entra Permissions Management

CIEM solution for multi-cloud (AWS, Azure, GCP)

Continuous analysis of all permissions

Provides recommendations for least privilege

Uses Permission Creep Index (PCI)

Does not automatically activate or assign roles

Azure Privileged Identity Management (PIM)

Just-in-time privileged access management for Azure AD roles and Azure resources

Activates roles on demand for a limited time

Requires approval and justification for activation

Does not analyze unused permissions

Automatically deactivates roles after expiry

Watch Out for These

Mistake

Permissions Management automatically revokes unused permissions.

Correct

Permissions Management only provides recommendations; it does not automatically revoke or modify permissions. An administrator must manually implement changes.

Mistake

Permissions Management only works for Azure resources.

Correct

It supports three major cloud providers: Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).

Mistake

Permissions Management is the same as Privileged Identity Management (PIM).

Correct

PIM manages just-in-time access for privileged roles. Permissions Management continuously analyzes all permissions across clouds to identify over-permissioned identities. They are complementary but distinct.

Mistake

Permissions Management can enforce least privilege across clouds.

Correct

It provides visibility and recommendations, but enforcement must be done using native cloud tools (e.g., Azure Policy, AWS IAM, GCP IAM) or automation scripts.

Mistake

The Permission Creep Index (PCI) is a measure of how many permissions an identity has.

Correct

PCI measures the risk of over-permissioning based on unused permissions, not the total count. A high PCI indicates many unused or excessive permissions.


Frequently Asked Questions

What is the difference between Permissions Management and Privileged Identity Management?

Permissions Management is a CIEM tool that continuously analyzes all permissions across AWS, Azure, and GCP to identify over-permissioned identities and unused permissions. It provides recommendations but does not automatically change permissions. PIM, on the other hand, is a just-in-time privileged access management solution for Azure AD roles and Azure resources. PIM allows users to activate privileged roles for a limited time, often requiring approval. They are complementary: PIM reduces standing access, while Permissions Management helps clean up existing permissions.

Does Permissions Management support AWS and GCP?

Yes. Microsoft Entra Permissions Management supports three major cloud providers: Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). It can discover identities and permissions across these clouds and provide a unified view. The onboarding process differs per provider (app registration for Azure, IAM role for AWS, service account for GCP), but the analysis and recommendations are consistent.

Can Permissions Management automatically remove unused permissions?

No. Permissions Management is a read-only tool that provides visibility and recommendations. It does not automatically revoke or modify any permissions. Administrators must review the recommendations and implement changes manually or through automation scripts. This design ensures that changes are deliberate and approved, reducing the risk of accidental lockouts.

What is the Permission Creep Index (PCI)?

The Permission Creep Index (PCI) is a metric from 0 to 100 that quantifies the risk of over-permissioning for an identity. A score of 0 indicates that the identity has only the permissions it uses (ideal least privilege), while a score of 100 indicates many unused or excessive permissions. The PCI is calculated based on factors like the number of unused permissions, the sensitivity of accessible resources, and the type of permissions (e.g., write vs. read).

How often does Permissions Management collect data?

By default, data collection occurs every 24 hours. This includes both identity/permission data and activity logs. Administrators can trigger an on-demand collection if needed. The activity logs are retained for up to 90 days by default, but this is configurable. The collection frequency and retention period can be adjusted in the settings.

Does Permissions Management cover service principals and managed identities?

Yes. Permissions Management covers both human identities (users) and non-human identities, including service principals, managed identities, and IAM roles. This is important because non-human identities often have excessive permissions that are overlooked. The tool provides the same analysis and recommendations for these identities as for users.

What is the difference between Permissions Management and Azure RBAC?

Azure RBAC is the authorization system that defines and assigns permissions to Azure resources. Permissions Management is a CIEM tool that analyzes those RBAC assignments (and equivalent in AWS/GCP) to identify over-permissioned identities and unused permissions. RBAC is the mechanism; Permissions Management is the audit and recommendation layer. They work together: Permissions Management helps optimize RBAC configurations.
