What is Microsoft Entra Permissions Management?

We’ve all seen it. From legacy Active Directory domains, modern Azure tenants, and other SaaS applications, the security landscape is littered with inactive accounts, unknown accounts, and unused permissions.

Add to that growing privilege creep and lack of least privilege principals, and you’ve got a potentially catastrophic security problem on your hands.

Microsoft’s purchase of CloudKnox back in July 2021, combined with the existing Azure security and governance tools, aims to end all that.

And it’s not just about human identities either – IoT devices, services, and other resources also come into play.

Those of you with keen eyes will have seen the Microsoft Entra (preview) banner appear in Azure AD. It’s been generally available since August 2022.

Microsoft Entra is the name for Microsoft’s new identity management portal, covering traditional Azure AD tasks, Verified ID, and the rebranded CloudKnox solution.

It’s this rebranded solution, now called Permissions Management, that we’ll be taking a closer look at.

What is Permissions Management?

Known as a Cloud Infrastructure Entitlement Management service, or CIEM, Permissions Management offers continuous permissions monitoring and proactive response. This bridges the gaps between the more reactive Defender for Cloud and Defender for Cloud Apps.

It’s no secret that Microsoft are looking to streamline their products so that things can be accessed via one portal. With this latest acquisition, Microsoft are moving closer and closer to realising that ambition within identity and access management.

It should be noted that there is already an Entra integration available in Defender for Cloud.

Better still, Permissions Management isn’t just confined to the Azure Cloud. A big selling point is the similar insight and response options are also available for Amazon Web Services (AWS) and Google Cloud Platform (GCP).

Why is Permissions Management needed?

Organisations don’t typically operate on a single cloud platform. According to the Flexera 2022 State of the Cloud Report, 89% of organisations operate a multi-cloud approach to business.

This presents a series of challenges:

• The number of identities within an organisation is on the rise.
• There’s a massive explosion in the number of cloud workloads.
• The permissions granted to individuals is larger than needed – the dreaded permissions gap is growing.
• Access management across cloud platforms is often inconsistent.

With Permissions Management in place, however, these problems can be easily taken care of and their effects mitigated, because:

• You’ll have highly detailed, granular visibility across all of your cloud platforms
• You’ll be able to enforce least privilege policies at the right time, helping to shrink that permissions gap
• Increased visibility will allow you to uncover potential permissions risks
• You’ll be able to monitor and detect permission anomalies across your cloud platforms

Benefits of Entra Permissions Management

After the initial setting up and configuration period, you’ll start to see some great insights appear in Permissions Management, which are broken down into different areas.

Response actions are available throughout, and generally you’re only removing permissions not in use, so you can go ahead without having an impact. Some changes can also be “unapplied” after the fact.

Dashboard

On the Dashboard screen, we see an overview of the general security posture. Each service is separated, so you will need to manually move between AWS, Azure, and GCP.

• The Permission Creep Index (PCI) gives us an overview of permission changes found over time. It separates users into different levels of permission creep – low, medium, and high.
• The Identity card shows us general findings around inactivity, privileges, and security. The cards vary depending on the service.
• Some services also show a Resource card, e.g., in Azure it may spot a Managed Key and in in AWS an S3 bucket with public access.

Analytics

The Analytics screen allows us to search and filter the events that have been detected. You can filter between Users, Groups, and other resources. Again, this is done per service.

Results include the PCI for each object, as well as details on how the score was calculated and which permissions are unused.

What’s also great is being able to see (and edit) what permissions a given group actually provides.

Remediation

The Remediation screen allows you to easily view and amend permissions across resources, including roles, policies, and users. You can then start to configure all roles and permissions across your cloud providers through a single pane of glass.

Especially interesting, is being able to assign specific permissions to an identity on a schedule, e.g., a service user that only needs access at 1-2 am on a Monday.

Furthermore, a role can be created based on the activities of a given user – that is, being able to select the exact permissions somebody used for a certain task, rather than all the permissions that may come with a role.

Permissions can also be requested granularly if the available roles are too permissions rich.

Autopilot

Autopilot, not to be confused with a Microsoft service of the same name, allows us to set up rules to automatically remediate access issues, both around users and roles. For example, you could automatically remove unused AWS roles for service users inactive for the last 90 days.

Audit

Audit allows us to search across each authorisation system for any relevant changes over a given time, including via query search.

For example, you may want to see what permissions a certain user has had added or removed over the last month.

Reports

Reports allows you to run a pre-built permission report, as well as create custom ones. This area is also where you’re taken if you drill down into some cards on the dashboard. These can be viewed online in the dashboard, with some being available for CSV download.

Many reports are also shown as visual dashboards, giving a clear and high-level insight into any current problems.

Activity Triggers

Activity and Anomaly Triggers allow you to configure alerts, based on custom or built-in triggers.

For example, we can create alerts for when a certain user in GCP hits an authorisation failure rule, when a resource or identity performs a particular task for the first time, or if overprovisioned identities are detected.

Getting set up

So how does it all work?

Firstly, you’ll need to set up ‘controllers’, i.e., connectors, for each service. For Azure, this is a little easier than for AWS and GCP, as Microsoft have a built in ‘app’ that does this for you.

With AWS and GCP, you will need to create an OIDC app with API permissions in the local platform, and create some service accounts and configurations in the instance you wish to inspect.

Note that a given service ‘controller’ is tied to a specific subscription in Azure, an account in AWS, or a project in GCP, so you may need multiple controllers per service in any case.

By default, ‘read only’ permissions are given for each controller. Additional steps are needed to make changes in the given platform, i.e., to remediate problems.

Where you don’t enable write access, Permissions Management can generate a script for you to run locally in the respective environment to make the very same changes.

Entra Permissions Management pricing and licensing

Permissions Management is available today as a standalone solution, priced at $125 per resource, per year.

The resources supported are:

• Compute resources
• Container clusters
• Serverless functions
• Databases across Amazon Web Services, Microsoft Azure, and Google Cloud Platform

There is also a 90-day free trial of Entra Permissions Management available. With it, you’ll be able to run a comprehensive risk assessment, identifying the top permission risks across your multi-cloud infrastructure.

Conclusion

With organisations increasingly embracing multi-cloud operations, dealing with permissions correctly is becoming more and more crucial.

Individuals within organisations collecting permissions privileges they don’t need or use is a huge – and surprisingly common – problem.

With Permissions Management in place, not only will organisations be able to remediate these issues as they happen, but they’ll be able to proactively deal with them before they become a problem.

Although there is still some work to smooth out the transition from CloudKnox, Permissions Management looks set to be a key part of the Microsoft IAM stack moving forward.

Closer and closer proximity to Defender for Cloud and Cloud Apps can only enlighten the products further.

Key takeaways

Next steps

Like this? Don’t forget to share.