You dont have javascript enabled! Please enable it!

Understanding Microsoft Entra Permissions Management

8 Min. Read

Zero Trust is a security strategy used to design security principles for your organization. Zero Trust helps secure corporate resources by implementing the following security principles: verify explicitly, use least privilege access, and assume breach.

In this article, we will delve into the details of Microsoft Entra Permissions Management, a cutting-edge solution that provides comprehensive visibility and control over permissions for any identity and any resource in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).

Introduction

The adoption of multi-cloud has led to a massive increase of identities, permissions, and resources across cloud platforms, increasing complexity and expanding organizations’ attack surface. Identity and security teams lack enterprise-wide visibility into permissions and are unable to implement consistent access policies, leaving their cloud resources exposed to potential permission misuses.

Microsoft recently unveiled a range of enhanced Security Service Edge (SSE) features as a component of their Microsoft Entra technology suite. Among these developments, Microsoft also introduced another product known as Microsoft Entra Permissions Management to help you discover, remediate, and monitor multi-cloud permission risks.

Microsoft Entra Permissions Management is a cloud infrastructure entitlement management (CIEM) solution that provides a unified platform to discover, remediate, and continuously monitor permissions for all identities, both users and workloads, across Amazon Web Services, Microsoft Azure, and Google Cloud, strengthening your Zero Trust Security and protecting your multi-cloud environment.

It gives you granular cross-cloud visibility into every action performed by every identity on every resource. By automatically detecting which permissions are unused and risky, it allows you to enforce the principle of least privilege at the cloud scale, granting additional permissions on demand when needed, and with high-precision machine-learning-based anomaly detection alerts and detailed forensic reports, you can continuously monitor your infrastructure for future permission creep.

// See Also: Microsoft Entra Global Secure Access that provides robust security and seamless access to resources.

Prerequisites

To follow this guide, you need to have a Microsoft 365 / Microsoft Entra (formerly Azure AD) Tenant. If you don’t have a tenant yet, you can create a free one here.

To use Entra Permissions Management, you need to have a free 45-day trial or paid license. You can sign up for a free 45-day trial at: aka.ms/TryPermissionsManagement by filling in the details with your email account.

Microsoft Entra Permissions Management Trial
Microsoft Entra Permissions Management Trial

If your trial has expired, you can purchase licenses at: aka.ms/BuyPermissionsManagement or by contacting your Microsoft sales representative.

Once you have the trial and license sorted out, you can access the Permissions Management portal at: https://pm.cloudknox.io/

Permissions Management

Let’s see now how Microsoft Entra Permissions Management can help you get granular cross-cloud visibility, enforce the principle of least privilege, and continuously monitor permissions with alerts and reports.

On the main dashboard, Permissions Management allows you to discover, remediate, and monitor permissions risks in your multi-cloud infrastructure. As shown in the dashboard below, the Permission Creep Index (PCI) represents the level of risk associated with the number of unused or excessive permissions across your identities and resources. The heat map shows the total number of identities contributing to the PCI.

The panes beneath the heat map show the relevant findings about identities and resources. In this example, the dashboard is filtered for Amazon Web Services (AWS). To see data for a different cloud authorization system type, you can select the drop-down arrow and choose Microsoft Azure or Google GCP.

Permission Creep Index (PCI)
Permission Creep Index (PCI)

The findings in the Identity and Resource panes use terminology specific to the cloud platform you’re analyzing, enabling you to easily communicate any findings to the appropriate team.

On the heat map, you can hover over the bubble to see how many identities are in the high, medium, and low-risk categories. If you click on the bubble, you will see a breakdown of the risk levels for users, applications, and managed identities, as well as the PCI trend over the last several weeks.

Risk levels for users, applications, and managed identities
Risk levels for users, applications, and managed identities

The right pane shows the highest PCI change for each account. You can select an account to drill into the data further.

The Identity and Resource findings at the bottom of the page highlight the top risks among identities and resources, in this example, Azure. Each finding links to the Permissions Analytics report.

Identity and Resource findings
Identity and Resource findings

For example, if we open the Over Provisioned Active Users findings. The report will show the number of permissions Used, the number of permissions Granted, and the PCI for each user in this account. The greater the disparity between the permissions used and the permissions granted, the higher the PCI.

Permissions Analytics Report
Permissions Analytics Report

If you select a user, you will see the direct roles, group roles, and permissions assigned to a specific user presented on the User Info tab.

Direct roles, group roles, and permissions assigned to a user
Direct roles, group roles, and permissions assigned to a user

On the Tasks Info tab, you can audit all the tasks the user has performed and determine which permissions they need. For example, if we expand Microsoft.APIManagement task. Here, you can see the specific permissions this employee is using.

Audit all the tasks performed by a user
Audit all the tasks performed by a user

The Activity tab will show details about the user’s high-risk activities, including the resource name, resource type, task name, and start date for each.

On the Resources tab, you can see the total number of tasks and high-risk tasks this user has performed on each resource. On the Permissions tab, you will see all the permissions assigned to the user, including the subscriptions, roles, and resources granted.

Analytics

Moving into the Analytics dashboard of Permissions Management.

On the Analytics view page, you can query and investigate items. Here you need to select the drop-down arrow at the top of the page. The system tracks analytics for users, groups, active resources, and more.

If we drill into the analytics for any user, we can see a single view of the analytics for the user. For example, you can change the view to see the user’s Azure Roles.

Analytics | Users view
Analytics | Users view

You can focus on the data you’re interested in by using the filters at the top of the page. To broaden the view to all data for Azure, you can change the Identity Type filter and choose between Role, App, Service, or Resource.

This will help you to see all the identities associated with apps and services in the Azure environment. Just like user accounts, these identities can have unnecessary permissions granted to them and pose a risk if compromised.

Remediation

The Remediation dashboard in Permissions Management is where you create custom roles to manage permissions creep that grant only the permissions a user needs to do their job.

Remediation dashboard
Remediation dashboard

When creating a role, you can select how would you like to create the role. You have the option to create the role for a user(s), group(s), or app(s), or choose from an existing tole.

In this example, we’ll create the role based on the activity of the user. Select the user in the list and then continue to the next step.

Create a role based on the activity of the user
Create a role based on the activity of the user

Next, you need to provide a name for the custom role. You can review the tasks that the user has performed and ensure only the necessary permissions are included for the role.

Once you are satisfied, continue to the next step. And before submitting the role, you can preview the Selected Tasks under Actions.

Actions list
Actions list

You can also select the JSON tab that shows the exact permissions that will be generated. The Script tab will show the Azure CLI command that will be executed to create the role in Permissions Management. You can also download the JSON and/or the Script commands if you want to review them later or execute the commands manually.

Azure CLI command to create a custom user role
Azure CLI command to create a custom user role

Once you are satisfied, you can submit the role.

Now, if a cloud user needs permissions they do not currently have, they can submit a request for approval from the My Requests tab.

Request for approval
Request for approval

On the My Requests page, select New Request.

Next, select the environment you are requesting permissions for, such as AWS, Azure, or GCP.

Next, select the specific account and identity you need permissions for.

Next, you can request a policy, request a task, or use a preconfigured template. In this example, we’ll request a policy.

Create a new request policy
Create a new request policy

Select the desired policy to assign to your identity, and then continue to the next step.

Next, provide a summary of the request that includes a brief business justification for the approver. You can also specify a schedule for the permissions change.

You can schedule the permissions to be granted ASAP, Once, or regularly (Daily, Weekly, or Monthly) which can be useful for apps or services that only need permissions during certain periods. In this example, we only need the permissions granted Once to make a configuration change.

Schedule the permissions to be granted ASAP
Schedule the permissions to be granted ASAP

Last, review the information, and then submit the request. A notification will appear indicating that the request was successfully submitted.

On the Requests tab, here, a manager with appropriate permissions can review the requests and choose to Approve or Reject them.

Approve a request
Approve a request

Autopilot

The Autopilot dashboard in Permissions Management is where you can set up rules to automatically monitor environments and make permissions changes automatically.

When you create a new rule, you can see some examples of rules you can create for the different cloud environments (AWS, AZURE, or GCP). For example, the following rule automatically removes permissions for unused applications and managed identities in the Azure environment.

Create Autopilot Rule
Create Autopilot Rule

Audit

The Audit dashboard will help you capture all high-risk activity in a centralized location and allow system and identity administrators to query user activity performed in their authorization system.

To run a query, you select Search. Then you can edit and create advanced queries for each cloud environment (AWS, AZURE, or GCP), as well as audit the activities performed within Permissions Management as a platform.

To query Permissions Management, you need to select the drop-down arrow and select Platform. Querying the platform enables you to see who approved or rejected requests in the system, made changes, created policies, and more.

Audit and query Permissions Management
Audit and query Permissions Management

Next, let’s look at an example of a system report in Permissions Management.

Reports

Moving into the Reports dashboard of Permissions Management.

The reports in the Resource pane enable you to review and audit permissions assigned to resources. For example, if we select Blob Containers Accessible Externally.

This report will show all blob containers that are accessible externally. This information can help security teams determine whether identity permissions are aligned properly and whether external access should be removed from these resources. Please note that Microsoft Entra Permissions Management is NOT a cloud security posture management (CSPM) solution, for CSPM you need to use Microsoft Defender for Cloud (MDfC).

Permissions Analytics Report | Blob Containers Accessible Externally
Permissions Analytics Report | Blob Containers Accessible Externally

The Permissions Analytics Report shows your Permission Creep Index, PCI score distribution, identities with a high PCI score, and identities that can escalate privileges. The report also shows how many identities can administer security tools and access secret information, and tracks metrics on S3 bucket access, in the case of AWS for example.

Permissions Analytics Report | Permission Creep Index
Permissions Analytics Report | Permission Creep Index

Next, let’s look at how to configure alerts.

Customizable machine learning-powered anomaly and outlier detection alerts will notify you of any suspicious activity, such as deviations in usage profiles or abnormal access times. Alerts can be used to alert on permissions usage, access to resources, indicators of compromise (IOC), insider threats, or to track previous incidents. You can configure alerts to trigger based on activities in your environment.

Create Alerts
Create Alerts

You can also configure alerts to trigger Rule-Based Anomalies. To do so, you select Create Anomaly Trigger and then provide a name for the alert.

Next, select the environment you want to create the alert trigger for (AWS, AZURE, or GCP). In this example, we’ll select Azure. Next, select the rule for the trigger.

We’ll configure the alert to trigger when any resource is accessed for the first time, and then proceed to the Next step.

Create an alert to trigger when any resource is accessed for the first time
Create an alert to trigger when any resource is accessed for the first time

Then select the Azure account you want to apply the rule to. Next, select configuration. You can also specify a time interval for the alert. In this example, we’ll configure the alert to trigger activities that have occurred over the past 90 days, and then Save your changes.

Alert configuration
Alert configuration

You can review the results of the alert once they are ready, and see all the activities that have been flagged by the alert.

Review the results of the alert
Review the results of the alert

On the Statistical Anomaly tab, you can create and configure alerts to trigger based on statistical anomalies.

Similarly, on the Permission Analytics tab, you can create and trigger alerts based on permission analytics. You have built-in triggers available for each cloud environment (AWS, AZURE, or GCP) that you can use.

Create alert triggers for different cloud environments
Create alert triggers for different cloud environments

There you have it!

Wrapping Up

In this guide, you’ve learned how Microsoft Entra Permissions Management can help you get granular cross-cloud visibility, enforce the principle of least privilege, and continuously monitor permissions with alerts and reports.

As more services are moved to the cloud, users and workloads continue to accumulate permissions over time. Left unused and unmonitored, these permissions become prime targets for attackers or simple misuse.

The unified multi-cloud Permissions Management in Microsoft Entra provides a single, unified platform to manage permissions for all identities – users and workloads – across all major cloud infrastructures (Amazon AWS, Microsoft Azure, and Google GCP).

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

Photo of author
About the Author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect with 20+ years of IT experience. As a Swiss Certified ICT Security Expert, CCSP, CISM, MVP, and MCT, he excels in optimizing mission-critical enterprise systems. His extensive practical knowledge spans complex system design, network architecture, business continuity, and cloud security, establishing him as an authoritative and trustworthy expert in the field. Charbel frequently writes about Cloud, Cybersecurity, and IT Certifications.
Previous

The Importance of Vulnerability Assessment – Protect Your Business

9 Reasons of Protecting Your Network from Cyber Attacks

Next

Let me know what you think, or ask a question...

error: Alert: The content of this website is copyrighted from being plagiarized! You can copy from the 'Code Blocks' in 'Black' by selecting the Code. Thank You!