Microsoft Entra Permissions Management

Entra has combined three existing solutions under entra.microsoft.com:

Azure Active Directory (Azure AD) 

Multicloud identity and access management solution with integrated security. 

Microsoft Entra Permissions Management

One unified model to manage permissions of any identity across any cloud.

Microsoft Entra Verified ID

Enable more secure interactions while respecting privacy with an industry-leading global platform.

Permission management

Microsoft released Entra Permissions Management, which is a re-branded CloudKnox. For those that don't know, Microsoft acquired CloudKnox a while back.

What is the feature about?

Entra Permissions Management is a permissions management tool for multi-cloud environments. It provides a single, unified platform to manage permissions for all identities – users and workloads – across all major cloud infrastructures. It allows organizations to discover, monitor, and remediate permissions risks and work towards Zero Trust security by implementing the principle of least privilege across their entire digital estate.

Key Capabilities

It provides comprehensive visibility into permissions for all identities (both user and workload), actions, and resources across multi-cloud infrastructures. Permissions Management helps detect, right-size, and monitor unused and excessive permissions, and mitigates the risk of data breaches by enforcing the principle of least privilege in Microsoft Azure, Amazon Web Services, and Google Cloud Platform. Microsoft Entra Permissions Management will be a standalone offering generally available worldwide this July 2022 and will be also integrated within the Microsoft Defender for Cloud dashboard, extending Defender for Cloud’s protection with CIEM.

Pricing isn't yet publicly available; it will be announced later this year.

Portal experience

First of all, sorry for all the Europeans: Entra Permissions Management isn't yet available inside Europe. If you want to try it out, provision a tenant in the US and fire up the trial from there.

Once the page loads, you will see the following.

Create the service principal with az ad sp create --id, or with Graph if you don't have a subscription available.

Consent to Graph API

And for the application read/write access.

Then click Enable to start your journey.
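The three onboarding steps above (create the service principal, consent to Graph, enable) done from a console instead of the portal. This is an added example and not code from the post or from Microsoft; the application (client) ID is a placeholder that you take from the Permissions Management onboarding page, and the Graph scope Application.ReadWrite.All is my assumption for the "application read/write" consent the portal asks for. The second option uses the Microsoft Graph PowerShell module, which is the route for tenants without an Azure subscription.

```powershell
# Added example: register the Entra Permissions Management application in the tenant.
# The app ID is a PLACEHOLDER; replace it with the value shown on the onboarding page.
$AppId = '00000000-0000-0000-0000-000000000000'   # placeholder, not a real app ID

# Option 1: Azure CLI (requires logging in to a tenant that has a subscription)
az login
az ad sp create --id $AppId
# Verify the service principal now exists and note its object ID for later audits
az ad sp show --id $AppId --query "{displayName:displayName, objectId:id, appId:appId}" -o table

# Option 2: Microsoft Graph PowerShell (no subscription needed; an Application
# Administrator or Global Administrator has to consent to the scope)
Connect-MgGraph -Scopes 'Application.ReadWrite.All'   # assumed scope, see lead-in

# Idempotent: only create the service principal if it is not there already
$existing = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $existing) {
    $sp = New-MgServicePrincipal -AppId $AppId
    Write-Host "Created service principal $($sp.Id) for app $AppId"
}
else {
    Write-Host "Service principal already present: $($existing.Id)"
}

# Least-privilege check afterwards: list what the new principal was granted so the
# consent matches what the onboarding page asked for and nothing more
$spId = if ($existing) { $existing.Id } else { $sp.Id }
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $spId |
    Select-Object AppRoleId, ResourceDisplayName, CreatedDateTime
```

Whichever route you take, the final listing is worth keeping with your change record: it is the evidence of which application permissions the Permissions Management principal holds in your tenant, which is exactly the kind of standing privilege the product itself is meant to find.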

Once done, you will get a message saying provisioning was successful, and you will be redirected to the Entra Permissions Management home page at https://c3.app.mciem.cloudknox.io/home/

From there you can see the Amazon, Azure and Google clouds.

If you open Azure, you can add up to 10 different subscriptions to govern. The provisioning will be done via Azure CLI.

For Amazon, you have to create an OpenID Connect application first.

And provide your Amazon account.

And for Google the process is similar.

Let's try it out with another Azure subscription: add it, and Permissions Management will start discovering the services in it.

Once the inventory is done, click the ID.

Microsoft probably decided to combine these three solutions in the same portal because they fall under the same Zero Trust umbrella.

All three features provide core security capabilities for securing your single- or multi-cloud environments.

Here is my preview of Verifiable Credentials, PowerShell edition.

Excellent stuff, Microsoft, just excellent! Some features are and will be behind a paywall, but who wouldn't pay for solutions like this?

Author: Harri Jaakkonen
