Microsoft Entra Permissions Management Retirement: Analysis and guidance

Microsoft Entra Permissions Management, the standalone tool providing Cloud Infrastructure Entitlement Management (CIEM) for Azure, AWS, and GCP, is set to be retired. After October 1, 2025, this product will no longer be available or supported. In its place, Microsoft will integrate select CIEM features into Microsoft Defender for Cloud—a core component of its Cloud Security Posture Management (CSPM) solution—ensuring that organizations retain the ability to track and manage permissions across multi-cloud environments.
What’s happening?
Microsoft has announced that no new deployments or purchases of Entra Permissions Management will be accepted after April 1, 2025 for Enterprise Agreement or direct customers and May 1, 2025 for Cloud Solution Provider customers. This decision marks a strategic shift in Microsoft’s approach to CIEM, where the emphasis will be on enhancing integrated security through Defender for Cloud. For customers requiring a full, standalone CIEM alternative, Microsoft is partnering with Delinea, an independent software vendor, to offer a solution that matches or exceeds the capabilities previously provided.
Before and after: Implications for Azure users
Availability of Entra Permissions Management: Before the retirement, Entra Permissions Management was available as a standalone product specifically designed for Cloud Infrastructure Entitlement Management (CIEM) across Azure, AWS, and GCP. It could be purchased by new customers, making it a go-to solution for those seeking comprehensive multi-cloud entitlement control. With the retirement, new purchases are no longer accepted after April 1, 2025 (for EA/direct customers) or May 1, 2025 (for CSP customers), and full support concludes on October 1, 2025.
License/subscription model: Initially, the solution was offered as a separate add-on for Microsoft Entra (formerly Azure AD), allowing customers to augment their existing setups with advanced CIEM capabilities. With the retirement, the standalone add-on is no longer available for new customers, limiting its use strictly to legacy customers until the end-of-support. This shift marks a significant change in the licensing and subscription model, impacting how organizations plan their CIEM strategy moving forward.
Integration with Microsoft Defender for Cloud: Previously, organizations had two distinct ways to access CIEM features: either through the standalone Permissions Management solution or via integration with Microsoft Defender for Cloud’s Cloud Security Posture Management (CSPM) offering. Following the retirement, Microsoft recommends a singular, integrated approach by leveraging Defender for Cloud’s evolving CIEM features alongside its CSPM capabilities. This consolidation aims to streamline CIEM adoption while enhancing security postures through a unified platform.
Multicloud permissions and governance: Prior to the retirement, multicloud permissions and governance were primarily managed through either Entra Permissions Management or third-party CIEM tools. In the post-retirement landscape, organizations will need to rely on Defender for Cloud’s CSPM in tandem with any external CIEM solution, such as Delinea, to effectively manage multi-cloud entitlements and governance. This transition emphasizes a broader, more integrated security ecosystem to address the complexities of multicloud environments.
Impact on Azure IAM (Entra ID): It is important to note that the retirement of Entra Permissions Management does not directly affect the core capabilities of Azure IAM (now Microsoft Entra ID). The standard features, such as Single Sign-On (SSO) and Multi-Factor Authentication (MFA), will continue to function without disruption. The changes are focused solely on the CIEM add-on, ensuring that the foundational identity management features remain intact and reliable for all users.
Support and updates: During its lifecycle, Entra Permissions Management was backed by full support from Microsoft, including regular updates and patches to ensure robust security and functionality. With the product’s retirement, official support from Microsoft will come to an end, redirecting attention and resources towards Defender for Cloud and third-party solutions like Delinea for advanced CIEM capabilities. This change signals a shift in where organizations should seek innovation and support for their entitlement management needs.
Impact on Identity and Access Management
The retirement of Entra Permissions Management does not impact core Identity and Access Management (IAM) services provided by Microsoft Entra ID (formerly Azure AD). Fundamental features like Single Sign-On (SSO), Multi-Factor Authentication (MFA), user and group management, and Conditional Access will remain unchanged.
Organizations that previously leveraged Entra Permissions Management as a centralized view for Azure, AWS, and GCP entitlements should now evaluate whether the integrated CIEM features in Defender for Cloud meet their needs. An even better option is an independent identity security platform, such as Unosecur, to address advanced security and compliance requirements.
The Unosecur advantage
Unosecur is an AI-powered identity security platform designed for multi-cloud environments, offering comprehensive Cloud Infrastructure Entitlement Management (CIEM) across Azure, AWS, and GCP. It centralizes identity governance by providing continuous monitoring, automated least privilege enforcement, and real-time identity threat detection.
This unified approach makes it a compelling alternative for organizations transitioning away from Microsoft Entra Permissions Management by ensuring that cloud permissions and entitlements remain securely managed through an integrated, multi-cloud dashboard.
Targeted at enterprise-scale environments, Unosecur seamlessly integrates with existing cloud security ecosystems, including Azure AD and Microsoft Defender for Cloud, to enhance native capabilities with advanced identity analytics and automated remediation workflows.
With features such as detailed auditing for compliance, rapid agentless deployment, and no-code policy automation, Unosecur is well-equipped to support organizations in maintaining secure, compliant, and efficient identity and access management across multiple cloud platforms.