In today’s digital world, permissions management and access control are critical to protecting organisational data and resources. As cloud adoption expands, organisations face a new level of complexity in managing identities and permissions across multiple environments. Microsoft Entra Permissions Management delivers a cloud infrastructure entitlement management (CIEM) solution to meet that demand.
Introducing Microsoft Entra Permissions Management
Microsoft Entra Permissions Management is part of Microsoft’s Entra product family, which addresses identity and access management in the cloud era by securing identities, providing a basis for risk decisions, managing identity life cycles, enforcing least-privilege access control and streamlining access management workflows. Within that family, Permissions Management focuses on discovering, right-sizing and monitoring the permissions that identities hold across cloud platforms, helping organisations meet their security and compliance goals while improving how teams and individuals are granted access.
Addressing the Permissions Gap
A key challenge for organisations is the Permissions Gap: the difference between the permissions granted to a user or workload identity and the permissions that identity actually uses. According to Microsoft Security’s own data, more than 90% of identities use less than 5% of the permissions they have been granted. Every unused permission increases the likelihood of a breach: a dormant permission is like a spare key that is never used but still opens the door, and an attacker who compromises the identity inherits it along with everything the identity genuinely needs. This is one reason unauthorised access and breaches continue to plague organisations. Microsoft Entra Permissions Management quantifies unused permissions per identity through its Permission Creep Index (PCI), so that least-privilege policies can be enforced and only the permissions the organisation actually needs to stay productive are retained.
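The permissions-gap idea above can be made concrete by comparing what a role grants with what the identity was observed doing. The PowerShell below is an added example and is not code from the original post or from the Permissions Management product; the PCI itself is a proprietary score, so this is only the underlying comparison. The role definition and the activity-log operation names are constructed sample data, and it evaluates Azure RBAC the way the platform does: an operation is permitted when some Actions pattern matches it and no NotActions pattern does.

```powershell
# Added example (not from the original post): estimate an identity's permissions gap
# by comparing the actions its role grants against the operations it actually performed,
# as the Azure Activity Log records them in operationName. All data below is constructed.

# Actions/NotActions as an Azure role definition expresses them (wildcards allowed).
$roleActions = @(
    'Microsoft.Storage/storageAccounts/read',
    'Microsoft.Storage/storageAccounts/listKeys/action',
    'Microsoft.Compute/virtualMachines/*',
    'Microsoft.KeyVault/vaults/*',
    'Microsoft.Network/networkSecurityGroups/write',
    'Microsoft.Authorization/roleAssignments/write'
)
$roleNotActions = @(
    'Microsoft.Compute/virtualMachines/delete'
)

# operationName values seen for this identity over the review window (constructed;
# duplicates stand for repeated calls).
$usedOperations = @(
    'Microsoft.Storage/storageAccounts/read',
    'Microsoft.Storage/storageAccounts/read',
    'Microsoft.Compute/virtualMachines/start/action',
    'Microsoft.Compute/virtualMachines/read',
    'Microsoft.Compute/virtualMachines/delete'   # matches Actions but is excluded by NotActions
)

function Test-ActionGranted {
    param([string]$Operation, [string[]]$Actions, [string[]]$NotActions)
    # RBAC evaluation: allowed if any Actions pattern matches and no NotActions pattern matches.
    # -like uses the same * wildcard semantics that role definitions use.
    $allowed = $Actions    | Where-Object { $Operation -like $_ }
    $denied  = $NotActions | Where-Object { $Operation -like $_ }
    return ([bool]$allowed -and -not [bool]$denied)
}

function Get-PermissionsGap {
    param([string[]]$Actions, [string[]]$NotActions, [string[]]$Used)
    $distinctUsed = $Used | Sort-Object -Unique

    $exercised = foreach ($pattern in $Actions) {
        # A granted pattern counts as exercised only if a *permitted* operation matched it;
        # an attempt that NotActions blocks does not justify keeping the grant.
        $hit = $distinctUsed | Where-Object {
            ($_ -like $pattern) -and (Test-ActionGranted -Operation $_ -Actions $Actions -NotActions $NotActions)
        }
        [pscustomobject]@{ Action = $pattern; Exercised = [bool]$hit }
    }
    $unused = @($exercised | Where-Object { -not $_.Exercised })

    [pscustomobject]@{
        GrantedActions = $Actions.Count
        ExercisedCount = $Actions.Count - $unused.Count
        UnusedActions  = $unused.Action
        UsedPercent    = [math]::Round(100 * ($Actions.Count - $unused.Count) / $Actions.Count, 1)
        # Operations attempted that the role does not permit (denied by NotActions or never
        # granted); both belong in an access review, for different reasons.
        NotPermitted   = @($distinctUsed | Where-Object {
            -not (Test-ActionGranted -Operation $_ -Actions $Actions -NotActions $NotActions)
        })
    }
}

$gap = Get-PermissionsGap -Actions $roleActions -NotActions $roleNotActions -Used $usedOperations
$gap | Format-List
```

With the sample data, two of the six granted actions are exercised (UsedPercent 33.3), `listKeys/action`, the Key Vault and NSG grants and `roleAssignments/write` are candidates for removal, and the blocked `virtualMachines/delete` attempt surfaces under NotPermitted. In a real review the used-operations list would come from Activity Log or Log Analytics exports for the identity, and the role actions from `Get-AzRoleDefinition`.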
Enabling Permissions Management: Azure Subscription Onboarding
This first part of the blog series shows how to enable Permissions Management by onboarding an Azure subscription. Before proceeding, ensure the following prerequisites are in place:
- You need an account holding the Global Administrator role in the Microsoft Entra ID (Azure AD) tenant to enable Permissions Management.
- Azure CLI or Azure PowerShell (the Az module) must be installed so you can run the role-assignment commands during onboarding.
- The identity running those commands needs Microsoft.Authorization/roleAssignments/write on the target subscription, which the Owner and User Access Administrator roles include.
Once you have the prerequisites ready, follow these steps to onboard your Azure subscription:
- Sign in to the Microsoft Entra admin center with your credentials.
- Select ‘Permissions Management’ from the portal navigation.
- Under ‘Data Collectors’, select ‘Azure’.
- Click ‘Create Configuration’.
- Choose ‘Automatically Manage’ if you want Permissions Management to track your current subscriptions and any added later.
- Grant the Cloud Infrastructure Entitlement Management (CIEM) application a role at the subscription scope using PowerShell or Azure CLI. The commands below use Contributor, which is broader than data collection requires: Microsoft’s onboarding guidance assigns Reader for collection, and only the optional controller (remediation) feature needs User Access Administrator. Substitute the narrowest role that fits the features you enable, which is the least-privilege principle the product itself exists to enforce.
Using PowerShell:
Connect-AzAccount
New-AzRoleAssignment -ApplicationId <CIEM_Application_ID> -Scope /subscriptions/<Subscription_ID> -RoleDefinitionName "Contributor"
Replace <CIEM_Application_ID> with the Application ID of the CIEM application, and <Subscription_ID> with your Azure subscription ID.
Using Azure CLI:
az login
az role assignment create --assignee <CIEM_Application_ID> --scope /subscriptions/<Subscription_ID> --role Contributor
Again, replace <CIEM_Application_ID> with the Application ID of the CIEM application, and <Subscription_ID> with your Azure subscription ID.
- Click ‘Verify now and save’ to save the configuration.
- Check the data collector again after a few minutes to confirm the subscription shows as ‘Onboarded’.
Once the status shows Onboarded, your Azure subscription is connected to Microsoft Entra Permissions Management and data collection begins.
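The role-assignment step above is the one place in the procedure where a mistake widens the attack surface, so it is worth scripting carefully. The PowerShell below is an added example, not code from the original post or from Microsoft, that performs the assignment for the CIEM application idempotently: it resolves the application ID to its service principal object ID, skips the assignment if an equivalent one already exists directly at the subscription scope, and prints every role the application holds there so that an over-broad grant (such as a leftover Contributor) is visible before you click ‘Verify now and save’. It assumes the Az.Accounts and Az.Resources modules are installed and defaults to Reader, the role Microsoft’s onboarding guidance uses for data collection; the parameter names and the role choices are this example’s own.

```powershell
# Added example (not from the original post): assign the Permissions Management (CIEM)
# enterprise application its data-collection role at subscription scope without creating
# duplicate assignments, then show what the app holds so over-broad grants stand out.
# Requires Az.Accounts and Az.Resources. Parameter names below are this script's own.
param(
    [Parameter(Mandatory)] [string]$CiemApplicationId,   # Application (client) ID of the CIEM enterprise app
    [Parameter(Mandatory)] [string]$SubscriptionId,
    # Reader covers data collection. 'User Access Administrator' is only needed if you enable
    # the controller (remediation) feature. Contributor is broader than either.
    [ValidateSet('Reader', 'User Access Administrator', 'Contributor')]
    [string]$RoleName = 'Reader'
)

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null
$scope = "/subscriptions/$SubscriptionId"

# Resolve the service principal so the assignment targets an object ID rather than a
# display name, which could match more than one app.
$sp = Get-AzADServicePrincipal -ApplicationId $CiemApplicationId
if (-not $sp) {
    throw "No service principal for application $CiemApplicationId in this tenant; the CIEM enterprise app has not been provisioned here."
}

# Get-AzRoleAssignment also returns assignments inherited from parent scopes
# (management groups), so keep only those made directly at this subscription.
$existing = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope -RoleDefinitionName $RoleName |
    Where-Object { $_.Scope -eq $scope }

if ($existing) {
    Write-Host "$RoleName is already assigned to '$($sp.DisplayName)' at $scope; nothing to do."
} else {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $RoleName -Scope $scope | Out-Null
    Write-Host "Assigned $RoleName to '$($sp.DisplayName)' at $scope."
}

# Verification: list every role the app holds at or above this scope. Anything broader
# than the role you intended (for example a Contributor left from an earlier attempt)
# is a permissions gap of exactly the kind the product is meant to find.
Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope |
    Select-Object DisplayName, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

Run it as `.\Grant-CiemRole.ps1 -CiemApplicationId <CIEM_Application_ID> -SubscriptionId <Subscription_ID>` from an account that holds roleAssignments/write on the subscription. If you chose ‘Automatically Manage’, repeat the assignment at the management-group scope that contains the subscriptions you want discovered, since a subscription-scoped grant does not cover subscriptions created later.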