
Permafrost EPM
Step 1 of 3: Understand

Connect your tenant. See your gap.

Three steps to a measurable least-privilege baseline. Read-only, reversible, and scoped to identity and permission data.

Steps: 1 Understand, 2 Consent, 3 Discovery

Read-only access required

Permafrost needs Reader permissions to audit your environment

Permafrost will never modify your Azure environment. All access is strictly read-only. We collect identity and permission data, correlate it with activity logs, and analyze the gap between assigned and used permissions.
Permissions we request
Core identity (Required; always granted)

Directory.Read.All: Read users, groups, service principals, managed identities, and app registrations
RoleManagement.Read.Directory: Read Azure AD role definitions and role assignments
AuditLog.Read.All: Read sign-in logs to determine when permissions were last exercised
Application.Read.All: Read app registrations and enterprise apps
GroupMember.Read.All: Read group memberships to trace inherited permissions
Policy.Read.All: Read Conditional Access policies and authentication settings

Azure resources (Required; granted at initial consent)

Azure Resource Manager, user_impersonation: Read ARM RBAC role assignments on subscriptions, resource groups, and resources

Privileged Identity Management (Enables PIM findings and activation analysis)

RoleAssignmentSchedule.Read.Directory: Read active PIM role assignment schedules
RoleEligibilitySchedule.Read.Directory: Read eligible PIM role assignments
RoleManagementPolicy.Read.Directory: Read PIM activation policy rules (MFA gate, approval, time limits)

Conditional Access (Enables CA posture analysis)

AuthenticationContext.Read.All: Read the authentication context class references used by CA policies

Intune (Enables Intune RBAC surface)

DeviceManagementRBAC.Read.All: Read Intune RBAC role definitions and assignments

Microsoft Purview (Enables eDiscovery RBAC surface; requires Step-2 setup)

eDiscovery.Read.All: Read eDiscovery case memberships and eDiscovery Manager / Administrator role holders

Microsoft Defender (Enables Defender unified RBAC surface)

RoleManagement.Read.Defender: Read Defender unified RBAC role definitions and assignments

SharePoint (Enables SharePoint site inventory)

Sites.Read.All: Read SharePoint site inventory (site names, URLs, external sharing status)
SharePointTenantSettings.Read.All: Read tenant-wide external sharing and access settings

Teams (Enables Teams ownership analysis)

Team.ReadBasic.All: Read Teams list, ownership, and guest-access settings

Viva Engage (Enables Viva Engage community inventory)

Community.Read.All: Read Viva Engage native-mode community inventory and admin memberships
EngagementRole.Read.All: Read Viva Engage Network Admin and Verified Admin role memberships

Agent Identities (Enables Microsoft Entra agent identity surface)

AgentIdentity.Read.All: Read Microsoft Entra agent identity objects
AgentIdentityBlueprint.Read.All: Read agent identity blueprints and their sponsor relationships
AgentIdentityBlueprintPrincipal.Read.All: Read blueprint principal authorizations

Core and ARM permissions are granted immediately. Feature permissions (Intune, Defender, SharePoint, etc.) are added progressively when you enable each surface — your tenant is never granted more access than needed for your current configuration. Read the full permissions guide.
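Two things a tenant admin will want to check before consenting are covered by the following added example, which is not Permafrost's code and makes no claim about how Permafrost itself works. First, it reviews the scope list above by name: Microsoft Graph permission names follow the Resource.Operation[.Constraint] pattern, so a scope whose operation segment is exactly Read or ReadBasic is read-only by construction, while the ARM user_impersonation scope is delegated and acts as the signed-in user, so its read-only behaviour depends on the app, not on the scope. Second, it shows the kind of assigned-versus-used correlation the page describes (role assignments joined against last sign-in time from the audit log) over a small constructed data set; the 90-day staleness threshold, the sample principals and the subscription id are assumptions.

```python
"""Pre-consent scope review and assigned-vs-used role gap check.

Added example for illustration; not Permafrost's implementation.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Scopes exactly as listed on the consent page above.
REQUESTED_SCOPES = [
    "Directory.Read.All", "RoleManagement.Read.Directory", "AuditLog.Read.All",
    "Application.Read.All", "GroupMember.Read.All", "Policy.Read.All",
    "user_impersonation",  # Azure Resource Manager delegated scope
    "RoleAssignmentSchedule.Read.Directory", "RoleEligibilitySchedule.Read.Directory",
    "RoleManagementPolicy.Read.Directory", "AuthenticationContext.Read.All",
    "DeviceManagementRBAC.Read.All", "eDiscovery.Read.All",
    "RoleManagement.Read.Defender", "Sites.Read.All",
    "SharePointTenantSettings.Read.All", "Team.ReadBasic.All",
    "Community.Read.All", "EngagementRole.Read.All", "AgentIdentity.Read.All",
    "AgentIdentityBlueprint.Read.All", "AgentIdentityBlueprintPrincipal.Read.All",
]

# Resource.Operation[.Constraint]: only an operation segment of exactly "Read"
# or "ReadBasic" counts as read-only. ReadWrite, Write, Manage, AccessAsUser
# and anything unfamiliar fall through to manual review.
_READ_ONLY = re.compile(r"^[A-Za-z]+\.(Read|ReadBasic)(\.[A-Za-z]+)*$")


def classify_scope(scope: str) -> str:
    """Return 'read-only', 'acts-as-user' or 'review' for one scope name."""
    if scope == "user_impersonation":
        # Delegated ARM scope: calls run as the signed-in user, bounded by that
        # user's RBAC. The scope name alone does not prove read-only behaviour.
        return "acts-as-user"
    return "read-only" if _READ_ONLY.match(scope) else "review"


def non_read_only(scopes: list[str]) -> dict[str, str]:
    """Scopes that are not provably read-only by name, mapped to their class."""
    return {s: c for s in scopes if (c := classify_scope(s)) != "read-only"}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # UPN, service principal or managed identity name
    role: str       # directory role or ARM RBAC role name
    scope: str      # "/" for directory-wide, or an ARM scope path


def assigned_vs_used(
    assignments: list[RoleAssignment],
    sign_ins: list[tuple[str, datetime]],  # (principal, timestamp) from sign-in logs
    now: datetime,
    stale_after_days: int = 90,            # assumed threshold
) -> dict[str, list[RoleAssignment]]:
    """Bucket each assignment by the principal's most recent sign-in.

    'active' = signed in within the window, 'stale' = older than the window,
    'never_used' = no sign-in on record at all. Last sign-in is a proxy for
    "permission exercised"; a finer check would correlate per-operation logs.
    """
    last_seen: dict[str, datetime] = {}
    for principal, ts in sign_ins:
        if principal not in last_seen or ts > last_seen[principal]:
            last_seen[principal] = ts
    cutoff = now - timedelta(days=stale_after_days)
    buckets: dict[str, list[RoleAssignment]] = {"active": [], "stale": [], "never_used": []}
    for a in assignments:
        seen = last_seen.get(a.principal)
        if seen is None:
            buckets["never_used"].append(a)
        elif seen < cutoff:
            buckets["stale"].append(a)
        else:
            buckets["active"].append(a)
    return buckets


# Constructed sample data (not from any real tenant).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_ASSIGNMENTS = [
    RoleAssignment("alice@contoso.example", "Global Reader", "/"),
    RoleAssignment("bob@contoso.example", "User Administrator", "/"),
    RoleAssignment("svc-backup", "Contributor", "/subscriptions/SAMPLE-SUB-ID"),
]
SAMPLE_SIGN_INS = [
    ("alice@contoso.example", NOW - timedelta(days=3)),
    ("bob@contoso.example", NOW - timedelta(days=200)),
]

if __name__ == "__main__":
    print("needs manual review:", non_read_only(REQUESTED_SCOPES))
    for bucket, items in assigned_vs_used(SAMPLE_ASSIGNMENTS, SAMPLE_SIGN_INS, NOW).items():
        print(bucket, [f"{a.principal}:{a.role}@{a.scope}" for a in items])
```

On the sample data the scope review flags only user_impersonation (as acts-as-user, to be bounded by the consenting user's own Azure RBAC), and the gap check reports one active, one stale and one never-used assignment; the stale and never-used buckets are the candidates for removal or conversion to PIM-eligible assignments.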

By continuing you agree to our Terms and Privacy Policy.