When did Microsoft retire Entra Permissions Management?

Microsoft retired Entra Permissions Management on November 1, 2025. New purchases ended on April 1, 2025. Microsoft's published guidance directs existing customers to plan a transition to alternative CIEM solutions.

What is the successor to Entra Permissions Management?

Microsoft has not shipped a first-party standalone replacement. Customers on Microsoft Cloud are evaluating Azure CIEM tools instead. Permafrost EPM is the CIEM platform for Microsoft Cloud that covers the work ex-MEPM customers depended on. Permission discovery runs across every identity in your connected tenants. The permission-gap analysis is the same methodology that produced PCI. Right-sized custom roles are generated from observed usage and exported as ARM, Bicep, or Terraform.

Is Permafrost EPM multi-cloud like MEPM was?

No. Permafrost covers Microsoft Cloud only. AWS, GCP, and on-premises infrastructure are out of scope, and they will stay out of scope. Azure-only is the strategic choice that lets us ship depth a multi-cloud vendor cannot match. Teams that need cross-cloud coverage should plan a separate path for those clouds.

Does Permafrost recover the Permissions Creep Index (PCI) metric?

Yes, for Azure RBAC. Permafrost ships the Unused Permission Risk Score (UPRS), a per-identity 0-to-100 metric for the gap between permissions granted and permissions actually exercised. UPRS is the deterministic recovery of the PCI methodology on Azure. Every score points to a specific role assignment with ARM activity-log evidence behind the finding.

Was MEPM the same product as CloudKnox?

Microsoft acquired CloudKnox in 2021 and rebranded it Entra Permissions Management. The November 1, 2025 retirement ended Microsoft's offering of the CloudKnox-derived product. Teams searching for a CloudKnox replacement and teams searching for a Permissions Management replacement land on the same successor question.

How does Permafrost handle remediation without write access to my tenants?

Mode A is a Markdown analyst walkthrough an admin runs by hand. Mode B is a downloadable script the customer executes inside their own change-management process. Both ship today across SP credentials, incident actions, and NHI lifecycle. Mode C — a session-scoped OAuth grant that leaves zero residue — is in active security modeling with a GA target of 2026-06-10. Permafrost never holds a write-capable token to a customer tenant in any mode.

How long does it take to evaluate Permafrost against my Azure tenant?

Connecting a tenant takes minutes through read-only OAuth consent. Initial discovery typically completes within hours. The first permission-gap report is available the same day. The 90-day Professional Edition trial unlocks full coverage so the comparison against your last MEPM report runs on your real environment.

What does Permafrost cost compared to MEPM?

Permafrost publishes two editions. Community Edition is free forever for privileged-only coverage. Professional Edition unlocks full coverage — start with a 90-day free trial. Professional Edition pricing details are coming soon; contact us for information. Pricing scales with identity objects, not log volume.

Does Permafrost cover Microsoft Entra (Azure AD) directory roles?

Yes. Permafrost models both planes: Azure RBAC on the resource side, and the Entra ID directory plane where directory roles and Graph application permissions live. The two surfaces stay distinct first-class signals. Collapsing them into one composite number loses the information a CISO needs to act on either.

How does Permafrost EPM compare to other CIEM tools for MEPM migration?

Several multi-cloud CIEM vendors compete in this category. Permafrost EPM is the Azure-only alternative. Different shapes of customer fit each option. Multi-cloud platforms fit teams that valued MEPM's cross-cloud aggregation. Permafrost fits Azure-focused teams that want depth over breadth and want a vendor that does not hold standing write access to their tenants. Teams that used MEPM exclusively for Azure should evaluate both shapes.

What is the Microsoft Defender for Cloud CIEM workbook and does it replace MEPM?

The CIEM workbook in Microsoft Defender for Cloud is a customizable Azure Workbooks view of cloud identity posture, enabled by the Defender CSPM plan. It is not a one-to-one MEPM replacement. Microsoft deprecated the Permissions Creep Index single-number metric on the Defender side, and the dedicated right-sized custom-role generator that shipped with MEPM is not a present-day Defender feature. If your team used MEPM mostly for the dashboard view, the CIEM workbook covers part of that gap. If your team used MEPM for actionable permission-gap reporting, Permafrost EPM is the closer functional successor. (Source: Microsoft Learn — Defender for Cloud Permissions Management.)

Is there a CIEM tool that is Azure-only, not multi-cloud?

Permafrost EPM is. Several multi-cloud CIEM vendors compete in this category, and every other named CIEM product on the market today is multi-cloud. Azure-only is the strategic choice that lets Permafrost ship Azure-specific depth a multi-cloud vendor cannot match: PIM activation patterns, ARM activity-log evidence per finding, customer-app-registration sovereignty, and denied-probe surfacing for failed escalation attempts.

Migration

Microsoft Entra Permissions Management successor

Microsoft retired Entra Permissions Management on November 1, 2025. There is no first-party standalone successor. Permafrost EPM is the CIEM platform for Microsoft Cloud, designed for ex-MEPM customers. UPRS recovers the Permissions Creep Index methodology on Azure with ARM activity-log evidence behind every finding. Read-only OAuth into your connected tenants. No standing write access.

What happened

Microsoft retired Microsoft Entra Permissions Management (formerly CloudKnox) on November 1, 2025. New purchases ended on April 1, 2025. Microsoft now directs existing customers to evaluate alternative CIEM solutions. There is no first-party standalone successor.

Microsoft sources

Microsoft Learn — Permissions Management overview End of sale and retirement announcement (March 2025)11 days remaining notice (October 2025)Microsoft offboarding guidance

CloudKnox to MEPM to Permafrost

Microsoft acquired CloudKnox in 2021 and rebranded it Microsoft Entra Permissions Management. MEPM retired on November 1, 2025. Permafrost EPM is the Azure continuation.

What customers used MEPM for

Three jobs covered the bulk of MEPM usage in the field.

Permission discovery. Cross-identity inventory across Azure, and across AWS and GCP for multi-cloud customers. Who has what, where.
Permissions Creep Index. The 0–100 metric for the gap between permissions granted and permissions used. The number an executive tracked quarterly.
Permissions on demand. A request-based workflow for time-limited elevated access, typically wired into the customer’s ticketing system.

How Permafrost covers the same use cases

The goal is use-case parity on Azure, not feature-for-feature parity with the MEPM UI. The shape of the work is what matters.

Permission discovery. Permafrost inventories every identity in the customer’s connected Azure tenants — users, guests, security groups, service principals, managed identities, AI agent identities — with every role assignment they hold across management groups, subscriptions, resource groups, and individual resources.
Permission-gap analysis (the UPRS). The Unused Permission Risk Score is the deterministic recovery of the PCI methodology on Azure. Every score points to a specific role assignment, with the ARM activity-log evidence that proves (or fails to prove) usage. The longer treatment lives at /docs/permissions-creep-index.
Right-sized custom-role generation. Permafrost writes least-privilege custom Azure roles from the permissions an identity actually exercises. Exports land as ARM, Bicep, or Terraform so the role ships through the customer’s change-management process, not a vendor’s.
Incident timeline with pattern matching. For IR teams, Permafrost lays out the privilege-path patterns an attacker could traverse from a given starting identity. The patterns are the five canonical Permafrost incident classes (P1 through P5), each with a one-sentence customer-facing description.

What Permafrost does not do that MEPM did

MEPM was a multi-cloud product. Permafrost covers Microsoft Cloud only — AWS, GCP, and on-premises infrastructure are out of scope.

Migration readers need that constraint up front. Teams that used MEPM exclusively for Azure find Permafrost a clean replacement on permission discovery, gap analysis, and right-sized custom roles. Teams that used MEPM for multi-cloud need a separate path for AWS and GCP, and should plan for two tools rather than one.

Two narrower gaps worth naming:

Permissions on demand. Permafrost does not ship a request-based elevated-access workflow today. For just-in-time elevation inside a customer’s Azure tenant, Permafrost integrates with the customer’s existing Privileged Identity Management (PIM) setup rather than replacing it.
Multi-cloud aggregate scoring. PCI rolled every cloud into one number. UPRS is Azure-scoped by design. We do not ship a cross-cloud composite because we do not cover the other clouds, and we will not pretend otherwise.

How a migration would look

The path from MEPM to a Permafrost evaluation is read-only end to end. No write-access dependency at any step.

Most teams also evaluate multi-cloud CIEM platforms during this window. Those are credible options if cross-cloud aggregation was the load-bearing MEPM value for your team. If Azure-specific depth and zero-standing-write matter to your evaluation, Permafrost belongs on the shortlist.

Connect a tenant. An admin in the customer organization grants read-only OAuth consent on one Azure tenant. Adding more tenants later is a per-tenant repeat of the same flow.
Run discovery. The initial pass enumerates identities, role assignments, and recent activity-log evidence. First findings appear the same day. Full UPRS scoring settles over the next measurement window.
Compare to your last MEPM PCI report. Run the Permafrost permission-gap report against the identities you tracked in MEPM. The two scoring methodologies line up closely enough that a side-by-side review is direct. The 90-day Professional Edition trial unlocks full coverage so the comparison runs on your real environment.

Connect a tenant Start the free trial

Why the timing matters

The retirement window is finite. Teams that have not yet evaluated an Azure CIEM successor are operating with their permission-posture signal degraded. The MEPM dashboards have stopped refreshing. Every week the operational gap between “we used to track this” and “we track this again” widens.

Permafrost closes that gap without standing write access to your tenants and without a multi-month deployment project. The 90-day Trial is shaped for exactly this evaluation: connect a tenant, compare against your last MEPM report, decide.

Next stop

Permissions Creep Index

The longer treatment of how Permafrost's UPRS recovers the PCI methodology on Azure, with deterministic activity-log evidence per finding.

Next stop

How Permafrost works

The CIEM architecture and the ARM RBAC versus Entra consent split that lets Permafrost ship a defensible Azure CIEM scoring signal.