
Three-mode remediation

Every recommendation Permafrost surfaces ships in three modes. Mode A is a manual Markdown playbook. Mode B is a downloadable script with full preview. Mode C will be a session-scoped OAuth action with zero standing write access. The customer picks the mode that fits their change-control posture.

The three modes

Every Permafrost recommendation can be acted on in one of three ways. Which mode the customer picks depends on how much friction their change-control process allows; it does not depend on what Permafrost can detect, which is the same in every mode.

Mode A

Manual playbook

Permafrost generates a step-by-step analyst walkthrough as a Markdown artifact. The analyst executes the steps directly in the Azure portal, in Graph Explorer, or in the customer’s own tooling. Permafrost has no write capability in this mode.

Mode B

Downloadable script

Permafrost generates a PowerShell or Az CLI script and shows a preview of every command before download. The analyst runs the script in their own session, with their own credentials, so it executes with exactly the privileges that session holds; the preview is the point at which to read every command before running it. The downloaded artifact is signed so it can be verified and retained for audit. Permafrost has no write capability in this mode.

Mode C (Beta)

In-product action

The analyst will click the action in Permafrost; an OAuth flow will open to Microsoft; the analyst will authorize a session-scoped grant. Permafrost will execute the action against the customer’s tenant using that grant, then discard the token. The token will live in memory only and will expire inside one hour.

Modeling status. Mode C is in active security modeling. The 25-day blast-radius review opened 2026-05-15; GA target 2026-06-10. Mode A and Mode B ship today; Mode C is available for evaluation under co-pilot agreement before GA.

Zero standing write access

The load-bearing invariant. Permafrost never holds a write-capable token to a customer tenant. No service principal in the backing store carries credentials that could modify customer state. There is no always-on write path.

Mode A and Mode B keep Permafrost out of the write path by design: the customer runs the change, and Permafrost is never party to the write. Mode C will require a fresh, time-limited, in-memory OAuth grant from a customer-authenticated session at the moment of action, and will discard the token once the action completes. The customer keeps full control over what they authorize and for how long.

The invariant is auditable two ways. From the customer's side, the consent grants visible in the tenant's enterprise-app blade show only read-only scopes; no write scope sits there waiting to be used. That view covers API permissions (delegated and application); a customer should also check Azure RBAC role assignments on the same service principal, since those are granted through Azure Resource Manager and are a separate write path. From Permafrost's side, the absence of stored write credentials is structural, not a runtime policy.
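The customer-side half of that audit, as an added PowerShell example (not Permafrost's own code): it enumerates every delegated permission, application permission and Azure RBAC role assignment held by the Permafrost service principal and flags anything that looks write-capable. It assumes the enterprise application's display name in the tenant is 'Permafrost', that the Microsoft.Graph and Az.Resources modules are installed, and that the caller can read application and directory objects; the name-based match for write permissions is a heuristic and anything it does not match still deserves a manual look.

```powershell
# Added example, not Permafrost's own code.
# Customer-side check of the zero-standing-write invariant: enumerate every
# permission granted to the Permafrost enterprise application and flag any
# that looks write-capable.
# Assumptions (not from the page): the app's display name in the tenant is
# 'Permafrost'; the Microsoft.Graph and Az.Resources modules are installed;
# the caller can read application and directory objects.

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' | Out-Null

$sps = @(Get-MgServicePrincipal -Filter "displayName eq 'Permafrost'")
if ($sps.Count -ne 1) {
    throw "Expected exactly one service principal named 'Permafrost', found $($sps.Count)."
}
$sp = $sps[0]

# Heuristic (assumption): permission names that imply write. 'AccessAsUser'
# has no 'Write' in its name but inherits the signed-in user's write rights.
$writePattern = 'Write|Manage|FullControl|AccessAsUser|RoleManagement'

$findings = New-Object System.Collections.Generic.List[object]

# 1. Delegated permissions (what the enterprise-app blade shows as user/admin
#    consent). Each grant carries its scopes as one space-separated string.
foreach ($grant in (Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All)) {
    foreach ($scope in ($grant.Scope -split ' ' | Where-Object { $_ })) {
        if ($scope -match $writePattern) {
            $findings.Add([pscustomobject]@{
                Kind       = 'Delegated'
                Permission = $scope
                Detail     = "consentType=$($grant.ConsentType)"   # AllPrincipals = admin consent
            })
        }
    }
}

# 2. Application permissions: app-role assignments. The role id is only
#    meaningful on the resource (e.g. Microsoft Graph) service principal,
#    so resolve it there to get the permission name.
foreach ($assignment in (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
    $role     = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
    if ($role -and $role.Value -match $writePattern) {
        $findings.Add([pscustomobject]@{
            Kind       = 'Application'
            Permission = $role.Value
            Detail     = "resource=$($assignment.ResourceDisplayName)"
        })
    }
}

# 3. Azure RBAC on the same service principal. This is a separate write path
#    (Azure Resource Manager) that the API-permissions view does not show;
#    a Contributor assignment on a subscription would live here.
Connect-AzAccount | Out-Null
foreach ($ra in (Get-AzRoleAssignment -ObjectId $sp.Id)) {
    # Heuristic (assumption): built-in roles not ending in 'Reader' can write.
    if ($ra.RoleDefinitionName -notmatch 'Reader$') {
        $findings.Add([pscustomobject]@{
            Kind       = 'AzureRBAC'
            Permission = $ra.RoleDefinitionName
            Detail     = "scope=$($ra.Scope)"
        })
    }
}

if ($findings.Count -eq 0) {
    "OK: '$($sp.DisplayName)' ($($sp.Id)) holds no write-capable grant by name."
} else {
    "Write-capable grants on '$($sp.DisplayName)':"
    $findings | Format-Table -AutoSize
}
```

The third check is the one most often skipped: a Contributor or Owner assignment granted to the app's service principal through Azure RBAC never appears under the enterprise application's permissions, so an audit that stops at the blade can pass while an always-on write path exists. Run the script from an account with read access to both the directory and the subscriptions in scope, and treat every flagged row as a question for the vendor rather than a verdict.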

Why three modes and not one

Customers operate under different change-control regimes. A single delivery model would force a compromise that fits no one well.

  • Strict change-management. A customer running formal change advisory cannot accept anything beyond Mode A. The playbook is the artifact that goes into the change ticket. The analyst executes the steps through the customer’s own process.
  • Mature DevSecOps. A customer with scripted-deployment patterns prefers Mode B. The script is reviewable, version-controllable, and runnable through the customer’s existing pipeline. The signed artifact is the audit unit.
  • Active incident response. A customer mid-IR will need the speed Mode C brings. The session-scoped OAuth grant gives the responder a minute-grade time-to-action without breaking the zero-standing-write invariant.

Mode availability by tier

Mode A is available on every tier: Community, Trial, Professional, and Enterprise. Mode B is available on Trial and above. Mode C, once GA, will be available on Trial and above. The matrix below shows current coverage by action.

Per-action mode coverage

Action                            Mode A      Mode B      Mode C (Beta)
Right-size role assignment        Available   Available   Beta; GA target 2026-06-10
  Replace an over-privileged role assignment with a custom role scoped to the permissions the identity actually uses.
Revoke unused role assignment     Available   Available   Beta; GA target 2026-06-10
  Remove a role assignment from an identity that has not exercised the permissions inside the measurement window.
Revoke service-principal credential   Available   Available   Beta; GA target 2026-06-10
  Invalidate a long-lived secret or certificate on a service principal that no longer needs the credential.
Restrict scope of assignment      Available   Available   Beta; GA target 2026-06-10
  Move a high-scope role assignment (subscription or above) to a narrower scope based on observed usage.
Disable dormant identity          Available   Available   Beta; GA target 2026-06-10
  Disable a user, service principal, or managed identity that has held no active session inside the measurement window.

Coverage expands as new finding types ship. New actions arrive in all three modes by default.