
Where Permafrost fits

Permafrost is built to sit alongside the Microsoft security tooling you already run, not to rip it out. The outcome a buyer cares about: fewer standing-privilege attack paths and audit findings on the identity plane, without re-tooling the controls your team already operates. This page reads each relationship — Defender for Cloud, Entra ID Governance, and PIM — at the category level, so an evaluation can record exactly what overlaps and what does not.

The one-line summary

Permafrost scores the gap between the permissions an identity holds and the permissions it actually uses — across users, service principals, managed identities, and the agent-identity class — and turns that gap into evidence-backed findings and least-privilege remediation. The Microsoft controls below each own an adjacent job. The table reads each relationship at a glance; the sections beneath it give procurement the reasoning to defend the verdict.

Complementary — different plane; run both, no duplication.

Microsoft Defender for Cloud (CSPM)

The outcome. Defender for Cloud reduces resource-plane exposure: misconfigured storage, open network paths, unpatched workloads, and compliance drift against the resources in your subscriptions. Permafrost reduces identity-plane exposure: the standing permissions an attacker would inherit if they compromised a principal. Run together, they cover both halves of the blast radius — the resource and the right to reach it.

The overlap, named. Defender for Cloud's CIEM-adjacent recommendations flag some over-permissioned identities. Permafrost goes deeper on the same axis: a per-principal risk score across eight factors, eligible-versus-active PIM assignments treated as separate signals, Entra directory roles modelled with the same rigor as Azure RBAC, and the granted-versus-used permission gap evidenced by the ARM activity log. Where Defender raises a flag, Permafrost produces the right-sized custom role to close it.

Verdict: complementary. Different planes. Keep Defender for Cloud for resource posture; add Permafrost for the entitlement posture it does not score.

Partial overlap — evaluate which signal you trust for the decision.

Microsoft Entra ID Governance (IGA)

The outcome. Entra ID Governance runs the lifecycle: access packages, joiner-mover-leaver provisioning, and periodic access reviews with attestation. It answers “should this person still have this access?” and routes the approval. Permafrost answers a different question first: “is this access actually being used, and what would it cost if it were abused?” — so a reviewer attests against measured evidence, not a name on a list.

The overlap, named. Both touch entitlement review, so this is a genuine overlap rather than a clean seam. The distinction that matters in an evaluation: access reviews are campaign-driven and human-attested over the directory; Permafrost is continuous, evidence-first, and reaches the Azure RBAC depth and the non-human identities — service principals, managed identities, agent identities — that a review campaign rarely covers. The two compose well: Permafrost's used-versus-granted evidence makes each review decision defensible instead of a rubber stamp.

Verdict: overlap, not replacement. Permafrost does not run lifecycle provisioning or HR-system integration. Keep Entra ID Governance for the lifecycle and attestation system of record; use Permafrost to feed it evidence and to cover the entitlement risk it does not score.

Complementary — different plane; run both, no duplication.

Microsoft Privileged Identity Management (PIM)

The outcome. PIM lowers the standing-privilege count by making high-impact roles eligible rather than permanent: a user activates with MFA, a justification, and an approval, for a bounded window. That is exactly the control Permafrost recommends. The two are built for the same goal from opposite ends — PIM enforces just-in-time elevation; Permafrost finds the standing grants that should be moved behind it.

The overlap, named. Permafrost is PIM-aware by design: it reads eligible and active assignments as distinct signals, so a just-in-time elevation is never mistaken for standing access, and it reads the activation policy on each eligibility — whether MFA, justification, and approval are actually required — to grade how strong the gate is. It surfaces the permanent assignments that belong in PIM and the eligibilities whose policy is too weak to count. PIM does not tell you which roles should be eligible in the first place, or whether an eligibility's gate is hollow; Permafrost does.
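As an added illustration of the two signals described in the Defender for Cloud and PIM sections above (the granted-versus-used gap evidenced by the activity log, and eligible-versus-active PIM assignments graded by their activation gate), here is a small model in Python. It is not Permafrost's code; the data class, field names, scoring thresholds and sample entries are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    actions: frozenset          # RBAC actions the role grants
    eligible: bool = False      # True: PIM eligibility, False: standing grant
    mfa: bool = False           # activation-policy fields on the eligibility
    justification: bool = False
    approval: bool = False

def used_actions(log, principal):
    """Operations the principal actually invoked, per the activity log."""
    return {e["operation"] for e in log if e["caller"] == principal}

def gate_strength(a):
    """0..3: how many activation requirements the eligibility enforces."""
    return int(a.mfa) + int(a.justification) + int(a.approval)

def analyze(assignments, log):
    """Findings keyed by (principal, role): standing grants are measured against
    observed use; eligibilities are never counted as standing, only gate-graded."""
    findings = {}
    for a in assignments:
        if a.eligible:                      # just-in-time: not standing access
            if gate_strength(a) < 2:        # assumed threshold for a "hollow" gate
                findings[(a.principal, a.role)] = {
                    "kind": "weak-gate", "strength": gate_strength(a)}
            continue
        unused = a.actions - used_actions(log, a.principal)
        if unused:                          # granted-versus-used gap
            findings[(a.principal, a.role)] = {
                "kind": "standing-unused", "unused": sorted(unused),
                "right_sized_role": sorted(a.actions - unused)}
    return findings

# Constructed sample input (not real tenant data), trimmed to the fields used.
ACTIVITY_LOG = [
    {"caller": "sp-backup", "operation": "Microsoft.Storage/storageAccounts/read"},
    {"caller": "sp-backup", "operation": "Microsoft.Storage/storageAccounts/listKeys/action"},
    {"caller": "alice", "operation": "Microsoft.Compute/virtualMachines/read"},
]
ASSIGNMENTS = [
    Assignment("sp-backup", "backup-role", frozenset({
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/delete"})),
    Assignment("alice", "Owner", frozenset({"*"}), eligible=True, mfa=True),
    Assignment("bob", "Owner", frozenset({"*"}), eligible=True, mfa=True, justification=True, approval=True),
]
```

Running `analyze(ASSIGNMENTS, ACTIVITY_LOG)` flags the service principal's unused delete action with a right-sized role of the two actions it actually used, flags alice's MFA-only eligibility as a weak gate, and leaves bob's fully gated eligibility alone.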

Verdict: complementary. PIM is the enforcement mechanism; Permafrost is the analysis that tells you what to route through it and where the gate is too weak. Use both.

What Permafrost deliberately is not

Honest scoping is part of the evaluation. None of the boundaries below are roadmap promises in disguise — they are the jobs Permafrost does not do, so you can keep the right tool for each.

  • Not a SIEM. For event detection, log retention, and incident-investigation log analytics, use a dedicated SIEM. Permafrost answers what could happen if a credential were abused, not a forensic record of what already did.
  • Not a CSPM. For resource-configuration drift, network exposure, and resource-plane compliance benchmarks, use a dedicated CSPM such as Defender for Cloud. Permafrost scores the identity plane.
  • Not a full IGA. For joiner-mover-leaver provisioning, attestation campaigns, and HR-system integration, use a dedicated identity-governance platform. Permafrost supplies the entitlement-risk evidence those reviews lack.
  • Not a PAM. For session brokering, credential vaulting, and the just-in-time elevation gate itself, use PIM or a dedicated privileged-access platform. Permafrost holds no write-capable standing credential to any tenant.

One thing that is not on this list any longer: multi-cloud. Permafrost is deepest on Microsoft Cloud today, and AWS and GCP entitlement coverage is on the roadmap — modelled at the same depth as Microsoft rather than flattened to a lowest-common-denominator schema. Microsoft Cloud is available now; AWS and GCP are coming.

Is Permafrost right for us?

The fastest way to self-qualify before you book time. The left column is where Permafrost earns its place; the right column is where another category is the better first call. The right column is the honest part of the pitch — none of it is a roadmap promise in disguise.

Good fit

Permafrost is built for you if

Any two of these usually means the evaluation is worth your time.

  • Your estate is Microsoft-cloud-heavy. Entra ID, Azure RBAC, and Microsoft 365 are where your standing privilege accumulates, and that is where Permafrost reads deepest.
  • Non-human and agent identities have outgrown review. Service principals, managed identities, and agent identities outnumber your people and almost never see an access review. Permafrost scores them with the same rigor as human accounts.
  • You are under audit pressure on standing access. Auditors or cyber-insurance want proof of least privilege and a justification for every permanent admin. Permafrost turns the granted-versus-used gap into the evidence that answers them.
  • Multi-cloud is on your horizon. You run, or are expanding into, AWS and GCP and want one entitlement model rather than three consoles. Microsoft Cloud is deepest today; AWS and GCP are on the roadmap.
  • You already run PIM, Defender for Cloud, or access reviews. Permafrost feeds them the entitlement-risk evidence that makes each decision defensible, instead of adding another disconnected silo.
  • A new tool may hold no standing write credential. Your security review forbids granting a write-capable standing token. Permafrost analyzes read-only and remediates through session-scoped, in-memory authorization.

Not a fit

Look elsewhere first if

These are different categories. Keep the right tool for each job.

  • You need a SIEM or log lake. Event detection, log retention, and forensic investigation are a different category. Permafrost scores what could happen if access were abused, not a record of what already did.
  • You need full IGA lifecycle. Joiner-mover-leaver provisioning, HR-system integration, and attestation campaigns belong to a governance platform such as Entra ID Governance. Permafrost supplies the evidence those reviews lack, not the lifecycle itself.
  • You need PAM session brokering. Credential vaulting, session recording, and the just-in-time elevation gate itself are a privileged-access platform's job, with PIM as the Microsoft-first option. Permafrost finds what to route through that gate.
  • You need a CSPM. Resource misconfiguration, network exposure, and compliance benchmarks are the resource plane. Use Defender for Cloud or another CSPM; Permafrost scores the identity plane beside it.
  • You run no Microsoft cloud at all. Permafrost is deepest on Microsoft today. With no Entra, Azure, or Microsoft 365 footprint the immediate fit is thin, though AWS and GCP coverage is coming.

Sitting in the middle? The per-control comparison above reads each relationship to the Microsoft tooling you already run, and the read-only demo walks the product on a synthetic tenant with no sign-in.

Why the seam is clean: zero standing write

The reason Permafrost layers cleanly on top of the controls above is architectural. It holds no write-capable token to any customer tenant. Analysis runs from read-only access; remediation runs through one of three customer-chosen modes — a manual playbook, a downloadable reviewed script, or a session-scoped delegated authorization that lives in memory for under an hour and is never persisted. Adding Permafrost does not widen your standing-credential footprint, which is the first question a security review of any new tool will ask.