Microsoft Entra Permissions Management AMA
Event details
1. Will Permissions Management ever be able to automate Principle of Least Privilege for Global Administrators that are not yet associated with a Subscription or have access to a resource? Certain global administrators are not showing up in CloudKnox.
2. Is it possible to configure what is deemed “Over-provisioned” to be stricter? Like setting exceptions for all Global Administrators that have Access management for Azure resources enabled?
3. Will setting onboarding mode to Automatically Manage change existing permissions for Azure resources? Is there any risk to currently assigned permissions?
4. Will it be possible to change the option for deletion of a configuration instead of OTP (since the default receiver does not have a mailbox)?
5. At what date is the official launch for Permissions Management (end of PREVIEW)?
6. Despite being signed up for the trial in the EU and it being active, it is not showing in the Entra portal. I could, however, force our tenant to be onboarded with the following link: https://c16.app.ciem.cloudknox.io/tenant/onboard . Permissions Management is still not showing up in Entra or in the Azure AD highlights.
Hello! Thanks for the questions.
1. Currently, Entra Permissions Management looks at the permission assignments in the subscriptions. Support for Azure AD roles is on the future roadmap.
2. Currently, we do not have configurations for “Over-provisioned”, since we calculate permission creep index (PCI) scores from what we see in your environments, measured as high, medium or low risk. You can exclude the Global Administrators from the overall permission creep index by tagging them “exclude_from_pci”.
3. There are two types of onboarding: controller enabled or disabled. With controller disabled mode, you can assign read-only permissions. With controller mode enabled, the admin can choose to remediate the over-privileged identities and create new roles from the Entra Permissions Management console.
4. The option of deletion cannot be changed, as we use the OTP mechanism as a step to ensure consent for deletion. You will need to ensure the Global Admin or admin of Entra Permissions Management under User Management has an email account.
5. Official launch: July 7th, 2022. Public preview has ended; all accounts onboarded to public preview will go offline on October 7th, 2022. You can sign up for a trial license to continue using the product in a trial manner: https://aka.ms/TryPermissionsManagement
6. Can you access the link directly: https://pm.cloudknox.io ? If you still see the issue, please open a support ticket.
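Answer 1 above means that a Global Administrator who holds no Azure RBAC assignment inside any subscription is not scored by the product today. The script below is an added example, not part of the AMA thread and not Microsoft code: it takes two exported JSON documents and lists the Global Administrators that have no subscription-scoped assignment, so they can be reviewed by hand. The record shapes are assumptions modelled on a Microsoft Graph directory-role member listing and the output of `az role assignment list --all`; every record here is constructed sample data. A root-scope (`/`) User Access Administrator assignment, which is what the Access management for Azure resources elevation grants, is reported separately because it is outside any subscription.

```python
"""Added example: find Global Administrators with no subscription-scoped Azure RBAC.

Assumptions (not from the AMA thread):
- GLOBAL_ADMINS_JSON mimics Graph /directoryRoles/{id}/members for the
  Global Administrator role.
- ROLE_ASSIGNMENTS_JSON mimics `az role assignment list --all` output.
All identifiers below are constructed sample data.
"""
import json
import re

# Constructed: three Global Administrators.
GLOBAL_ADMINS_JSON = """[
  {"id": "11111111-1111-1111-1111-111111111111",
   "userPrincipalName": "alice@contoso.example", "displayName": "Alice"},
  {"id": "22222222-2222-2222-2222-222222222222",
   "userPrincipalName": "bob@contoso.example", "displayName": "Bob"},
  {"id": "33333333-3333-3333-3333-333333333333",
   "userPrincipalName": "breakglass@contoso.example", "displayName": "Break Glass"}
]"""

# Constructed: Azure RBAC assignments across the tenant.
# Alice: Owner on a resource group plus Reader at a management group.
# Bob:   only the root-scope elevation (User Access Administrator at "/").
# Break Glass: no Azure RBAC at all.
ROLE_ASSIGNMENTS_JSON = """[
  {"principalId": "11111111-1111-1111-1111-111111111111", "principalType": "User",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/aaaaaaaa-0000-0000-0000-000000000001/resourceGroups/rg-prod"},
  {"principalId": "11111111-1111-1111-1111-111111111111", "principalType": "User",
   "roleDefinitionName": "Reader",
   "scope": "/providers/Microsoft.Management/managementGroups/mg-root"},
  {"principalId": "22222222-2222-2222-2222-222222222222", "principalType": "User",
   "roleDefinitionName": "User Access Administrator", "scope": "/"}
]"""

# A scope is "inside a subscription" when it starts with /subscriptions/<guid>.
SUB_RE = re.compile(r"^/subscriptions/([0-9a-fA-F-]{36})(?:/|$)")


def subscription_of(scope: str):
    """Return the subscription id a scope belongs to, or None for
    root ('/'), management-group and other non-subscription scopes."""
    m = SUB_RE.match(scope)
    return m.group(1).lower() if m else None


def classify_global_admins(admins, assignments):
    """Per Global Administrator: subscriptions touched by any assignment,
    root-scope roles, and whether any subscription-scoped assignment exists."""
    by_principal = {}
    for a in assignments:
        by_principal.setdefault(a["principalId"], []).append(a)
    report = {}
    for admin in admins:
        mine = by_principal.get(admin["id"], [])
        subs = sorted({s for s in (subscription_of(a["scope"]) for a in mine) if s})
        root_roles = sorted({a["roleDefinitionName"] for a in mine if a["scope"] == "/"})
        report[admin["userPrincipalName"]] = {
            "subscriptions": subs,
            "root_scope_roles": root_roles,
            "has_subscription_assignment": bool(subs),
        }
    return report


def not_covered(report):
    """UPNs of Global Administrators with no subscription-scoped assignment,
    i.e. the ones to review manually given answer 1 above."""
    return sorted(upn for upn, r in report.items() if not r["has_subscription_assignment"])


if __name__ == "__main__":
    rep = classify_global_admins(json.loads(GLOBAL_ADMINS_JSON),
                                 json.loads(ROLE_ASSIGNMENTS_JSON))
    for upn in not_covered(rep):
        print(f"{upn}: no subscription-scoped RBAC; root-scope roles = "
              f"{rep[upn]['root_scope_roles'] or 'none'}")
```

Replace the two embedded JSON strings with real exports to run this against a tenant; the management-group assignment is deliberately left out of the "covered" count because the answer only mentions subscription-level assignments, so treat that classification as a starting point for review rather than a statement about what the product ingests.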
- johank455, Jul 19, 2022, Copper Contributor
Thank you for taking the time to reply to all my questions. Yes, I can access PM CloudKnox and the link you mentioned. The Permissions Management shortcut in the Entra portal, however, is missing. When I used the link that I posted ending with /onboard, my tenant was automatically onboarded within seconds (without me actually having to enable PM or perform any PowerShell actions). Is this by design?
- Nick_Wryter, Jul 19, 2022, Microsoft
The design is to enable Entra Permissions Management automatically after a license acquisition. You will need to go through the process of onboarding AWS, Azure or GCP:
- AWS-- https://docs.microsoft.com/en-us/azure/active-directory/cloud-infrastructure-entitlement-management/onboard-aws
- Azure -- https://docs.microsoft.com/en-us/azure/active-directory/cloud-infrastructure-entitlement-management/onboard-azure
- GCP -- https://docs.microsoft.com/en-us/azure/active-directory/cloud-infrastructure-entitlement-management/onboard-gcp
- johank455, Jul 19, 2022, Copper Contributor
I have registered for the license and it is showing as active in Microsoft 365 > Billing > Your products.
I am Global Administrator, and "Assign license" is grayed out, with 100 unassigned licenses.
Despite this, PM CloudKnox still works, and last week I onboarded both an AWS account and an Azure subscription (and it shows data from both of these).
Permissions Management in the Entra admin center is still missing there (on the left-hand side).