What is our primary use case?
The entire company's on-prem accounts are synced with Azure Active Directory. We use that as an identity provider to log in to Azure and everything else.
How has it helped my organization?
Entra ID is the core of the identity management that we have. This is the key product that we are using.
I am currently also looking into Entra Private Access because we are planning to deploy about 50,000 desktops into Azure and use Azure Virtual Desktop. We would like to give access to the users from the desktop to on-premises applications. I learned that Entra Private Access is a good solution. That is not yet GA, but that is what we are looking for.
Entra provides a single pane of glass for managing user access, but because our company also integrates with Nebula API, only administrators use Entra's pane. A normal person who wants to get onboarded can do self-service using Nebula.
The features for whitelisting and other things are definitely there. That is what we use specifically. Application IDs, enterprise applications, and all those things are already there, so we have more efficiency. There is also security because we usually do not allow user identities to get direct access to Azure resources. Usually, we use the service principals from Entra ID, so this way, it increases security.
Entra has helped to save time for our IT administrators. We tend to automate a lot of things. We can do automation using Graph APIs and save time. It is hard to quantify the time savings, but there has been a medium amount of time savings.
Entra has helped to save our organization money. We care about security and risk more than money, but it also saves money. We are premium customers, and because we have a commit-to-consume contract with Microsoft of multi-million dollars, the money does not come into it because we have to consume those resources.
What is most valuable?
Multifactor authentication is valuable. The way we use it is that we have multiple accounts for the administrator. We use the high-privilege account for the administrative work, and then we also use the lease time period and everything else for authentication. For authorization, we have resource-based authorized access. Not everybody has everything. Some people have read access, and some have write access, depending upon the privilege account.
What needs improvement?
We use a third-party API called Nebula API to integrate the account for authorization. The time-bound access area in Entra can be a problem. It can be improved in terms of the granularity of the permissions.
For how long have I used the solution?
Entra ID is the new name. Earlier, it was Azure Active Directory. We have been using that since 2018.
What do I think about the stability of the solution?
I would rate it a seven out of ten in terms of stability because we sometimes have issues.
What do I think about the scalability of the solution?
I would rate it an eight out of ten in terms of scalability.
How are customer service and support?
Their support is not good. I do have the Azure Rapid Response (ARR) for SMC support and other things, but their first-level support is not good. We do not always get the correct answer. I would rate their support a five out of ten.
Which solution did I use previously and why did I switch?
We did not use any other solution. Microsoft Active Directory was there for ages, and then we went to Azure Active Directory. However, for other cloud providers' identity federation, we use something called Ping.
We do not just look at our subscription or renewal costs; we look at the whole picture of the vendor. When it comes to Microsoft, we have the M365 suite for every user. We have Entra ID. We have Azure. We have Power Automate and Power BI. Everything is there, so we look at the complete picture.
We work with multiple cloud providers, such as AWS, GCP, Oracle, and Azure. We are really big in AWS, but because Microsoft has some very lucrative products, we are moving some applications like IoT, OpenAI, as well as the Azure Virtual Desktop, to Entra ID. They are all bound by Entra as an identity provider.
How was the initial setup?
I have been involved in the deployment of not only Entra but the whole Azure platform. Because we are a large company, there is Microsoft's customer architecture team that works hand in hand with me.
We created our own architecture to deploy all the things. For me, it was very good and seamless. It was not, as such, straightforward, but it was a collaborative effort to implement our processes in Azure.
What about the implementation team?
We use Microsoft's team, and then we use Cognizant as a partner for some development work, not for the admin work or architect work.
What was our ROI?
We have seen an ROI. Otherwise, we would not use it. In certain areas, we want to migrate all the on-prem application questions to the cloud. Azure was not our primary cloud provider, but with Entra ID and other Azure resources, where we see it suitable, we will be going to Azure, such as Azure Virtual Desktop. It will eventually save a lot of money because a lot of administration will be reduced. We do need to keep applying security updates and everything else. They will be taken care of automatically in the cloud.
What's my experience with pricing, setup cost, and licensing?
We are a Fortune 500 company, so we always negotiate with Microsoft.
What other advice do I have?
We always get a dev tenant. We always evaluate. We have multiple Azure landing zones where, when we progress to different levels, we put things in production. We do not straightaway put a new product. We always go through stages, work with Microsoft, get answers from Microsoft experts, and learn that product.
I would rate Microsoft Entra Permissions Management a seven out of ten at this time.
*Disclosure: I am a real user, and this review is based on my own experience and opinions.