Permissions Creep Index
Microsoft retired Entra Permissions Management on November 1, 2025. The Permissions Creep Index retired with it. Permafrost EPM is the CIEM platform for Microsoft Cloud, designed for ex-MEPM customers. UPRS is the per-identity recovery of the PCI methodology, scored against a 90-day activity window with ARM activity-log evidence behind every finding. Read-only OAuth into your connected tenants. No standing write access.
What the Permissions Creep Index was
The Permissions Creep Index was the signature metric of Microsoft Entra Permissions Management. Microsoft acquired CloudKnox in 2021 and rebranded it MEPM; PCI carried over from the CloudKnox era.
Per Microsoft’s published documentation, PCI was an aggregated metric that periodically evaluates the level of risk associated with unused or excessive permissions across identities and resources. The scale was 0–100. Higher meant more gap between permissions granted and permissions used. One number per identity, one rollup per tenant.
Source: Microsoft Learn, Permissions Management overview.
Microsoft retired Permissions Management on November 1, 2025. The PCI metric retired with the product. Microsoft also deprecated PCI on the Defender side, so the Defender for Cloud CIEM workbook is not a one-to-one replacement for the single-number metric.
Why customers cared
PCI did two jobs in the same number. Security teams used the per-identity score as the unit of work for right-sizing. The executive layer used the tenant rollup as the quarterly KPI for the access-review program.
A dropping PCI was the proof that the program was working. A rising PCI was the proof the team needed more headcount or tighter controls. The number translated cleanly between the analyst and the board.
For ex-MEPM customers, the loss of PCI is not a UI inconvenience. It is the loss of the metric that connected permission-posture work to executive reporting.
How UPRS recovers PCI on Azure
Permafrost ships the Unused Permission Risk Score (UPRS). UPRS is a 0–100 per-identity score for the gap between Azure RBAC permissions granted and Azure RBAC permissions exercised inside a 90-day activity window. It rolls up to a customer-wide aggregate across the identities in the customer’s connected Azure tenants. The aggregate is the executive-reporting unit that PCI used to provide.
The deliberate constraint: UPRS is Azure-RBAC-only. The score is driven from ARM activity logs, not from directory-side signals. That is a scoping decision, not a coverage gap.
The reason is defensibility. Every UPRS finding points to a specific Azure role assignment and the ARM activity-log evidence that proves it is unused. A composite score that mixes Azure RBAC with directory-side signals collapses two different evidence types into one number. The customer cannot tell which signal moved the score. The tool cannot explain itself. We keep the signals separate: UPRS for Azure RBAC, a first-class directory-side findings surface for Microsoft Graph application permissions and Entra directory roles.
That is what purpose-built Azure CIEM looks like. One score, one evidence type, one remediation unit.
Distribution — illustrative
Identities by UPRS bucket in a representative Azure tenant. Not connected to any customer data on this public page.
How to read a UPRS score
UPRS bands at the conceptual level. The thresholds are tunable per customer; the descriptions below are how Permafrost surfaces the bands by default.
- Critical. The identity holds substantially more permissions than it has exercised, and at least one unused permission sits at a high blast-radius scope (subscription-level or above). Right-size urgently.
- High. The identity holds substantially more permissions than it has exercised, but the unused permissions sit at narrower scopes. Right-size in the next access-review cycle.
- Medium. A meaningful gap between granted and used permissions, but within the range an access-review cycle can absorb. Track the trend.
- Low. The identity’s assigned permissions broadly match the usage pattern inside the 90-day activity window. No immediate action.
The specific scoring weights and the formula that produces a band assignment are part of Permafrost’s proprietary methodology and are not published. The bands are customer-visible. The weights are not.
What Permafrost does with high-UPRS identities
- Surfaced in the privileged-set filter. High-UPRS identities land at the top of the Identities dashboard’s privileged-set view, sorted by score. The number is the work queue.
- Wired to a right-sized custom-role suggestion. For each high-UPRS identity, Permafrost generates a least-privilege custom Azure role that maps the actually exercised permissions over the 90-day window. The export is ARM, Bicep, or Terraform, ready for change-managed deployment in your pipeline.
- Routed through the three remediation modes. Every high-UPRS recommendation ships in Mode A (manual playbook), Mode B (downloadable script with preview), or Mode C (in-product action via session-scoped OAuth). The customer picks the mode that fits their change-control posture. The longer treatment lives at /docs/three-mode-remediation.
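To make the granted-versus-exercised gap and the scope rule from the bands above concrete, here is an added example; it is not Permafrost's code and not its proprietary formula. It derives one caller's exercised-action set from constructed ARM activity-log style records inside a 90-day window, scores the gap with an assumed linear share and assumed band thresholds that apply the subscription-level-or-above rule, and emits a custom-role definition limited to the exercised actions, which is the right-sizing step in the list above. The subscription id, caller names and records are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data, not customer data: one identity's granted RBAC actions
# per role-assignment scope, plus ARM activity-log style records for the tenant.
NOW = datetime(2025, 12, 1, tzinfo=timezone.utc)
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder subscription id
GRANTED = {SUB: {"Microsoft.Compute/virtualMachines/read",
                 "Microsoft.Compute/virtualMachines/write",
                 "Microsoft.Compute/virtualMachines/delete",
                 "Microsoft.Storage/storageAccounts/listKeys/action"}}
ACTIVITY = [
    {"caller": "deploy-sp", "operationName": "Microsoft.Compute/virtualMachines/read",
     "eventTimestamp": "2025-11-20T10:00:00Z"},
    {"caller": "deploy-sp", "operationName": "Microsoft.Compute/virtualMachines/write",
     "eventTimestamp": "2025-10-05T08:30:00Z"},
    {"caller": "deploy-sp", "operationName": "Microsoft.Compute/virtualMachines/delete",
     "eventTimestamp": "2025-07-01T12:00:00Z"},    # older than the 90-day window: does not count
    {"caller": "other-sp", "operationName": "Microsoft.Storage/storageAccounts/listKeys/action",
     "eventTimestamp": "2025-11-25T09:00:00Z"},    # a different caller: does not count
]

def exercised_actions(activity, caller, now=NOW, window_days=90):
    """Operations the caller actually performed inside the activity window."""
    cutoff = now - timedelta(days=window_days)
    return {r["operationName"] for r in activity if r["caller"] == caller
            and datetime.fromisoformat(r["eventTimestamp"].replace("Z", "+00:00")) >= cutoff}

def high_blast_radius(scope):
    """Subscription-level or above: subscription root, management group, or tenant root."""
    return (scope.startswith("/subscriptions/") and "/resourceGroups/" not in scope) \
        or scope.startswith("/providers/Microsoft.Management/managementGroups/") or scope == "/"

def score_identity(granted, exercised):
    """Assumed linear gap score (0-100): share of granted actions never exercised.
    Band thresholds are assumptions for illustration, not Permafrost's weights."""
    all_granted = set().union(*granted.values())
    unused = {s: acts - exercised for s, acts in granted.items()}
    score = round(100 * len(all_granted - exercised) / len(all_granted)) if all_granted else 0
    wide = any(u and high_blast_radius(s) for s, u in unused.items())
    band = ("Critical" if score >= 50 and wide else "High" if score >= 50
            else "Medium" if score >= 20 else "Low")
    return score, band, unused

def right_sized_role(name, exercised, scope):
    """Custom-role definition in the JSON shape `az role definition create` accepts,
    limited to the actions the identity actually exercised."""
    return {"Name": name, "IsCustom": True, "Description": "Least-privilege role from 90-day usage",
            "Actions": sorted(exercised), "NotActions": [], "DataActions": [],
            "NotDataActions": [], "AssignableScopes": [scope]}
```

With the sample records, deploy-sp exercised only read and write, so two of four granted actions are unused at subscription scope and the identity lands in the Critical band.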
Where this fits in the MEPM successor story
If you arrived here searching for PCI specifically because you are migrating off Microsoft Entra Permissions Management, this page is the technical answer. The page below is the full migration brief: what MEPM did, what Permafrost covers, what it deliberately does not, and how the evaluation runs end to end.
Next stop
- How Permafrost works: the architecture behind UPRS, the ARM RBAC plane versus the Entra directory plane, and why Permafrost ships them as separate first-class signals instead of one composite.
- Three-mode remediation: how a high-UPRS identity becomes a change-managed action without Permafrost ever holding a write-capable token to your tenant.