Capabilities

Positioning

CIEM measures the gap between permissions granted and permissions used. SIEM measures security events over time. Permafrost is built for the first job, on Microsoft Cloud only, and treats every signal that does not answer a permission-posture question as out of scope.

Permission posture

The two disciplines are adjacent and complementary. They are not interchangeable.

Every Permafrost signal answers a permission-posture question: who can do what they should not be able to do. A SIEM tells you what already happened. A CIEM tells you what could happen if a credential were abused. Permafrost does not try to do the SIEM job, and a SIEM does not do the CIEM job well.

What makes a CIEM purpose-built for Azure

A multi-cloud CIEM has to settle for a lowest-common-denominator model that fits AWS IAM, GCP IAM, and Azure RBAC at the same time. The trade-off is real. Azure-specific signals get discarded because they do not translate to the other clouds.

A single-cloud Azure CIEM has no such constraint. The seven capabilities below are signals a single-cloud tool models end-to-end without flattening.

  • PIM-aware analysis. Eligible-versus-active assignments treated as separate signals, not collapsed into one.
  • Entra directory role coverage. Directory-side admin roles modelled with the same rigor as ARM RBAC, not as a footnote.
  • Administrative unit scoping. Scope-aware queries respect AU boundaries so findings match the customer's delegation model.
  • Conditional Access context. Risk signals folded into the per-identity picture, not hidden behind a separate console.
  • ARM activity-log integration. Every permission-gap finding can point to a control-plane log row that proves an assignment is unused.
  • Agent identity discovery. AI agents and copilot identities discovered alongside users and service principals — modern Azure tenants have both.
  • Custom role generation. Least-privilege custom Azure roles exported as ARM, Bicep, or Terraform, ready for change-managed deployment.
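To make the PIM-aware and activity-log points concrete, here is an added example (not Permafrost code, and not its data model) that measures the granted-versus-used gap: each role assignment is compared with ARM activity-log rows for the same caller within the assignment's scope, eligible and active assignments are kept as separate signals, and every "unused" verdict is backed by the absence of a proving row. All principals, scopes, role definitions and log rows are constructed, and `fnmatch` wildcards are assumed to stand in for Azure RBAC action matching.

```python
# Added example: measure the granted-vs-used gap for Azure role assignments against
# ARM activity-log rows. Every identifier, scope and log row below is constructed.
from collections import namedtuple
from fnmatch import fnmatchcase

# state is "active" or "eligible" (PIM); actions are the role definition's Actions patterns
Assignment = namedtuple("Assignment", "principal role scope state actions")
# caller, ARM operationName and resource id, as carried by an activity-log row
LogRow = namedtuple("LogRow", "caller operation resource_id")

def in_scope(scope, resource_id):
    s, r = scope.lower(), resource_id.lower()
    return r == s or r.startswith(s + "/")  # bare prefix test would let rg-prod match rg-prod2

def permission_gap(assignments, rows):
    """Per assignment: action patterns with the log rows proving use, and patterns never used.
    Matching is case-insensitive; fnmatch '*' stands in for Azure RBAC wildcards (assumption)."""
    report = []
    for a in assignments:
        evidence = {}
        for row in rows:
            if row.caller != a.principal or not in_scope(a.scope, row.resource_id):
                continue  # a call outside the assignment's scope is not evidence for it
            for pattern in a.actions:
                if fnmatchcase(row.operation.lower(), pattern.lower()):
                    evidence.setdefault(pattern, []).append(row)
        report.append({"principal": a.principal, "role": a.role, "state": a.state,
                       "used": evidence, "unused": [p for p in a.actions if p not in evidence]})
    return report

def unused_assignments(report):
    """Assignments no log row ever exercised; eligible ones stay distinguishable by state."""
    return [(r["principal"], r["role"], r["state"]) for r in report if not r["used"]]

RG = "/subscriptions/sub-0001/resourceGroups/rg-prod"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"
ASSIGNMENTS = [
    Assignment("app-deployer", "Virtual Machine Contributor", RG, "active",
               ["Microsoft.Compute/virtualMachines/*", "Microsoft.Network/networkInterfaces/read"]),
    Assignment("alice@contoso.example", "Owner", "/subscriptions/sub-0001", "eligible", ["*"]),
    Assignment("svc-backup", "Storage Account Contributor", RG, "active", ["Microsoft.Storage/storageAccounts/*"]),
]
ROWS = [
    LogRow("app-deployer", "Microsoft.Compute/virtualMachines/start/action", VM),
    LogRow("app-deployer", "Microsoft.Compute/virtualMachines/write", VM),
    LogRow("svc-backup", "Microsoft.Storage/storageAccounts/listKeys/action",  # rg-dev: outside the assignment scope
           "/subscriptions/sub-0001/resourceGroups/rg-dev/providers/Microsoft.Storage/storageAccounts/stdev01"),
]
```

Running `permission_gap(ASSIGNMENTS, ROWS)` shows the deployer's network-interface read right as unused while its VM actions carry two proving rows, and flags the eligible Owner assignment and the out-of-scope storage assignment as never exercised.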

What Permafrost does not try to be

Honest scoping is part of the product. None of the items below are future-roadmap promises.

  • Not a SIEM. For event detection, log retention, and incident-investigation log analytics, use a dedicated SIEM platform.
  • Not a CSPM. For resource-configuration drift, network exposure, and compliance benchmarks against the resource plane, use a dedicated CSPM platform.
  • Not an IGA. For joiner-mover-leaver lifecycle, attestation campaigns, and HR-system integration, use a dedicated identity-governance platform.
  • Not a PAM. For session brokering, credential vaulting, and just-in-time elevation gates, use a dedicated privileged-access management platform.
  • Not multi-cloud. Permafrost covers Microsoft Cloud only. AWS, GCP, and on-prem are out of scope. This is a deliberate focus, not a roadmap gap.

The MEPM successor framing

Microsoft retired Entra Permissions Management on November 1, 2025. The product’s flagship metric, the Permissions Creep Index, was retired alongside it. There is no first-party standalone successor. Permafrost EPM is the CIEM platform for Microsoft Cloud, designed for ex-MEPM customers. The page below covers what carries over, what does not, and how a migration would look.