What is Permafrost

Permafrost EPM is a CIEM for Microsoft Cloud. It runs on read-only OAuth into a customer's connected Azure tenants, scores the gap between Azure RBAC granted and Azure RBAC exercised (the UPRS score), and ships the deterministic findings a security team can defend to a change board. There is no standing write access to customer tenants.

The one-paragraph what

Permafrost EPM is a Cloud Infrastructure Entitlement Management (CIEM) platform for Microsoft Cloud. It discovers every identity in a customer’s connected Azure tenants, maps the permissions those identities hold, and compares granted permissions against the permissions actually exercised in the measurement window.

The product runs on read-only OAuth consent. UPRS is the per-identity score for the Azure RBAC gap. Alongside UPRS, Permafrost ships a deterministic finding stream for unsafe assignments and toxic combinations, and a generator for right-sized custom Azure roles you deploy through your own change-management process.

Permafrost is built around one CIEM question: who in this customer’s connected tenants has more permission than they actually need, and what is the smallest change that closes the gap? Every number on screen points to a role assignment, an identity, and the activity-log evidence (or its absence) behind the number. A security team acting on a finding can defend the change to a change advisory board, an auditor, or the identity owner who pushes back.
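A small illustration of the granted-versus-exercised comparison described above, added here as example code rather than Permafrost's own implementation: it applies Azure RBAC Actions/NotActions wildcard semantics to a constructed operation catalogue, intersects the result with constructed activity-log operationName values, and emits a candidate right-sized role. The gap ratio it reports is an assumed stand-in, since the page does not define the UPRS formula.

```python
import fnmatch
from dataclasses import dataclass, field

# Constructed operation catalogue (a real tenant uses the full provider operation list).
OPERATION_CATALOGUE = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/disks/read",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/listKeys/action",
]

@dataclass
class RoleDefinition:
    name: str
    actions: list
    not_actions: list = field(default_factory=list)

def action_matches(pattern, operation):
    # Azure RBAC matches case-insensitively and '*' spans '/' segments.
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())

def is_granted(role, operation):
    # Effective permission is Actions minus NotActions.
    if any(action_matches(n, operation) for n in role.not_actions):
        return False
    return any(action_matches(a, operation) for a in role.actions)

def permission_gap(role, observed_ops, catalogue=OPERATION_CATALOGUE):
    # granted: operations the role covers; exercised: granted operations seen in
    # the activity log; gap_ratio is a simplified stand-in, not the UPRS formula.
    granted = {op for op in catalogue if is_granted(role, op)}
    exercised = {op for op in observed_ops if op in granted}
    unused = granted - exercised
    return {"granted": granted, "exercised": exercised, "unused": unused,
            "gap_ratio": len(unused) / len(granted) if granted else 0.0}

def right_sized_role(name, gap):
    # Candidate custom role listing only the exercised operations, no wildcards.
    return RoleDefinition(name, sorted(gap["exercised"]))

# Constructed sample: a broad custom role and an identity's activity-log operationName values.
OPS_ROLE = RoleDefinition("Ops-Broad",
                          ["Microsoft.Compute/*", "Microsoft.Storage/storageAccounts/read"],
                          ["Microsoft.Compute/virtualMachines/delete"])
ACTIVITY_LOG_OPS = ["Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Compute/virtualMachines/start/action",
                    "Microsoft.Compute/virtualMachines/read"]
```

For the sample, three of the five granted operations go unused in the window and the candidate role carries only the two exercised ones; each unused grant is the role-assignment plus absent-activity evidence a reviewer would take to the change board.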

Who Permafrost is for

Three reader profiles use Permafrost regularly.

  • Security engineering leads who own Azure RBAC across one or more of their tenants. They need a defensible picture of who can do what, and which assignments are not being used. Permafrost drives the quarterly permission-gap closure program and keeps the privileged set sized to what the business actually needs.
  • Incident response teams mid-investigation on an identity-driven incident. They need the privilege paths an attacker could traverse from a given starting identity. Permafrost lets a responder pivot from “this account was compromised” to “here is the blast radius and here is what to lock down first.”
  • Identity governance owners running periodic access reviews. They need data that holds up in audit: every finding linked to the role assignment and the activity-log evidence that justifies it. Permafrost turns the access-review cycle into a permission-gap review instead of a checkbox exercise.

What category Permafrost is in

Permafrost is a CIEM for Microsoft Cloud. The product optimizes for the gap between Azure RBAC granted and exercised, and makes that signal defensible to the customer who has to act on it.

Permafrost is not a SIEM (which measures security events over time), not a CSPM (which measures resource-side misconfiguration), not an IGA (which runs joiner-mover-leaver lifecycle), and not a PAM (which brokers privileged sessions). The work each of those categories does is valuable. It is simply not the work this product does. A longer treatment lives at /docs/positioning.

What Permafrost does not do

Honest scoping. These are not future-roadmap items. They are decisions about what the product is.

  • No sign-in log analytics. Permafrost does not ingest sign-in logs as a primary surface and does not run behavioral identity detection. Microsoft Defender for Identity and Entra ID Protection cover that ground; Permafrost does not duplicate it.
  • No multi-cloud. Microsoft Cloud only. AWS, GCP, Oracle Cloud, and on-premises Active Directory are out of scope, and they will stay out of scope. Azure-only is the strategic choice that lets a single-cloud tool ship depth a multi-cloud vendor cannot match.
  • No standing write access. Permafrost never holds a write-capable token to a customer tenant. Remediation runs through one of three modes the customer chooses: a manual Markdown playbook, a downloadable script with full preview, or a session-scoped OAuth grant that lives in memory only and expires inside an hour.
  • No log archive. Permafrost holds just enough activity-log data to evidence permission-gap findings. It is not a log retention destination and it does not bill by ingested log volume.

Next stop

How it works

The CIEM architecture, the ARM-RBAC versus Entra-consent split, and the conceptual data flow from ingest to surface.