TL;DR: Microsoft is retiring Entra Permissions Management on October 1, 2025, and moving select CIEM capabilities into Defender for Cloud, while new purchases stop earlier for EA, direct, and CSP customers, according to Unosecur. The shift forces IAM teams to reassess multi-cloud entitlement governance, support continuity, and whether integrated CSPM is enough for least-privilege control.
NHIMG editorial — based on content published by Unosecur: Microsoft Entra Permissions Management Retirement: Analysis and guidance
Questions worth separating out
Q: How should teams handle a CIEM retirement without losing multi-cloud entitlement control?
A: Teams should first map every process that depends on the retiring CIEM tool, including reporting, reviews, and exception handling.
Q: Why do integrated cloud platforms not always replace standalone CIEM cleanly?
A: Integrated platforms often optimise for unified security operations, while standalone CIEM tools focus on entitlement depth.
Q: What breaks when cloud entitlement reviews are moved into a broader security suite?
A: What breaks first is usually the evidentiary trail.
Practitioner guidance
- Inventory all CIEM-dependent workflows. Map which review, alerting, and entitlement-reporting processes currently depend on Entra Permissions Management and identify where those controls will move after retirement.
- Validate entitlement fidelity in the replacement stack. Test whether Defender for Cloud or any alternate platform can show cross-cloud permissions, overprivilege, and dormant access at the same level of detail you use today.
- Preserve migration evidence and review history. Export entitlement inventories, access review records, and exception approvals before decommissioning the old tool so the governance trail stays intact.
What's in the full article
Unosecur's full blog covers the operational detail this post intentionally leaves for the source:
- Migration guidance for customers moving off Entra Permissions Management and planning replacement coverage
- Feature comparisons between Defender for Cloud and independent CIEM alternatives for multi-cloud entitlement control
- The vendor's recommended approach to preserving compliance reporting and least-privilege workflows during the transition
Entra Permissions Management retirement: what does CIEM migration mean?
Standalone CIEM is being retired because entitlement governance is no longer treated as a separate control domain. The market is consolidating permission analysis into broader cloud security platforms, which changes what teams can expect from native tooling. That shift does not reduce the need for CIEM-style depth, but it does change where that depth sits in the stack. Practitioners should treat this as a governance architecture decision, not a product substitution exercise.
A few things that frame the scale:
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to the 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
A question worth separating out:
Q: Who should own multi-cloud permission governance after a CIEM product change?
A: Ownership should sit with the identity and cloud security functions together, because entitlement governance touches access policy, cloud posture, and lifecycle control. If responsibility sits only with infrastructure teams, least privilege often becomes an operational preference rather than a governed control. Clear ownership is what keeps the migration from turning into control drift.