Entra Permissions Management retirement: what IAM teams should do now


(@sailpoint)

TL;DR: Microsoft’s retirement of Entra Permissions Management leaves a CIEM gap across Azure, AWS, and Google Cloud, with SailPoint positioning its CIEM offering as the replacement path for visibility, least-privilege enforcement, and review workflows. The real issue is not product substitution but whether cloud entitlement governance is mature enough to survive a platform exit without losing control of privilege creep.

NHIMG editorial — based on content published by SailPoint: Microsoft ends Entra Permissions Management and the case for CIEM

By the numbers:

Questions worth separating out

Q: How should security teams govern cloud entitlements after a CIEM platform retirement?

A: Treat the retirement as a programme test, not a procurement event.

Q: Why do cloud entitlements drift out of control in multi-cloud environments?

A: Cloud entitlements drift because access is often granted through different native models, inherited roles, and exceptions that are not reconciled against current job need.

Q: What breaks when access reviews do not include cloud service accounts and projects?

A: Reviews miss the places where overprovisioning often hides.

Practitioner guidance

  • Map cloud entitlement sources end to end: Inventory where permissions are assigned across Azure, AWS, and Google Cloud, then document which identity governance process owns each access path.
  • Tie entitlement reviews to lifecycle events: Trigger cloud access review and removal when a user changes role or leaves, and retain evidence that the change was completed across all cloud providers.
  • Prioritise effective access over assigned access: Focus reviews on what an identity can actually do in the cloud, not just what appears on paper in a directory.

What's in the full article

SailPoint's full blog covers the operational detail this post intentionally leaves for the source:

  • The product-specific CIEM capability set for Azure, AWS, and Google Cloud entitlement management
  • The customer example showing audit-cycle effort reduction and how reporting was centralised
  • The article's own positioning on SailPoint Identity Security Cloud integration and migration path from Microsoft Entra
  • The vendor's commentary on why its CIEM features are framed as the replacement option

👉 Read SailPoint’s blog on Microsoft ending Entra Permissions Management and CIEM options →
