# Extending CIEM for Microsoft Azure, Simplifying Multi-Cloud Permissions

By [Dan MacKenzie](https://www.paloaltonetworks.com/blog/author/dan-mackenzie/?ts=markdown "Posts by Dan MacKenzie"), Nov 16, 2021, 6 minutes

[Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown) | [Cloud Infrastructure Entitlement Management](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-infrastructure-entitlement-management/?ts=markdown) | [Azure](https://www.paloaltonetworks.com/blog/tag/azure/?ts=markdown) | [CIEM](https://www.paloaltonetworks.com/blog/tag/ciem/?ts=markdown) | [IAM Security](https://www.paloaltonetworks.com/blog/tag/iam-security/?ts=markdown)

###### Prisma Cloud extends innovative Cloud Infrastructure Entitlement Management capabilities to Microsoft Azure to enable multi-cloud entitlement analysis and protection against excessive permissions.

As organizations increasingly adopt Infrastructure-as-a-Service (IaaS) models for cloud development, the number of entities that are granted access to critical infrastructure necessarily grows as well, and each of those entitlements has to be tightly controlled. [Gartner recently reported](https://www.gartner.com/en/documents/4002548/innovation-insight-for-cloud-infrastructure-entitlement-) that "the vast majority of granted entitlements in IaaS are unnecessary. More than 95% of accounts in IaaS use, on average, less than 3% of the entitlements they are granted, which greatly increases the attack surface for account compromises."

To help our customers address these growing risks, we are releasing a comprehensive expansion of our [Cloud Infrastructure Entitlement Management](https://www.paloaltonetworks.com/blog/2020/10/cloud-CIEM/?ts=markdown) (CIEM) solution within Prisma Cloud:

* [Cloud Infrastructure Entitlement Management](https://www.paloaltonetworks.com/blog/2020/10/cloud-CIEM/?ts=markdown) (CIEM) **for Azure**: Net-effective permissions analysis and visibility for accounts, resources, and workloads managed by Azure.
* **Azure AD integration**: Ingest single sign-on (SSO) data from Azure AD to calculate net-effective user permissions, no matter which CSP or service the user is accessing.

## CIEM and CSPM Work Together to Address Security Gaps

Security teams have become adept at monitoring resource configurations, ensuring compliance and detecting threats -- collectively known as [Cloud Security Posture Management (CSPM)](https://www.paloaltonetworks.com/cyberpedia/what-is-cloud-security-posture-management?ts=markdown).
However, controlling user access and permissions is equally important, and most CSPM solutions can't monitor user privileges. Even a single misconfiguration in these controls can be massively damaging. In 2020, Unit 42 researchers [demonstrated how IAM misconfigurations could be used](https://unit42.paloaltonetworks.com/highlight-cloud-threat-report-iam/) to obtain admin access to an entire Amazon Web Services (AWS) cloud environment -- in the real world, a potentially multi-million dollar data breach.

CIEM tools address this gap, going beyond what traditional identity governance and administration (IGA) and privileged access management (PAM) tools offer in order to handle the unique challenges of cloud environments. For example, they can provide visibility into ever-changing IaaS architectures, or offer automated suggestions to remediate excessive privileges across multiple cloud providers.

## The Difficulty of Securing Identities in the Cloud

Several factors make it difficult to calculate the minimum level of access a user or entity needs to perform a role -- the principle of least privilege.

First, each cloud service provider (CSP) defines its own controls for users that are authenticated (signed in) and authorized (have permission) to modify infrastructure, and several competing and overlapping controls can be attached to any given user.

Then there is the volume of possible entitlements. In the same report linked above, Gartner noted that the average number of distinct entitlements across cloud providers now exceeds 5,000. Manually calculating how any one of those entitlements affects net-effective permissions is effectively impossible.
[![Flow chart for determining permissions in Microsoft Azure](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/11/Azure-Permissions-Flow-Chart.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/11/Azure-Permissions-Flow-Chart.png?ts=markdown)

Flow chart for determining permissions in Microsoft Azure

Finally, there is simply an inherent level of risk in users having access to cloud infrastructure. These users have privileged access to resources, permissions, and data. Developers and DevOps teams need this kind of access to execute efficiently, but it must be balanced against broader risk management considerations.

These issues are why Prisma Cloud has pioneered the integration of Cloud Security Posture Management (CSPM) with Cloud Infrastructure Entitlement Management (CIEM) capabilities. The [combined functionality](https://www.paloaltonetworks.com/blog/prisma-cloud/iam-security-essential-cspm/?ts=markdown) lets users apply the precision and certainty needed to confidently administer large-scale, multi-cloud environments to the growing number of entitlements that come with them.

## New Innovations for Securing Cloud Infrastructure Entitlements

The latest innovations to Prisma Cloud put a greater number of cloud entitlements under users' direct control, with features that significantly reduce the work needed to understand and remediate entitlement issues.

##### Cloud Infrastructure Entitlement Management (CIEM) for Azure RBAC

*Available: Today*

Prisma Cloud can now calculate and analyze net-effective permissions, monitor for risky and unused entitlements, and offer least privilege recommendations for Microsoft Azure cloud accounts managed with Azure RBAC, in addition to Amazon Web Services (AWS).

**Visibility to Net-Effective Permissions**

Get detailed visibility of which users have the ability to perform a given action, and on which resources.
Prisma Cloud can precisely determine net-effective permissions by analyzing and correlating entitlements granted through role assignments, each of which binds a security principal to a role definition at a particular scope.

![Viewing effective permissions](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/11/graphical-user-interface-text-application-descr-2.png)

Viewing effective permissions

**Rightsizing Permissions**

[Cloud Infrastructure Entitlement Management](https://www.paloaltonetworks.com/blog/2020/10/cloud-CIEM/?ts=markdown) (CIEM) includes specialized, pre-built policies that help detect risky entitlements and remove excess privileges to cloud resources. Once your Azure account is onboarded, Prisma Cloud can automatically begin detecting overly permissive user access, then suggest how to right-size it to achieve least privilege.

**Investigate Cloud Infrastructure Entitlements**

Customers can gain deep insights into specific entitlements using Prisma Cloud Resource Query Language (RQL). Examples of identity-related questions include:

* *What users have access to resources A, B and C?*
* *What accounts, services, or resources can User_1 access?*
* *Is resource Y accessible to the entire company?*

You can view the documentation on [Prisma Cloud RQL](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-reference/rql) to see the breadth of potential insights.

**Permissions Audits for Internal Compliance**

Prisma Cloud already includes a resource audit trail that captures changes made to a resource from the moment it's deployed. The permissions tab expands this information by showing the permissions "of" a resource and "to" the resource. It also lets users look back to understand when an overly permissive entitlement was granted, and which user or entity granted it.
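The three features above (net-effective permissions, rightsizing, and RQL-style "who can do what" questions) all rest on the same evaluation: walk the Azure scope hierarchy, collect the role assignments that reach a principal directly or through a group, apply each role's Actions and NotActions, and let deny assignments override the result. The script below is an added example, not Prisma Cloud code and not Microsoft's implementation; it models the publicly documented Azure RBAC rules over a constructed tenant (the management group, subscription, resource group, storage account, users and groups are all made up), covers management-plane actions only (DataActions are left out), and the greedy rightsizing routine is a heuristic of our own rather than the product's algorithm. In a real tool the role assignments and role definitions would come from the Azure Resource Manager API and the observed activity from the Activity Log.

```python
"""Net-effective Azure RBAC evaluation over a constructed tenant model.
Added example, not Prisma Cloud or Microsoft code. Follows the documented Azure
RBAC order: collect role assignments that reach the principal (directly or via
group) at the target scope or any enclosing scope, allow if some role's Actions
match and its NotActions do not, then let a matching deny assignment override.
Management-plane actions only (DataActions omitted); all identifiers are made up."""
from fnmatch import fnmatchcase

# Role definitions shaped like the Azure built-in roles of the same name.
ROLE_DEFINITIONS = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {"Actions": ["*"], "NotActions": [
        "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action"]},
    "Owner": {"Actions": ["*"], "NotActions": []},
}
# Constructed scope hierarchy: management group -> subscription -> resource group -> resource.
MG_ROOT = "/providers/Microsoft.Management/managementGroups/mg-root"
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
RG_PROD = SUB + "/resourceGroups/rg-prod"
SA_LOGS = RG_PROD + "/providers/Microsoft.Storage/storageAccounts/salogs"
SUBSCRIPTION_PARENT = {SUB: MG_ROOT}   # subscriptions hang off a management group
# Constructed directory: an assignment to a group applies to every member.
USERS = {"alice", "bob", "carol", "dave"}
GROUP_MEMBERS = {"grp-platform": {"alice", "bob"}, "grp-all-staff": set(USERS)}
# Constructed role assignments as (security principal, role definition, scope) triples.
ROLE_ASSIGNMENTS = [
    ("grp-all-staff", "Reader", MG_ROOT),      # inherited by every resource below
    ("grp-platform", "Contributor", RG_PROD),
    ("carol", "Owner", SA_LOGS),
]
# Constructed deny assignment: nobody may delete the log storage account, whatever their roles.
DENY_ASSIGNMENTS = [
    {"scope": SA_LOGS, "principals": None, "Actions": ["*/delete"], "NotActions": []}]


def parent_scope(scope):
    """Enclosing scope, or None at the root management group."""
    if scope in SUBSCRIPTION_PARENT:
        return SUBSCRIPTION_PARENT[scope]
    if scope.startswith("/providers/Microsoft.Management/"):
        return None
    if "/providers/" in scope:   # tail is namespace/type/name[/childType/childName]
        head, _, tail = scope.rpartition("/providers/")
        return scope.rsplit("/", 2)[0] if tail.count("/") > 2 else head
    return scope.rsplit("/", 2)[0]            # resource group -> subscription

def scope_chain(scope):
    """Target scope followed by every ancestor, innermost first."""
    while scope is not None:
        yield scope
        scope = parent_scope(scope)

def principals_for(user):
    return {user} | {g for g, m in GROUP_MEMBERS.items() if user in m}

def matches(action, patterns):
    """Action strings are case-insensitive; '*' matches across '/' segments."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def can_perform(user, action, scope, assignments=None):
    """Net-effective answer to 'can this user do this action at this scope?'."""
    assignments = ROLE_ASSIGNMENTS if assignments is None else assignments
    chain, principals = set(scope_chain(scope)), principals_for(user)
    granted = any(
        matches(action, ROLE_DEFINITIONS[role]["Actions"])
        and not matches(action, ROLE_DEFINITIONS[role]["NotActions"])
        for principal, role, at in assignments if principal in principals and at in chain)
    if not granted:
        return False
    for deny in DENY_ASSIGNMENTS:             # evaluated last; a match always wins
        targeted = deny["principals"] is None or bool(principals & set(deny["principals"]))
        if (targeted and deny["scope"] in chain and matches(action, deny["Actions"])
                and not matches(action, deny["NotActions"])):
            return False
    return True

def who_can(action, scope):
    """'Which users can perform this action on resource Y?'"""
    return {u for u in USERS if can_perform(u, action, scope)}

def open_to_everyone(action, scope):
    """'Is resource Y accessible to the entire company?'"""
    return who_can(action, scope) == USERS

def rightsizing_candidates(user, observed):
    """Least-privilege suggestion (our own heuristic): greedily drop the broadest
    assignments that the user's observed (action, scope) activity never needed.
    `observed` stands in for Activity Log data; dropping a group assignment also
    affects the other members, so a real recommendation would flag that."""
    mine = [a for a in ROLE_ASSIGNMENTS if a[0] in principals_for(user)]
    mine.sort(key=lambda a: "*" not in ROLE_DEFINITIONS[a[1]]["Actions"])  # '*' roles first
    keep, removable = list(ROLE_ASSIGNMENTS), []
    for a in mine:
        trial = [x for x in keep if x is not a]
        if all(can_perform(user, act, sc, trial) for act, sc in observed):
            keep, removable = trial, removable + [a]
    return removable

if __name__ == "__main__":
    print(sorted(who_can("Microsoft.Authorization/roleAssignments/write", SA_LOGS)))
    print(open_to_everyone("Microsoft.Storage/storageAccounts/read", SA_LOGS))
    print(rightsizing_candidates("alice", [("Microsoft.Storage/storageAccounts/read", SA_LOGS)]))
```

Two details are worth noticing when you run it. Asking who can write role assignments on the storage account returns only `carol`: the platform group holds Contributor on the resource group, but Contributor's NotActions strip `Microsoft.Authorization/*/Write`, so it cannot be used to grant further access, which is exactly the kind of back-door check the "Investigate" questions are meant to answer. And although three users hold roles that would permit a delete, the deny assignment makes `who_can` for the delete action come back empty, so a tool that only reads role assignments and ignores deny assignments would overstate the effective permissions.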
![Entitlement audit in Prisma Cloud](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/11/graphical-user-interface-application-table-desc.png)

Entitlement audit in Prisma Cloud

**Auto Remediation**

If excessive permissions are identified, Prisma Cloud suggests the remediations needed to return the user or entity to a state of least privilege. You can also set up automatic adjustments to support continuous privilege enforcement.

##### Azure AD Integration

*Available: Today*

Prisma Cloud now integrates with Azure Active Directory (Azure AD) to ingest single sign-on (SSO) data as part of the net-effective permissions calculation. This lets users view the effective permissions of Azure AD users for any service they log in to, such as Azure and AWS. It also enhances RQL functionality, helping answer identity management questions such as *Is [Azure AD User] able to create an AWS IAM user?* The answer can highlight potential back doors into your cloud environment, which in turn helps you mitigate security breaches.

![Investigating user entitlements](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/11/table-description-automatically-generated.png)

Investigating user entitlements

## How to Start Using the New Enhancements

These new features are available immediately for existing Prisma Cloud customers. See our [technical documentation](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-iam-security/investigate-iam-incidents-on-prisma-cloud.html) to begin ingesting Azure account logs and Azure AD roles into Prisma Cloud. You can also experience the new CIEM features along with our CSPM functionality by signing up for a [hands-on trial](https://www.paloaltonetworks.com/prisma/request-a-prisma-cloud-trial?ts=markdown) of Prisma Cloud.