Manage and remediate your cloud identity and privilege sprawl.
Permafrost scores the gap between the permissions every identity is granted across Azure, Entra ID and Microsoft 365 and the ones it actually exercises, then walks the risky grants back.
Read-only OAuth · Zero stored credentials · Zero standing write access
One score to add meaning to all.
UPR is the Unified Principal Risk: 0 to 100 per identity, the ratio of permissions granted to permissions exercised over a 90-day window, with additional factors.
- Window: Every score reads from a rolling 90-day evidence window.
- Evidence: ARM activity-log evidence behind every score. No black-box numbers.
- Scope: RBAC-only by design. The score measures what role assignments actually grant.
- Tenant: Tenant-level UPR is the weighted average across every identity.
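To make the granted-versus-exercised idea concrete, here is an added example (not Permafrost's code, and not its actual scoring formula) that scores a principal from constructed role assignments and ARM activity-log rows over a 90-day window. It assumes a reduced set of role definitions and defines the score as the share of granted operations never exercised in the window, with the tenant score weighted by how many operations each identity is granted; the "additional factors" the real product applies are left out.

```python
from datetime import datetime, timedelta, timezone

WINDOW_DAYS = 90
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)  # constructed reference time

# Constructed, deliberately reduced role definitions: role -> ARM operations it grants.
ROLE_ACTIONS = {
    "Contributor": {
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/write",
    },
    "Reader": {
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Storage/storageAccounts/read",
    },
}

# Constructed role assignments: (principal, role, scope).
ASSIGNMENTS = [
    ("sp-deploy", "Contributor", "/subscriptions/sub-1"),
    ("alice", "Reader", "/subscriptions/sub-1"),
]

# Constructed ARM activity-log rows: (principal, operationName, timestamp).
ACTIVITY = [
    ("sp-deploy", "Microsoft.Compute/virtualMachines/read", NOW - timedelta(days=3)),
    ("sp-deploy", "Microsoft.Compute/virtualMachines/write", NOW - timedelta(days=3)),
    ("sp-deploy", "Microsoft.Storage/storageAccounts/read", NOW - timedelta(days=40)),
    ("sp-deploy", "Microsoft.Storage/storageAccounts/write", NOW - timedelta(days=200)),  # outside window
    ("alice", "Microsoft.Storage/storageAccounts/read", NOW - timedelta(days=10)),
]

def granted(principal, assignments=ASSIGNMENTS):
    """Union of operations granted to a principal by all of its role assignments."""
    return set().union(*(ROLE_ACTIONS[role] for p, role, _ in assignments if p == principal))

def exercised(principal, activity=ACTIVITY, now=NOW, window_days=WINDOW_DAYS):
    """Operations the principal actually performed inside the rolling evidence window."""
    cutoff = now - timedelta(days=window_days)
    return {op for p, op, ts in activity if p == principal and ts >= cutoff}

def upr(principal):
    """0..100: share of granted operations never exercised in the window (100 = fully unused)."""
    g = granted(principal)
    if not g:
        return 0.0
    return round(100 * len(g - exercised(principal)) / len(g), 1)

def tenant_upr(principals):
    """Weighted average, weighting each identity by the number of operations it is granted."""
    weights = {p: len(granted(p)) for p in principals}
    total = sum(weights.values())
    return round(sum(upr(p) * weights[p] for p in principals) / total, 1) if total else 0.0
```

The storage write at day 200 falls outside the window, so it counts as unexercised for sp-deploy even though it was used once.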
Every identity.
Class — Human
Employees and guests with Entra ID accounts. Sign-in and ARM activity feed every score.
Class — Service principal
App registrations and automation credentials. The fastest-growing class in most tenants, and the least reviewed.
Class — Managed identity
Workload identities bound to Azure resources. Granted broadly at scope, exercised narrowly in practice.
Class — Agent identity
AI agents acting under their own credentials. A new class with an old problem: standing over-grant.
Severity you can defend.
Every finding drills to the rows behind it: the role assignment, the scope, and the activity-log evidence that proves what was exercised and what never was. When the board asks why an identity is critical, the answer is a query result, not a vendor adjective.
- DrillEach severity chip opens the filtered list it was counted from.
- ProofFindings cite ARM activity-log entries, not heuristics.
Three modes. Zero credentials.
Every recommendation ships with a walk-back path. You choose how much of the work Permafrost does, and none of the modes requires it to hold a secret.
Mode 01 — Manual
Guided steps
A precise, scoped runbook for the change: the exact role assignment, the exact scope, the portal path. You stay on the keyboard the whole time.
Mode 02 — Script with preview
Download, review, run
A generated script with a full preview of every action it will take. Review it, diff it, run it from your own shell under your own account.
Mode 03 — Session-only OAuth
Apply in one session
Consent once, apply the change, done. The OAuth access token lives in memory for one hour at most, then it is gone. Permafrost stores zero customer credentials.
Isolation
Tenant isolation by design. Every query, every row, every export is scoped to one customer.
Scope
CIEM, not a SIEM. Permafrost reads entitlements and the evidence that proves their use. It is not a log lake.
Cadence
Minimum 60-minute sync cadence per tenant. No surprise scans, no unannounced load.
