Permafrost documentation
Reference and orientation for the CIEM platform for Microsoft Cloud. Start with what Permafrost is, then move into architecture, remediation, and security posture.
Highlighted entry points
The principal risk score (UPR)
A 0–100 multi-factor risk score per security principal: privilege tier, unused permission, blast radius, dormancy, sensitive permissions, PIM/CA posture, and open findings. Every factor's contribution shown.
Read the briefCoverage across Azure and Microsoft 365
One CIEM across Azure RBAC, Entra directory roles, and the Microsoft 365 control planes. How Permafrost models each surface and keeps the signals legible.
Read the briefThe library
What is Permafrost
Product framing, who Permafrost is for, and what category it lives in.
OpenHow it works
CIEM architecture. The ARM-RBAC vs Entra-consent split. Data flow at the conceptual level.
OpenConnecting your tenant
Admin consent vs. your own app registration. Why federation stores no credential, and how to harden the admin-consent path.
OpenThree-mode remediation
Manual playbook, downloadable script, in-product OAuth session. Zero standing write access.
OpenSecurity posture
Read-only by default. Operator boundary. Tenant isolation. What Permafrost does not store.
OpenPositioning
CIEM-not-SIEM. Permission posture. What Permafrost is not.
OpenPricing
Metered per identity object, with a 30-day free trial. How principals are counted and what Professional includes.
OpenLooking for the marketing landing instead? Permafrost EPM home. Ready to try it? Start the free trial.