
The principal risk score (UPR)

UPR is Permafrost's per-principal risk score: a 0–100 multi-factor measure that combines privilege tier, unused standing permission, blast-radius scope, dormancy, sensitive permissions, PIM and Conditional Access posture, and that principal's open findings. Every factor's contribution is shown, so the number always traces back to evidence. Read-only OAuth into your connected tenants. No standing write access.

One score for the whole principal

A single security principal carries risk on several axes at once. It might hold a Tier-0 role, sit dormant for months, carry a wide gap of unused standing permission, and lack a Conditional Access policy on its sign-ins. Read any one axis alone and the picture stays partial.

UPR reads all of them together. For each principal it produces a single 0–100 score from eight factors, and shows what each one contributed. Higher means more exploitable risk today. The score is the work queue.

How UPR is computed

The score is built from evidence, not estimates. Eight factors, each with its own contribution shown on the principal detail page.

  • Privilege tier. How close the principal sits to control-plane, crown-jewel access. A Tier-0 role weighs far more than a narrow data-plane assignment.
  • Unused standing permission. The standing-privilege gap, surfaced as Unused Permission %: round(unused ÷ assigned × 100) over the principal’s Azure RBAC permissions, measured against the ARM activity log over a 90-day activity window. This was the original RBAC-only score; it is now one factor inside UPR.
  • Blast radius. The scope at which the principal’s permissions sit. An assignment at subscription scope weighs more than the same assignment at a single resource.
  • Dormancy. Whether the principal still holds standing access with no recent sign-in or control-plane activity. Live privilege on a dormant principal is a standing liability.
  • Sensitive permissions. Whether the principal holds specific high-impact permissions, such as credential management or role assignment, that raise risk beyond what blast radius alone captures.
  • PIM and Conditional Access posture. Whether privileged access is held standing or eligible-only through PIM, and whether Conditional Access gates the principal’s sign-ins. Weak posture raises the score.
  • Open findings. The deterministic findings already raised against the principal feed back into its score, so an active issue lifts the number rather than sitting in a separate list.

UPR combines these into one number and shows each factor’s contribution, so a security team can defend the score to a change board. The unused-permission factor still points to the specific role assignments and the activity-log range measured against.

Distribution — illustrative

Principals by UPR bucket in a representative Azure tenant. Not connected to any customer data on this public page.

[Chart: principals by UPR bucket; lower UPR = less standing risk; 94 principals shown]

Every factor traces to evidence

UPR is a composite, but it is not a black box. Each of the eight factors carries its own contribution on the principal detail page, and each traces to the data that produced it.

The unused-permission factor is the clearest example. It points to a specific Azure role assignment and the ARM activity-log evidence that proves the assignment is unused, so a security team can defend that input to a change board. Privilege tier traces to the role definitions held, blast radius to the scope of each assignment, dormancy to sign-in and activity history, and PIM and Conditional Access posture to the policies that gate the principal.

Because every contribution is shown, the customer can always read which factor moved the score. The composite gives the security team one number to triage on; the breakdown keeps it auditable.

How to read a UPR score

The UPR bands, described at the conceptual level. The thresholds are tunable per customer; the descriptions below are how Permafrost surfaces the bands by default.

  • Critical. Several high-risk factors stack: a high privilege tier, a wide unused-permission gap, broad blast radius, or sensitive permissions held with weak PIM or Conditional Access posture. Act urgently.
  • High. A meaningful concentration of risk factors, but at narrower scope or lower privilege tier than a critical principal. Address in the next access-review cycle.
  • Medium. A moderate factor mix, within the range an access-review cycle can absorb. Track the trend.
  • Low. The principal’s factors broadly sit within a least-privilege posture. No immediate action.

The specific factor weights and the formula that produces a band assignment are part of Permafrost’s methodology and are not published: the bands and each factor’s contribution are customer-visible, the weights are not.

What Permafrost does with high-UPR principals

  • Surfaced in the privileged-set filter. High-UPR principals land at the top of the Identities dashboard’s privileged-set view, sorted by score. The number is the work queue.
  • Wired to a right-sized custom-role suggestion. When the unused-permission factor drives the score, Permafrost generates a least-privilege custom Azure role that maps the actually exercised permissions over the 90-day window. The export is ARM, Bicep, or Terraform, ready for change-managed deployment.
  • Routed through the three remediation modes. Every high-UPR recommendation ships in Mode A (manual playbook), Mode B (downloadable script with preview), or Mode C (in-product action via session-scoped OAuth). The customer picks the mode that fits their change-control posture. The longer treatment lives at /docs/three-mode-remediation.
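The two pieces above that are concrete enough to compute are the unused-permission factor (round(unused ÷ assigned × 100) against the ARM activity log over a 90-day window, from "How UPR is computed") and the right-sized custom role built from the permissions actually exercised (from this list). The following is an added example written for this page, not Permafrost's code, and it reproduces neither Permafrost's weights nor its ARM/Bicep/Terraform export. It runs on constructed data: an invented role whose Actions use the real Azure RBAC operation syntax, an invented caller, and activity-log entries shaped like the real log's `caller`, `operationName.value`, `eventTimestamp` and `status.value` fields. The matching rule (fnmatch of logged operation names against role Actions, counting only Succeeded entries by the principal inside the window) is this example's own assumption. The output is a custom role definition in the JSON shape `az role definition create --role-definition` accepts.

```python
"""Unused Permission % and a right-sized custom role from activity-log evidence.

Added example for this page, not Permafrost's code. Formula as the page states it:
round(unused / assigned * 100) over a 90-day ARM activity-log window. The matching
rule and all sample data below are constructed for illustration.
"""
import fnmatch
import json
from datetime import datetime, timedelta, timezone

WINDOW_DAYS = 90  # the activity window the page measures against

# Constructed role definition. Each entry counts as one assigned permission; a
# faithful implementation would expand '*' entries against the provider
# operation catalogue (e.g. `az provider operation show --namespace ...`).
ROLE_ACTIONS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Authorization/roleAssignments/write",  # a sensitive permission
]

PRINCIPAL = "vm-ops@contoso.example"  # constructed caller identity
AS_OF = datetime(2025, 3, 31, tzinfo=timezone.utc)  # constructed evaluation time


def _entry(caller, op, ts, status="Succeeded"):
    # Builds a constructed activity-log record in the real log's field layout.
    return {"caller": caller, "operationName": {"value": op},
            "eventTimestamp": ts, "status": {"value": status}}


ACTIVITY_LOG = [
    _entry(PRINCIPAL, "Microsoft.Compute/virtualMachines/start/action", "2025-03-20T08:12:44Z"),
    _entry(PRINCIPAL, "Microsoft.Compute/virtualMachines/restart/action", "2025-03-02T17:05:10Z"),
    _entry(PRINCIPAL, "Microsoft.Compute/virtualMachines/write", "2025-03-10T09:30:00Z"),
    _entry(PRINCIPAL, "Microsoft.Compute/virtualMachines/start/action", "2025-02-11T06:00:00Z"),
    # Older than the window: not evidence of current use.
    _entry(PRINCIPAL, "Microsoft.Compute/virtualMachines/delete", "2024-11-30T12:00:00Z"),
    # Failed attempt: not evidence that the permission was exercised.
    _entry(PRINCIPAL, "Microsoft.Compute/virtualMachines/deallocate/action", "2025-03-15T12:00:00Z", "Failed"),
    # A different caller: not this principal's evidence.
    _entry("someone-else@contoso.example", "Microsoft.Authorization/roleAssignments/write", "2025-03-18T12:00:00Z"),
]


def _parse_ts(value):
    # The activity log uses ISO-8601 with a trailing 'Z'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def exercised_actions(role_actions, log, caller, as_of, window_days=WINDOW_DAYS):
    """Map each role Action to the in-window log entries proving this caller used it.

    A role Action may contain '*' (e.g. Microsoft.Compute/*); fnmatch lets '*'
    span '/', which is how RBAC wildcards behave.
    """
    window_start = as_of - timedelta(days=window_days)
    evidence = {action: [] for action in role_actions}
    for entry in log:
        if entry["caller"] != caller or entry["status"]["value"] != "Succeeded":
            continue
        ts = _parse_ts(entry["eventTimestamp"])
        if not (window_start <= ts <= as_of):
            continue
        op = entry["operationName"]["value"]
        for action in role_actions:
            if fnmatch.fnmatchcase(op, action):
                evidence[action].append({"operation": op, "eventTimestamp": entry["eventTimestamp"]})
    return evidence


def unused_permission_pct(evidence):
    """round(unused / assigned * 100), the page's stated formula."""
    assigned = len(evidence)
    unused = sum(1 for hits in evidence.values() if not hits)
    return round(unused / assigned * 100) if assigned else 0


def right_sized_role(name, evidence, assignable_scope):
    """Custom role definition keeping only Actions with evidence of use in the window."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": f"Least-privilege role from {WINDOW_DAYS} days of ARM activity-log evidence",
        "Actions": sorted(a for a, hits in evidence.items() if hits),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [assignable_scope],
    }


def factor_report(role_actions=ROLE_ACTIONS, log=ACTIVITY_LOG, caller=PRINCIPAL, as_of=AS_OF):
    """The number plus everything needed to defend it: used, unused, and the evidence."""
    evidence = exercised_actions(role_actions, log, caller, as_of)
    return {
        "caller": caller,
        "window_days": WINDOW_DAYS,
        "assigned": len(evidence),
        "used": sorted(a for a, hits in evidence.items() if hits),
        "unused": sorted(a for a, hits in evidence.items() if not hits),
        "unused_permission_pct": unused_permission_pct(evidence),
        "evidence": {a: hits for a, hits in evidence.items() if hits},
        "suggested_role": right_sized_role(
            "vm-ops-least-privilege",  # constructed role name
            evidence,
            "/subscriptions/00000000-0000-0000-0000-000000000000",  # placeholder scope
        ),
    }


if __name__ == "__main__":
    print(json.dumps(factor_report(), indent=2))
```

On the sample data the principal exercised 3 of 9 assigned permissions, giving an Unused Permission % of 67, and the unused `Microsoft.Authorization/roleAssignments/write` entry drops out of the suggested role. One caveat for anyone reproducing this against a real tenant: the activity log records control-plane writes and actions, so `/read` operations rarely appear in it and will tend to look unused; decide deliberately how reads and data-plane permissions enter the denominator before treating the percentage as evidence.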

Start scoring your principals

Read-only OAuth into your connected Azure tenants. First per-principal UPR the same day, with each factor’s contribution and the evidence behind it.