Discover, remediate, and monitor permissions in multicloud infrastructures using permissions management APIs (preview)
Microsoft Entra Permissions Management provides comprehensive visibility into permissions assigned to all identities across multiple cloud infrastructures such as Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). The permissions management APIs in Microsoft Graph provide the programmatic way to discover, manage, and monitor these permissions in your multicloud infrastructure.
This article introduces the Permissions Management capabilities that you can manage programmatically through Microsoft Graph.
For more information about Permissions Management, see What's Microsoft Entra Permissions Management.
Key use cases of permissions management APIs
By providing you with comprehensive visibility into permissions assigned to all identities across multiple clouds, permissions management APIs allows you to address three key use cases of Microsoft Entra Permissions Management: discover, remediate, and monitor.
Authorization systems
An authorization system is a platform that contains identities and resources. It exposes permissions that control what resources an identity has access to and what actions they can perform.
Use the authorizationSystem resource type and its related methods to discover the authorization systems that are onboarded to Permissions Management and their details. Currently, Permissions Management supports Microsoft Azure, AWS, and GCP.
The following key API scenarios allow you to retrieve details for authorization systems.
| Description | APIs |
|---|---|
| Retrieve authorization systems | List authorizationSystems |
| Get details for an AWS authorization system | List awsAuthorizationSystems |
| Get details for an Azure authorization system | List azureAuthorizationSystems |
| Get details for a GCP authorization system | List gcpAuthorizationSystems |
Discover the API operations quick reference for AWS authorization systems, Azure authorization systems, and GCP authorization systems.
Authorization system inventory
Every authorization system has a defined set of objects that form the capabilities of the authorization system. For example, identities such as users and service accounts, or actions and resources.
The following key API scenarios allow you to retrieve the inventory for authorization systems.
| Description | APIs |
|---|---|
| List all identities in an authorization system | |
| List identity types in specific authorization systems | |
| Other inventory |
Permissions requests
Identities can request for permissions against actions and resources in an authorization system. The permissions requests capabilities allow callers to request permissions for themselves or on behalf of another identity, and other identities to approve, reject, or cancel the requests.
The following key API scenarios allow you to implement permissions on demand capabilities.
| Scenarios | API |
|---|---|
| Request permissions; grant or reject a request | Create scheduledPermissionsRequest |
| Cancel a permissions request | scheduledPermissionsRequest: cancelAll |
| Track permissions requests and their status | List permissionsRequestChanges |
Permissions analytics
Through the permissions analytics APIs, Permissions Management helps you discover permissions risk in identities and resources for your authorization systems. You can use these findings to automate use cases such as:
- Building dashboards
- Trigger a risk review
- Prioritize remediation
- Generate tickets
The following sample findings are available through the APIs:
| Finding | Sample scenarios API |
|---|---|
| Inactive identities: Identities that haven't used any of their granted permissions in the last 90 days. | |
| Inactive groups: No identity has utilized the permissions assigned via the group over the last 90 days. | |
| Super identities: Administrator-level permissions across the authorization system. These identities can manage all the resources under the authorization system. |
Other findings include:
- Resource-based findings: For example, Azure blob containers, S3 buckets and Storage buckets that are accessible publicly; open network security groups; and identities that can access secret information or utilize security tools
- Overprovisioned users, roles, resources, service principals, and service accounts
- Users with unenforced multifactor authentication in AWS
- Opportunities for privilege escalation
- AWS access key age and usage
Zero Trust
This feature helps organizations to align their identities with the three guiding principles of a Zero Trust architecture:
- Verify explicitly
- Use least privilege
- Assume breach
To find out more about Zero Trust and other ways to align your organization to the guiding principles, see the Zero Trust Guidance Center.
Permissions and privileges
To call the permissions management APIs, the caller doesn't need any Microsoft Graph permissions. However, they must have appropriate privileges in the Microsoft Entra tenant and in the external system.
For more information, see Permissions Management roles and permissions levels
Related content
- What's Microsoft Entra Permissions Management
- Quickstart guide to Microsoft Entra Permissions Management
- Microsoft Entra Permissions Management operations reference
- Microsoft Entra permissions management API operations quick references: