Frequently Asked Questions (FAQs) about Rights Management - Microsoft Entra (2023)

This article answers frequently asked questions (FAQs) about rights management.

What is rights management?

Permission Management is a Cloud Infrastructure Entitlement Management (CIEM) solution that provides comprehensive visibility into the permissions assigned to all identities. For example, over-privileged workloads and user identities, actions, and resources across multi-cloud infrastructures in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). Permission management detects, auto-sizes, and continuously monitors unused and excessive permissions. It deepens Zero Trust security strategies by enforcing the principle of least privilege access.

What are the prerequisites for using rights management?

Rights management supports data collection from AWS, GCP, and/or Microsoft Azure. For data collection and analysis, customers need to have an Azure Active Directory (Azure AD) account to use Rights Management.

Can customers use permission management if they have other identities that can access an IaaS platform that is not already in Azure AD (for example, if part of their business has Okta or AWS Identity & Access Management (IAM))?

Yes, customers can detect, mitigate, and monitor the risk of "backdoor" accounts with AWS IAM, GCP on-premises, or from other identity providers like Okta or AWS IAM.

Where can customers access Rights Management?

Customers can access the permissions management interface through the Azure AD extension's link in the Azure portal.

Can non-cloud customers use rights management locally?

No, Rights Management is a managed cloud product.

Can non-Azure customers use permission management?

Yes, non-Azure customers can use our solution. Rights Management is a multi-cloud solution, so even customers without an Azure subscription can benefit from it.

Does permission management work for tenants hosted in the European Union (EU)?

Yes, rights management is currently available for tenants hosted in the European Union (EU).

What value does privilege management provide if I'm already using Azure AD Privileged Identity Management (PIM) for Azure?

Rights management complements Azure AD PIM. Azure AD PIM provides instant access to administrator roles in Azure (and to Microsoft online services and applications using groups), while permissions management allows multi-cloud discovery, remediation, and privileged access monitoring across Azure, AWS, and GCP.

Which public cloud infrastructures does Rights Management support?

Rights Management currently supports three major public clouds: Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.

Does rights management support hybrid environments?

Rights management does not currently support mixed environments.

What types of identities does Rights Management support?

Permission management supports user identities (eg, employees, customers, external partners) and workload identities (eg, virtual machines, containers, web applications, serverless functions).

Is rights management provided in the government cloud?

No, rights management is currently not available in the government cloud.

Can rights management be used in sovereign clouds?

No, rights management is currently not available in the sovereign cloud.

How does Rights Management gather insights about rights usage?

Permission Management has a data collector that collects access permissions assigned to various identities, activity logs, and resource metadata. This provides a comprehensive view of the permissions granted to all identities to access resources and details about the use of granted permissions.

How does rights management assess cloud rights risk?

Privilege Management provides granular visibility into all identities and the permissions they grant and use, across cloud infrastructures to discover any action performed by any identity on any resource. This is not limited to user identities, but also workload identities such as virtual machines, access keys, containers and scripts. The dashboard provides an overview of rights profiles to target the highest risk identities and resources.

What is the Permission Creep Index?

The Privilege Creep Index (PCI) is a quantitative measure of risk associated with an identity or role, determined by comparing privileges granted to privileges exercised. It allows users to immediately assess the level of risk associated with the number of unused or overprovisioned permissions across identities and resources. It measures the amount of damage an identity can do based on the permissions that identity has.

How can customers use rights management to remove unused or excessive rights?

Privilege Management allows users to resize excessive permissions and automate least-privilege policies with just a few clicks. The solution continuously analyzes each identity's historical permission usage data and enables customers to adjust that identity's permissions to those used for day-to-day operations only. All unused and otherwise risky permissions can be automatically removed.

How can customers use permission management to grant permission on demand?

For any incident or one-off scenario where an identity needs to perform a specific set of actions on a specific set of resources, the identity can request those permissions on-demand for a limited time through a self-service workflow. Customers can use the built-in workflow engine or their IT service management (ITSM) tool. The user experience is the same for any identity type, identity source (on-premises, enterprise directory, or federated identity) and cloud.

What's the difference between On-Demand Access and Instant Access?

Just-in-time (JIT) access is a method used to enforce the principle of least privilege to ensure that an identity is given the lowest level of privilege to perform the task at hand. On-Demand Permissions is a type of JIT access that allows for temporary elevation of privileges, enabling identities to access resources on a request-by-demand basis.

How can customers monitor the use of permissions through permission management?

Clients can monitor permission usage simply by tracking the evolution of their permission creep index. They can do this in the Analytics tab of the Rights Management Dashboard, where they can see how each identity or resource's PCI evolves over time.

Can customers generate entitlement usage reports?

Yes, Rights Management has several types of system reports available that capture specific data sets. These reports allow clients to:

• Make timely decisions.
• Analyze usage trends and system/user performance.
• Identify high-risk areas.

For information on permission usage reports , seeGenerate and download a rights analysis report.

Integration with ITMS tools such as ServiceNow is on the roadmap for the future.

How to deploy rights management?

Customers with the Global Administrator role must first onboard rights management on their Azure AD tenant, and then onboard their AWS account, GCP project, and Azure subscription. For more details on onboarding, please refer to our product documentation.

How long does it take to deploy rights management?

It depends on each customer and how many AWS accounts, GCP projects and Azure subscriptions they have.

How quickly can I get permission insights after I deploy Privilege Management?

Once the data collection setup is fully operational, customers can access rights usage insights within hours. Our machine learning engine refreshes the Permission Creep Index hourly so clients can start their risk assessment immediately.

Does Rights Management collect and store sensitive personal data?

No, Rights Management does not have access to sensitive personal data.

Where can I find more information on rights management?

You can read our blog and visit our webpage. You can also contact your Microsoft contact to arrange a demo.

What is the data destruction/decommissioning process?

If a customer starts a free 45-day entitlement-managed trial and does not follow up and convert to a paid license within 45 days of the free trial expiring, we will delete all collected data on or before 45 days.

If the customer decides to stop licensing the service, we will also delete all previously collected data within 45 days of the license termination.

We also have the ability to delete, export or modify specific data if a global administrator submits a formal data subject request using the Entra rights management service. This can be initiated by opening a ticket in the Azure PortalNew Support Request - Microsoft Entra Admin Center, or contact your local Microsoft representative.

Do I need a license to use Entra Rights Management?

Yes, starting July 1, 2022, new customers must obtain a 45-day free trial license or a paid license to use the service. You can enable a trial version here:https://aka.ms/TryPermissionsManagementOr you can purchase resource-based licenses directly here:https://aka.ms/BuyPermissionsManagement

How is rights management priced?

Rights management is $125 per resource per year ($10.40 per resource per month). Permissions management requires workload licenses, which include any resources using compute or memory.

Do I need to pay for all resources?

Although rights management supports all resources, Microsoft only requires licenses for certain resources per cloud. To learn more about billing resources, visitView billable resources listed in the authorization system

How do I know how many resources I have?

To see how many resources you have in your multi-cloud infrastructure, look at the Billable Resources tab in Entitlement Management.

What should I do if I am using the public preview of Entra Rights Management?

If you are using the public preview of Entra Rights Management, your current deployment will continue to work until October 1st.

After October 1, you will need to move to a newly released version of the service and enable a 45-day trial or purchase a license to continue using the service.

What if I am using an older version of the CloudKnox service?

We are currently working on a migration plan to help customers using the original CloudKnox service migrate to the new Entra entitlement management service later in 2022.

Can I use Entra Rights Management in the EU?

Yes, this product is compliant.

How do I enable one of the 18 new languages ​​supported in the GA release?

We are now localized into 18 languages. We respect your browser settings, or you can manually enable the language of your choice by adding a query string suffix to your Entra rights management URL:

?lang=xx-XX

where xx-XX is one of the following language parameters available: 'cs-CZ', 'de-DE', 'en-US', 'es-ES', 'fr-FR', 'hu-HU', id- ID', 'it-IT', 'ja-JP', 'co-KR', 'nl-NL', 'pl-PL', 'pt-BR', 'pt-PT', 'ru-RU' , 'sv-SE', 'tr-TR', 'zh-CN' or 'zh-TW'

resource

• Public Preview Announcement Blog
• Rights Management Page
• For more information about Microsoft's privacy and security terms, seecommercial license terms.
• For more information about Microsoft's data processing and security terms when subscribing to a product, seeMicrosoft Products and Services Data Protection Addendum (DPA).
• For more information, seeAzure Data Subject Requests for GDPR and CCPA.

Next step

• For an overview of rights management , seeWhat is rights management?.
• For information on how to enable rights management in your organization , seeEnable rights management in your organization.