How to offboard and transition off of Microsoft Entra Permissions Management

Microsoft Entra Permissions Management (Permissions Management) is retiring on October 01, 2025, with new purchases unavailable starting April 1, 2025. Existing paid customers will continue to have access to Permissions Management between April 1, 2025 - September 30, 2025.

On October 01, 2025, Permissions Management will be automatically offboarded and associated data collection will be deleted. For customers needing to offboard before October 1, 2025, refer to the Offboarding steps section in this guide.

Why is Permissions Management being retired?

Microsoft made the decision to retire Permissions Management as part of a strategic realignment to focus Microsoft's Security investments on core identity categories, using AI for security and securing AI.

Recommended solutions

Since Permissions Management is retiring, Microsoft recommends that customers who have onboarded the product in their environment start planning for transition. Customers who are not onboarded should refrain from onboarding.

To support this transition, Microsoft is partnering with Delinea. Delinea offers a cloud-native, fully Microsoft-compatible Cloud Infrastructure Entitlement Management (CIEM) solution, Privilege Control for Cloud Entitlements (PCCE). PCCE provides functionality comparable to Permissions Management, including continuous discovery of entitlements that allow you to monitor and adjust access rights for both human and machine identities.

We recommend beginning the shift away from Permissions Management as soon as possible, well before September 30th. We're committed to providing extensive support, alongside our partner, Delinea.

Recommended steps before migrating to Delinea

To ensure you continue with the CIEM objectives with our recommended partner, we recommend making a note of the following information from your Permissions Management portal:

• First, go to Microsoft Entra admin center and sign in to Microsoft Entra ID, then click Permissions Management from the navigation blade.

  • Authorization system IDs which are being monitored across Azure, Amazon Web Service (AWS) and Google Cloud Platform (GCP). To find this, launch the Permissions Management portal, select Settings (Gear icon) and select the Authorization Systems tab to view list of Authorization system IDs.
  • Groups and users given admin access with the Permissions Management Administrator role in Entra ID. To find this, launch Entra ID, select Roles and Admins, search for Permissions Management Administrator role, select Assignments.
  • Authorization system-specific access provided to groups through the Permissions Management portal. To find this, launch Permissions Management portal, Select User Management, then click the Groups tab to view all group assignments.
  • Custom reports configured in your environment. To find this, launch the Permissions Management portal, select Reports, navigate to Custom Reports.
  • Alerts configured in your environment. To find this, launch the Permissions Management portal, select Alerts (bell icon), navigate to respective alerts tab.

Offboarding steps

Once onboarded to our recommended partner and/or any other vendor, customers can initiate offboarding. Follow these steps in order:

1. Remove permissions assigned in AWS, Azure, and GCP.
2. Remove the OIDC application for AWS and GCP environments.
3. Stop collecting data for your entire list of accounts / subscriptions/ projects by deleting the associated data collectors: This ensures no new data is collected and you'll no longer have access to any historic data.
4. Disable user sign-in to Cloud Infrastructure Entitlement Management (CIEM) enterprise application

Continue for detailed guidelines for each of these steps.

Remove permissions assigned in AWS, Azure, and GCP

For successful offboarding of your data, remove permissions from your onboarded cloud provider (Azure, AWS, or GCP) and Permissions Management. Any roles and permissions assigned during onboarding should be removed. This ensures your environment is secure with no overprivileged access once your environment is offboarded from Permissions Management.

Refer to the Data Collector configuration from the Permissions Management portal and select the settings (gear icon). Note down the configuration settings to remove roles and permissions assigned in your respective cloud provider.

Remove the OIDC application for AWS and GCP environments

For AWS and GCP, delete the application created in the Microsoft Entra Admin Center tenant where Permissions Management is enabled. This app was used to set up an OIDC (OpenID Connect) connection to your AWS and GCP environments.

To find the Enterprise Application created which was used to set up OIDC connection to your AWS and GCP environments, follow the below steps:

1. Go to Microsoft Entra admin center and sign in to Microsoft Entra ID.
2. Launch the Permissions Management portal.
3. Select Settings (gear icon), then select the Data Collectors tab.
4. On the Data Collectors dashboard, select your authorization system type:
   • AWS for Amazon Web Services.
   • GCP for Google Cloud Platform.
5. Select the ellipses (...) at the end of the row in the table.
6. Select Edit Configuration. The app is located under the Azure App name.
7. Go to Microsoft Entra admin center and sign in to Microsoft Entra ID.
8. Navigate to Identity > Applications > App Registrations.
9. Enter the name of the existing application in the search box, and then select the application from the search results.
10. From the Overview page, select Delete. Read the deletion consequences. Check the box if one appears at the bottom of the pane.
11. Select Delete to confirm that you want to delete the app.

Stop data collection

Stop collecting data for your list of accounts / subscriptions / projects by deleting the associated data collectors.

1. Go to Microsoft Entra admin center and sign in to Microsoft Entra ID.
2. Select Permissions Management and click on Launch portal.
3. Select Settings (the gear icon), then select the Data Collectors tab.
4. On the Data Collectors dashboard, select your authorization system type:
   • AWS for Amazon Web Services.
   • Azure for Microsoft Azure.
   • GCP for Google Cloud Platform.
5. Select the ellipses (...) at the end of the row in the table.
6. Select Delete Configuration. The Permissions Management Onboarding - Summary box displays.
7. Select Delete.
8. Check your email for a one-time password (OTP) code, then enter it in Enter OTP.
9. If you don't receive an OTP, select Resend OTP.
10. The following message displays: Successfully deleted configuration.

Disable user sign-in to the Cloud Infrastructure Entitlement Management (CIEM) enterprise application

Once data collection stops for all AWS accounts, Azure subscriptions, and GCP projects, disable the Cloud Infrastructure Entitlement Management (CIEM) app so that it can't be signed in. This ensures Permissions Management can no longer access your environments (accounts, subscriptions and projects).

To disable the CIEM App for users to sign in:

1. Go to Microsoft Entra admin center and sign in to Microsoft Entra ID.
2. Navigate to Identity > Applications > Enterprise Applications > All applications.
3. Search for Cloud Infrastructure Entitlement Management. If you can’t locate the app, reset the filters.
4. Open Properties.
5. Toggle Enabled for users to sign-in to No.

Next steps

• For more information on the Permissions Management product retirement, visit aka.ms/MEPMretire