Note
Effective April 1, 2025, Microsoft Entra Permissions Management will no longer be available for purchase, and on October 1, 2025, we'll retire and discontinue support of this product. More information can be found here.
Microsoft Entra Permissions Management (Permissions Management) is retiring on October 01, 2025, with new purchases unavailable starting April 1, 2025. Existing paid customers will continue to have access to Permissions Management between April 1, 2025 - September 30, 2025.
On October 01, 2025, Permissions Management will be automatically offboarded and associated data collection will be deleted. For customers needing to offboard before October 1, 2025, refer to the Offboarding steps section in this guide.
Why is Permissions Management being retired?
The decision to phase out Microsoft Entra Permissions Management from the Microsoft Security portfolio was made after deep consideration of our innovation portfolio and how we can focus on delivering the best innovations aligned to our differentiating areas while partnering with the ecosystem on adjacencies. We remain committed to delivering top-tier solutions across the Microsoft Entra portfolio, which includes Microsoft Entra ID, Microsoft Entra Suite (encompassing ID Protection, ID Governance, Verified ID, Internet Access, and Private Access), Microsoft Entra External ID, Microsoft Entra Workload ID, and more.
Since Permissions Management is retiring, Microsoft recommends that customers who have onboarded the product in their environment start planning for transition. Customers who are not onboarded should refrain from onboarding.
To support this transition, Microsoft is partnering with Delinea. Delinea offers a cloud-native, fully Microsoft-compatible Cloud Infrastructure Entitlement Management (CIEM) solution, Privilege Control for Cloud Entitlements (PCCE). PCCE provides functionality comparable to Permissions Management, including continuous discovery of entitlements that allow you to monitor and adjust access rights for both human and machine identities.
We recommend beginning the shift away from Permissions Management as soon as possible, well before September 30th. We're committed to providing extensive support, alongside our partner, Delinea.
Recommended steps before migrating to Delinea
To ensure you continue with the CIEM objectives with our recommended partner, we recommend making a note of the following information from your Permissions Management portal:
Once onboarded to our recommended partner and/or any other vendor, customers can initiate offboarding. Follow these steps in order:
- Remove permissions assigned in AWS, Azure, and GCP.
- Remove the OIDC application for AWS and GCP environments.
- Stop collecting data for your entire list of accounts / subscriptions / projects by deleting the associated data collectors. This ensures no new data is collected; you'll also no longer have access to any historic data.
- Disable user sign-in to the Cloud Infrastructure Entitlement Management (CIEM) enterprise application.
Continue for detailed guidelines for each of these steps.
Remove permissions assigned in AWS, Azure, and GCP
For successful offboarding of your data, remove permissions from your onboarded cloud provider (Azure, AWS, or GCP) and Permissions Management. Any roles and permissions assigned during onboarding should be removed. This ensures your environment is secure with no overprivileged access once your environment is offboarded from Permissions Management.
Refer to the Data Collector configuration from the Permissions Management portal and select the settings (gear icon). Note down the configuration settings to remove roles and permissions assigned in your respective cloud provider.
Remove the OIDC application for AWS and GCP environments
For AWS and GCP, delete the application created in the Microsoft Entra Admin Center tenant where Permissions Management is enabled. This app was used to set up an OIDC (OpenID Connect) connection to your AWS and GCP environments.
To find the enterprise application that was used to set up the OIDC connection to your AWS and GCP environments, follow these steps:
- Go to Microsoft Entra admin center and sign in to Microsoft Entra ID.
- Launch the Permissions Management portal.
- Select Settings (gear icon), then select the Data Collectors tab.
- On the Data Collectors dashboard, select your authorization system type:
  - AWS for Amazon Web Services.
  - GCP for Google Cloud Platform.
- Select the ellipses (...) at the end of the row in the table.
- Select Edit Configuration. The name of the app is shown in the Azure App name field; note it down.
- Return to the Microsoft Entra admin center and sign in to Microsoft Entra ID.
- Navigate to Entra ID > App registrations.
- Enter the name of the existing application in the search box, and then select the application from the search results.
- From the Overview page, select Delete. Read the deletion consequences. Check the box if one appears at the bottom of the pane.
- Select Delete to confirm that you want to delete the app.
Stop collecting data for your list of accounts / subscriptions / projects by deleting the associated data collectors
- Go to Microsoft Entra admin center and sign in to Microsoft Entra ID.
- Select Permissions Management, then select Launch portal.
- Select Settings (the gear icon), then select the Data Collectors tab.
- On the Data Collectors dashboard, select your authorization system type:
  - AWS for Amazon Web Services.
  - Azure for Microsoft Azure.
  - GCP for Google Cloud Platform.
- Select the ellipses (...) at the end of the row in the table.
- Select Delete Configuration. The Permissions Management Onboarding - Summary box displays.
- Select Delete.
- Check your email for a one-time password (OTP) code, then enter it in Enter OTP.
- If you don't receive an OTP, select Resend OTP.
- The following message displays: Successfully deleted configuration.
Disable user sign-in to the Cloud Infrastructure Entitlement Management (CIEM) enterprise application
Once data collection stops for all AWS accounts, Azure subscriptions, and GCP projects, disable the Cloud Infrastructure Entitlement Management (CIEM) app so that it can't be signed in. This ensures Permissions Management can no longer access your environments (accounts, subscriptions and projects).
To disable the CIEM App for users to sign in:
- Go to Microsoft Entra admin center and sign in to Microsoft Entra ID.
- Navigate to Entra ID > Enterprise apps > All applications.
- Search for Cloud Infrastructure Entitlement Management. If you can't locate the app, reset the filters.
- Open Properties.
- Toggle Enabled for users to sign in to No.
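The same two directory-side offboarding actions (deleting the OIDC app registration and disabling sign-in to the CIEM enterprise application), plus a read-back check that the sign-in toggle actually took effect and a listing of any Azure role assignments the CIEM service principal still holds, can be driven from Microsoft Graph PowerShell and Az PowerShell. The script below is an added example and is not part of this Microsoft guide; it assumes the Microsoft.Graph and Az.Resources modules are installed, that the signed-in account can manage applications and read role assignments, and that you replace the placeholder OIDC app name with the value shown in the Azure App name field of your Data Collector configuration. The display name `Cloud Infrastructure Entitlement Management` is the one used on this page. Deleting data collectors requires the OTP flow in the portal and is not covered here.

```powershell
# Added example, not code from the Microsoft guide. Assumptions: Microsoft.Graph
# and Az.Resources modules installed; account can manage app registrations and
# service principals; Connect-AzAccount already run for the role-assignment check.
$CiemAppName = 'Cloud Infrastructure Entitlement Management'   # display name from the guide
$OidcAppName = '<AZURE-APP-NAME-FROM-DATA-COLLECTOR-CONFIG>'   # placeholder, replace before use

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'Directory.Read.All' -NoWelcome

# Double single quotes so a display name cannot break the OData filter.
function Get-ODataLiteral([string]$s) { return $s.Replace("'", "''") }

# --- Remove the OIDC app registration used for AWS and GCP ------------------
$oidcApps = @(Get-MgApplication -Filter "displayName eq '$(Get-ODataLiteral $OidcAppName)'")
if ($oidcApps.Count -eq 0) {
    Write-Host "No app registration named '$OidcAppName' found; nothing to delete."
} elseif ($oidcApps.Count -gt 1) {
    # Never delete on an ambiguous match; confirm the AppId in the portal first.
    Write-Warning "Multiple app registrations match '$OidcAppName'; refusing to delete:"
    $oidcApps | Select-Object DisplayName, AppId, Id | Format-Table
} else {
    Remove-MgApplication -ApplicationId $oidcApps[0].Id
    Write-Host "Deleted app registration $($oidcApps[0].AppId) ($OidcAppName)."
}

# --- Disable user sign-in to the CIEM enterprise application ----------------
$ciemSps = @(Get-MgServicePrincipal -Filter "displayName eq '$(Get-ODataLiteral $CiemAppName)'")
if ($ciemSps.Count -eq 0) {
    Write-Warning "Enterprise app '$CiemAppName' not found; reset the filters in the portal and check again."
} else {
    foreach ($sp in $ciemSps) {
        # Equivalent of toggling "Enabled for users to sign in" to No in Properties.
        Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false
    }

    # Verify by reading the objects back rather than trusting the update call.
    $check = @(Get-MgServicePrincipal -Filter "displayName eq '$(Get-ODataLiteral $CiemAppName)'") |
             Select-Object DisplayName, AppId, AccountEnabled
    $check | Format-Table
    if ($check | Where-Object { $_.AccountEnabled }) {
        Write-Warning 'At least one CIEM service principal is still enabled for sign-in.'
    }

    # --- Azure portion of "remove permissions": list what the SP still holds --
    # Rows returned here are candidates for removal under the first offboarding
    # step; review them against your Data Collector configuration before removing.
    foreach ($sp in $ciemSps) {
        $assignments = Get-AzRoleAssignment -ObjectId $sp.Id -ErrorAction SilentlyContinue
        if ($assignments) {
            Write-Warning "Service principal $($sp.Id) still has Azure role assignments:"
            $assignments | Select-Object RoleDefinitionName, Scope | Format-Table
        } else {
            Write-Host "No Azure role assignments remain for service principal $($sp.Id)."
        }
    }
}
```

Run it after the data collectors have been deleted, as the guide orders the steps, so that the sign-in toggle does not interrupt data collection you have not yet intentionally stopped. The script refuses to delete when more than one app registration shares the name, because the page tells you to identify the app by name and a name match alone is not a safe deletion key.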
For more information on the Permissions Management product retirement, visit aka.ms/MEPMretire.