* [Blog](https://www2.paloaltonetworks.com/blog)
* [Cloud Security](https://www2.paloaltonetworks.com/blog/cloud-security/)
* [Cloud Infrastructure Entitlement Management](https://www2.paloaltonetworks.com/blog/cloud-security/category/cloud-infrastructure-entitlement-management/)
* Microsoft Entra Permissio...

# Microsoft Entra Permissions Management to Retire: Why the Time for a Vendor-Neutral CIEM Is Now

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fciem-essential-mepm-retired%2F)  
[](https://twitter.com/share?text=Microsoft+Entra+Permissions+Management+to+Retire%3A+Why+the+Time+for+a+Vendor-Neutral+CIEM+Is+Now&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fciem-essential-mepm-retired%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fciem-essential-mepm-retired%2F&title=Microsoft+Entra+Permissions+Management+to+Retire%3A+Why+the+Time+for+a+Vendor-Neutral+CIEM+Is+Now&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www2.paloaltonetworks.com/blog/cloud-security/ciem-essential-mepm-retired/&ts=markdown)  
\[\](mailto:?subject=Microsoft Entra Permissions Management to Retire: Why the Time for a Vendor-Neutral CIEM Is Now)  
Link copied  
By [David Trigano](https://www.paloaltonetworks.com/blog/author/david-trigano/?ts=markdown "Posts by David Trigano")  
Aug 15, 2025  
4 minutes  
[Cloud Infrastructure Entitlement Management](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-infrastructure-entitlement-management/?ts=markdown)  
[Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown)  
[Identity Security](https://www.paloaltonetworks.com/blog/cloud-security/category/identity-security/?ts=markdown)

Microsoft's [announcement to retire Microsoft Entra Permissions Management](https://techcommunity.microsoft.com/blog/microsoft-entra-blog/important-change-announcement-microsoft-entra-permissions-management-end-of-sale/4399382)(MEPM) marks a shift for organizations that rely on Azure Entra ID as their primary identity provider. For many Fortune 500 companies, MEPM has been a built-in means to identify excessive permissions, enforce least privilege and secure both human and machine identities.

Consider a Fortune 500 financial services company running most identity management on Microsoft Entra ID with workloads spread across Azure, AWS and GCP. Developers often spin up new workloads with temporary permissions yet these are rarely rolled back. Machine identities created for a single migration project might still have full read/write access to production datastores months later, remaining invisible because they're not tracked in a unified permissions inventory.

With MEPM leaving the scene, complete, vendor-neutral identity visibility is no longer optional. It's urgent.

## **The Impact of the Retirement**

Microsoft MEPM will officially retire and not be supported as of October 1, 2025. While native Azure IAM capabilities will remain, organizations will lose the cross-cloud, unified visibility that MEPM offers.

|------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Who's Impacted**     | Organizations currently relying on MEPM for CIEM capabilities, particularly those standardizing on Microsoft Entra ID.                                                         |
| **Who's Not Impacted** | Customers who never used MEPM or already adopted a third-party CIEM solution.                                                                                                  |
| **Filling the Gap**    | Defender for Cloud offers some identity security capabilities but doesn't fully replicate MEPM's cross-cloud, vendor-neutral visibility and effective permissions calculation. |

\*Example:\*A global healthcare provider has been using MEPM to see effective permissions across Azure and to enforce least privilege for employees and automated services. With MEPM gone, they must rely solely on Azure IAM, losing visibility into AWS-based data lakes integrated via trust relationships. This blind spot enables a single overprivileged account to expose millions of patient records.

## **Why a Vendor-Neutral CIEM Is Essential**

Most Fortune 500 companies use Entra ID as their identity provider, but their workloads span multiple clouds. Without a vendor-neutral CIEM, visibility stops at the Azure boundary.

*Example:* A retail giant uses Azure Entra ID for workforce identity but runs core supply chain apps in AWS. Their AI-based inventory systems rely on machine identities calling APIs across multiple clouds. Without cross-cloud visibility, overprivileged AWS service accounts go undetected, allowing attackers to pivot from AWS into Azure, a tactic increasingly seen in multicloud breaches.

MEPM's retirement means organizations must adopt a vendor-neutral CIEM to maintain a **complete, accurate and continuous** picture of permissions across all clouds.

## **How Cortex Cloud Identity Security Fills the Gap**

Cortex Cloud Identity Security, part of the [code-to-cloud-to-SOC platform,](https://www.paloaltonetworks.com/cortex/cloud) provides full CIEM functionality across Azure, AWS and GCP.

The solution delivers:

* **Effective permissions calculation** to cover both human and nonhuman identities
* **Cross-cloud visibility** to eliminate blind spots, even beyond Entra ID
* **Security insights** to identify overprivileged accounts and risky trust relationships
* **Compliance enforcement** to ensure least-privileged access across all identities
* **Governance for machine identities** to track API keys, service accounts and workloads

By providing a single source of truth for permissions across your entire cloud estate, Cortex Cloud ensures that organizations impacted by MEPM's retirement can continue to operate securely without losing critical functionality.
![Cortex Cloud Identity Security (CIEM)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/08/word-image-343282-1.png)
Figure 1: Cortex Cloud Identity Security (CIEM)

## **Why Choose Cortex Cloud Now**

* **Proven at scale:** Trusted by enterprises worldwide, including those running complex multicloud and hybrid environments.
* **Integrated security intelligence:** Correlates identity risk with data security (DSPM), cloud posture (CSPM) and AI security (AI-SPM) for context-rich prioritization.
* **Future-ready:** Provides the governance foundation to secure tomorrow's cloud ecosystems as identity sprawl grows with AI agents, microservices and third-party integrations.

## **Take the Next Step**

Don't let MEPM's retirement leave your cloud environments exposed.  
[Schedule a demo today](https://www.paloaltonetworks.com/cortex/cloud/demo) to see how Cortex Cloud Identity Security can help you maintain visibility, reduce risk and enforce least privilege across your multicloud identity landscape.

*** ** * ** ***

## Related Blogs

### [AI Security](https://www.paloaltonetworks.com/blog/cloud-security/category/ai-security/?ts=markdown), [AI-SPM](https://www.paloaltonetworks.com/blog/cloud-security/category/ai-spm/?ts=markdown), [CIEM](https://www.paloaltonetworks.com/blog/cloud-security/category/ciem/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown), [DSPM](https://www.paloaltonetworks.com/blog/cloud-security/category/dspm/?ts=markdown), [Identity Security](https://www.paloaltonetworks.com/blog/cloud-security/category/identity-security/?ts=markdown)

[#### Is AI a New Challenge for Cloud Security? Yes and No.](https://www2.paloaltonetworks.com/blog/cloud-security/ai-security-gap-cloud-models-agents/)

### [CIEM](https://www.paloaltonetworks.com/blog/cloud-security/category/ciem-2/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown), [IAM](https://www.paloaltonetworks.com/blog/cloud-security/category/iam-2/?ts=markdown), [Identity Security](https://www.paloaltonetworks.com/blog/cloud-security/category/identity-security/?ts=markdown), [KSPM](https://www.paloaltonetworks.com/blog/cloud-security/category/kspm/?ts=markdown)

[#### Turning Kubernetes Last Access to Kubernetes Least Access Using KIEMPossible](https://www2.paloaltonetworks.com/blog/cloud-security/kubernetes-identity-security-kiempossible/)

### [Cloud Infrastructure Entitlement Management](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-infrastructure-entitlement-management/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown)

[#### Strengthen Your CIEM Strategy with a New Dashboard to Guide Security Teams](https://www2.paloaltonetworks.com/blog/cloud-security/ciem-strategy/)

### [AppSec](https://www.paloaltonetworks.com/blog/cloud-security/category/appsec/?ts=markdown), [ASPM](https://www.paloaltonetworks.com/blog/cloud-security/category/aspm/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown), [Code Security](https://www.paloaltonetworks.com/blog/cloud-security/category/code-security/?ts=markdown), [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown), [Research](https://www.paloaltonetworks.com/blog/cloud-security/category/research/?ts=markdown)

[#### An Inside Look into ASPM: Five Findings from New Industry Research](https://www2.paloaltonetworks.com/blog/cloud-security/aspm-research-omdia/)

### [Cloud NGFW](https://www.paloaltonetworks.com/blog/network-security/category/cloud-ngfw/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown), [Firewall](https://www.paloaltonetworks.com/blog/category/firewall/?ts=markdown)

[#### Modernizing Security on AWS: From Firewall Ops to Security Intent](https://www2.paloaltonetworks.com/blog/network-security/modernizing-security-on-aws-from-firewall-ops-to-security-intent/)

### [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown), [Software Firewalls](https://www.paloaltonetworks.com/blog/network-security/category/software-firewalls/?ts=markdown)

[#### Turn Your Multicloud Security into a Business Enabler](https://www2.paloaltonetworks.com/blog/network-security/turn-your-multicloud-security-into-a-business-enabler/)

### Subscribe to Cloud Security Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www2.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language