
Microsoft Defender for Cloud Adds Native CIEM Across AWS, Azure, and GCP

Microsoft Defender for Cloud integrates native Cloud Infrastructure Entitlement Management across all three major clouds, introducing activity-based inactive identity detection with a 90-day lookback window.


TechDrop Editorial


Microsoft Defender for Cloud integrated native Cloud Infrastructure Entitlement Management (CIEM) across AWS, Azure, and GCP effective February 2, 2026. The integration brings identity and access governance capabilities directly into Defender's security posture management platform, eliminating the need for separate CIEM products for organizations operating in multicloud environments.

What Changed

The most significant change is how inactive identities are detected. Previous CIEM implementations in Defender relied on sign-in activity to determine whether an identity was active. The new approach evaluates unused role assignments — identifying identities that have permissions they are not actually using, regardless of whether the identity has recently signed in. This is a more precise measure of excess privilege, because an identity can sign in regularly while using only a fraction of its assigned permissions.

The lookback window for inactive identity analysis has been extended from 45 to 90 days, providing a longer observation period that reduces false positives from seasonal or periodic activity patterns. An identity that is used quarterly for compliance reporting, for example, would not be flagged as inactive under a 90-day lookback but might be under a 45-day window.

The Permissions Creep Index (PCI) metric, which previously provided a numerical score representing the gap between assigned and used permissions, has been deprecated in favor of the activity-based CIEM logic. The PCI was useful as a summary metric but could obscure the specific permissions that were over-provisioned. The new approach surfaces individual unused role assignments directly, providing actionable remediation guidance rather than abstract scores.
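As an added illustration of the distinction drawn above between sign-in-based and activity-based inactivity detection (example code written for this article, not Microsoft's CIEM implementation), the following compares both approaches under a 45-day and a 90-day lookback window; the identities, role names, activity records and function names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class RoleAssignment:
    identity: str
    role: str

TODAY = date(2026, 2, 2)  # assumed analysis date

# Constructed sample inventory: which identity holds which role assignment.
ASSIGNMENTS = [
    RoleAssignment("svc-backup", "Storage Blob Data Contributor"),
    RoleAssignment("svc-backup", "Key Vault Secrets Officer"),
    RoleAssignment("audit-reader", "Reader"),
    RoleAssignment("deploy-bot", "Contributor"),
]

# Constructed activity log: (day, identity, role exercised). A role of None
# records a sign-in during which no assigned permission was actually used.
ACTIVITY = [
    (date(2026, 2, 1), "svc-backup", "Storage Blob Data Contributor"),
    (date(2026, 1, 31), "svc-backup", None),
    (date(2026, 1, 30), "svc-backup", "Storage Blob Data Contributor"),
    (date(2025, 11, 14), "audit-reader", "Reader"),  # quarterly run, 80 days ago
    (date(2026, 1, 28), "deploy-bot", None),          # signs in, deploys nothing
]

def inactive_by_signin(assignments, activity, today, lookback_days):
    """Old logic: an identity is inactive only if it has not signed in at all
    inside the lookback window, whatever its role assignments."""
    cutoff = today - timedelta(days=lookback_days)
    seen = {ident for day, ident, _ in activity if day >= cutoff}
    return sorted({a.identity for a in assignments} - seen)

def unused_assignments(assignments, activity, today, lookback_days):
    """New logic: flag every role assignment not exercised inside the window,
    even when the identity signed in regularly."""
    cutoff = today - timedelta(days=lookback_days)
    used = {(ident, role) for day, ident, role in activity
            if role is not None and day >= cutoff}
    return [a for a in assignments if (a.identity, a.role) not in used]

if __name__ == "__main__":
    for window in (45, 90):
        print(f"{window}-day window")
        print("  inactive by sign-in :", inactive_by_signin(ASSIGNMENTS, ACTIVITY, TODAY, window))
        for a in unused_assignments(ASSIGNMENTS, ACTIVITY, TODAY, window):
            print(f"  unused assignment   : {a.identity} -> {a.role}")
```

Under the 90-day window svc-backup is never inactive by sign-in, yet its Key Vault Secrets Officer assignment is flagged as unused; audit-reader's quarterly Reader usage is flagged only under the 45-day window.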

Multicloud Coverage

The CIEM capabilities now cover all three major cloud platforms — Azure, AWS, and GCP — in a unified interface within the Microsoft Defender portal. Cloud security teams can view identity posture, unused permissions, and remediation recommendations across all three clouds in a single dashboard, rather than switching between cloud-specific tools. This consolidation is particularly valuable for organizations where identity governance has been managed separately for each cloud, leading to inconsistent policies and blind spots.

Market Context

CIEM has been a standalone product category dominated by specialized vendors like CrowdStrike (via the Preempt acquisition), Ermetic (acquired by Tenable), and CloudKnox (acquired by Microsoft in 2021). Native integration, included in Defender for Cloud's existing licensing, removes a significant procurement and integration barrier for organizations that already use Microsoft's security platform.

The least-privilege principle — giving identities only the permissions they actually need — is widely understood as a security best practice but rarely enforced consistently across multicloud environments. The operational difficulty of auditing permissions across three cloud platforms with different identity models and permission structures has historically made least-privilege enforcement a manual, error-prone process. Native CIEM that spans all three clouds automates the most labor-intensive part of this process: identifying where excess permissions exist and recommending specific remediations.
