December 2025

Upcoming change to CIEM recommendation logic
As part of the ongoing deprecation of the Microsoft Entra Permissions Management functionality, Microsoft Defender for Cloud is updating its Cloud Infrastructure Entitlement Management (CIEM) recommendation logic across Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).

The updated model decides whether users and roles are inactive based on unused role assignments rather than sign-in activity, and it uses a 90-day lookback window (previously 45 days). Identities created within the past 90 days are not evaluated as inactive. Coverage for AWS has also been refined: CIEM recommendations now apply only to AWS service principals whose permissions can be reliably evaluated, and serverless and compute resources are no longer included, so recommendation counts may change.
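The rule above has two edge cases worth checking before you compare old and new recommendation counts: an identity that never signs in interactively (a workload identity) but whose roles are in use, and an identity younger than the lookback window. The following is an added reference model of the rule as the release note states it, written for this page; it is not Microsoft's implementation, and the data shapes, function names, the exact-cutoff boundary handling and the sample identities are all constructed assumptions. It also keeps the earlier sign-in-based, 45-day model side by side so the difference in verdicts is visible.

```python
"""Reference model of the CIEM inactivity rule described in the release note.

Added example, not Microsoft's code. Names, data shapes and the sample
identities are constructed; the boundary treatment is an assumption.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

NEW_LOOKBACK_DAYS = 90      # updated window, per the release note
LEGACY_LOOKBACK_DAYS = 45   # previous window


@dataclass
class RoleAssignment:
    role: str
    last_used: Optional[datetime]   # None: no recorded use of this assignment


@dataclass
class Identity:
    name: str
    created: datetime
    assignments: list[RoleAssignment] = field(default_factory=list)
    last_sign_in: Optional[datetime] = None   # only the legacy model looks at this


def unused_assignments(identity: Identity, now: datetime,
                       lookback_days: int = NEW_LOOKBACK_DAYS) -> list[str]:
    """Roles assigned to the identity that were not exercised inside the window.

    Boundary assumption: a use exactly at the cutoff instant counts as outside.
    """
    cutoff = now - timedelta(days=lookback_days)
    return [a.role for a in identity.assignments
            if a.last_used is None or a.last_used <= cutoff]


def is_inactive(identity: Identity, now: datetime,
                lookback_days: int = NEW_LOOKBACK_DAYS) -> bool:
    """Updated model: inactive when every assignment went unused in the window.

    Identities younger than the window are never flagged (creation grace period).
    An identity with no assignments has no entitlement to report (assumption).
    """
    cutoff = now - timedelta(days=lookback_days)
    if identity.created > cutoff:
        return False
    if not identity.assignments:
        return False
    unused = unused_assignments(identity, now, lookback_days)
    return len(unused) == len(identity.assignments)


def is_inactive_legacy(identity: Identity, now: datetime,
                       lookback_days: int = LEGACY_LOOKBACK_DAYS) -> bool:
    """Previous model: inactive when there is no sign-in inside the window."""
    cutoff = now - timedelta(days=lookback_days)
    return identity.last_sign_in is None or identity.last_sign_in <= cutoff


def evaluate(identities: list[Identity], now: datetime) -> dict:
    """Per identity: both verdicts plus the unused roles under the new model."""
    return {
        i.name: {
            "inactive_new": is_inactive(i, now),
            "inactive_legacy": is_inactive_legacy(i, now),
            "unused_roles": unused_assignments(i, now),
        }
        for i in identities
    }


def utc_day(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


NOW = utc_day(2025, 12, 15)   # constructed evaluation time

# Constructed sample identities; every timestamp is made up for illustration.
SAMPLE_IDENTITIES = [
    # Workload identity: never signs in, but its Reader role is in active use.
    # The legacy sign-in model flags it; the assignment-based model does not.
    Identity("svc-backup", utc_day(2024, 1, 10),
             [RoleAssignment("Reader", utc_day(2025, 11, 30))]),
    # Departed contractor: last activity in August, flagged by both models.
    Identity("contractor-old", utc_day(2024, 6, 1),
             [RoleAssignment("Contributor", utc_day(2025, 8, 1))],
             last_sign_in=utc_day(2025, 8, 1)),
    # Created 25 days ago with nothing used yet: inside the grace period.
    Identity("new-hire", utc_day(2025, 11, 20),
             [RoleAssignment("Owner", None)]),
    # Active user with one stale assignment: not inactive, but Reader is unused.
    Identity("ops-lead", utc_day(2023, 3, 1),
             [RoleAssignment("Owner", utc_day(2025, 12, 10)),
              RoleAssignment("Reader", utc_day(2025, 7, 1))],
             last_sign_in=utc_day(2025, 12, 12)),
]

if __name__ == "__main__":
    for name, verdict in evaluate(SAMPLE_IDENTITIES, NOW).items():
        print(f"{name:15} {verdict}")
```

Running it shows why counts move after the change: the workload identity drops out of the inactive list, the new identity is held back by the grace period, and the active user still surfaces a single unused role rather than an inactive-identity finding.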

Cloud-specific requirements

  • AWS: CIEM evaluations for SAML and SSO identities require AWS CloudTrail Logs (Preview) to be enabled in the Defender CSPM plan.
  • GCP: CIEM evaluations require Cloud Logging ingestion (Preview) to be enabled in the Defender CSPM plan.

The Permissions Creep Index (PCI) metric is being deprecated as part of this update and will no longer appear on the Defender for Cloud recommendations page. The update provides clearer guidance, improved accuracy, reduced noise, and updated CIEM recommendations for both users and roles across multicloud environments.

General availability of the Endor Labs integration

Defender for Cloud's integration with Endor Labs is now generally available.

The integration enhances vulnerability analysis with reachability-based Software Composition Analysis (SCA), which surfaces the vulnerabilities that are actually reachable, from code through to runtime, rather than every vulnerable dependency present.

Cloud posture management adds serverless protection for Azure and AWS (Preview)

Defender for Cloud extends the capabilities of the Defender Cloud Security Posture Management (CSPM) plan to serverless workloads in Azure and Amazon Web Services (AWS), in preview, in both the Azure portal and the Defender portal.

Currently, the available features vary by portal. The following table shows which features are available in each portal:

This release introduces automatic discovery and security posture assessment for:

  • Azure Functions
  • Azure Web Apps
  • AWS Lambda functions

Security teams can view all serverless resources in a centralized inventory and identify misconfigurations, vulnerabilities, and insecure dependencies.