IDPros / bok

This is a public comment environment for the IDPro body of knowledge.

Intro to PAM appendix pointing to EntraID - PIM #130

Open meneer opened 1 month ago

meneer commented 1 month ago

I suggest adding this appendix to Introduction to PAM:

Appendix PAM with PIM

The BoK is a product- and vendor-independent source of information and the authors will not endorse any technology, product or vendor. With these principles we do acknowledge the fact that some products have become ubiquitous, and in our IAM practice one of the standard products we encounter is Entra ID, previously called Azure AD. This component is an Identity and Access Management solution running on the Azure cloud platform and used for managing digital identities and authorizations in cloud environments, using modern federation protocols like OAuth and OpenID Connect. Since Entra ID is such a key access control component, Microsoft added extensive authorization profiles to secure access to the Entra ID and Azure administrative functions. The capability is called Privileged Identity Management, PIM. One could argue that PIM is a PAM solution. Its most prominent features are Just-in-Time access and approval workflows for accessing the different access roles available in Entra ID. We will not discuss the topic of choosing between PIM and a dedicated PAM solution where applicable. When an organization is working mostly on Azure, implementing PIM is almost a no-brainer, provided that the organization has the compatible licenses (currently Premium P2, 365 E5 or EMS E5). When other platforms and on-premises systems have to be managed, adding a dedicated PAM solution next to PIM, or instead of PIM, makes sense. One could, for instance, store the Global Admin account credentials in the PAM vault and make them available only after ticket validation in an ITSM solution.
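Added example, not part of the proposed appendix text above and not the BoK's own material: what the Just-in-Time activation the comment mentions looks like in practice, as a self-activation request to the Microsoft Graph PIM endpoints from PowerShell. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in user already holds an *eligible* (not active) assignment for the role in PIM, and that the `RoleAssignmentSchedule.ReadWrite.Directory` and `RoleManagement.Read.Directory` delegated permissions are consented; the role name, duration and ticket reference are placeholders chosen for illustration.

```powershell
# Added example (not IDPro BoK text): JIT self-activation of an eligible Entra ID
# role via Microsoft Graph. Assumes Microsoft.Graph SDK and an existing eligible
# assignment for the caller; role name, duration and ticket reference are placeholders.
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory", "RoleManagement.Read.Directory"

# Object id of the caller: the principal that will be activated.
$me = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me?`$select=id"

# Resolve the role definition by display name rather than hard-coding a GUID.
$roleName = "Global Administrator"
$roleDefs = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions?`$filter=displayName eq '$roleName'"
$roleDef  = $roleDefs.value[0]

# The activation request: time-bound (expires after one hour) and tied to a
# justification, which is where an ITSM ticket reference normally goes.
$body = @{
    action           = "selfActivate"
    principalId      = $me.id
    roleDefinitionId = $roleDef.id
    directoryScopeId = "/"                       # tenant-wide scope
    justification    = "CHG0000000: hypothetical change ticket reference"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "PT1H" }
    }
}

$request = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests" `
    -Body ($body | ConvertTo-Json -Depth 5) -ContentType "application/json"

# If the role's PIM policy requires approval the request stays pending until an
# approver acts; otherwise it is provisioned immediately. Inspect the status either way.
"Request $($request.id) status: $($request.status)"

# Verify: list the caller's currently *active* assignments (eligibility alone does
# not appear here) and confirm the end time matches the requested duration.
$active = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleInstances/filterByCurrentUser(on='principal')"
$active.value |
    Where-Object { $_.roleDefinitionId -eq $roleDef.id } |
    Select-Object assignmentType, startDateTime, endDateTime
```

The two properties worth checking after any activation are the request status (whether an approval step gated it) and the `endDateTime` of the resulting assignment instance, since a permanent active assignment rather than a time-bound one is exactly what PIM is meant to prevent.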
