BojanZivkovic-7448 asked:

Enabling optional PAM feature

Hi, I have a forest which in the future will become a managed forest when ESAE or its successor approach is implemented. Can I now enable the PAM feature, which would help me a lot by allowing time-limited group membership, without affecting the future architecture where JIT will be implemented by MIM/PAM? I am asking because, once enabled, the PAM feature cannot be disabled.

microsoft-identity-manager

FanFan-MSFT answered:

Hi,

Since it is more related to the MIM deployment, I can't give you more professional advice.
I would suggest you open a new thread with the tag Microsoft-Identity-Management.

The following link is for your reference:
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services

Best Regards,


I changed a tag.


Tom-Houston answered:

Hey @BojanZivkovic-7448,

Yes, you can enable the PAM feature in your Bastion forest without impacting a future MIM/PAM deployment. You may want to consider Microsoft's updated privileged user access strategy before making a substantial investment in the ESAE.

Hope this helps


Hey Tom, as I said, the forest I want to enable the AD PAM feature in will be a managed forest in ESAE, not the Bastion (Red) forest.


Hey @BojanZivkovic-7448,

I can't think of a reason you couldn't use PAM in the Corp forest, but maybe check the support position first with your Microsoft representative. I have personally only ever deployed PAM in the Bastion forest environment, but Microsoft has recently withdrawn this forest architecture from their mainstream recommendations.

Hope this helps


Thanks, I know PAM is always deployed in the Bastion forest, but as a component of MIM, not as an optional AD feature.

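As an added illustration (not posted by anyone in the thread) of the optional AD feature the question is about: checking whether it is already on, enabling it (the irreversible step), and then using the time-limited membership it unlocks. It assumes the RSAT ActiveDirectory module, a Windows Server 2016 or higher forest functional level, and placeholder names for the forest, group and user.

```powershell
# Added example, not from the thread. Placeholder names: forest 'corp.example.com',
# group 'Tier0-Admins', user 'jdoe'. Requires the ActiveDirectory module and
# Enterprise Admins rights for the Enable step.
Import-Module ActiveDirectory

$forest = 'corp.example.com'   # placeholder forest FQDN

# 1. Check the current state. An empty EnabledScopes means the feature is off.
#    Once it lists the forest's Partitions container there is no disable cmdlet,
#    which is the point the question raises: decide before running step 2.
$pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $pam -Scope ForestOrConfigurationSet -Target $forest
}

# 2. Time-limited membership: the TTL is stored on the member link itself, so the
#    grant expires on its own with no cleanup job, and the KDC caps ticket lifetime
#    at the remaining TTL so the user's group SID leaves their tickets as well.
Add-ADGroupMember -Identity 'Tier0-Admins' -Members 'jdoe' `
    -MemberTimeToLive (New-TimeSpan -Hours 4)

# 3. Audit remaining lifetimes; expiring links are shown as '<TTL=seconds,DN>'.
(Get-ADGroup -Identity 'Tier0-Admins' -Property member -ShowMemberTimeToLive).member
```

Step 3 is useful on a schedule regardless of whether MIM/PAM is layered on later, since it shows every expiring membership in the forest's own groups, not only those MIM created.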