What is privileged access management?
Every organization has accounts with elevated permissions. These are the accounts that can install software, modify security settings, access sensitive data, create or delete other user accounts, and make changes that affect the entire environment. In Entra ID, this includes Global Administrators, Exchange Administrators, Security Administrators, and other admin roles.
Privileged access management is about controlling these powerful accounts. It answers questions like: Who has admin access? Do they actually need it? How long have they had it? What are they doing with it? And how do we limit the damage if one of these accounts is compromised?
The stakes are high. A compromised regular user account is a problem. A compromised admin account is a crisis. Attackers specifically target privileged accounts because they provide the broadest access and the most control over an environment.
Why is PAM important?
The majority of serious data breaches involve some form of privileged credential misuse. Attackers know that getting hold of an admin account is the fastest path to achieving their goals — whether that is stealing data, deploying ransomware, or maintaining persistent access.
The same problems come up again and again in how organizations manage privileged access: too many admins (admin access handed out liberally because it is the quickest way to solve an access problem), permanent standing access (privileges granted once and never revisited), shared accounts where several people know the same password (so actions cannot be traced to a specific person), and no monitoring of privileged actions.
How does PAM work in practice?
PAM combines several practices and controls.
Privilege discovery and inventory. The first step is understanding which accounts have elevated access across your environment. You cannot manage what you do not know about. This means auditing admin role assignments in Entra ID, local admin accounts on endpoints, and admin access to applications and databases.
Just-in-time access. Instead of giving users permanent admin privileges, you grant elevated access only when needed and only for a limited time. A user requests admin access, provides a justification, and receives elevated privileges for a defined window (say, two hours). When the window expires, the access is automatically revoked.
Approval workflows. Sensitive privilege escalations require approval from a manager or security team before access is granted. This adds a human checkpoint to the process.
Session monitoring and recording. Some PAM solutions record privileged sessions so that actions taken with elevated access can be reviewed after the fact. This is particularly important for compliance and incident investigation.
Credential vaulting. Service accounts, API keys, and other non-human credentials are stored in a secure vault rather than in configuration files or scripts. Access to these credentials is logged and controlled.
Privileged Identity Management in Entra ID
Microsoft's native PAM tool for Entra ID is Privileged Identity Management (PIM). It is available with Entra ID P2 licenses and covers the core PAM use cases within the Microsoft ecosystem.
PIM lets you make admin role assignments "eligible" rather than "active" — users do not have the role by default and must activate it when needed, providing a justification and optionally getting approval. You can set time limits so that activated roles automatically expire. You can require MFA for activation. You can receive notifications when privileged roles are activated. And you can run access reviews of who holds eligible and active privileged roles.
PIM is a solid tool for managing Entra ID admin roles and Azure resource roles. However, it only covers the Microsoft ecosystem. If you have privileged accounts in other systems — third-party SaaS apps, on-premises servers, databases — you need additional tooling or processes.
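The just-in-time activation described above, as an added example using the Microsoft Graph PowerShell SDK (this is not code from the article or from Adcyma). It assumes the signed-in user already holds an eligible PIM assignment for the role, that the Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users modules are installed, and the ticket reference in the justification is a placeholder.

```powershell
# Added example: request a time-boxed activation of an eligible Entra ID role through PIM.
# Assumptions: the caller is eligible for the role; modules Microsoft.Graph.Identity.Governance
# and Microsoft.Graph.Users are installed; the ticket number below is a placeholder.
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory", "RoleManagement.Read.Directory", "User.Read" -NoWelcome

$roleName = 'Exchange Administrator'   # pick the most specific role that fits the task, not Global Administrator
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
$me   = Get-MgUser -UserId (Get-MgContext).Account -Property Id   # object id of the signed-in user

$request = @{
    action           = 'selfActivate'                # the user activates their own eligible assignment
    principalId      = $me.Id
    roleDefinitionId = $role.Id
    directoryScopeId = '/'                           # tenant-wide scope
    justification    = 'Ticket INC-PLACEHOLDER: mailbox migration support'   # recorded in the audit log
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = 'afterDuration'; duration = 'PT2H' }   # ISO 8601: access is revoked after two hours
    }
}

$result = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $request
"Activation request {0}: status {1}" -f $result.Id, $result.Status
# 'Provisioned' means the role is active now; 'PendingApproval' means the role's PIM policy
# requires an approver to sign off before access is granted (the approval workflow described above).
```

If the role's activation policy requires MFA, the interactive sign-in in Connect-MgGraph must have satisfied it; otherwise the request is rejected.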
How many Global Admins should you have?
This is one of the most practical PAM questions IT managers ask. Microsoft recommends having no more than five Global Administrators in your Entra ID tenant, and ideally only two to four.
Global Admin is the most powerful role in Entra ID. It can do everything: manage users, change settings, access all data, and even modify other admin role assignments. The fewer people who have it, the smaller your attack surface.
For most tasks, you should use more specific admin roles instead. Entra ID has dozens of built-in roles with limited scope — User Administrator for managing user accounts, Exchange Administrator for managing email settings, Security Administrator for managing security features, Helpdesk Administrator for resetting passwords. Assigning the most specific role possible follows the principle of least privilege and reduces the risk associated with any single compromised account.
PAM and identity governance
PAM and identity governance are closely related but address different aspects of access management.
Identity governance manages access for all users across all applications. It handles the lifecycle: onboarding, role changes, offboarding, and regular access reviews.
PAM focuses specifically on elevated, high-risk access. It adds extra controls — approval workflows, time limits, session monitoring — that would be impractical to apply to every user's everyday access.
The two work best together. Governance ensures that the right people are eligible for privileged roles. PAM ensures that those eligible users can only use their privileges through controlled, auditable processes.
Adcyma's governance platform connects to your Entra ID tenant and provides visibility into who holds privileged roles, helps manage the lifecycle of admin accounts alongside regular accounts, and supports access reviews that include privileged role assignments. This gives IT teams a complete picture of access across their organization, from standard user permissions to the most sensitive admin roles.
Where should you start with PAM?
Audit your admin accounts first. List every user with an admin role in Entra ID. Most organizations are surprised by how many there are. Then reduce Global Admins — move users to more specific roles where possible, aiming for the Microsoft recommendation of two to four Global Admins. Enable PIM if you have P2 licenses, converting permanent role assignments to eligible assignments that require activation. Require MFA for admin actions at minimum. And review privileged access regularly by including admin roles in your quarterly access reviews.
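The audit step above, as an added example using the Microsoft Graph PowerShell SDK (not code from the article or from Adcyma). It assumes the Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users modules are installed and that the signed-in account can read role management (Global Reader is sufficient); the eligible-assignment query returns nothing in tenants without PIM.

```powershell
# Added example: inventory Entra ID admin role assignments and surface the two findings the
# audit step calls for (too many Global Admins, standing access that PIM could make eligible).
# Assumptions: modules Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users; a reader role.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome
$maxRecommendedGlobalAdmins = 5   # Microsoft guidance quoted in the article (ideally two to four)

# Resolve role definition ids to display names once so the report is readable.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Active assignments: standing (permanent) access plus any role currently activated through PIM.
$active = Get-MgRoleManagementDirectoryRoleAssignment -All -ExpandProperty Principal | ForEach-Object {
    $p = $_.Principal.AdditionalProperties
    $name = if ($p['userPrincipalName']) { $p['userPrincipalName'] } else { $p['displayName'] }
    [pscustomobject]@{
        Principal = $name
        Role      = $roleNames[$_.RoleDefinitionId]
        Type      = 'Active'
        Scope     = $_.DirectoryScopeId   # '/' means tenant-wide
    }
}

# Eligible assignments exist only once PIM (Entra ID P2) is in use; they must be activated before use.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All -ErrorAction SilentlyContinue |
    ForEach-Object {
        $u = Get-MgUser -UserId $_.PrincipalId -Property UserPrincipalName -ErrorAction SilentlyContinue
        $name = if ($u) { $u.UserPrincipalName } else { $_.PrincipalId }   # group principals fall back to id
        [pscustomobject]@{
            Principal = $name
            Role      = $roleNames[$_.RoleDefinitionId]
            Type      = 'Eligible'
            Scope     = $_.DirectoryScopeId
        }
    }

$inventory = @($active) + @($eligible)
$inventory | Sort-Object Role, Type, Principal | Format-Table -AutoSize

# Finding 1: distinct principals holding Global Administrator (active or eligible) versus the recommendation.
$globalAdmins = $inventory | Where-Object Role -eq 'Global Administrator' |
    Select-Object -ExpandProperty Principal -Unique
if ($globalAdmins.Count -gt $maxRecommendedGlobalAdmins) {
    Write-Warning "$($globalAdmins.Count) Global Administrators; Microsoft recommends at most $maxRecommendedGlobalAdmins."
}

# Finding 2: tenant-wide standing access that could be converted to eligible (PIM) assignments.
$standing = $inventory | Where-Object { $_.Type -eq 'Active' -and $_.Scope -eq '/' }
"{0} tenant-wide active assignments; review each for conversion to an eligible assignment." -f $standing.Count
```

Run it again after each cleanup round and keep the output with your quarterly access review records.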
These steps do not require a dedicated PAM product. They use capabilities already available in Entra ID and establish the foundation for stronger privileged access controls as your organization matures.