Evaluating PAM, PIM, and JIT Solutions for On-Premises Active Directory and Local Domains

Hello, I need to evaluate PAM, PIM, and JIT solutions that integrate with on-premises Active Directory. The aim is to add a further level of control over administrative identities that have permissions to create, delete, or modify objects in the PKI and beyond. To perform specific administrative activities in AD, the Certification Authority, and certificate templates, a solution is required that can automate the temporary assignment of users to a specific group and ensure that these permissions are automatically revoked after a defined time. Thanks in advance, Alessio.

2 answers

Hello, have a look at this article: https://learn.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services You could extend and apply the concept to CAs and templates. As for automation, that is a separate issue; each admin manages their own processes, but I am sure you can automate something using PowerShell. Regards, Marius - https://mariusene.com/

Michael Leach 0 Reputation points
2025-02-12T18:27:30+00:00 I know this question is a year old, but this is possible now with some limitations. I'm doing this for a client now. Check out this blog to see how to do it. https://www.linkedin.com/pulse/using-entra-pim-specific-users-access-rdp-on-premises-paulo-silva-4gede/
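The PIM-for-AD-DS article linked above relies on the Privileged Access Management optional feature of Active Directory, which lets a group membership carry a time-to-live that the domain controllers enforce and remove on expiry. The following PowerShell is an added example, not code from either answer or from Microsoft's documentation; it shows the whole loop the question asks for (enable the feature once, grant a time-bound membership, verify it, and audit for members that bypass the control). The forest name `contoso.com`, the group `CA-Template-Admins`, and the account `alessio.adm` are assumptions; substitute your own, and point the CA and template ACLs (Manage CA, Manage Certificates, template Write/Enroll) at that group so the membership TTL is what actually gates the PKI rights.

```powershell
#Requires -Modules ActiveDirectory
# Added example: time-bound (JIT) group membership in on-premises AD using the
# Privileged Access Management optional feature (forest functional level 2016+).
# Assumed names: forest contoso.com, group CA-Template-Admins, user alessio.adm.

param(
    [string]$Forest = 'contoso.com',          # assumed forest root
    [string]$Group  = 'CA-Template-Admins',   # assumed group granted rights on CA/templates
    [string]$User   = 'alessio.adm',          # assumed admin account being elevated
    [int]   $Hours  = 2                       # requested lifetime of the membership
)

# 1. The PAM optional feature must be enabled at forest scope. Enabling it is
#    irreversible, so check first and only enable deliberately (prompts for confirmation).
$pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
if (-not $pam.EnabledScopes) {
    Write-Warning "PAM feature is not enabled in $Forest. Enabling it cannot be undone."
    Enable-ADOptionalFeature -Identity $pam -Scope ForestOrConfigurationSet `
        -Target $Forest -Confirm:$true
}

# 2. Grant the membership with a TTL. The DCs remove the member automatically when it
#    expires, so no scheduled cleanup job is needed and nothing is left behind if the
#    automation host dies. Kerberos TGTs issued while the membership is active are capped
#    to the remaining TTL, so the group SID drops out of the user's ticket at expiry.
$ttl = New-TimeSpan -Hours $Hours
Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive $ttl
Write-Host "Added $User to $Group for $Hours hour(s); expires $((Get-Date).Add($ttl))"

# 3. Verify. With -ShowMemberTimeToLive, temporary members are returned in the form
#    <TTL=<seconds remaining>,<DN>>; permanent members are returned as a plain DN.
$members = (Get-ADGroup -Identity $Group -Property member -ShowMemberTimeToLive).member
$members | ForEach-Object { Write-Host "  $_" }

# 4. Audit. Any member without a TTL bypasses the JIT control entirely; in a group that
#    holds CA or template rights that is a finding, not a convenience.
$permanent = $members | Where-Object { $_ -notmatch '^<TTL=\d+,' }
if ($permanent) {
    Write-Warning "Permanent members of $Group (no TTL):"
    $permanent | ForEach-Object { Write-Warning "  $_" }
}
else {
    Write-Host "All members of $Group are time-bound."
}
```

Run it from an account that can modify the group, on a host with RSAT's ActiveDirectory module. Two practical caveats: the one-time feature enablement is a forest-wide, non-reversible change and belongs in a change record rather than in the daily elevation script, and the audit in step 4 should run on its own schedule against every group that the CA and template ACLs reference, since a single permanent member silently defeats the whole JIT model.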