
Provisioning users to highly privileged roles SHALL NOT occur outside of a PAM system.

Why This Matters

When highly privileged roles like Global Administrator are provisioned outside of a privileged access management (PAM) system, you lose the ability to audit, approve, and time-limit those elevated permissions. This increases the risk of standing admin access that attackers can exploit or misuse without oversight. A PAM system enforces just-in-time access and proper approval workflows for critical roles.

What Aether365 Checks

Aether365 validates that all user provisioning into highly privileged roles within Microsoft Entra ID occurs through a PAM system such as Microsoft Privileged Identity Management (PIM). This check appears in the Aether365 dashboard under the entra-id category as CISA.MS.AAD.7.5.
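As an added illustration of the condition this check targets (not Aether365's own code), the script below flags standing, non-time-bound active assignments to a highly privileged role. It assumes records shaped like Microsoft Graph `unifiedRoleAssignmentScheduleInstance` objects and uses permanent `Assigned` entries with no `endDateTime` as the proxy for provisioning that bypassed PIM's time-limited activation; the sample records are constructed.

```python
"""Flag standing (permanent) active assignments to highly privileged Entra ID
roles, the standing-access condition MS.AAD.7.5 is meant to prevent.

Records mimic Graph unifiedRoleAssignmentScheduleInstance objects
(principalId, roleDefinitionId, assignmentType, memberType, startDateTime,
endDateTime). In a real tenant they would come from
GET /roleManagement/directory/roleAssignmentScheduleInstances.
"""
from dataclasses import dataclass

# Well-known Entra ID role template ID for Global Administrator.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
HIGHLY_PRIVILEGED_ROLES = {GLOBAL_ADMIN}


@dataclass
class Finding:
    principal_id: str
    role_definition_id: str
    reason: str


def is_standing_assignment(rec: dict) -> bool:
    """True when the role is actively held with no scheduled end.
    A PIM activation shows up as assignmentType 'Activated' with an
    endDateTime; a permanent direct grant is 'Assigned' with endDateTime None."""
    return rec.get("assignmentType") == "Assigned" and rec.get("endDateTime") is None


def audit_privileged_assignments(records: list, privileged_roles=HIGHLY_PRIVILEGED_ROLES) -> list:
    """Return one Finding per standing assignment to a highly privileged role."""
    findings = []
    for rec in records:
        role = rec.get("roleDefinitionId")
        if role in privileged_roles and is_standing_assignment(rec):
            findings.append(Finding(rec["principalId"], role,
                                    "permanent active assignment, not time-bound via PIM"))
    return findings


# Constructed sample data, not real tenant output.
SAMPLE_RECORDS = [
    {"principalId": "user-alice", "roleDefinitionId": GLOBAL_ADMIN, "assignmentType": "Activated",
     "memberType": "Direct", "startDateTime": "2024-05-01T08:00:00Z", "endDateTime": "2024-05-01T16:00:00Z"},
    {"principalId": "user-bob", "roleDefinitionId": GLOBAL_ADMIN, "assignmentType": "Assigned",
     "memberType": "Direct", "startDateTime": "2023-01-10T00:00:00Z", "endDateTime": None},
    {"principalId": "user-carol", "roleDefinitionId": "non-privileged-role-id", "assignmentType": "Assigned",
     "memberType": "Direct", "startDateTime": "2023-01-10T00:00:00Z", "endDateTime": None},
]

if __name__ == "__main__":
    for f in audit_privileged_assignments(SAMPLE_RECORDS):
        print(f"{f.principal_id}: {f.role_definition_id} -> {f.reason}")
```

Note that PIM can itself create permanent active assignments when its role settings allow it, so a hit here means standing access to review, not proof that PIM was bypassed.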
