Thanks, LegoVader, for confirming where 3rd party PAM would fit.
Actually, I was just toying with the idea that Alexmags1337 brought forth. That is excellent. So let me elaborate on it and help you help me.
So what you are saying is, we create one Entra group and then write that group back under the built-in "Domain Admins" group as a child group (member of).
Now, with the help of Governance entitlement packages of Entra, an eligible user will be added to this written-back group.
The group will be written back to AD and now this user can use his PAW (which again will be the modern PAW as explained in this blog by protecting the Tier 0 logon flow via an https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-deployment and https://azure.microsoft.com/en-us/products/virtual-desktop/).
So this way we can utilize the Entra solution to realize just-in-time PIM for AD.
Did I interpret you correctly?