What PAM controls
PAM exists because privileged accounts — Global Administrators, domain admins, root accounts, service accounts with broad permissions — are the highest-impact compromise targets. A PAM platform vaults credentials (they're checked out for a session, not held by humans), enforces just-in-time elevation (an account is only privileged for the minutes it needs to be), records sessions (full keystroke and screen capture of privileged work), and separates duties (the person approving access is not the person using it).
Entra PIM versus enterprise PAM
Microsoft Entra PIM covers the cloud slice: Entra roles, Azure resource roles, M365 admin roles. It's just-in-time and time-bound. It's not a credential vault — the user's identity is still theirs; what changes is the role assignment lifetime. Enterprise PAMs (CyberArk, BeyondTrust, Delinea) cover the harder ground: domain admin accounts, Linux root, network device credentials, service-account secrets, third-party SaaS shared admin accounts. Australian mid-market organisations running Microsoft 365 typically start with Entra PIM for the M365 stack and add an enterprise PAM when the on-premises or infrastructure scope grows.
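As an added example (not from the original page or from Microsoft), the time-bound role assignment described above expressed with the Microsoft Graph PowerShell SDK: a self-activation of an eligible role for a fixed two-hour window with a justification, followed by a review of active directory-role assignments that flags any with no end time, which is standing privilege PIM is not bounding. Assumed: the Microsoft.Graph modules are installed, the signed-in account holds an eligible assignment for the role named below, and the role name and change reference are placeholders.

```powershell
# Added example: time-bound PIM self-activation plus a standing-privilege check.
# Assumes Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users are installed
# and the signed-in account is eligible for the role below (placeholder choice).
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory",
                        "RoleManagement.Read.Directory", "User.Read" -NoWelcome

$roleName = "Exchange Administrator"   # placeholder: use a role you are eligible for
$me   = Get-MgUser -UserId (Get-MgContext).Account
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"

# Self-activate for two hours only. The identity stays the user's own;
# it is the role assignment that gets a lifetime (ISO 8601 duration).
$request = @{
    Action           = "selfActivate"
    PrincipalId      = $me.Id
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"
    Justification    = "CHG-0000 (placeholder): mailbox migration window"
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "AfterDuration"; Duration = "PT2H" }
    }
}
$result = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $request
"Activation request {0}: status {1}" -f $result.Id, $result.Status

# Review: an active assignment instance with no EndDateTime is permanent privilege
# outside the just-in-time model; those principals are candidates for eligible-only.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All |
    ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All |
    Select-Object PrincipalId,
        @{ n = "Role";     e = { $roleNames[$_.RoleDefinitionId] } },
        @{ n = "EndsAt";   e = { $_.EndDateTime } },
        @{ n = "Standing"; e = { $null -eq $_.EndDateTime } } |
    Sort-Object Standing -Descending |
    Format-Table -AutoSize
```

If the role's PIM policy requires approval, the request status comes back as pending rather than provisioned, and the assignment only appears in the active instances once an approver (a different person, per the separation-of-duties point above) has granted it.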