PAM relies on the following components:
Active Directory management forest: A management forest is used to manage the existing forest(s) via a one-way trust. Customers who already have a secured management forest, sometimes called a "red" forest, can use this management forest for PAM. If you only have a single forest, you need to create a new management forest.
PAM Client: This is a PowerShell cmdlet or a custom solution that uses the PAM REST API, such as the open-source PAM API portal we will discuss later.
MIM service: This is used as the PAM request and approval pipeline.
MIM database: This holds MIM resources (objects), attributes, and requests.
PAM services: These are the PAM REST API, PAM component service, and PAM monitoring service.
PAM REST API: This is only used by a custom PAM client and provides a mechanism for PAM interactions such as roles, requests, request approvals, and session operations.