We can summarize the end user interaction in four steps, as follows:
After PAM is deployed, a user in one of the corporate forests (for us TFC), will request the role activation (some sort of elevation) of a secondary account that resides in a managed domain. If the request is performed via the PowerShell cmdlet, then a call is made directly to the MIM service, whereas if a custom PAM client is used, then the call is made to the REST API first, which interacts with the MIM service.
If the role request requires approval, then we will wait for approval. In Windows 2012 R2 deployments, once approved or autoapproved, the MIM service account (in the management forest) adds the end user's secondary account (in the management forest) to a shadow group (in the management forest). The SID of the sourced TFC group will be in the shadow group's SID History. Note that we did not change the membership of any TFC groups; however, you will see the shadow group membership change.
The person...