Hi,
Thanks for posting on our forum!
After my research, it is my pleasure to first clarify a couple of factors in your question, so that you can resolve the confusion by yourself. PAM/MIM should belong to a feature called the shadow principal, and this feature, from my perspective, can be included in both the Bastion forest and the Red forest. In both forests, PAM/MIM can be used in a custom architecture for isolated environments where Internet access is not available, where this configuration is required by regulation, or in high-impact isolated environments like offline research laboratories and disconnected operational technology or supervisory control and data acquisition environments. So you can see, it is PAM/MIM that the Red forest contains.
When it comes to Bastion Forest vs. Red forest (ESAE), they can be used interchangeably, and the former is the latter's updated version. The Enhanced Security Admin Environment (ESAE) architecture (often referred to as red forest, admin forest, or hardened forest) is an approach to provide a secure environment for Windows Server Active Directory (AD) administrators. However, Microsoft's recommendation to use this architectural pattern has been replaced by the modern privileged access strategy and rapid modernization plan (RAMP) guidance as the default recommended approach for securing privileged users. And a bastion forest is a kind of modern privileged access strategy. If you already have ESAE, there is no urgency to retire or replace an ESAE implementation if it is being operated as designed and intended. Microsoft also recommends that organizations with ESAE / hardened forests adopt the modern privileged access strategy using the rapid modernization plan (RAMP) guidance. If you do not have ESAE, we recommend that you directly use a Bastion forest to adopt the modern privileged access strategy.
Here are some articles that can help you better understand the development of our security strategy for AD accounts:
Understanding Microsoft’s New Privileged Access Management Strategy
https://www.semperis.com/blog/good-riddance-red-forest-understanding-microsofts-new-privileged-access-management-strategy/
Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
Planning a bastion environment
https://learn.microsoft.com/en-us/microsoft-identity-manager/pam/planning-bastion-environment
ESAE Retirement
https://learn.microsoft.com/en-us/security/compass/esae-retirement
ESAE series part 3 – Privileged access management & the shadow principal feature
https://www.teal-consulting.de/en/2018/08/14/esae-series-part-3-privileged-access-management-and-the-shadow-principal-feature/
Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
Thanks for your support! Besides, would you please help me by clicking Accept Answer? An accepted answer can be put at the top of our forum, so that people who have a similar issue can get access to the solution more quickly.
BR,
Joan
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
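As an added example (not part of the original answer, and not Microsoft's own tooling), the following PowerShell audits the shadow principal feature the answer describes: it lists every shadow principal in a bastion (PAM) forest, the production-forest group SID it maps to, and which bastion accounts currently hold time-limited membership in it, including the seconds remaining. It assumes it is run in the bastion forest on a machine with the ActiveDirectory module, that the "Privileged Access Management Feature" optional feature is enabled there (which creates the Shadow Principal Configuration container), and that the account running it can read the configuration partition. The function name `Get-ShadowPrincipalAudit` is an assumption for this example.

```powershell
# Added example: audit shadow principals in a bastion forest.
# Assumes the ActiveDirectory module and an enabled PAM optional feature.
Import-Module ActiveDirectory

function Get-ShadowPrincipalAudit {
    $rootDse  = Get-ADRootDSE
    $configNC = $rootDse.configurationNamingContext

    # Confirm the PAM optional feature is enabled; without it there are no shadow principals.
    $pamFeature = Get-ADOptionalFeature -Filter 'Name -like "Privileged Access Management*"'
    if (-not $pamFeature -or $pamFeature.EnabledScopes.Count -eq 0) {
        Write-Warning "PAM optional feature is not enabled in this forest; nothing to audit."
        return @()
    }

    $shadowContainer = "CN=Shadow Principal Configuration,CN=Services,$configNC"

    # -ShowMemberTimeToLive returns temporary members as "<TTL=<seconds>,<DN>>" strings,
    # so the remaining lifetime of each just-in-time membership is visible.
    $shadowPrincipals = Get-ADObject -SearchBase $shadowContainer `
        -Filter 'objectClass -eq "msDS-ShadowPrincipal"' `
        -Properties member, 'msDS-ShadowPrincipalSid' -ShowMemberTimeToLive

    foreach ($sp in $shadowPrincipals) {
        # msDS-ShadowPrincipalSid is the SID of the group in the production forest.
        # Depending on module version it may come back as a SecurityIdentifier or as raw bytes.
        $rawSid = $sp.'msDS-ShadowPrincipalSid'
        $prodSid = if ($rawSid -is [byte[]]) {
            New-Object System.Security.Principal.SecurityIdentifier($rawSid, 0)
        } else {
            [System.Security.Principal.SecurityIdentifier]$rawSid
        }

        foreach ($entry in @($sp.member)) {
            if ($entry -match '^<TTL=(?<ttl>\d+),(?<dn>.+)>$') {
                $memberDn  = $Matches['dn']
                $ttl       = [int]$Matches['ttl']
                $temporary = $true
            } else {
                # A member with no TTL is permanent, which defeats the point of PAM
                # and is worth flagging during review.
                $memberDn  = $entry
                $ttl       = $null
                $temporary = $false
            }

            [pscustomobject]@{
                ShadowPrincipal  = $sp.Name
                ProductionSid    = $prodSid.Value
                Member           = $memberDn
                Temporary        = $temporary
                SecondsRemaining = $ttl
            }
        }
    }
}

# Usage: show the audit, with permanent (non-expiring) memberships listed first.
Get-ShadowPrincipalAudit | Sort-Object Temporary, ShadowPrincipal | Format-Table -AutoSize
```

Reviewing the `Temporary` column is the useful part: every membership a shadow principal grants through PAM should carry a TTL, so any row reporting `False` indicates someone added a member directly rather than through a PAM request and should be investigated.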