Securing Privileged Access with JIT, JEA, PAM, PIM: Oh the Confusion

From time to time (every other day), I get asked why, and what does it mean for me. Below is a high-level overview of the what, how, and why. Start with the videos on the topic and then move to the reference links.

Cyber Security Reference Architecture: https://channel9.msdn.com/Blogs/Taste-of-Premier/ToP1808 or https://www.youtube.com/watch?v=AeMalNggPZU

Privileged Access Why: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access

How can privileged access be managed?

Why PAM

  • Add protection to privileged accounts
  • Re-establish control over Active Directory
  • Insight into how admin accounts are used

Security Advantages (helps mitigate the following attacks)

  • Pass-the-Hash
  • Pass-the-Ticket
  • Spear phishing

How does this work

  • Shadow Security principals
  • Time-limited group membership
  • PAM cross-forest trust
  • PAM workflow (MIM)

What about Azure? Microsoft has you covered; we call it PIM.

Azure AD Privileged Identity Management helps your organization

Videos on PIM:

https://channel9.msdn.com/Blogs/Azure/Windows-Azure-Multi-Factor-Authentication?ocid=player

https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/Azure-AD-Privileged-Identity-Management

What it can do for you in Azure

  • See which users are assigned privileged roles to manage Azure resources (Preview), as well as which users are assigned administrative roles in Azure AD
  • Enable on-demand, “just in time” administrative access to Microsoft Online Services like Office 365 and Intune, and to Azure resources (Preview) of subscriptions, resource groups, and individual resources such as Virtual Machines
  • See a history of administrator activation, including what changes administrators made to Azure resources (Preview)
  • Get alerts about changes in administrator assignments
  • Require approval to activate Azure AD privileged admin roles (Preview)
  • Review membership of administrative roles and require users to provide a justification for continued membership

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/active-directory-securing-privileged-access

Cheers

David @TheMIMGuy
