Frequently Asked Questions

Find answers to common questions about PAM-Pro's architecture, deployment limits, and compliance boundaries.

What accounts can PAM-Pro vault?

PAM-Pro can vault the password of any account that exists in Microsoft Entra ID - including Global Administrator accounts, service accounts, break-glass accounts, and any other privileged identity. It is entirely up to the customer to decide which accounts they vault within their customer-specific Azure Key Vault.

Huntoso does not hold or have persistent access to your keys - the customer has their own Key Vault but it sits in the provider tenant. Key Vaults that sit in the customer tenant are an add-on feature coming soon.

The cryptographic boundary depends on your tier:

  • Standard SaaS / On-Premise: FIPS 140-2 Level 1 - software-protected keys in Azure Key Vault (Standard tier).
  • HSM Add-on: FIPS 140-3 Level 3 - hardware-protected keys in Azure Key Vault (Premium / Managed HSM tier) with full tamper-resistance and physical key isolation.

What if Entra ID experiences an outage?

Every aspect of PAM-Pro is built on Entra ID modern authentication mechanisms. Be it the SSO authentication for your user into the SaaS web platform, the password rotation mechanism from Huntoso compute nodes to your customer-specific (HSM) backed Key Vault, or the workload identity federation authentication mechanism that resets passwords in your customer tenant. When Entra ID experiences an outage, the product will also experience disruption. The depth and breadth of this Microsoft Service provider outage scopes the effect of the PAM-Pro outage.

What happens when a Just-In-Time session expires?

At TTL expiration, the automation engine immediately fires a revocation workflow. The target user is removed from the privileged Entra ID group and all active authentication tokens are invalidated across Microsoft 365 services. The event is logged to the WORM audit trail with a tamper-evident hash.

Do we need Entra ID P2 licenses?

No. Standard P1 covers all core PAM-Pro functionality including JIT access, rotation, and audit logging. However, the Risk-Based Credential Rotation feature and Identity Protection signal integration require Entra ID P2 (or Microsoft 365 E5 / Business Premium). Environments without P2 will bypass risk analytics but retain full governance capability.

Is PAM-Pro available in EU data regions?

No. PAM-Pro is currently deployed in United States Azure regions only. EU data residency is not available at this time.

© 2026 Huntoso LLC. All rights reserved.

Contact Support