Forum Discussion
Enable MFA for Azure AD Privileged roles
At least based on my experience, if the admin does not have MFA in place, PIM will force it when authenticating to the PIM tool.
Secondly, to protect the credentials there are a few points to think about:
- credential to use
- federated or non-federated credential
- while the basic idea in cloud is to connect from any device, the question is how you would like to limit it using Conditional Access policies that do not cover your whole network. No - instead the admin account can only sign in from a specific network segment or device in the internal network, which opens new security risks. What if the admin does surf and turf at the same time in that session and gets malware, as an example, and it starts to spread inside the "admin workstation segment", polluting the devices on that segment? This opens a new question: what are the solutions for administering cloud services if we don't want to do it from any of our networks, while the admin network is also used to manage internal services in our production? Should we create a second admin network with a terminal server, or utilize Azure RDP / Azure Citrix services, or traditional VMs in Azure? One example could be: deploy a secure Windows 10 VM to Azure for admin purposes, do all the hardening that is needed, then create a Conditional Access policy to protect the login with these admin credentials only from these PCs, and if that is not enough you can deploy your own firewall services in Azure through which you go out to any cloud services.
Just some lessons learned and thoughts on what has been done over the years.
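The Conditional Access approach described in the post (admin roles may only sign in from a hardened admin workstation / network, and always with MFA) can be expressed as two policies through the Microsoft Graph PowerShell SDK. The script below is an added example and is not code from the original post; it assumes the `Microsoft.Graph` module is installed, that a named location for the admin network already exists (its ID is the placeholder `<ADMIN-NAMED-LOCATION-ID>`), and that a break-glass account exists (placeholder `<BREAK-GLASS-ACCOUNT-OBJECT-ID>`). The Global Administrator role template ID is the well-known directory value; both policies are created in report-only mode so sign-in logs can be reviewed before anyone is locked out.

```powershell
# Added example (not from the original post). Requires: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Well-known role template ID for Global Administrator; add further privileged
# role template IDs here (e.g. Privileged Role Administrator) as needed.
$privilegedRoles = @("62e90394-69f5-4237-9190-012177145e10")

# Placeholders - replace with values from your own tenant before use.
$adminNamedLocationId = "<ADMIN-NAMED-LOCATION-ID>"      # named location = admin network / VM egress
$breakGlassAccountId  = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>" # emergency account kept outside both policies

# Policy 1: privileged roles must use MFA on a compliant (managed, hardened) device.
$requireMfaAndDevice = @{
    displayName = "Admins - require MFA and compliant device"
    state       = "enabledForReportingButNotEnforced"   # report-only first, switch to "enabled" after review
    conditions  = @{
        users          = @{ includeRoles = $privilegedRoles; excludeUsers = @($breakGlassAccountId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator         = "AND"                          # both controls are required
        builtInControls  = @("mfa", "compliantDevice")
    }
}

# Policy 2: block privileged roles from any location except the admin named location.
$blockOutsideAdminNetwork = @{
    displayName = "Admins - block sign-in outside admin network"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeRoles = $privilegedRoles; excludeUsers = @($breakGlassAccountId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($adminNamedLocationId) }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfaAndDevice
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockOutsideAdminNetwork

# Verify both policies were created and are still in report-only mode.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like "Admins - *" } |
    Select-Object DisplayName, State
```

Run it with an account that can manage Conditional Access, then check the sign-in logs (report-only result column) for a few days before flipping `state` to `enabled`. The break-glass exclusion is what keeps the tenant recoverable if the admin named location or device compliance service becomes unavailable; that account should be cloud-only with a long random password and its sign-ins alerted on.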