Historically, we could assign an employee to an administrative role through the Azure portal or through Windows PowerShell and that employee would be a permanent administrator; their elevated access would remain active in the assigned role. Azure AD PIM introduced the concept of permanent and eligible administrators in Azure AD and Azure. Permanent administrators have persistent elevated role connections; whereas, eligible administrators have privileged access only when they need it. The eligible administrator role is inactive until the employee needs access, then they complete an activation process and become an active administrator for a set amount of time.
For example, leverage Just-in-Time access to "Assign" an Administrator access to the CLI to run commands against the cluster during the allotted timeframe.
For more information please refer to the document below to enable Just-in-Time access for your administrators.
Use Azure AD in Azure Kubernetes Service - Azure Kubernetes Service | Microsoft Docs