The new Microsoft Graph APIs should allow Azure AD roles that are scoped to AUs to be created in a way that is PIM eligible via API or script. It appears this is possible through the GUI and old APIs, but is not yet present in the new ones.