Remember that those are all recommendations/best practices, Microsoft cannot possibly account for all the different variations in which each of these controls can be satisfied across thousands of customers. I have similar "issues" with this and other controls (CA are the worst), but it's not all about the score. Review the recommendations, take any actions if necessary, benefit from the increased security and ignore the few missing points.

At least based on my experience, if the admin does not have MFA in Place the PIM Will force it when authenticating to the PIM tool.

Secondly to Protect the credentials there are few points to thingk.

- credential to use

- federated or non federated credential

- while Basic idea in cloud is to connect from any device the question is how you would like to limit it using conditional Access policies that does not cover your whole Network. No - instead the admin account can only sign in from specific Network segment or device in internal Network witch opens new Security risks. What if the admin surf and turf same time in that session and got malware as and example and it start to spread inside the "admin Workstation segement" polluting the devices on that segment. This opens a new question what are the solution to admin cloud services if we dont want to do it from any of our Network while also the admin Network is used to manage internal services in our production. Should we create second admin Network with terminal server or utilize azure RDP / Azure Citrix services or traditional VM's in Azure what can be one example. Deploy Secure Windows 10 VM to Azure for admin purpose, do all hardening what is needed, then create conditional Access policy to it to Protect the login with these admin credentials only from this PC's and if not enough you can deploy your own Firewall services in azure you go out to the any cloud services. 

Just some lessons learned and thoughts what have been done during years.