Azure Privileged Identity Management
Why would you install and configure Azure PIM? Well, the answer is straightforward; it makes the security better within Azure. So what is PIM? It is a solution to allow only access to a privileged role within Azure only when needed, so instead of having constant Global Administrator access, you must request it each time you need to do administrative tasks. Now since Global Admin is the highest admin role there is, it would be best to push the roles that are only required, so if a user needs to change something related to SharePoint, then the user must request access to the SharePoint administrator role. Since the role is assigned to the user-specified by the user, then the user's default time is allowed to be active within the role is 8 hours; after that, the role is automatically removed.
As you can see in this screenshot, I have accessed the group through Azure Active Directory, “roles and administrators.” From there, you can click on Eligible assignment.
From there, you can select the member you want to allow as eligible access.
But before you continue, you must select “Eligible” within settings if it is not already established. You can also choose if the user should have permanently eligible access or if the assignments start from a specific date to a particular date.
If you want managers or some other employees to approve the membership before it can be assigned, then you can click on the settings.
Here we have different options that you can configure to enhance the experience of role assignment. You can configure maximum duration, so the default is 8 hours; you can then set it to 4 hours, and after the 4 hours, the user will be removed from the role automatically.
You can also set notifications within the role, so you can send messages to specific members every time role has been assigned.
This was only meant to be a short article, but by this, you now know how to enhance your security within Microsoft 365 roles.