Overview
With Azure Active Directory (Azure AD), a Global administrator can make permanent Azure AD admin role assignments. These role assignments can be created using the Azure portal or using PowerShell commands.
The Azure AD Privileged Identity Management (PIM) service also allows Privileged Role Administrators to make permanent admin role assignments. Additionally, Privileged Role Administrators can make users eligible for Azure AD admin roles. An eligible administrator can activate the role when they need it, and then their permissions expire once they’re done.
Make a user eligible for a role
Sign in to the Azure portal.
If you haven’t started PIM in the Azure portal yet, go to
Enabling Azure AD Privileged Identity Management (PIM)
Click Azure AD roles.
Click Roles or Members, then Click Add member to open Add managed members.
Click Select a role, click a role you want to manage, and then click Select.
Click Select members, select the users you want to assign to the role, and then click Select.
In Add managed members, click OK to add the user to the role.
In the list of roles, click the role you just assigned to see the list of members.
When the role is assigned, the user you selected will appear in the members list as Eligible for the role.
Now that the user is eligible for the role, let them know that they can activate it.
Eligible administrators are asked to register for Azure Multi-Factor Authentication (MFA) during activation.
Abou Conde's Blog 