I met many customers in consulting roles and workshops, mostly ask questions about differences between PIM, PAM, PAW.
Enforce multi-factor authentication (MFA) for all administrative accounts.
Implement Azure Active Directory (Azure AD) Privileged Identity Management (PIM) to apply just-in-time privileged access to Azure AD and Azure resources. You can also discover who has access and review privileged access.
Implement privileged access management in Office 365 to manage granular access control over privileged admin tasks in Office 365.
Configure and use Privileged Access Workstations (PAW) to administer services. Do not use the same workstations for browsing the Internet and checking email not related to your administrative account.
Ensure accounts that are synchronized from on-premises are not assigned admin roles for cloud services. This helps prevent an attacker from leveraging on-premises accounts to gain administrative access to cloud services.
Ensure service accounts are not assigned admin roles. These accounts are often not monitored and set with passwords that do not expire. Start by ensuring the AADConnect and ADFS services accounts are not Global Admins by default.
Remove licenses from admin accounts. Unless there is a specific use case to assign licenses to specific admin accounts, remove licenses from these accounts.
May vary functionalities as per (Includes E3 & E5 SKUs for AADP, EMS or Microsoft 365)
if you like to go deeper then click on the link below,
feel free to add or give valuable feedback and more recommendations.