Enable PIM for a specific device only
If a user requests a PIM activation, approvers should have the ability to restrict privileged access from the device the access was requested from.
Consider a scenario where an attacker is able to convince an administrator to escalate their privileges for some (fake) legitimate reason (e.g. "I need a new site collection in SharePoint Online"). If we assume the attacker has compromised the administrator's identity, they would then be able to take on the administrator's privileges from a remote location.
If the administrator's elevated privileges were restricted to a specific device, the attack would fail.
Wesley Trust commented
Yes, it would be good to integrate this with Conditional Access; however, you cannot target the PIM Cloud App, nor a specific role activation, right now.
Jian An Lim commented
I would say use Conditional Access. If every user has signed up for MFA, or has a domain-joined device or an Intune-managed device, then they need to be able to sign in anywhere with those conditions. It eliminates any external attack, unless the user just presses MFA when it prompts without even thinking.
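The Conditional Access approach the comments describe, worked out as an added example that is not from the original thread: a policy scoped to holders of a privileged directory role (the closest available scoping, since the PIM app and individual role activations cannot be targeted) that requires sign-in from a compliant or hybrid-joined device. It assumes the Microsoft.Graph PowerShell module and an account allowed to write Conditional Access policies; the role template ID and break-glass account ID are placeholders.

```powershell
# Added example, not code from the original thread. Creates a Conditional Access
# policy that requires members of a privileged directory role to sign in from a
# compliant (Intune-managed) or hybrid Azure AD joined device.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholder: the template ID of the role to protect.
# Look it up with: Get-MgDirectoryRoleTemplate | Select-Object DisplayName, Id
$roleTemplateId = "<ROLE-TEMPLATE-ID>"

$policy = @{
    displayName = "Privileged roles: require managed device"
    # Report-only first: the sign-in logs show which administrator sessions
    # would be blocked before anyone is actually locked out.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeRoles = @($roleTemplateId)
            # Placeholder break-glass account, excluded so an Intune or
            # hybrid-join outage cannot lock every administrator out.
            excludeUsers = @("<BREAK-GLASS-USER-OBJECT-ID>")
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # OR: either a compliant device or a hybrid-joined device satisfies the
        # policy. A stolen password plus a pushed MFA prompt does not, because
        # neither control can be met from an unmanaged remote machine.
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Switch `state` to `enabled` only after the report-only results confirm that every role holder already signs in from a managed device.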