Great content, as per your usual 🙂 I'd add that you can use role-assignable groups to help protect against the last issue discussed about using PIM for groups.
@patrick__007 2 months ago
Really helpful! We have planned to implement PIM next week! 🎉
@patrick__007 A month ago
Configured the Group to be activated by using an Authentication Context. Therefore I've created an Authentication Context in Entra, a Conditional Access policy pointed to that Authentication Context, a PIM group, and forced the use of 2FA. The result is that while activating the group no 2FA is enforced.
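The set-up described in the comment above has three pieces that must line up: the authentication context must be published, a Conditional Access policy must target that context, and that policy must be in the enforced state with an MFA grant control. The following PowerShell script is an added diagnostic example, not the commenter's configuration or anything from the video; it assumes the Microsoft.Graph.Identity.SignIns module is installed and that the signed-in account holds the Policy.Read.All permission, and it prints, per authentication context, which Conditional Access policies reference it and whether they are actually enforced.

```powershell
# Added diagnostic example (not the commenter's configuration). Assumes the
# Microsoft.Graph.Identity.SignIns module is installed and the signed-in
# account has been granted Policy.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All"

$contexts = Get-MgIdentityConditionalAccessAuthenticationContextClassReference -All
$policies = Get-MgIdentityConditionalAccessPolicy -All

foreach ($ctx in $contexts) {
    "Authentication context $($ctx.Id) '$($ctx.DisplayName)' published=$($ctx.IsAvailable)"

    # A PIM activation tagged with this context is only challenged if some
    # Conditional Access policy includes the context in its target applications.
    $matching = $policies | Where-Object {
        $_.Conditions.Applications.IncludeAuthenticationContextClassReferences -contains $ctx.Id
    }

    if (-not $matching) {
        "  WARNING: no Conditional Access policy targets this context; activation will not be challenged"
        continue
    }

    foreach ($p in $matching) {
        $controls = @($p.GrantControls.BuiltInControls) -join ","
        $strength = $p.GrantControls.AuthenticationStrength.DisplayName
        "  policy '$($p.DisplayName)' state=$($p.State) builtIn=[$controls] strength=$strength"

        # Report-only (enabledForReportingButNotEnforced) and disabled policies
        # log a result but never prompt the user.
        if ($p.State -ne "enabled") {
            "  WARNING: policy '$($p.DisplayName)' is not enforced (state=$($p.State))"
        }
        if (-not $controls -and -not $strength) {
            "  WARNING: policy '$($p.DisplayName)' grants access without an MFA or authentication-strength control"
        }
    }
}
```

Run it in a session where the Microsoft Graph PowerShell SDK is available; a context with no matching policy, a policy left in report-only mode, or a policy whose grant controls carry neither an MFA built-in control nor an authentication strength are the three configurations in which the activation completes without a second-factor prompt.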
@patrickhorne3045 2 months ago
Valid point about the Emergency Access accounts and excluding them not only from CA policies but also making them permanent GA, but why would you make "other administrators" the approvers for privileged roles? In my mind I would make department or team managers the approvers. If you need to elevate to GA, your team lead (who might not be technical themselves) would still want justification and maybe a change number to approve your request, but do they need to hold an admin role themselves? Or have I missed something?