Every organization should use Microsoft 365’s great user security (IAM) feature called Privileged Identity Management (PIM)
With a small amount of effort and a Microsoft Azure Active Directory (AAD) paid license you can remove all permanent administrators from your Microsoft 365 Cloud. Pretty nice, but we find it's seldom used out there in the world. Possibly due to price, but more realistically because folks do not understand it well yet.
PIM puts all security roles under management: users get a short-term privilege escalation upon approval, just enough to do their job for things like adding a new user. Each request is logged and an email notice is sent.
Call PIM Just-in-time privileged access if you want an easy way to think about it.
The PIM request process can be set up to require a different user to approve the activation (recommended). PIM can also be set to auto-approve once the requester completes MFA. The MFA approach is the most convenient but not always the most secure; still, if that is what it takes to get going, it's much better than doing nothing.
There is a bit of an annoyance when first using PIM, since you must request activation whenever you need to perform an admin task. However, once you see the gains, this small issue is well worth dealing with.
As you work with PIM more you will find an extensive set of things you can configure. More on that later, but for now it's easy to get started with the basics.
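A quick way to check whether a tenant has actually moved to just-in-time access is to count, per directory role, the permanent active assignments against the PIM-eligible ones. This is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Identity.Governance module) is installed and that the signed-in account may read role management data.

```powershell
# Added example, not from the original post: report standing (permanent) admins
# versus PIM-eligible members for every Azure AD / Entra ID directory role.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the account can read
# role management data with the scopes below.
$scopes = @("RoleManagement.Read.Directory", "RoleAssignmentSchedule.Read.Directory", "RoleEligibilitySchedule.Read.Directory")
Connect-MgGraph -Scopes $scopes

# Build a lookup from role definition ID to display name.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All |
    ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Active assignments: AssignmentType "Assigned" with no EndDateTime is a standing
# (permanent) administrator; "Activated" is a time-bound PIM activation that expires.
$active   = @(Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All)
$eligible = @(Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All)

$permanent = @($active | Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime })

# Every role that has at least one permanent or eligible member.
$roleIds = @($permanent + $eligible | Select-Object -ExpandProperty RoleDefinitionId -Unique)

$report = foreach ($roleId in $roleIds) {
    [pscustomobject]@{
        Role      = $roleNames[$roleId]
        Permanent = @($permanent | Where-Object RoleDefinitionId -eq $roleId).Count
        Eligible  = @($eligible  | Where-Object RoleDefinitionId -eq $roleId).Count
    }
}

# Roles with a non-zero Permanent count still carry standing administrators; the goal
# described above is to drive that column to zero by converting them to eligible.
$report | Sort-Object Permanent -Descending | Format-Table -AutoSize
```

Run it again after converting assignments in the PIM portal to confirm the Permanent column reaches zero for the roles you care about.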