There are plenty of articles and YouTube videos on this. But if your org has MFA enabled, good luck! You can start here:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/powershell-for-azure-ad-roles
You will not be able to make it work. And you will realize until you stumble upon this paragraph:
If you require multi-factor authentication for role activation, there is currently no way for PowerShell to challenge the user when they activate their role. Instead, users will need to trigger the MFA challenge when they connect to Azure AD by following this blog post from one of our engineers. If you are developing an app for PIM, one possible implementation is to challenge users and reconnect them to the module after they receive a “MfaRule” error.
So frustrating!!
However, the same post refers to a blog post by Anuj. I was surprised that Microsoft has referred to a 3rd party post from it’s own documentation! And it actually worked. Here is a little tweaked version of Anuj’s PowerShell:

function ActivatePIM{
# Get token for MS Graph by prompting for MFA, this is something I didn't understand completely, 
#but it didn't give the usual MFA experience, but it returned object as $MsResponse
$MsResponse = Get-MSALToken -Scopes @("https://graph.microsoft.com/.default") `
-ClientId "1b730954-1685-4b74-9bfd-dac224a7b894" `
-RedirectUri "urn:ietf:wg:oauth:2.0:oob" -Authority "https://login.microsoftonline.com/common" `
-Interactive -ExtraQueryParameters @{claims='{"access_token" : {"amr": { "values": ["mfa"] }}}'}     

# Get token for AAD Graph, this also worked at first attempt
$AadResponse = Get-MSALToken -Scopes @("https://graph.windows.net/.default") `
-ClientId "1b730954-1685-4b74-9bfd-dac224a7b894" `
-RedirectUri "urn:ietf:wg:oauth:2.0:oob" -Authority "https://login.microsoftonline.com/common"

#The following also worked at first attempt
Connect-AzureAD -AadAccessToken $AadResponse.AccessToken `
-MsAccessToken $MsResponse.AccessToken -AccountId: $myCloudUser -tenantId: $TenantID

# Call cmdlet which requires MFA, this seems to return the tenant Id
$resource = Get-AzureADMSPrivilegedResource -ProviderId AadRoles

$roleDefinition = Get-AzureADMSPrivilegedRoleDefinition `
-ProviderId AadRoles -ResourceId $resource.Id `
-Filter "DisplayName eq $RoleToActivate"

# The following will not work unless Connect-AzureAD worked successfully
$subject = Get-AzureADUser -Filter "userPrincipalName eq '$myCloudUser'"


$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type = "Once"
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
#Adding 8 hours, but change as you need
$schedule.EndDateTime = (Get-Date).AddHours(8).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")


Open-AzureADMSPrivilegedRoleAssignmentRequest `
-ProviderId AadRoles -Schedule $schedule -ResourceId $resource.Id `
-RoleDefinitionId $roleDefinition.Id -SubjectId $subject.ObjectId `
-AssignmentState "Active" -Type "UserAdd" -Reason "Admin tasks"

}

<#
The following is really a one time need. May be needed if you working on a new jump box
Don't run it every time
if(!(Get-Module | Where-Object {$_.Name -eq 'PowerShellGet' -and $_.Version -ge '2.2.4.1'})) { Install-Module PowerShellGet -Force }

This installs one time  
if(!(Get-Package msal.ps)) { Install-Package msal.ps }   
#> 

$myCloudUser = Read-Host "Provide your user Id: "


$TenantID = Read-Host "Provide your tenant Id: " #You can double check this from Azure AD, 

$RoleToActivate = Read-Host "Provide your role to activate: " #Example: 'SharePoint Administrator'
                                                              # Super important, single quotes around
                                                              # the role name

ActivatePIM