Looking for best practice ideas to secure an elevated account used in scripts. MFA really isn't an option.
You should never store credentials in plain text directly in scripts/config files. You should always use Azure AD apps / Service Principals.
MFA is the best practice, period. You can bypass the MFA requirement by whitelisting the IP address or using an AAD Joined device, while at the same time making sure that all external attempts will fail.
You can also use Azure Key Vault as your password repository, if you don't want to use MFA.
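The pattern suggested in the answers above (a service principal instead of a user account, with the password kept in Azure Key Vault) can look like the following PowerShell. This is an added example, not code from the thread: it assumes the Az.Accounts and Az.KeyVault modules, an app registration with a certificate credential, and read access for that service principal to the named secret. Every parameter value is a placeholder supplied by the caller.

```powershell
#Requires -Modules Az.Accounts, Az.KeyVault
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $TenantId,        # placeholder: directory (tenant) ID
    [Parameter(Mandatory)] [string] $ApplicationId,   # placeholder: app registration (client) ID
    [Parameter(Mandatory)] [string] $CertThumbprint,  # placeholder: certificate in the local store
    [Parameter(Mandatory)] [string] $VaultName,       # placeholder: Key Vault name
    [Parameter(Mandatory)] [string] $SecretName,      # placeholder: secret holding the password
    [Parameter(Mandatory)] [string] $AccountName      # placeholder: the elevated account's user name
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Fail early if the certificate (with its private key) is missing or expired.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My, Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $CertThumbprint -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "Certificate $CertThumbprint with a private key was not found." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $CertThumbprint expired on $($cert.NotAfter)." }

# Sign in as the service principal. No password or client secret appears in the script,
# and -Scope Process keeps the resulting context out of the on-disk Az profile.
Connect-AzAccount -ServicePrincipal -Tenant $TenantId -ApplicationId $ApplicationId `
    -CertificateThumbprint $CertThumbprint -Scope Process | Out-Null

try {
    # Get-AzKeyVaultSecret returns $null (not an error) when the secret does not exist.
    $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName
    if (-not $secret) { throw "Secret '$SecretName' not found in vault '$VaultName'." }

    # SecretValue is already a SecureString, so the clear text is never written to a variable.
    $credential = [pscredential]::new($AccountName, $secret.SecretValue)

    # Pass $credential to the cmdlet that needs the elevated account here.
}
finally {
    # Drop the service principal's session even if the work above throws.
    Disconnect-AzAccount -Scope Process | Out-Null
}
```

Restricting the certificate's private key to the account that runs the script, and granting the service principal access to that one secret only, limits what a copy of the script file alone can reach.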