Hello @Charles Root, a clean solution to achieve your goal would be to set up Azure Pipelines (a part of Azure DevOps) and use a Service Connection to connect to their Azure subscription to deploy your required infrastructure and code. Azure Pipelines has inbuilt tasks for everything you need (e.g. Web App deploy, SQL publish, etc.). Regarding security aspects, the service connection would need a one-time setup in your Azure DevOps instance using a service principal from their tenant. Or you can do it the other way, i.e. connect to your source control from their Azure DevOps instance using a Service Connection, if they want to keep the control on their side.
For any assistance with Azure DevOps, you can reach our Developer Community here, since it is not yet supported on the Microsoft Q&A platform.