Today, we are happy to announce the Public Preview of a Modern Auth unattended scripting option for use with Exchange Online PowerShell V2. This feature provides customers the ability to run non-inte...
Updated Jul 30, 2020
Version 6.0
Blog Post
JeremyTBradshaw I will let Microsoft reply all the details about how is it safer or not during the transaction, but for storing the password in clear this problematic is real for any kind of passwords. If the user store it in clear, it would have stored a normal login / password in clear also.
On our side we store those passwords in a Keypass with limited access, and when required to use them we write the scripts / programs to accept only a SecureString as string version of that password, and if possible with a C# Program, we use a separate DLL and force user to pass a SecureString to not be tempted to convert the password as clear himself in the code.
I guess this is an eternal question on how to secure a password for a script or program, and the answer is mostly about how to actually encrypt it and really limit who / what can decrypt it to the minimum required (e.g. when we deploy in PROD, only super admins have the service account password that will run the program and be used to encrypt then decrypt the password).