kristokruuser
Dec 09, 2025

More security around using Custom Script Extensions and Session Host Configuration

We are currently implementing and testing the new Session Host Configuration and Session Host Management features.

We rely on Custom Script Extensions to apply some functionality immediately to the newly deployed Session Hosts instead of waiting for GPOs or other mechanisms to take effect. We don't add these changes to the golden images.

Currently the Custom Script Extensions functionality definable in the Session Host Configuration only allows defining a script URL.

Screenshot: CSE URL in the Session Host Configuration as seen from the Azure Portal.

What is the intended mechanism of authentication for this solution? Currently it seems that it's only possible to use an anonymous-access-level Blob. Defining a token within the script URL is not great, due to the fact that the URL is viewable in plain text via the Azure Portal. Neither of those will satisfy.

Screenshot: CSE configuration by the Session Host Configuration during deployment.

Key Vault references are used when defining credentials for domain join and local admin accounts for the Session Hosts. Would it be possible to have Key Vault references for the CSE Storage Account Name/Key or SAS token, or the possibility to define a Managed Identity instead?

These can be defined when deploying the CSEs manually.

Screenshot: Available methods of CSE for authentication.

Please guide me as to what the best solution would be to this topic.

Many thanks in advance.
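For readers comparing the two patterns the post contrasts, the following is an added example (not code from the post, from Microsoft, or from the Session Host Configuration feature) of what the manually deployed Custom Script Extension already permits: the script URL stays in the unprotected `settings` block with no secret in it, and authentication to a private blob is done with the VM's system-assigned managed identity via `protectedSettings`, which the portal and API do not return in plain text. The VM name, storage account name (`stavdscripts`), container (`scripts`) and script name (`configure.ps1`) are assumed values; the example also assumes the VM already has a system-assigned identity enabled and the container is private. The post's other option, a storage account name and key, goes in the same `protectedSettings` block (`storageAccountName`/`storageAccountKey`) and is likewise kept out of the URL.

```bicep
// Added example, not code from the post or from Microsoft.
// Assumed names: VM 'vmName', storage account 'stavdscripts',
// private container 'scripts', script 'configure.ps1'.
param location string = resourceGroup().location
param vmName string
param storageAccountName string = 'stavdscripts'

resource vm 'Microsoft.Compute/virtualMachines@2023-03-01' existing = {
  name: vmName
}

resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}

// Weak pattern (what a URL-only field pushes you toward): a SAS token embedded
// in the unprotected 'settings' block, readable in plain text from the portal
// and the API by anyone with Reader on the VM:
//   settings: { fileUris: [ 'https://.../scripts/configure.ps1?sv=...&sig=...' ] }

// Hardened pattern: plain URL to a private blob, fetched with the VM's identity.
resource cse 'Microsoft.Compute/virtualMachines/extensions@2023-03-01' = {
  parent: vm
  name: 'CustomScriptExtension'
  location: location
  properties: {
    publisher: 'Microsoft.Compute'
    type: 'CustomScriptExtension'
    typeHandlerVersion: '1.10'
    autoUpgradeMinorVersion: true
    settings: {
      // No secret here: the container is private, so the URL alone grants nothing.
      fileUris: [ '${sa.properties.primaryEndpoints.blob}scripts/configure.ps1' ]
    }
    protectedSettings: {
      // protectedSettings are encrypted and are not returned by the API/portal.
      commandToExecute: 'powershell -ExecutionPolicy Unrestricted -File configure.ps1'
      // Empty object = use the VM's system-assigned managed identity to read the blob.
      // For a user-assigned identity use { clientId: '...' } or { objectId: '...' }.
      managedIdentity: {}
    }
  }
}

// The identity needs read access to the script blob. Least privilege is the
// built-in Storage Blob Data Reader role, scoped to this storage account only.
var storageBlobDataReader = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions',
  '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
)

resource scriptReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(sa.id, vm.id, storageBlobDataReader)
  scope: sa
  properties: {
    roleDefinitionId: storageBlobDataReader
    principalId: vm.identity.principalId
    principalType: 'ServicePrincipal'
  }
}
```

The design point is where the secret lives: with a SAS in `fileUris` the credential is part of the resource definition and shows up in deployment history, activity logs and the portal, whereas the managed-identity form has no credential to leak and access can be revoked or audited through the role assignment on the storage account.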