TL;DR

Terraform supports using Entra ID authentication to Azure Storage Accounts, and you can easily enable it.

TL;DR

Use different managed identities with different levels of permissions for your workflows. Limit damage if someone gets access, and prevent unintended consequences.

TL:DR; Both the AzureRM provider and the Remote Backend (if applicable) require authentication. I recommend using Environment variables/Azure AD or OpenID Connect where possible in pipelines. Azure CLI should be used locally. Avoid plaintext secrets, and never commit any secrets to version control!

Authentication to Azure from GitHub has required that you stored sensitive, time constrained secrets in GitHub. I am of course talking about the ClientSecret you get from creating an Azure AD App Registration.