In the past, I have successfully implemented the use of Office 365 Service Principals in Script Activities that are managing objects in tenants. Typically, this involves placing a certificate on the AR server and registering this certificate on the Service Principal in the tenant. This is pretty much identical to the way the AR service itself works with tenants.
The current best practices from Microsoft would tend to guide us towards using Managed Identities instead of service principals.
So far I haven't had any luck leveraging these from Script Activities or from Scheduled Task scripts run by the Admin service. The script fails to authenticate with the tenant. I believe this is because the PowerShell runtime instantiated by the Admin service doesn't pass the AR host's computer identity to the tenant.
I am curious if anyone has gotten this approach to work from "inside" of Active Roles as I have described above?