SSIS and SQL Agent – running jobs using proxy vs using MSA

We have multiple servers, each with its own SQL Server instance.

We have external companies that develop applications for us. This companies deploy SSIS packages and run them via SQL Agent.

I’m wondering how our setup should look like security vise.

Scenario 1

  • SQL Agent Service account – Local Virtual Account
  • SSIS login – personal domain login for each employee
  • Job owner – personal domain account of whoever created it
  • Step run as – domain proxy account

It seems quite "normal" scenario, but I’m not sure if it is still relevant. Microsoft changed some things concerning security and introduced Virtual and Managed Service Accounts couple years back. Yet many resources found online still do not mention them and it seems like they treat default service account the old way. So maybe it is now acceptable to use default SQL Service account to run the jobs? Like in scenario 2.

Scenario 2

  • SQL Agent Service account – Local Virtual Account
  • SSIS login – personal domain login for each employee
  • Job owner – personal domain account of whoever created it
  • Step run as – SQL Agent Service account

This uses Virtual Account to run the jobs, but Microsoft documentation mention that in case we need to access remote resources we should use MSA instead. And it is the case for us.

*When resources external to the SQL Server computer are needed, Microsoft recommends using a Managed Service Account (MSA), configured with the minimum privileges necessary. ** When installed on a Domain Controller, a virtual account as the service account isn’t supported.

Scenario 3

  • SQL Agent Service account – Managed Service Account (MSA)
  • SSIS login – personal domain login for each employee
  • Job owner – personal domain account of whoever created it
  • Step run as – SQL Agent Service account (MSA)

There is also a question about who should own the job. There is a possibility of creating generic SSIS login that would be used by everyone to deploy packages and this login would own all the jobs steps.

Scenario 4

  • SQL Agent Service account – Managed Service Account (MSA)
  • SSIS login – generic domain login for working with SSIS
  • Job owner – SSIS domain login
  • Step run as – SQL Agent Service account (MSA)

Which scenario would you recommend? Or maybe there is a different preferable scenario?