Option 1) The customer can use a DPA. A DPA should work, as long as their functional account is a local database account. This has been tested on 2.5.922 with a DPAv4. The test system, check password, and change password operations were all successful.
Option 2) Use a custom platform with a jump box. Code up a jump box that talks to the SQL Server instances.