Microsoft Lifecycle Services (LCS) is the Microsoft tool used to create new D365 environments. A generic service account must be created in Azure Active Directory (AAD) before any environments can be deployed.
Create the desired service account in AAD, for example email@example.com. Add this user to LCS as a Project Owner.
To deploy any environment, the user logged into LCS must be the service account above. When a new environment is deployed using this process, the admin account of the whole instance is set to the service account. When a database is promoted to another of your environments, or an environment is refreshed from another environment, the service account (admin) will be the only user who has access to that instance. The admin account can then log into the instance and enable other user(s).
It’s vital that this process is adhered to and the same service account is used to deploy ALL environments.