At a previous job I had several developers that had passwords for SQL authenticated accounts for systems that would give them more access than they needed when they had Windows accounts that would give them enough to troubleshoot issues. Our trick was to write a login trigger that would block any SQL Authentication accounts that were logged in with SSMS. Many a developer fell prey to our logon trigger and, because of the severity of the message, did not quite understand why. This made my troubleshooting life easy because I didn’t have to figure out if a developer ran something to fix something or if something legitimate was broken. Of course I made sure to not block my sa account just in case I needed it.
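-- Server-level logon trigger: fires for every new connection to the instance.
CREATE TRIGGER Developer_No_Logins_W_SQLAuth
ON ALL SERVER
FOR LOGON
AS
BEGIN
    -- Look for a session of the connecting login that comes from SSMS,
    -- has no Windows user name (SQL authentication), and is not sa.
    IF EXISTS (
        SELECT *
        FROM sys.dm_exec_sessions AS es
        WHERE es.login_name = ORIGINAL_LOGIN()
          AND es.program_name LIKE 'Microsoft SQL Server Management Studio%'
          AND es.nt_user_name IS NULL
          AND es.login_name <> 'sa'
    )
        ROLLBACK; -- rolling back inside a logon trigger refuses the connection
END;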
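
A variant of the trigger above, added here as an example and not the author's code: it evaluates only the connection being made, using EVENTDATA() and APP_NAME(), and leaves a line in the SQL Server error log for each refused login. The trigger name and message text are made up for the example.

```sql
-- Added example. Block_SQLAuth_From_SSMS is a hypothetical name.
CREATE TRIGGER Block_SQLAuth_From_SSMS
ON ALL SERVER
FOR LOGON
AS
BEGIN
    -- EVENTDATA() describes the logon event itself, so other sessions
    -- already open under the same login are not taken into account.
    DECLARE @login_type nvarchar(128) =
        EVENTDATA().value('(/EVENT_INSTANCE/LoginType)[1]', 'nvarchar(128)');

    -- APP_NAME() is whatever the client reports about itself, so this is
    -- a guardrail for honest tooling, not an access control.
    IF @login_type = N'SQL Login'
       AND ORIGINAL_LOGIN() <> N'sa'
       AND APP_NAME() LIKE N'Microsoft SQL Server Management Studio%'
    BEGIN
        -- PRINT output from a logon trigger is diverted to the error log,
        -- which gives a record of who was turned away and when.
        PRINT N'Logon refused: SQL login ' + ORIGINAL_LOGIN()
            + N' connected from SSMS (constructed message text).';
        ROLLBACK;
    END;
END;
GO

-- Review which logon triggers exist on the instance and whether they are active.
SELECT t.name, t.is_disabled, t.create_date
FROM sys.server_triggers AS t
JOIN sys.server_trigger_events AS e
    ON e.object_id = t.object_id
WHERE e.type_desc = N'LOGON';
GO

-- If a logon trigger starts refusing logins it should not, disable it
-- from a session that can still connect (sa is exempt above).
DISABLE TRIGGER Block_SQLAuth_From_SSMS ON ALL SERVER;
GO
```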