Securing a service account for each tenant

I have a requirement to create a service account in each tenant for use with automated tasks from external systems. However, I don’t want users within the tenant to have any control over this account, yet they should still be able to maintain their own users.
Is there a way to have the service account set apart from the standard user accounts so that it cannot be tampered with?