https://developer.hashicorp.com/vault/docs/secrets/azure#static-roles
"Once the secret rotates, Vault generates a new client secret for the application and revokes the previous secret."
Not all systems are directly bound to Vault and/or read the actual secret on their start-up/deployment. Revocation performed during secret rotation immediately breaks an application still using the old secret.
An option like 'let expire' or 'do not revoke old secret' would prevent this and would let the latest secret be present in Vault until the application finally picks it up. The only side effect would be secret leftovers on the Azure side, to be cleaned up by the user himself.
I believe such a thing is not possible in the current implementation.
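To make the failure mode concrete, here is an added simulation (not Vault's code, and not from the original post) of a static-role rotation against a stand-in for an Azure app registration. `AzureAppRegistration`, `StaticRoleRotator`, the `retain_previous` flag and the `secret-N` values are all constructed for the example; `retain_previous=False` models the documented behaviour (revoke the previous secret on rotation), and `retain_previous=True` models the requested "let expire" option. A consumer that only reads the secret at deployment keeps working across a rotation in the second mode and fails immediately in the first, while the second mode leaves an extra unrevoked entry on the Azure side until it expires.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class ClientSecret:
    """One credential on an app registration (constructed model, not the Azure API)."""
    value: str
    expires_at: datetime
    revoked: bool = False


class AzureAppRegistration:
    """Stand-in for the Azure side: the client secrets an app currently holds."""

    def __init__(self) -> None:
        self.secrets: List[ClientSecret] = []

    def add(self, value: str, ttl: timedelta, now: datetime) -> None:
        self.secrets.append(ClientSecret(value, now + ttl))

    def revoke(self, value: str) -> None:
        for s in self.secrets:
            if s.value == value:
                s.revoked = True

    def validate(self, value: str, now: datetime) -> bool:
        """Would a token request using this secret succeed at time `now`?"""
        return any(s.value == value and not s.revoked and now < s.expires_at
                   for s in self.secrets)

    def unrevoked(self) -> int:
        """Entries Azure still lists because nobody revoked them (the 'leftovers')."""
        return sum(1 for s in self.secrets if not s.revoked)


class StaticRoleRotator:
    """Models static-role rotation; `retain_previous` is the hypothetical option."""

    def __init__(self, app: AzureAppRegistration, ttl: timedelta,
                 retain_previous: bool = False) -> None:
        self.app = app
        self.ttl = ttl
        self.retain_previous = retain_previous
        self.current: Optional[str] = None
        self._counter = 0

    def rotate(self, now: datetime) -> str:
        self._counter += 1
        new_value = f"secret-{self._counter}"  # constructed placeholder, not a real credential
        self.app.add(new_value, self.ttl, now)
        if self.current is not None and not self.retain_previous:
            self.app.revoke(self.current)  # documented behaviour: previous secret is revoked
        self.current = new_value
        return new_value


class LazyConsumer:
    """An application that reads the secret once at deployment and caches it."""

    def __init__(self, secret: str) -> None:
        self.cached = secret

    def authenticate(self, app: AzureAppRegistration, now: datetime) -> bool:
        return app.validate(self.cached, now)


def simulate(retain_previous: bool) -> dict:
    """Deploy a consumer, rotate once, and observe it before and after it redeploys."""
    t0 = datetime(2024, 1, 1)  # constructed timeline
    app = AzureAppRegistration()
    rotator = StaticRoleRotator(app, ttl=timedelta(hours=24), retain_previous=retain_previous)

    consumer = LazyConsumer(rotator.rotate(t0))           # deployed with secret-1
    rotator.rotate(t0 + timedelta(hours=12))              # Vault rotates to secret-2

    after_rotation = consumer.authenticate(app, t0 + timedelta(hours=13))
    after_expiry = consumer.authenticate(app, t0 + timedelta(hours=25))  # secret-1 past TTL
    consumer.cached = rotator.current                     # consumer finally redeploys
    after_redeploy = consumer.authenticate(app, t0 + timedelta(hours=26))

    return {
        "after_rotation": after_rotation,
        "after_expiry": after_expiry,
        "after_redeploy": after_redeploy,
        "unrevoked_on_azure": app.unrevoked(),
    }


if __name__ == "__main__":
    print("revoke on rotation:", simulate(retain_previous=False))
    print("retain until expiry:", simulate(retain_previous=True))
```

The `unrevoked_on_azure` count is the trade-off the post mentions: with retention, the expired `secret-1` stays listed on the app registration until someone cleans it up, whereas immediate revocation leaves only the current secret but breaks every consumer that has not yet re-read it.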