The Vault secrets engine does not permanently delete the service principals/apps from Azure AD when leases expire. Instead, the objects are placed in a "recycle bin," and they count toward the limit of Azure AD objects in a tenant (that limit ranges from 50k to 500k objects). So after 50k-500k leases, Vault hits the limit of objects in an Azure AD tenant and causes all create operations on the tenant to fail.
The Azure Vault secrets engine should at least provide the option to permanently delete items upon expiration of leases.
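Until the engine offers such an option, an operator can empty the recycle bin out of band. The sketch below is an added example, not code from Vault or from this report: it pages through Microsoft Graph's `directory/deletedItems` listing and builds the permanent-delete URLs for soft-deleted applications. The `vault-` display-name prefix, the one-day minimum age and the sample records are assumptions constructed for illustration.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
LIST_URL = GRAPH + "/directory/deletedItems/microsoft.graph.application"

def graph_get(url, token):
    """GET one page from Microsoft Graph with a caller-supplied bearer token."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def iter_deleted(fetch, url=LIST_URL):
    """Yield every soft-deleted object, following @odata.nextLink paging."""
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def purge_plan(items, prefix, min_age, now):
    """Return permanent-delete URLs for matching recycle-bin objects.

    Selects only objects whose displayName starts with `prefix` and that
    were soft-deleted at least `min_age` ago; everything else stays restorable.
    """
    urls = []
    for item in items:
        name = item.get("displayName") or ""
        deleted = item.get("deletedDateTime")
        if not name.startswith(prefix) or not deleted:
            continue
        when = datetime.fromisoformat(deleted.replace("Z", "+00:00"))
        if now - when >= min_age:
            urls.append(GRAPH + "/directory/deletedItems/" + item["id"])
    return urls

# Constructed two-page response standing in for the Graph API.
PAGE2 = LIST_URL + "?$skiptoken=constructed"
SAMPLE = {
    LIST_URL: {"@odata.nextLink": PAGE2, "value": [
        {"id": "id-1", "displayName": "vault-0001", "deletedDateTime": "2024-01-01T00:00:00Z"},
        {"id": "id-2", "displayName": "payroll-app", "deletedDateTime": "2024-01-01T00:00:00Z"}]},
    PAGE2: {"value": [
        {"id": "id-3", "displayName": "vault-0002", "deletedDateTime": "2024-01-09T12:00:00Z"}]},
}

if __name__ == "__main__":
    now = datetime(2024, 1, 10, tzinfo=timezone.utc)
    print(purge_plan(iter_deleted(SAMPLE.get), "vault-", timedelta(days=1), now))
```

Against a real tenant, pass `lambda u: graph_get(u, token)` as `fetch` and send an HTTP `DELETE` to each returned URL; the same listing exists for `microsoft.graph.servicePrincipal`.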