Azure secrets engine, dynamic SPs and Azure AD roles

I am attempting to configure an Azure secrets engine to issue dynamic credentials that will allow some TF code to CRUD Azure AD groups.

I want to create a Vault role that will issue credentials that are part of the Azure AD “Groups administrator” role.

Having read through the engine docs and the engine API docs, I couldn’t find anything that really deals with Azure AD roles. Azure roles and Azure AD groups ARE documented.

I can see two paths forward to achieving my aim here.

  1. Create a new Azure AD group which has the Groups administrator role assigned to it.
  2. Create a static SP which has the Groups administrator role assigned to it.

So, looking for some confirmation and advice that I've understood this correctly.

  • The Azure engine doesn't appear to support Azure role assignments to dynamic credentials. Is this correct?
    • If this IS correct, I'll raise an issue in the Vault GH asking for the doco to be clarified about this because it's not abundantly clear.
  • Of my two paths forward, is there one that is more sensible than the other? This is a request for opinions so please do feel free to elaborate on the WHY you feel this way.
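Added example for path 1 above, not taken from the original post or from HashiCorp's docs: a Terraform definition of the Azure secrets engine plus a Vault role that grants nothing except membership in an existing Azure AD group, with the "Groups administrator" directory role assigned to that group. It assumes the Terraform Vault provider's `vault_azure_secret_backend` and `vault_azure_secret_backend_role` resources (with the `azure_groups` block), that the group was created role-assignable (Azure AD only allows directory roles on groups created with that flag), and that the group name, object ID and variable names are placeholders.

```hcl
# Added example (not from the original post). Assumes the hashicorp/vault
# Terraform provider and an existing role-assignable Azure AD group that
# holds the "Groups administrator" directory role. All IDs are placeholders.

terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

variable "subscription_id" {}
variable "tenant_id" {}
variable "vault_client_id" {}     # SP Vault itself uses to mint credentials
variable "vault_client_secret" {} # pass via TF_VAR_, never commit it
variable "groups_admin_object_id" {} # object ID of the role-assignable group

# The engine's own service principal only needs enough Graph permission to
# create/delete applications and service principals and to manage group
# membership; it does not need the Groups administrator role itself.
resource "vault_azure_secret_backend" "azure" {
  path            = "azure"
  subscription_id = var.subscription_id
  tenant_id       = var.tenant_id
  client_id       = var.vault_client_id
  client_secret   = var.vault_client_secret
}

# Path 1 from the post: no Azure RBAC (azure_roles) at all, only membership in
# an AD group that carries the directory role. Vault creates a fresh SP per
# lease, adds it to the group, and deletes the SP when the lease expires, so
# the Groups administrator privilege is held only for the lease lifetime.
resource "vault_azure_secret_backend_role" "groups_admin" {
  backend = vault_azure_secret_backend.azure.path
  role    = "tf-groups-admin"

  azure_groups {
    group_name = "vault-dynamic-groups-admins" # assumed group name
    object_id  = var.groups_admin_object_id
  }

  ttl     = "1h" # short lease; the SP (and its role) disappear on expiry
  max_ttl = "4h"
}
```

With this applied, the Terraform pipeline reads `azure/creds/tf-groups-admin` to obtain a short-lived client ID and secret, and the only privilege those credentials carry is whatever the group confers. Keep the TTLs short and review the group's membership in Azure AD periodically: any SP left in it past its lease would indicate a failed cleanup by the engine.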