Hashicorp Vault Azure Secret Engine - Client Secret rotation

You may say that this question should be asked in the Azure community not Hashicorp, but I am asking to find the best practices from this community’s point of view.
According to the instruction (https://developer.hashicorp.com/vault/docs/secrets/azure), we should create a service principal in the HC vault to enable the Azure secret engine in the HC vault and also generate a client Secret. The client’s secret is expired in a maximum of 2 years. Therefore, there should be a solution to rotate/renew the secret.
Now there are two questions: Is it possible to configure Azure Secret Engine without client secret and then use a certificate? What is the best way to renew the client’s secret automatically if not?

Thanks for your support,