How are you designing your Azure Secrets Engine(s)

We are currently migrating from OSS Vault to Vault Enterpri se and are starting with our Azure Secrets engine that we use for deployments via Terraform Enterprise. We are redesigning our Azure Secrets engine entirely upon the move and wanted to see how other customers are setting up their Azure Secrets engines and associated policies/roles

We have ~100 Azure subscriptions in a single Tenant and are looking to adopt the following design in Vault:

Azure Secrets Engine
Name: azure/tfe/<sub_id>
Roles: <sub_id>-<role [o/c]>
TTL/Max TTL: 60 minutes

Assigned to Secrets Engine Role (<sub_id>-<role [o/c]>)
s/azure/tfe/<sub_id>/r: generate creds for all roles in sub_id secrets engine, read config
of its secrets engine, lookup own token

Each subscription would be setup with its own Secrets engine (as recommended by Hashi) following the pattern above. The role (we only have the need for 1 role right now) is setup for Dynamic Service principles.

Are others using this same pattern? Is anyone using Static Service Principles? 1 Secrets engine for all subscriptions? Any other design options we may be overlooking?