Vault managing user access to specific high-value roles in Azure

I’m having issues duplicating a functionality I could perform in AWS at a previous company.

The Scenario:

There are occasions when an Admin needs permissions only available to the “global administrator” role in Azure. Rather than granting permanent access, I’d like to allow the admin to log into Vault and read a secret that results in the creation of a temporary account with the permissions that can be used to perform the task.

In AWS I could do this fairly simply with the AWS secrets engine and have it create an IAM_User and attach a policy and go.

However, with the Azure Secrets Engine, it looks like it only allows Vault to create a service principal, which I’m not certain is functionally similar? I get a client_id and client_secret back … but do they function as username/passwords for interactive access if needed like the IAM_User does in AWS?

Any insight here would be helpful.