Key Vaults have a number of features regarding certificates, as well as the capability to automatically rotate certificates contained - as well as supporting self-signed certificates.

Given this, it would be good if an integration existed (which could be utilised) to anchor an AAD application to a certificate which existed in a linked KeyVault. This would provide avenues to automatically manage the lifecycle of certificates (utilising the underlying service), associated with an application, without requiring the engineering overhead of creating/maintaining code which could do the same.

Such a feature would enable you to setup a service principal for an environment (e.g. for CI/CD), then utilise an Azure DevOps task which retrieves the certificate - which in turn can be used to bootstrap ARM deployments, etc - without needing to re-invent the wheel.