From 91446e129ebed9fe5df5c674a027066b24a2b0f5 Mon Sep 17 00:00:00 2001 From: Raymond Ho Date: Wed, 15 Feb 2023 13:07:42 -0800 Subject: [PATCH] Add rotate root docs for azure secrets (#19187) --- changelog/19187.txt | 3 +++ website/content/docs/secrets/azure.mdx | 14 ++++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 changelog/19187.txt diff --git a/changelog/19187.txt b/changelog/19187.txt new file mode 100644 index 000000000..c04234a1b --- /dev/null +++ b/changelog/19187.txt @@ -0,0 +1,3 @@ +```release-note:improvement +website/docs: Add rotate root documentation for azure secrets engine +``` diff --git a/website/content/docs/secrets/azure.mdx b/website/content/docs/secrets/azure.mdx index b972c3b2e..c8d2fc0dd 100644 --- a/website/content/docs/secrets/azure.mdx +++ b/website/content/docs/secrets/azure.mdx @@ -103,6 +103,20 @@ This endpoint generates a renewable set of credentials. The application can logi using the `client_id`/`client_secret` and will have access provided by configured service principal or the Azure roles set in the "my-role" configuration. +## Root Credential Rotation + +If the mount is configured with credentials directly, the credential's key may be +rotated to a Vault-generated value that is not accessible by the operator. +This will ensure that only Vault is able to access the "root" user that Vault uses to +manipulate dynamic & static credentials. + +```shell-session +vault write -f azure/rotate-root +``` + +For more details on this operation, please see the +[Root Credential Rotation](/vault/api-docs/secret/azure#rotate-root) API docs. + ## Roles Vault roles let you configure either an existing service principal or a set of Azure roles, along with
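Review bot: In the azure.mdx hunk, the opening sentence "If the mount is configured with credentials directly, the credential's key may be rotated" is too vague for an operator to act on: say which setting this refers to (the mount's configured client secret, as opposed to a mount that relies on an identity Vault does not own) and name the thing being rotated as the client secret rather than "the credential's key". The paragraph also states that the new value "is not accessible by the operator" but does not spell out the consequence the reader needs: the original secret stops working once rotation completes, so any other system still using it must be updated, and if the Vault-held value is ever lost the operator must issue a new secret in Azure and re-run the configuration. One short sentence covering that recovery path would turn this into complete documentation. Minor style: "dynamic & static credentials" should be "dynamic and static credentials" to match the rest of the page.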