Hi Sean,
There are two ways to handle secret scopes:
- databricks-backed scopes: scope is related to a workspace. You will have to handle the update of the secrets.
- Azure Key Vault-backed scopes: scope is related to a Key Vault. It means than you configure the access to KV using a scope and then you will be able to access the secrets stored in the KV (if you configured properly the access first).
The security best practices is to use an Azure Key Vault-backed scopes. If there is some rotation policies activate, it will be handle.
Nevertheless, if you need to access to a storage account (in case of ADLS), it is better if you can use an access connector rather than using the access key, for example.
I hope it is clearer now 🙂