diff --git a/changelog/17045.txt b/changelog/17045.txt new file mode 100644 index 0000000000..600641dbe0 --- /dev/null +++ b/changelog/17045.txt @@ -0,0 +1,3 @@ +```release-note:improvement +secrets/azure: Adds option to permanently delete AzureAD objects created by Vault. +``` diff --git a/website/content/api-docs/secret/azure.mdx b/website/content/api-docs/secret/azure.mdx index 7c00102d57..3cee9179b8 100644 --- a/website/content/api-docs/secret/azure.mdx +++ b/website/content/api-docs/secret/azure.mdx @@ -241,6 +241,8 @@ information about roles. Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. - `max_ttl` (`string: ""`) – Specifies the maximum TTL for service principals generated using this role. Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time. +- `permanently_delete` (`bool: false`) - Specifies whether to permanently delete Applications and Service Principals that are dynamically + created by Vault. If `application_object_id` is present, `permanently_delete` must be `false`. ### Sample Payload diff --git a/website/content/docs/secrets/azure.mdx b/website/content/docs/secrets/azure.mdx index 332afc480f..f766d999c2 100644 --- a/website/content/docs/secrets/azure.mdx +++ b/website/content/docs/secrets/azure.mdx 
@@ -183,6 +183,25 @@ $ cat az_groups.json ] ``` +### Permanently Delete Azure Objects +If dynamic service principals are used, the option to permanently delete the applications and service principals created by Vault may be configured on the Vault role. +When this option is enabled and a lease is expired or revoked, the application and service principal associated with the lease will be [permanently deleted](https://docs.microsoft.com/en-us/graph/api/directory-deleteditems-delete) from the Azure Active Directory. +As a result, these objects will not count toward the [quota](https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#active-directory-limits) of total resources in an Azure tenant. When this option is not enabled +and a lease is expired or revoked, the application and service principal associated with the lease will be deleted, but not permanently. These objects will be available to restore for 30 days from deletion. + +Example of role configuration: + +```shell-session +$ vault write azure/roles/my-role permanently_delete=true ttl=1h azure_roles=-</resourceGroups/Website" + } + ] +EOF +``` + ## Authentication The Azure secrets backend must have sufficient permissions to read Azure role information and manage
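Review bot: (changelog/17045.txt) "AzureAD" is inconsistent with the docs hunk in the same PR, which says "Azure Active Directory"; Microsoft writes it as "Azure AD", and the release note would also read better if it named the objects the way the docs do, e.g. `secrets/azure: Adds option to permanently delete applications and service principals created by Vault.`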
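Review bot: (api-docs/secret/azure.mdx, `permanently_delete` entry) the constraint "If `application_object_id` is present, `permanently_delete` must be `false`" does not say what happens when both are set; please state the observable behaviour (presumably the role write is rejected with an error) so operators automating role creation know what to expect. Two smaller points on the same lines: the new bullet uses a plain hyphen after the type (`(`bool: false`) -`) while the neighbouring `ttl`/`max_ttl` bullets use an en-dash (`–`), and the description could say explicitly that the option only applies to dynamically created objects, since a role bound to an existing `application_object_id` never creates or deletes them.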
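Review bot: (docs/secrets/azure.mdx, "Permanently Delete Azure Objects" section) the `vault write azure/roles/my-role ... azure_roles=-` example is cut off in the hunk as shown here; only the tail `/resourceGroups/Website" } ]` and the closing `EOF` are visible, so the heredoc opener (`<<EOF`), the `role_name` field and the full `scope` value cannot be checked. Please confirm the block renders as a complete, copy-pasteable shell-session example. Separately, this section never mentions the restriction documented in the API hunk of this PR (that `permanently_delete` cannot be combined with `application_object_id`); a single sentence such as "This option is not available for roles that reference an existing `application_object_id`." would keep the two pages consistent. Finally, because permanent deletion is a second Graph call against `/directory/deletedItems`, the Authentication section that follows should say whether the permissions already listed there are sufficient for it or whether an additional one is required.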