diff --git a/changelog/19187.txt b/changelog/19187.txt new file mode 100644 index 000000000000..c04234a1bb9b --- /dev/null +++ b/changelog/19187.txt @@ -0,0 +1,3 @@ +```release-note:improvement +website/docs: Add rotate root documentation for azure secrets engine +``` diff --git a/website/content/docs/secrets/azure.mdx b/website/content/docs/secrets/azure.mdx index b972c3b2ea5c..c8d2fc0dd892 100644 --- a/website/content/docs/secrets/azure.mdx +++ b/website/content/docs/secrets/azure.mdx @@ -103,6 +103,20 @@ This endpoint generates a renewable set of credentials. The application can logi using the `client_id`/`client_secret` and will have access provided by configured service principal or the Azure roles set in the "my-role" configuration. +## Root Credential Rotation + +If the mount is configured with credentials directly, the credential's key may be +rotated to a Vault-generated value that is not accessible by the operator. +This will ensure that only Vault is able to access the "root" user that Vault uses to +manipulate dynamic & static credentials. + +```shell-session +vault write -f azure/rotate-root +``` + +For more details on this operation, please see the +[Root Credential Rotation](/vault/api-docs/secret/azure#rotate-root) API docs. + ## Roles Vault roles let you configure either an existing service principal or a set of Azure roles, along with
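Review bot: The new "Root Credential Rotation" section in azure.mdx should say in Azure terms what "configured with credentials directly" and "the credential's key" refer to; the paragraph just above it already uses `client_id`/`client_secret`, so state that `rotate-root` replaces the `client_secret` of the application the mount was configured with, and that the Vault-generated replacement is never returned, so the operator cannot recover it from Vault afterwards. Suggested wording for the first sentence: "If the mount was configured with a `client_id` and `client_secret`, the `client_secret` can be rotated to a Vault-generated value that is not returned to the operator." Two smaller points: "dynamic & static credentials" should read "dynamic and static credentials", and the section does not say what permission the configured application needs in Azure to update its own credentials, which is the first thing a reader will run into if the call fails.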