You can add any email address as a contact for certificate renewal. So this can be the address of either a single user or the address tied to a distribution group. Azure itself is unaware of anything other than the email address. See the documentation on Add-AzKeyvaultCertificateContact for details on how to add the contact.
As long as you dont specify a specific certificate version in your app references to keyvault, Azure FrontDoor, App Gateway and App Service will detect any version updates and rotate within 24 hours. So as long as you renew more than 24 hours before expiry, no changes would be needed.