@JcAubrun Thank you for reaching out to us. As I understand you are looking for a Azure Certificate as a Service which can act like Root CA ( something like a on-premise certificate authority ), researched on this unfortunately we don't have any such service which can provide the functionality which you are looking for.
As Jimmy mentioned above you use Azure AD certificate-based authentication (CBA) which allows users to authenticate directly with X.509 certificates against Azure Active Directory (Azure AD) for applications and browser sign-in.
Reference: Azure AD certificate-based authentication
Also you can share product suggestions on the Entra (Azure AD) forum which is monitored closely by our product group team.
Let me know if you have any further questions, please feel free to post back.
Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.