@Wool Sock The best way to manage Kerberos Keys generated via Key Vault would be to use Azure Event Grid.
Please refer this document for more details- https://learn.microsoft.com/en-us/azure/key-vault/general/event-grid-overview
"Key Vault integration with Event Grid allows users to be notified when the status of a secret stored in key vault has changed. A status change is defined as a secret that is about to expire (30 days before expiration), a secret that has expired, or a secret that has a new version available. Notifications for all three secret types (key, certificate, and secret) are supported."
Does this help? Please let me know if you have any further questions. Thank you!