Hello @Jamie W,
Thanks for reaching out to the Microsoft Q&A Platform. As of today, every service principal update will require a reboot of each worker node. When we update the AKS cluster with the new SP credentials, it will first update the Master Node with the new client_secret. Then it will go to each node and update the config /etc/kubernetes/azure.json with the new secret. You can also manually log in to each node and update those attributes, but that is not a best practice because the Master Node will still use the old password, which might lead to other consequences, such as any scale-up coming up with the old SP credentials.
The azure.json config file looks like below
Considering your customer scenario, you can probably renew the service principal for an extended period of time (for example, 10 years) and do the update only once.
az ad sp credential reset --name $SPID --years 10
Kindly let us know if you have additional questions.
Regards,
Shiva.
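
One way to confirm that every node picked up the rotated credential, as an added example that is not part of the original answer: it compares the service principal fields of each node's /etc/kubernetes/azure.json against the expected values by hash, so the secret is never printed. The field names aadClientId and aadClientSecret are assumed to be the ones used in that file; node names, IDs and secrets are constructed sample data, and collecting the file contents from the nodes is left to the operator.

```python
import hashlib
import hmac
import json


def secret_fingerprint(secret: str) -> str:
    """SHA-256 of the secret, so values can be compared without logging them."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def find_stale_nodes(node_configs: dict, expected_client_id: str, expected_secret: str) -> dict:
    """Return {node: reason} for every node whose azure.json is out of date."""
    want = secret_fingerprint(expected_secret)
    stale = {}
    for node, raw in sorted(node_configs.items()):
        try:
            cfg = json.loads(raw)
            if not isinstance(cfg, dict):
                raise ValueError("azure.json is not a JSON object")
        except ValueError:  # also covers json.JSONDecodeError
            stale[node] = "unparseable azure.json"
            continue
        got = secret_fingerprint(str(cfg.get("aadClientSecret", "")))
        if cfg.get("aadClientId") != expected_client_id:
            stale[node] = "different service principal"
        elif not hmac.compare_digest(got, want):
            stale[node] = "old client secret"
    return stale


# Constructed sample data (not real credentials or node names).
SAMPLE_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
NEW_SECRET = "constructed-new-secret"


def _sample(client_id: str, secret: str) -> str:
    return json.dumps({"aadClientId": client_id, "aadClientSecret": secret})


SAMPLE_NODES = {
    "node-a": _sample(SAMPLE_CLIENT_ID, NEW_SECRET),
    "node-b": _sample(SAMPLE_CLIENT_ID, "constructed-old-secret"),  # updated by hand, missed
    "node-c": "{truncated",                                          # damaged file
    "node-d": _sample("99999999-0000-0000-0000-000000000000", NEW_SECRET),
}

if __name__ == "__main__":
    for node, reason in find_stale_nodes(SAMPLE_NODES, SAMPLE_CLIENT_ID, NEW_SECRET).items():
        print(f"{node}: {reason}")
```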