When setting Azure AD app registration for using OAUTH 2 authentication, you need to create a client secret.
A client secret has an expiration date that now (from the Azure Portal) can be set to 24 months as maximum:
Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as license keys, credentials, API keys, certificates and so on.
Starting form Dynamics 365 Business Central 2020 Wave 2 (version 17) you can start using Azure Key Vault service for storing your secrets and then retrieving them from AL code in a very easy way.