I’m clueless about Azure; I’ve tested GCP and AWS.
The certificate is something for the broker to provide; mos tool merely acts as an intermediary to make your task easier. In the Google case, mos tool will ask for the keys and certificate; in the case of Amazon, mos tool generates the private key locally and asks AWS to sign it and to get its certificate.
Depending on how mos tool and Azure handle this, new devices may just work automagically or an update to mos tool would have to take place.
However, since your keys have to be signed by the new authority, you won’t be able to keep your old keys and will need to generate new ones; that is, you’ll probably have to run the device setup again on those devices you already have running.
If Azure provides a way for you to perform this action on its console or equivalent, you can just get your keys and certificates from them and just replace those in your device flash.
If Azure keeps the current procedure and provides the new information, mos tool won’t need to be updated.
However, as I said, I don’t use Azure, so I might be missing something important; take these as my 2 cents.