There are certain clients that still require a full certificate chain as they may return certificate errors. Certain web servers like IIS can build the chain while others may.
I had a customer reach out requesting how to query all certificates across all subs and figure out when they are expiring. Using Azure Resource Graph I came up.
I’m far from a PKI expert so I won’t be going into much detail as a lot of information around certificates can be found through a web search. I.