How do you add IOT Central credentials to a device (device id, scope id) - do you even need to do this?
In the following video a plugin and play device is just powered on, and then it is visible in IOT Central. https://www.youtube.com/watch?v=rzTw1_AuxdQ
I don't understand how this works, as if no IOT Central specific credentials are added, wouldn't this device be available to everyone in their IOT central environments?
As this isn't the case, I presume these to be added to the device (somehow?)
You can find a summary of the options for connecting a device to IoT Central here.
This article illustrates the process with a specific device.
The recommendation for a production environment is to use X.509 certificates - you install a root or intermediate certificate into IoT Central and then configure your devices with leaf certificates generated from the root or intermediate cert.
You can also use SAS keys - you can use a group key to generate multiple device keys than you can use in a connection string.
As Matthijs mentioned, Plug and Play means that a device can be automatically associated with a device template so that a device can start sending data that IoT Central understands as soon as it connects.