diff --git a/dnsapi.md b/dnsapi.md index 52b92b1..7caebd7 100644 --- a/dnsapi.md +++ b/dnsapi.md @@ -766,6 +766,18 @@ acme.sh --issue --dns dns_azure -d example.com -d www.example.com `AZUREDNS_SUBSCRIPTIONID`, `AZUREDNS_TENANTID`,`AZUREDNS_APPID` and `AZUREDNS_CLIENTSECRET` settings will be saved in `~/.acme.sh/account.conf` and will be reused when needed. +Alternatively, you can use **Managed Identity** assigned to a resource instead of a service prinvcipal. + +You have to assign a managed identity to your resource, usually a VM, as described [here](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview). +This identity requires [DNS Zone Contributor role](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#dns-zone-contributor). + +Before running acme.sh following variables need to bo set: +`export AZUREDNS_SUBSCRIPTIONID="12345678-9abc-def0-1234-567890abcdef"` +`export AZUREDNS_MANAGEDIDENTITY=true` + +Issuing certificates using managed identity clears previously set settings: `AZUREDNS_TENANTID`, `AZUREDNS_APPID`, `AZUREDNS_CLIENTSECRET`. +`AZUREDNS_SUBSCRIPTIONID` and `AZUREDNS_MANAGEDIDENTITY` will be saved in ~/.acme.sh/account.conf for future use. + ## 38. Use selectel.com(selectel.ru) domain API to automatically issue cert First you need to login to your account to get your API key from: https://my.selectel.ru/profile/apikeys.
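Review bot: The added line "This identity requires [DNS Zone Contributor role]" does not say at which scope the role should be assigned. Please state that it only needs to be granted on the DNS zone (or its resource group) that acme.sh will update, not on the whole subscription, so the identity attached to the VM cannot modify unrelated zones. Two typos in the added text: "service prinvcipal" should be "service principal", and "following variables need to bo set" should be "the following variables need to be set". The two `export` lines are written as consecutive inline-code lines, which Markdown will join into one paragraph; a fenced block would render them one per line. In the last added line, `~/.acme.sh/account.conf` is not in backticks, unlike the context line just above the hunk. Since the text says that issuing with a managed identity clears `AZUREDNS_TENANTID`, `AZUREDNS_APPID` and `AZUREDNS_CLIENTSECRET`, it would help to say explicitly that these are removed from the saved account.conf, so users who switch back to a service principal know they have to export them again.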