From 82bc5b57a6bff527a09e70eb6a1e23733d4e15b4 Mon Sep 17 00:00:00 2001 From: techknowlogick Date: Mon, 31 Mar 2025 10:42:50 -0400 Subject: [PATCH] Add note about acme.sh and azure function managed identities --- dnsapi.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/dnsapi.md b/dnsapi.md index 8a35773..1b197d2 100644 --- a/dnsapi.md +++ b/dnsapi.md @@ -1041,6 +1041,8 @@ Before running acme.sh following variables need to be set: Issuing certificates using managed identity clears previously set settings: `AZUREDNS_TENANTID`, `AZUREDNS_APPID`, `AZUREDNS_CLIENTSECRET`. `AZUREDNS_SUBSCRIPTIONID` and `AZUREDNS_MANAGEDIDENTITY` will be saved in ~/.acme.sh/account.conf for future use. +Azure App Service and App Functions have an [alternative process](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference) to fetch managed identities. When running acme.sh in either, they will use the `IDENTITY_ENDPOINT` and `IDENTITY_HEADER` environment variables that are injected into the service to fetch the managed identity token. + ### Use provided Bearer token If you want to use Entra Workload ID in a GitHub Action or similar CI/CD scenarios, you have to use a provided Bearer token.
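
Review bot: In the added paragraph, "When running acme.sh in either, they will use the `IDENTITY_ENDPOINT` and `IDENTITY_HEADER` environment variables" leaves it unclear who reads the variables and whether the user has to configure anything. Suggest wording it as "acme.sh uses the `IDENTITY_ENDPOINT` and `IDENTITY_HEADER` environment variables that the platform injects", and stating whether `AZUREDNS_MANAGEDIDENTITY` still has to be set as the preceding context describes. Because that context line lists what is saved to ~/.acme.sh/account.conf, the note should also say whether the two injected values are read from the environment on every run or saved there as well. Minor: the product name is "Azure Functions" rather than "App Functions", and what is fetched is a token for the managed identity, not the identity itself, so "to fetch managed identities" in the first sentence should match the "managed identity token" wording used in the second.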