diff --git a/pkg/azure/blob.go b/pkg/azure/blob.go
index 95f4788ea..df39247ea 100644
--- a/pkg/azure/blob.go
+++ b/pkg/azure/blob.go
@@ -115,10 +115,15 @@ func NewClient(obj *sourcev1.Bucket, secret *corev1.Secret) (c *BlobClient, err
 	// Compose token chain based on environment.
 	// This functions as a replacement for azidentity.NewDefaultAzureCredential
 	// to not shell out.
-	if token, err = chainCredentialWithSecret(secret); err != nil {
+	token, err = chainCredentialWithSecret(secret)
+	if err != nil {
 		err = fmt.Errorf("failed to create environment credential chain: %w", err)
 		return nil, err
 	}
+	if token != nil {
+		c.ServiceClient, err = azblob.NewServiceClient(obj.Spec.Endpoint, token, nil)
+		return
+	}
 
 	// Fallback to simple client.
 	c.ServiceClient, err = azblob.NewServiceClientWithNoCredential(obj.Spec.Endpoint, nil)
@@ -353,6 +358,8 @@ func sharedCredentialFromSecret(endpoint string, secret *corev1.Secret) (*azblob
 // azidentity.ChainedTokenCredential if at least one of the following tokens was
 // successfully created:
 // - azidentity.EnvironmentCredential
+// - azidentity.ManagedIdentityCredential with Client ID from AZURE_CLIENT_ID
+//   environment variable, if found.
 // - azidentity.ManagedIdentityCredential
 // If a Secret with an `authorityHost` is provided, this is set on the
 // azidentity.EnvironmentCredentialOptions. It may return nil.
@@ -369,6 +376,13 @@ func chainCredentialWithSecret(secret *corev1.Secret) (azcore.TokenCredential, e
 	if token, _ := azidentity.NewEnvironmentCredential(credOpts); token != nil {
 		creds = append(creds, token)
 	}
+	if clientID := os.Getenv("AZURE_CLIENT_ID"); clientID != "" {
+		if token, _ := azidentity.NewManagedIdentityCredential(&azidentity.ManagedIdentityCredentialOptions{
+			ID: azidentity.ClientID(clientID),
+		}); token != nil {
+			creds = append(creds, token)
+		}
+	}
 	if token, _ := azidentity.NewManagedIdentityCredential(nil); token != nil {
 		creds = append(creds, token)
 	}
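Review bot: The new `if token != nil` branch uses a naked `return` after `c.ServiceClient, err = azblob.NewServiceClient(...)`, so when that constructor fails the caller receives a non-nil, partially populated `*BlobClient` together with the error, whereas the error path three lines above returns `nil, err`. Make the token path match: `if c.ServiceClient, err = azblob.NewServiceClient(obj.Spec.Endpoint, token, nil); err != nil { return nil, fmt.Errorf("failed to create service client with token credential: %w", err) }` followed by `return c, nil`. Since chainCredentialWithSecret is documented to return nil when no credential could be built, this branch is also the point where the client silently degrades from authenticated to anonymous access; a comment such as `// No credential could be composed from the environment: fall back to an unauthenticated client.` above the fallback would make that explicit for whoever reads the auth path. NewClient continues past the end of this hunk, so I cannot see how the fallback's error is handled.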
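Review bot: The added user-assigned managed identity credential discards the constructor error (`token, _ := azidentity.NewManagedIdentityCredential(...)`), so a misconfigured AZURE_CLIENT_ID leaves no trace: the chain falls through to the unscoped ManagedIdentityCredential appended right below, and, per the doc comment updated in the hunk at line 353, possibly to a nil return and the anonymous fallback in NewClient. Dropping the error is consistent with the existing EnvironmentCredential line, but since this is an authentication decision, the intent and ordering deserve a comment, e.g. `// Prefer the user-assigned identity selected by AZURE_CLIENT_ID; the unscoped credential below covers system-assigned identities. Constructor errors are ignored on purpose: a credential that cannot be built is simply left out of the chain.` The same variable is, as far as I recall, also read by azidentity.EnvironmentCredential, so the doc bullet in the earlier hunk could note that the two entries share it. chainCredentialWithSecret continues outside this hunk, so I cannot see how the chain is finally assembled.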