diff --git a/cloud-provider.sh b/cloud-provider.sh
index fd218fe2..52b8331f 100755
--- a/cloud-provider.sh
+++ b/cloud-provider.sh
@@ -18,6 +18,7 @@ set_azure_config() {
 local az_subnet_name=$(cat "$AZURE_CLOUD_CONFIG_PATH" | jq -r .subnetName)
 local az_vnet_name=$(cat "$AZURE_CLOUD_CONFIG_PATH" | jq -r .vnetName)
 local az_vm_type=$(cat "$AZURE_CLOUD_CONFIG_PATH" | jq -r .vmType)
+ local az_managed_identity_extension=$(cat "$AZURE_CLOUD_CONFIG_PATH" | jq -r .useManagedIdentityExtension)
 local az_vm_resources_group=$(curl -s -H Metadata:true "${AZURE_META_URL}/resourceGroupName?api-version=${AZURE_META_API_VERSION}&format=text")
 local az_vm_name=$(curl -s -H Metadata:true "${AZURE_META_URL}/name?api-version=${AZURE_META_API_VERSION}&format=text")
@@ -32,8 +33,12 @@ set_azure_config() {
 az cloud set --name ${azure_cloud}
 # login to Azure
- az login --service-principal -u ${azure_client_id} -p ${azure_client_secret} --tenant ${azure_tenant_id} 2>&1 > /dev/null
-
+ if [ "${az_managed_identity_extension}" = "true" ] && [ "${azure_client_secret}" = "" ]; then
+ echo "using MSI for az login"
+ az login --identity 2>&1 > /dev/null
+ else
+ az login --service-principal -u ${azure_client_id} -p ${azure_client_secret} --tenant ${azure_tenant_id} 2>&1 > /dev/null
+ fi
 # set subscription to be the current active subscription
 az account set --subscription ${az_subscription_id}
diff --git a/windows/cloud-provider.psm1 b/windows/cloud-provider.psm1
index 2d5e21e3..eac36e99 100644
--- a/windows/cloud-provider.psm1
+++ b/windows/cloud-provider.psm1
@@ -31,6 +31,7 @@ function Complete-AzureCloudConfig
 $azureClientId = $azCloudConfig.aadClientId
 $azureClientSecret = $azCloudConfig.aadClientSecret
 $azureTenantId = $azCloudConfig.tenantId
+ $useManagedIdentityExtension = $azCloudConfig.useManagedIdentityExtension
 # verification
 if (-not $azureClientId) {
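Review bot: The new `az login --identity` branch never checks whether the login succeeded, so on a VM with no managed identity assigned the function simply continues to `az account set --subscription` with no session and the failure surfaces there with a misleading message. Both branches could end with `|| { echo "az login failed" >&2; return 1; }` (the removed service-principal line had the same gap, but this commit is the moment to close it for both). The `echo "using MSI for az login"` diagnostic goes to stdout while both login commands discard stdout; if a caller captures this function's output the line would end up in it, so `>&2` is the safer destination. Note also that `2>&1 > /dev/null` sends az's stderr to the original stdout rather than to /dev/null; if the intent was to silence both streams the order is `> /dev/null 2>&1`. set_azure_config continues past the end of this hunk.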
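Review bot: The verification that follows the new `$useManagedIdentityExtension` assignment still opens with `if (-not $azureClientId)`; its body lies outside the hunk, but if it fatals, a cloud config that sets useManagedIdentityExtension to true and leaves aadClientId empty (as a system-assigned identity setup may) would be rejected before the `--identity` branch added later in this commit is ever reached. Either relax the check, e.g. `if ((-not $azureClientId) -and -not ($useManagedIdentityExtension -eq "true")) {`, or add a comment stating that aadClientId is required even when MSI is used. Complete-AzureCloudConfig's body extends beyond this hunk.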
@@ -68,7 +69,11 @@ function Complete-AzureCloudConfig
 # NOTE: the escaping syntax around the secret is to ensure the azure-cli doesn't interpret the contents of the secret as a command.
 # See this issue for more information:
 # https://github.com/Azure/azure-cli/issues/8070
- $errMsg = az login --service-principal -u $azureClientId -p "`"$azureClientSecret`"" --tenant $azureTenantId
+ $az_login_args='--service-principal -u $azureClientId -p "`"$azureClientSecret`"" --tenant $azureTenantId'
+ if (($useManagedIdentityExtension -eq "true") -and -not $azureClientSecret) {
+ $az_login_args='--identity'
+ }
+ $errMsg = az login $az_login_args
 if (-not $?) {
 Log-Fatal "Failed to login '$azureCloud' cloud: $errMsg"
 }
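Review bot: `$az_login_args` is built as a single-quoted string, so PowerShell never expands `$azureClientId`, `$azureClientSecret` or `$azureTenantId` inside it, and `az login $az_login_args` then passes that entire literal string to az as one argument; the service-principal path cannot log in as written, which the MSI branch would mask on hosts where it applies. Build the arguments as an array instead so each flag and value reaches az as a separate argument, keeping the quoted-secret form that the NOTE above explains; PowerShell expands an array variable into separate arguments for a native command. The `--identity` branch and the `-eq "true"` test are unaffected by this. Complete-AzureCloudConfig begins before this hunk.
```powershell
    $az_login_args = @('--service-principal', '-u', $azureClientId, '-p', "`"$azureClientSecret`"", '--tenant', $azureTenantId)
    if (($useManagedIdentityExtension -eq "true") -and -not $azureClientSecret) {
        $az_login_args = @('--identity')
    }
    $errMsg = az login $az_login_args
    # … unchanged: exit-status check and Log-Fatal …
```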