diff --git a/azure/credential_cache.go b/azure/credential_cache.go
index e47f5323edb..c392454958a 100644
--- a/azure/credential_cache.go
+++ b/azure/credential_cache.go
@@ -104,12 +104,16 @@ func (c *credentialCache) GetOrStoreClientCert(tenantID, clientID string, cert,
 }
 
 func (c *credentialCache) GetOrStoreManagedIdentity(opts *azidentity.ManagedIdentityCredentialOptions) (azcore.TokenCredential, error) {
+	var clientID string
+	if opts.ID != nil {
+		clientID = opts.ID.String()
+	}
 	return c.getOrStore(
 		credentialCacheKey{
 			authorityHost: opts.Cloud.ActiveDirectoryAuthorityHost,
 			credentialType: CredentialTypeManagedIdentity,
 			// tenantID not used for managed identity
-			clientID: opts.ID.String(),
+			clientID: clientID,
 		},
 		func() (azcore.TokenCredential, error) {
 			return c.credFactory.newManagedIdentityCredential(opts)
diff --git a/azure/scope/identity.go b/azure/scope/identity.go
index 55d5c9ff8ef..a8cc1689bbc 100644
--- a/azure/scope/identity.go
+++ b/azure/scope/identity.go
@@ -154,7 +154,9 @@ func (p *AzureCredentialsProvider) GetTokenCredential(ctx context.Context, resou
 			ClientOptions: azcore.ClientOptions{
 				TracingProvider: tracingProvider,
 			},
-			ID: azidentity.ClientID(p.Identity.Spec.ClientID),
+		}
+		if p.Identity.Spec.ClientID != "" {
+			options.ID = azidentity.ClientID(p.Identity.Spec.ClientID)
 		}
 
 		cred, authErr = p.cache.GetOrStoreManagedIdentity(&options)
diff --git a/azure/scope/identity_test.go b/azure/scope/identity_test.go
index 669fe204e82..70d50e647cf 100644
--- a/azure/scope/identity_test.go
+++ b/azure/scope/identity_test.go
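Review bot: The nil-ID branch maps the system-assigned identity to an empty clientID in the cache key, so on the same authority host it shares one cache slot with any caller that passes a non-nil ID whose String() is empty (presumably `azidentity.ClientID("")` or an empty ResourceID); the collision is probably harmless because both describe "no identity selected", but the key derivation should say so. Add above `var clientID string`: `// A nil ID selects the system-assigned identity and is cached under an empty clientID key; an explicitly empty ID value would share that entry.` The same key collapses different ID kinds that stringify identically, which the surrounding code already relied on before this change. GetOrStoreManagedIdentity continues past the end of the hunk.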
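Review bot: Leaving `options.ID` unset when `p.Identity.Spec.ClientID` is empty silently switches the cluster from the configured user-assigned identity to whatever system-assigned identity the host exposes, and nothing in the hunk records that this is deliberate rather than a missing field. Add above the new `if`: `// An empty ClientID leaves options.ID nil, which selects the system-assigned identity.` If the surrounding function has a logger in scope (it starts and ends outside the hunk), a debug-level line on that path would make the fallback observable when a cluster unexpectedly authenticates as the wrong principal.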
@@ -420,6 +420,28 @@ func TestGetTokenCredential(t *testing.T) {
 				}))
 			},
 		},
+		{
+			name: "system-assigned identity",
+			cluster: &infrav1.AzureCluster{
+				Spec: infrav1.AzureClusterSpec{
+					AzureClusterClassSpec: infrav1.AzureClusterClassSpec{
+						IdentityRef: &corev1.ObjectReference{
+							Kind: infrav1.AzureClusterIdentityKind,
+						},
+					},
+				},
+			},
+			identity: &infrav1.AzureClusterIdentity{
+				Spec: infrav1.AzureClusterIdentitySpec{
+					Type: infrav1.UserAssignedMSI,
+				},
+			},
+			cacheExpect: func(cache *mock_azure.MockCredentialCache) {
+				cache.EXPECT().GetOrStoreManagedIdentity(gomock.Cond(func(opts *azidentity.ManagedIdentityCredentialOptions) bool {
+					return opts.ID == nil
+				}))
+			},
+		},
 		{
 			name: "UserAssignedIdentityCredential",
 			cluster: &infrav1.AzureCluster{
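Review bot: The case name "system-assigned identity" does not match what it configures: the identity is `Type: infrav1.UserAssignedMSI` with no ClientID, and the assertion `opts.ID == nil` pins the fallback behaviour of that combination rather than a distinct identity type. Rename it to describe the input, e.g. `name: "UserAssignedMSI with empty ClientID falls back to system-assigned identity",`. If no existing case in TestGetTokenCredential (the table continues outside the hunk) asserts that a non-empty ClientID yields a non-nil `opts.ID`, a matching positive case would keep the two branches of the new `if` in identity.go covered.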