diff --git a/azure/CHANGELOG.md b/azure/CHANGELOG.md
index e5c7d6d..e30a7fd 100644
--- a/azure/CHANGELOG.md
+++ b/azure/CHANGELOG.md
@@ -6,7 +6,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
-Fix docker container build
+- Add `client-id` option for workload identity authentication
+- Fix docker container build
 ## 1.2.0 - 2024-11-28
diff --git a/azure/README.adoc b/azure/README.adoc
index 46f39f1..e0693d6 100644
--- a/azure/README.adoc
+++ b/azure/README.adoc
@@ -102,7 +102,11 @@ contexts:
 |tenant-id
 |string
-|configure a fixed tenant
+|configure a fixed tenant for Azure CLI and workload identity authentication
+
+|client-id
+|string
+|configure a fixed client id for workload identity authentication
 |verbose
 |boolean
diff --git a/azure/main.go b/azure/main.go
index 0bd61f1..5421058 100644
--- a/azure/main.go
+++ b/azure/main.go
@@ -58,6 +58,11 @@ func (t *tokenProvider) Init(options map[string]any, brokers []string) (err erro
 tenantID = ""
 }
+ clientID, ok := options["client-id"].(string)
+ if ok {
+ _ = os.Setenv("AZURE_CLIENT_ID", clientID)
+ }
+
 t.tokenAudience = fmt.Sprintf("%s://%s/.default", eventhubURL.Scheme, eventhubURL.Hostname())
 credential, err := azidentity.NewDefaultAzureCredential(&azidentity.DefaultAzureCredentialOptions{
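Review bot: The added `os.Setenv("AZURE_CLIENT_ID", clientID)` in Init selects the identity by mutating the environment of the whole process and discards the error, so the value is not scoped to this token provider; if Init runs for more than one context in the same process, the last `client-id` would presumably win for all of them. DefaultAzureCredential also reads AZURE_CLIENT_ID for its environment and managed-identity credentials, which is wider than the "workload identity" wording in the README. An empty `client-id: ""` passes the string assertion and would overwrite a value injected into the pod, and a non-string value is silently ignored; I would guard with `if ok && clientID != "" {` and propagate the failure with `if err := os.Setenv("AZURE_CLIENT_ID", clientID); err != nil { return err }`. A short comment stating that the variable is set process-wide on purpose would help the next reader. Init's body starts and ends outside the hunk.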