diff --git a/content/en/docs/configuration/acme/dns01/azuredns.md b/content/en/docs/configuration/acme/dns01/azuredns.md
index e495bc49df2..9c3b1425084 100644
--- a/content/en/docs/configuration/acme/dns01/azuredns.md
+++ b/content/en/docs/configuration/acme/dns01/azuredns.md
@@ -79,7 +79,7 @@ kind: AzureIdentity
 metadata:
   annotations:
     # recommended to use namespaced identites https://azure.github.io/aad-pod-identity/docs/configure/match_pods_in_namespace/
-    aadpodidentity.k8s.io/Behavior: namespaced 
+    aadpodidentity.k8s.io/Behavior: namespaced
   name: certman-identity
   namespace: cert-manager # change to your preferred namespace
 spec:
@@ -136,13 +136,12 @@ spec:
 
 ## Managed Identity Using AKS Kubelet Identity
 
-When creating an AKS cluster in Azure there is the option to use a managed identity that is assigned to the kubelet. This identity is assigned to the underlying node pool in the AKS cluster and can then be used by the cert-manager pods to authenticate to Azure Active Directory. 
+When creating an AKS cluster in Azure there is the option to use a managed identity that is assigned to the kubelet. This identity is assigned to the underlying node pool in the AKS cluster and can then be used by the cert-manager pods to authenticate to Azure Active Directory.
 
 There are some caveats with this approach, these mainly being:
 
-- You will need to ensure only 1 managed identity is assigned to the node pool. This is due to cert-manager not currently being able to select the identity to use
 - Any permissions granted to this identity will also be accessible to all containers running inside the Kubernetes cluster.
-- Using AKS extensions like `Kube Dashboard` will not work with this method as this creates an additional identity that is assigned to the node pools.
+- Using AKS extensions like `Kube Dashboard`, `Virtual Node`, or `HTTP Application Routing` (see full list [here](https://docs.microsoft.com/en-us/azure/aks/use-managed-identity#summary-of-managed-identities)) will create additional identities that are assigned to your node pools. If your node pools have more than one identity assigned, you will need to specify either `clientID` or `resourceID` to select the correct one.
 
 To set this up, firstly you will need to retrieve the identity that the kubelet is using by querying the AKS cluster. This can then be used to create the appropriate permissions in the DNS zone.
 
@@ -156,7 +155,7 @@ ZONE_ID=$(az network dns zone show --name $ZONE_NAME --resource-group $ZONE_GROU
 
 # Create role assignment
 az role assignment create --role "DNS Zone Contributor" --assignee $PRINCIPAL_ID --scope $ZONE_ID
-``` 
+```
 
 - Example terraform:
 ```terraform
@@ -174,13 +173,22 @@ resource "azurerm_kubernetes_cluster" "cluster" {
 
 resource "azurerm_role_assignment" "dns_contributor" {
   scope                            = var.dns_zone_id
-  role_definition_name             = "DNS Zone Contributor"  
-  principal_id                     = azurerm_kubernetes_cluster.cluster.kubelet_identity[0].object_id 
+  role_definition_name             = "DNS Zone Contributor"
+  principal_id                     = azurerm_kubernetes_cluster.cluster.kubelet_identity[0].object_id
   skip_service_principal_aad_check = true # Allows skipping propagation of identity to ensure assignment succeeds.
 }
 ```
 
-Then when creating the cert-manager issuer we only need to specify the `hostedZoneName`, `resourceGroupName` and `subscriptionID` fields for the DNS Zone. Example below:
+Then when creating the cert-manager issuer we need to specify the `hostedZoneName`, `resourceGroupName` and `subscriptionID` fields for the DNS Zone.
+
+We also need to specify `managedIdentity.clientID` or `managedIdentity.resourceID` if multiple managed identities are assigned to the node pools.
+
+The value for `managedIdentity.clientID` can be fetched by running this command:
+```bash
+az aks show -n $CLUSTERNAME -g $CLUSTER_GROUP --query "identityProfile.kubeletidentity.clientId" -o tsv
+```
+
+Example below:
 ```yaml
 apiVersion: cert-manager.io/v1
 kind: Issuer
@@ -197,6 +205,12 @@ spec:
           hostedZoneName: AZURE_DNS_ZONE
           # Azure Cloud Environment, default to AzurePublicCloud
           environment: AzurePublicCloud
+          # optional, only required if node pools have more than 1 managed identity assigned
+          managedIdentity:
+            # client id of the node pool managed identity (can not be set at the same time as resourceID)
+            clientID: YOUR_MANAGED_IDENTITY_CLIENT_ID
+            # resource id of the managed identity (can not be set at the same time as clientID)
+            # resourceID: YOUR_MANAGED_IDENTITY_RESOURCE_ID
 ```
 
 ## Service Principal