diff --git a/apis/keda/v1alpha1/triggerauthentication_types.go b/apis/keda/v1alpha1/triggerauthentication_types.go
index 26dcfe8f9ad..24f4ea44c02 100644
--- a/apis/keda/v1alpha1/triggerauthentication_types.go
+++ b/apis/keda/v1alpha1/triggerauthentication_types.go
@@ -181,9 +181,10 @@ type VaultSecret struct {
 
 // AzureKeyVault is used to authenticate using Azure Key Vault
 type AzureKeyVault struct {
- VaultURI string `json:"vaultUri"`
+ VaultURI string `json:"vaultUri"`
+ Secrets []AzureKeyVaultSecret `json:"secrets"`
+ // +optional
 Credentials *AzureKeyVaultCredentials `json:"credentials"`
- Secrets []AzureKeyVaultSecret `json:"secrets"`
 // +optional
 Cloud *AzureKeyVaultCloudInfo `json:"cloud"`
 }
diff --git a/apis/keda/v1alpha1/zz_generated.deepcopy.go b/apis/keda/v1alpha1/zz_generated.deepcopy.go
index fc63e23d1f9..a7d7732de17 100644
--- a/apis/keda/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/keda/v1alpha1/zz_generated.deepcopy.go
@@ -95,16 +95,16 @@ func (in *AuthSecretTargetRef) DeepCopy() *AuthSecretTargetRef {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AzureKeyVault) DeepCopyInto(out *AzureKeyVault) {
 *out = *in
- if in.Credentials != nil {
- in, out := &in.Credentials, &out.Credentials
- *out = new(AzureKeyVaultCredentials)
- (*in).DeepCopyInto(*out)
- }
 if in.Secrets != nil {
 in, out := &in.Secrets, &out.Secrets
 *out = make([]AzureKeyVaultSecret, len(*in))
 copy(*out, *in)
 }
+ if in.Credentials != nil {
+ in, out := &in.Credentials, &out.Credentials
+ *out = new(AzureKeyVaultCredentials)
+ (*in).DeepCopyInto(*out)
+ }
 if in.Cloud != nil {
 in, out := &in.Cloud, &out.Cloud
 *out = new(AzureKeyVaultCloudInfo)
diff --git a/config/crd/bases/keda.sh_clustertriggerauthentications.yaml b/config/crd/bases/keda.sh_clustertriggerauthentications.yaml
index a07a808c67b..0aed26b43a7 100644
--- a/config/crd/bases/keda.sh_clustertriggerauthentications.yaml
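Review bot: `Credentials` is marked `+optional` on the new side of the struct hunk, but nothing on the type says when it may actually be omitted, and the handler change in this same commit (getAuthConfig in azure_keyvault_handler.go) dereferences `vh.vault.Credentials` whenever the pod identity provider is empty or none, so the field is still effectively required in that configuration. A doc comment on the field would record that contract for users and for the CRD description: `// Credentials is the service principal used to reach Key Vault when no pod identity provider is configured; required in that case, ignored otherwise.`. The same marker on `Cloud` two lines below is also undocumented, and a one-line comment there would keep the two optional fields consistent.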
+++ b/config/crd/bases/keda.sh_clustertriggerauthentications.yaml
@@ -116,7 +116,6 @@ spec:
 vaultUri:
 type: string
 required:
- - credentials
 - secrets
 - vaultUri
 type: object
diff --git a/config/crd/bases/keda.sh_triggerauthentications.yaml b/config/crd/bases/keda.sh_triggerauthentications.yaml
index a8ad47f2279..f54cbd72e69 100644
--- a/config/crd/bases/keda.sh_triggerauthentications.yaml
+++ b/config/crd/bases/keda.sh_triggerauthentications.yaml
@@ -115,7 +115,6 @@ spec:
 vaultUri:
 type: string
 required:
- - credentials
 - secrets
 - vaultUri
 type: object
diff --git a/pkg/scaling/resolver/azure_keyvault_handler.go b/pkg/scaling/resolver/azure_keyvault_handler.go
index 68784728091..fb82b626c4d 100644
--- a/pkg/scaling/resolver/azure_keyvault_handler.go
+++ b/pkg/scaling/resolver/azure_keyvault_handler.go
@@ -34,32 +34,28 @@ import (
 type AzureKeyVaultHandler struct {
 vault *kedav1alpha1.AzureKeyVault
 keyvaultClient *keyvault.BaseClient
+ podIdentity kedav1alpha1.PodIdentityProvider
 }
 
-func NewAzureKeyVaultHandler(v *kedav1alpha1.AzureKeyVault) *AzureKeyVaultHandler {
+func NewAzureKeyVaultHandler(v *kedav1alpha1.AzureKeyVault, podIdentity kedav1alpha1.PodIdentityProvider) *AzureKeyVaultHandler {
 return &AzureKeyVaultHandler{
- vault: v,
+ vault: v,
+ podIdentity: podIdentity,
 }
 }
 
 func (vh *AzureKeyVaultHandler) Initialize(ctx context.Context, client client.Client, logger logr.Logger, triggerNamespace string) error {
- clientID := vh.vault.Credentials.ClientID
- tenantID := vh.vault.Credentials.TenantID
-
- clientSecretName := vh.vault.Credentials.ClientSecret.ValueFrom.SecretKeyRef.Name
- clientSecretKey := vh.vault.Credentials.ClientSecret.ValueFrom.SecretKeyRef.Key
- clientSecret := resolveAuthSecret(ctx, client, logger, clientSecretName, triggerNamespace, clientSecretKey)
-
- clientCredentialsConfig := auth.NewClientCredentialsConfig(clientID, clientSecret, tenantID)
-
 keyvaultResourceURL, activeDirectoryEndpoint, err := vh.getPropertiesForCloud()
 if err != nil {
 return err
 }
 
- clientCredentialsConfig.Resource = keyvaultResourceURL
- clientCredentialsConfig.AADEndpoint = activeDirectoryEndpoint
- authorizer, err := clientCredentialsConfig.Authorizer()
+ authConfig := vh.getAuthConfig(ctx, client, logger, triggerNamespace, keyvaultResourceURL, activeDirectoryEndpoint)
+ if err != nil {
+ return err
+ }
+
+ authorizer, err := authConfig.Authorizer()
 if err != nil {
 return err
 }
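Review bot: The `if err != nil` that follows the new `authConfig := vh.getAuthConfig(...)` line re-tests the `err` left over from `getPropertiesForCloud`, which was already checked three lines earlier, so it can never fire; `getAuthConfig` as added in the next hunk returns no error at all. That matters because the same function returns `nil` for any provider outside its three cases, and `authConfig.Authorizer()` on the following line is then a method call through a nil interface, which panics inside the operator rather than failing this one TriggerAuthentication. The clean fix is for `getAuthConfig` to return `(auth.AuthorizerConfig, error)` (see the note on that hunk) and for this call to become `authConfig, err := vh.getAuthConfig(ctx, client, logger, triggerNamespace, keyvaultResourceURL, activeDirectoryEndpoint)`, keeping the check that follows it. The body of `Initialize` continues past the end of the hunk.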
@@ -105,3 +101,31 @@ func (vh *AzureKeyVaultHandler) getPropertiesForCloud() (string, string, error) return env.ResourceIdentifiers.KeyVault, env.ActiveDirectoryEndpoint, nil } + +func (vh *AzureKeyVaultHandler) getAuthConfig(ctx context.Context, client client.Client, logger logr.Logger, + triggerNamespace, keyVaultResourceURL, activeDirectoryEndpoint string) auth.AuthorizerConfig { + switch vh.podIdentity { + case "", kedav1alpha1.PodIdentityProviderNone: + clientID := vh.vault.Credentials.ClientID + tenantID := vh.vault.Credentials.TenantID + + clientSecretName := vh.vault.Credentials.ClientSecret.ValueFrom.SecretKeyRef.Name + clientSecretKey := vh.vault.Credentials.ClientSecret.ValueFrom.SecretKeyRef.Key + clientSecret := resolveAuthSecret(ctx, client, logger, clientSecretName, triggerNamespace, clientSecretKey) + + config := auth.NewClientCredentialsConfig(clientID, clientSecret, tenantID) + config.Resource = keyVaultResourceURL + config.AADEndpoint = activeDirectoryEndpoint + + return config + case kedav1alpha1.PodIdentityProviderAzure: + config := auth.NewMSIConfig() + config.Resource = keyVaultResourceURL + + return config + case kedav1alpha1.PodIdentityProviderAzureWorkload: + return azure.NewAzureADWorkloadIdentityConfig(ctx, keyVaultResourceURL) + } + + return nil +} diff --git a/pkg/scaling/resolver/azure_keyvault_handler_test.go b/pkg/scaling/resolver/azure_keyvault_handler_test.go index 4a6740f567d..2f0e1e1bc6a 100644 --- a/pkg/scaling/resolver/azure_keyvault_handler_test.go +++ b/pkg/scaling/resolver/azure_keyvault_handler_test.go @@ -110,7 +110,7 @@ var testDataset = []testData{ func TestGetPropertiesForCloud(t *testing.T) { for _, testData := range testDataset { - vh := NewAzureKeyVaultHandler(&testData.vault) + vh := NewAzureKeyVaultHandler(&testData.vault, kedav1alpha1.PodIdentityProviderNone) kvResourceURL, adEndpoint, err := vh.getPropertiesForCloud() 
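Review bot: In the `"", kedav1alpha1.PodIdentityProviderNone` case `vh.vault.Credentials` is dereferenced on the `clientID` line with no nil check, and the CRD hunks in this commit remove `credentials` from the `required` list, so a TriggerAuthentication that sets `azureKeyVault.secrets` but neither `credentials` nor a pod identity is now admitted by the API server and crashes the controller with a nil pointer dereference the first time it is resolved; before this change the schema rejected that object. The trailing `return nil` for any other provider value has the same outcome at the caller in `Initialize`, which calls `Authorizer()` on the result. Both paths should surface as errors for that one resource instead, which means the function returns `(auth.AuthorizerConfig, error)` and the call site in the previous hunk becomes `authConfig, err := vh.getAuthConfig(...)`; if `ClientSecret.ValueFrom` or `SecretKeyRef` are pointers in the API types (not visible here), the same guard applies to them. `fmt` must be imported if the file does not already use it.

```go
func (vh *AzureKeyVaultHandler) getAuthConfig(ctx context.Context, client client.Client, logger logr.Logger,
	triggerNamespace, keyVaultResourceURL, activeDirectoryEndpoint string) (auth.AuthorizerConfig, error) {
	switch vh.podIdentity {
	case "", kedav1alpha1.PodIdentityProviderNone:
		// The CRD no longer requires credentials, so a missing block must be
		// rejected here rather than dereferenced.
		creds := vh.vault.Credentials
		if creds == nil {
			return nil, fmt.Errorf("azure key vault: credentials are required when no pod identity provider is set")
		}
		// … unchanged: clientID/tenantID/clientSecret resolution and client-credentials config, reading from creds …
		return config, nil
	case kedav1alpha1.PodIdentityProviderAzure:
		// … unchanged: MSI config …
		return config, nil
	case kedav1alpha1.PodIdentityProviderAzureWorkload:
		return azure.NewAzureADWorkloadIdentityConfig(ctx, keyVaultResourceURL), nil
	}

	return nil, fmt.Errorf("azure key vault: unsupported pod identity provider %q", vh.podIdentity)
}
```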
diff --git a/pkg/scaling/resolver/scale_resolvers.go b/pkg/scaling/resolver/scale_resolvers.go
index a0015a117a1..d93a7c24280 100644
--- a/pkg/scaling/resolver/scale_resolvers.go
+++ b/pkg/scaling/resolver/scale_resolvers.go
@@ -211,7 +211,7 @@ func resolveAuthRef(ctx context.Context, client client.Client, logger logr.Logge
 }
 }
 if triggerAuthSpec.AzureKeyVault != nil && len(triggerAuthSpec.AzureKeyVault.Secrets) > 0 {
- vaultHandler := NewAzureKeyVaultHandler(triggerAuthSpec.AzureKeyVault)
+ vaultHandler := NewAzureKeyVaultHandler(triggerAuthSpec.AzureKeyVault, podIdentity)
 err := vaultHandler.Initialize(ctx, client, logger, triggerNamespace)
 if err != nil {
 logger.Error(err, "Error authenticating to Azure Key Vault", "triggerAuthRef.Name", triggerAuthRef.Name)
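Review bot: The gate on the `if triggerAuthSpec.AzureKeyVault != nil && len(...Secrets) > 0` line still admits a spec that has secrets but neither `credentials` nor a pod identity, and the new `podIdentity` argument changes which of those the handler will use, so a reader of this call site cannot tell from the hunk which credential source wins. A one-line comment above the changed line would make that explicit: `// Key Vault access authenticates with the resolved pod identity; spec.azureKeyVault.credentials is only used when no provider is set.`. Where `podIdentity` is resolved is outside the hunk; presumably it is the same value the trigger itself uses, which is worth confirming since the Key Vault lookup then silently inherits it. `resolveAuthRef` continues on both sides of the hunk.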