diff --git a/internal/backend/azure/azure.go b/internal/backend/azure/azure.go
index 46be33357..92f64243b 100644
--- a/internal/backend/azure/azure.go
+++ b/internal/backend/azure/azure.go
@@ -101,23 +101,21 @@ func open(cfg Config, rt http.RoundTripper) (*Backend, error) {
 		if err != nil {
 			return nil, errors.Wrap(err, "NewAccountSASClientFromEndpointToken")
 		}
-	} else if cfg.ForceCliCredential {
-		debug.Log(" - using AzureCLICredential")
-
-		cred, err := azidentity.NewAzureCLICredential(nil)
-		if err != nil {
-			return nil, errors.Wrap(err, "NewAzureCLICredential")
-		}
-
-		client, err = azContainer.NewClient(url, cred, opts)
-		if err != nil {
-			return nil, errors.Wrap(err, "NewClient")
-		}
 	} else {
-		debug.Log(" - using DefaultAzureCredential")
-		cred, err := azidentity.NewDefaultAzureCredential(nil)
-		if err != nil {
-			return nil, errors.Wrap(err, "NewDefaultAzureCredential")
+		var cred azcore.TokenCredential
+
+		if cfg.ForceCliCredential {
+			debug.Log(" - using AzureCLICredential")
+			cred, err = azidentity.NewAzureCLICredential(nil)
+			if err != nil {
+				return nil, errors.Wrap(err, "NewAzureCLICredential")
+			}
+		} else {
+			debug.Log(" - using DefaultAzureCredential")
+			cred, err = azidentity.NewDefaultAzureCredential(nil)
+			if err != nil {
+				return nil, errors.Wrap(err, "NewDefaultAzureCredential")
+			}
 		}
 
 		client, err = azContainer.NewClient(url, cred, opts)