Managed Identity

You can configure BOSH to use Azure Managed Identities to avoid hard-coding Azure credentials. Azure Managed Identities are similar to AWS instance profiles.
First, create an Azure Managed Identity and give it the roles/permissions required by BOSH (i.e. create/delete VMs, create/delete/attach disks).

Next, update your BOSH manifest: add the default_managed_identity property and remove client_id, client_secret and tenant_id, as in this example:

      credentials_source: managed_identity
      default_managed_identity:
        type: UserAssigned
        user_assigned_identity_name: my-managed-identity
      default_security_group: ((default_security_group))
      environment: AzureCloud
      resource_group_name: ((resource_group_name))
      ssh_public_key: ((ssh.public_key))
      ssh_user: vcap
      storage_account_name: ((storage_account_name))
      subscription_id: ((subscription_id))
      use_managed_disks: true

There is also an azure/use-managed-identity.yml operator file that you can use to make these changes.
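
A pre-deploy check for the manifest change described above, as an added example that is not part of the BOSH project: it verifies that each azure properties block uses managed_identity, names its identity, and no longer carries client_id, client_secret or tenant_id. Locating the block by searching for a key named azure, the function names, and the sample manifest are assumptions constructed for illustration.

```ruby
require 'yaml'

# Static service-principal keys the page says are no longer used.
STATIC_CREDENTIAL_KEYS = %w[client_id client_secret tenant_id].freeze

# Constructed sample: migration half done, client_secret left behind.
SAMPLE_MANIFEST = <<~YAML
  cloud_provider:
    properties:
      azure:
        credentials_source: managed_identity
        default_managed_identity:
          type: UserAssigned
          user_assigned_identity_name: my-managed-identity
        client_secret: ((client_secret))
        subscription_id: ((subscription_id))
YAML

# Collect every Hash stored under an "azure" key, at any depth
# (assumption: the CPI properties sit under a key with that name).
def azure_blocks(node, found = [])
  children = node.is_a?(Hash) ? node.values : (node.is_a?(Array) ? node : [])
  found << node['azure'] if node.is_a?(Hash) && node['azure'].is_a?(Hash)
  children.each { |child| azure_blocks(child, found) }
  found
end

# Findings for one azure properties block; empty means it passed.
def lint_azure_block(azure)
  findings = []
  findings << 'credentials_source is not managed_identity' unless azure['credentials_source'] == 'managed_identity'
  identity = azure['default_managed_identity']
  if !identity.is_a?(Hash)
    findings << 'default_managed_identity is missing'
  elsif identity['type'] == 'UserAssigned' && identity['user_assigned_identity_name'].to_s.empty?
    findings << 'UserAssigned identity has no user_assigned_identity_name'
  end
  STATIC_CREDENTIAL_KEYS.each do |key|
    findings << "static credential still present: #{key}" if azure.key?(key)
  end
  findings
end

# Lint every azure block in a manifest; aliases are allowed because
# manifests may reuse one block through YAML anchors.
def lint_manifest(yaml_text)
  blocks = azure_blocks(YAML.safe_load(yaml_text, aliases: true))
  return ['no azure properties block found'] if blocks.empty?
  blocks.flat_map { |block| lint_azure_block(block) }.uniq
end

# Lint the file given on the command line, or the constructed sample.
path = ARGV[0]
puts lint_manifest(path && File.file?(path) ? File.read(path) : SAMPLE_MANIFEST)
```

Run it against the interpolated manifest before deploying; any line of output means a static credential or an incomplete identity setting is still in the file.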

Once deployed and your BOSH director VM has been recreated, it should have a "User Managed" identity with the name you specified in the user_assigned_identity_name property (see example above).
You can check this in the Azure Portal: Virtual Machines => select the BOSH director VM => Identities