diff --git a/azurerm/internal/services/apimanagement/api_management_backend_resource.go b/azurerm/internal/services/apimanagement/api_management_backend_resource.go
index 964944969baa..9e095dfed892 100644
--- a/azurerm/internal/services/apimanagement/api_management_backend_resource.go
+++ b/azurerm/internal/services/apimanagement/api_management_backend_resource.go
@@ -159,9 +159,17 @@ func resourceApiManagementBackend() *pluginsdk.Resource {
 				Optional: true,
 				Elem: &pluginsdk.Resource{
 					Schema: map[string]*pluginsdk.Schema{
+						"client_certificate_id": {
+							Type:         pluginsdk.TypeString,
+							Optional:     true,
+							Computed:     true,
+							ValidateFunc: validate.CertificateID,
+						},
+
 						"client_certificate_thumbprint": {
 							Type:         pluginsdk.TypeString,
-							Required:     true,
+							Optional:     true,
+							Computed:     true,
 							ValidateFunc: validation.StringIsNotEmpty,
 						},
 						"management_endpoints": {
@@ -469,14 +477,25 @@ func expandApiManagementBackendServiceFabricCluster(input []interface{}) (error,
 		return nil, nil
 	}
 	v := input[0].(map[string]interface{})
-	clientCertificatethumbprint := v["client_certificate_thumbprint"].(string)
 	managementEndpoints := v["management_endpoints"].(*pluginsdk.Set).List()
 	maxPartitionResolutionRetries := int32(v["max_partition_resolution_retries"].(int))
 	properties := apimanagement.BackendServiceFabricClusterProperties{
-		ClientCertificatethumbprint:   utils.String(clientCertificatethumbprint),
 		ManagementEndpoints:           utils.ExpandStringSlice(managementEndpoints),
 		MaxPartitionResolutionRetries: utils.Int32(maxPartitionResolutionRetries),
 	}
+
+	if v2, ok := v["client_certificate_thumbprint"].(string); ok && v2 != "" {
+		properties.ClientCertificatethumbprint = utils.String(v2)
+	}
+
+	if v2, ok := v["client_certificate_id"].(string); ok && v2 != "" {
+		properties.ClientCertificateID = utils.String(v2)
+	}
+
+	if properties.ClientCertificateID == nil && properties.ClientCertificatethumbprint == nil {
+		return fmt.Errorf("at least one of `client_certificate_thumbprint` and `client_certificate_id` must be set"), nil
+	}
+
 	serverCertificateThumbprintsUnset := true
 	serverX509NamesUnset := true
 	if serverCertificateThumbprints := v["server_certificate_thumbprints"]; serverCertificateThumbprints != nil {
@@ -589,6 +608,11 @@ func flattenApiManagementBackendServiceFabricCluster(input *apimanagement.Backen
 	if clientCertificatethumbprint := input.ClientCertificatethumbprint; clientCertificatethumbprint != nil {
 		result["client_certificate_thumbprint"] = *clientCertificatethumbprint
 	}
+
+	if input.ClientCertificateID != nil {
+		result["client_certificate_id"] = *input.ClientCertificateID
+	}
+
 	if managementEndpoints := input.ManagementEndpoints; managementEndpoints != nil {
 		result["management_endpoints"] = *managementEndpoints
 	}
diff --git a/azurerm/internal/services/apimanagement/api_management_backend_resource_test.go b/azurerm/internal/services/apimanagement/api_management_backend_resource_test.go
index fcc1fe306239..ddfc27af180c 100644
--- a/azurerm/internal/services/apimanagement/api_management_backend_resource_test.go
+++ b/azurerm/internal/services/apimanagement/api_management_backend_resource_test.go
@@ -144,6 +144,21 @@ func TestAccApiManagementBackend_serviceFabric(t *testing.T) {
 	})
 }
 
+func TestAccApiManagementBackend_serviceFabricClientCertificateId(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_api_management_backend", "test")
+	r := ApiManagementAuthorizationBackendResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.serviceFabricClientCertificateId(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
 func TestAccApiManagementBackend_disappears(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azurerm_api_management_backend", "test")
 	r := ApiManagementAuthorizationBackendResource{}
@@ -333,6 +348,39 @@ resource "azurerm_api_management_backend" "test" {
 `, r.template(data, "sf"), data.RandomInteger)
 }
 
+func (r ApiManagementAuthorizationBackendResource) serviceFabricClientCertificateId(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_api_management_certificate" "test" {
+  name                = "example-cert"
+  api_management_name = azurerm_api_management.test.name
+  resource_group_name = azurerm_resource_group.test.name
+  data                = filebase64("testdata/keyvaultcert.pfx")
+  password            = ""
+}
+
+resource "azurerm_api_management_backend" "test" {
+  name                = "acctestapi-%d"
+  resource_group_name = azurerm_resource_group.test.name
+  api_management_name = azurerm_api_management.test.name
+  protocol            = "http"
+  url                 = "fabric:/mytestapp/acctest"
+  service_fabric_cluster {
+    client_certificate_id = azurerm_api_management_certificate.test.id
+    management_endpoints = [
+      "https://acctestsf.com",
+    ]
+    max_partition_resolution_retries = 5
+    server_certificate_thumbprints = [
+      azurerm_api_management_certificate.test.thumbprint,
+      azurerm_api_management_certificate.test.thumbprint,
+    ]
+  }
+}
+`, r.template(data, "sf"), data.RandomInteger)
+}
+
 func (r ApiManagementAuthorizationBackendResource) requiresImport(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 %s
@@ -364,7 +412,7 @@ resource "azurerm_api_management" "test" {
   resource_group_name = azurerm_resource_group.test.name
   publisher_name      = "pub1"
   publisher_email     = "pub1@email.com"
-  sku_name            = "Developer_1"
+  sku_name            = "Consumption_0"
 }
 `, data.RandomInteger, testName, data.Locations.Primary, data.RandomInteger, testName)
 }
diff --git a/website/docs/r/api_management_backend.html.markdown b/website/docs/r/api_management_backend.html.markdown
index a361e5e7a6a2..da3edd459bfe 100644
--- a/website/docs/r/api_management_backend.html.markdown
+++ b/website/docs/r/api_management_backend.html.markdown
@@ -101,8 +101,12 @@ A `proxy` block supports the following:
 
 A `service_fabric_cluster` block supports the following:
 
-* `client_certificate_thumbprint` - (Required) The client certificate thumbprint for the management endpoint.
+* `client_certificate_thumbprint` - (Optional) The client certificate thumbprint for the management endpoint.
 
+* `client_certificate_id` - (Optional) The client certificate resource id for the management endpoint.
+
+> **Note:** At least one of `client_certificate_thumbprint`, and `client_certificate_id` must be set.
+>
 * `management_endpoints` - (Required) A list of cluster management endpoints.
 
 * `max_partition_resolution_retries` - (Required) The maximum number of retries when attempting resolve the partition.