There are two types of Managed Service Identities: System Assigned and User Assigned.
As a result, your code can use either a system assigned or user assigned identity, to request access tokens for services that support Azure AD authentication. All while Azure takes care of rolling the credentials used by the service instance.
Here's an example of how System Assigned Identities work with Azure Virtual Machines:
Your code running on the VM can request a token from two endpoints that are only accessible from within the VM:
Call is made to Azure AD requesting an access token as specified in step #5, using the client ID and certificate configured in step #3. Azure AD returns a JSON Web Token (JWT) access token.
Using the same diagram, here's an example of how a user-assigned works with Azure Virtual Machines.
Your code running on the VM can request a token from two endpoints that are only accessible from within the VM:
Azure Instance Metadata Service (IMDS) identity endpoint: http://169.254.169.254/metadata/identity/oauth2/token (recommended)
VM extension endpoint: http://localhost:50342/oauth2/token (to be deprecated)