Azure RM backend: using both CLI and service principal?

I’m introducing Terraform to an enterprise that uses Azure.

From this doc, I see the great advice:

We recommend using either a Service Principal or Managed Service Identity when running Terraform non-interactively (such as when running Terraform in a CI server) - and authenticating using the Azure CLI when running Terraform locally.

My question is – what is the best way to format the backend block in this case? Do I need two configuration files, each with a different back-end block? Is this best done using config variables that I override from CI?

I’m less familiar with this piece and I want to make sure I don’t lead them astray, as my goal is definitely get some infrastructure defined and collaborated on and then moved into a CI pipeline ASAP.

Any advice on how to functionally set up the quote provided above would be helpful; I’d be willing to contribute a doc back as well.