$caaRecords = New-Object System.Collections.ArrayList
$caaRecords.Add((New-azDnsRecordConfig -CaaFlag "0" -CaaTag "iodef" -CaaValue "mailto:admin@example.com"))
$caaRecords.Add((New-azDnsRecordConfig -CaaFlag "0" -CaaTag "issue" -CaaValue "letsencrypt.org"))
#for wildcard uncomment next line
#$caaRecords.Add((New-azDnsRecordConfig -CaaFlag "0" -CaaTag "issuewild" -CaaValue "letsencrypt.org"))

New-AzDnsRecordSet -Name "@" -RecordType CAA -ZoneName zone.com -ResourceGroupName rgName -Ttl 3600 -DnsRecords $caaRecords

$dns = Get-AzDnsRecordSet -Name "@" -RecordType CAA -ZoneName zone.com -ResourceGroupName rgName
Add-AzDnsRecordConfig -RecordSet $dns -CaaFlags 0 -CaaTag 'issue' -CaaValue 'digicert.com'
Set-AzDnsRecordSet -RecordSet $dns

{
    "Name": "DNS TXT Contributor",
    "Id": "",
    "IsCustom": true,
    "Description": "Can manage DNS TXT records only.",
    "Actions": [
        "Microsoft.Network/dnsZones/TXT/*",
        "Microsoft.Network/dnsZones/read"
    ],
    "NotActions": [],
    "AssignableScopes": [
        "scopes_go_here" // I like to put all dns zones in the same rg and allow this role only to that RG and assign that role
    ]
}

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    dns01:
      providers:
      - azuredns:
          clientID: xxx
          clientSecretSecretRef:
            key: CLIENT_SECRET
            name: azuredns-config
          hostedZoneName: dns_zone_name
          resourceGroupName: resource_group_name
          subscriptionID: yyy
          tenantID: zzz
        name: azure
    email: cert@domain.com
    http01: {}
    privateKeySecretRef:
      key: ""
      name: letsencrypt-production
    server: https://acme-v02.api.letsencrypt.org/directory