diff --git a/bindata/cloud-network-config-controller/managed/controller.yaml b/bindata/cloud-network-config-controller/managed/controller.yaml
index 127edc048f..96daa675db 100644
--- a/bindata/cloud-network-config-controller/managed/controller.yaml
+++ b/bindata/cloud-network-config-controller/managed/controller.yaml
@@ -92,8 +92,6 @@ spec:
 value: "{{.KubernetesServicePort}}"
 - name: KUBERNETES_SERVICE_HOST
 value: "{{.KubernetesServiceHost}}"
- - name: AZURE_MSI_AUTHENTICATION
- value: "{{.AzureMSIAuthentication}}"
 containers:
 # hosted-cluster-token creates a token with a custom path(/var/run/secrets/hosted_cluster/token)
 # The token path is included in the kubeconfig used by cncc containers to talk to the hosted clusters API server
@@ -184,6 +182,14 @@ spec:
 {{ if .NO_PROXY }}
 - name: "NO_PROXY"
 value: "{{ .NO_PROXY}}"
+{{ end }}
+{{- if not (eq .AzureManagedClientID "")}}
+ - name: "ARO_HCP_MI_CLIENT_ID"
+ value: "{{ .AzureManagedClientID }}"
+ - name: "ARO_HCP_TENANT_ID"
+ value: "{{ .AzureManagedTenantID }}"
+ - name: "ARO_HCP_CLIENT_CERTIFICATE_PATH"
+ value: "{{ .AzureManagedCertPath}}"
 {{ end }}
 resources:
 requests:
@@ -203,6 +209,11 @@ spec:
 - name: cloud-token
 mountPath: /var/run/secrets/openshift/serviceaccount
 readOnly: true
+{{- if not (eq .AzureManagedClientID "")}}
+ - name: cncc-cert
+ mountPath: {{.AzureManagedCertDirectory}}
+ readOnly: true
+{{- end }}
 terminationMessagePolicy: FallbackToLogsOnError
 tolerations:
 {{- if .HCPTolerations }}
@@ -244,3 +255,11 @@ spec:
 - name: kube-cloud-config
 configMap:
 name: cloud-network-config-controller-kube-cloud-config
+{{- if not (eq .AzureManagedClientID "")}}
+ - name: cncc-cert
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: {{.AzureManagedSecretProviderClass}}
+{{- end }}
diff --git a/pkg/network/cloud_network.go b/pkg/network/cloud_network.go
index e8e53165cf..4be390ae29 100644
--- a/pkg/network/cloud_network.go
+++ b/pkg/network/cloud_network.go
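Review bot: The `{{- if not (eq .AzureManagedClientID "")}}` guard in the env hunk checks only the client ID, so `ARO_HCP_TENANT_ID` can render empty and `ARO_HCP_CLIENT_CERTIFICATE_PATH` can render as the bare mount directory when the companion values are unset, and the controller only finds out when it tries to authenticate. A template cannot fail the render, so the renderer in cloud_network.go is where a partial configuration should be rejected; the invariant is worth recording here so the two files stay in step. Suggested comment above the guard: `# Rendered only for ARO HCP managed-identity auth. The renderer must guarantee that tenant ID, certificate path and secret provider class are all set whenever the client ID is.` The env list and container it belongs to start outside the hunk.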
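Review bot: `secretProviderClass: {{.AzureManagedSecretProviderClass}}` in the volumes hunk is the only templated value in this change that is not quoted: an empty `ARO_HCP_SECRET_PROVIDER_CLASS` renders a null attribute and a value containing YAML-significant characters breaks the manifest, whereas the env values above are rendered as `"{{ ... }}"`. Quote it for consistency and predictable failure, `secretProviderClass: "{{ .AzureManagedSecretProviderClass }}"`. `readOnly: true` on both the CSI volume and its mount is the right default for certificate material. This block closes the `volumes:` list, which starts outside the hunk.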
@@ -20,6 +20,8 @@ import (
 uns "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
+const azureCertPath = "/var/run/secrets/azure"
+
 // renderCloudNetworkConfigController renders the cloud network config controller
 func renderCloudNetworkConfigController(conf *operv1.NetworkSpec, bootstrapResult *bootstrap.BootstrapResult, manifestDir string) ([]*uns.Unstructured, error) {
 cloudBootstrapResult := bootstrapResult.Infra
@@ -102,7 +104,11 @@ func renderCloudNetworkConfigController(conf *operv1.NetworkSpec, bootstrapResul
 data.Data["HTTP_PROXY"] = os.Getenv("MGMT_HTTP_PROXY")
 data.Data["HTTPS_PROXY"] = os.Getenv("MGMT_HTTPS_PROXY")
 data.Data["NO_PROXY"] = os.Getenv("MGMT_NO_PROXY")
- data.Data["AzureMSIAuthentication"] = os.Getenv("AZURE_MSI_AUTHENTICATION")
+ data.Data["AzureManagedClientID"] = os.Getenv("ARO_HCP_MI_CLIENT_ID")
+ data.Data["AzureManagedTenantID"] = os.Getenv("ARO_HCP_TENANT_ID")
+ data.Data["AzureManagedCertDirectory"] = azureCertPath
+ data.Data["AzureManagedCertPath"] = filepath.Join(azureCertPath, os.Getenv("ARO_HCP_CLIENT_CERTIFICATE_NAME"))
+ data.Data["AzureManagedSecretProviderClass"] = os.Getenv("ARO_HCP_SECRET_PROVIDER_CLASS")
 caOverride.ObjectMeta = metav1.ObjectMeta{
 Namespace: hcpCfg.Namespace,
 Name: "cloud-network-config-controller-kube-cloud-config",
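Review bot: `const azureCertPath = "/var/run/secrets/azure"` has no doc comment, and its value has to agree with the `mountPath` and the `ARO_HCP_CLIENT_CERTIFICATE_PATH` consumer in controller.yaml, which nothing in the code records. Suggested comment: `// azureCertPath is the directory inside the cncc pod where the secrets-store CSI volume holding the ARO HCP client certificate is mounted; the template derives both the volume mountPath and ARO_HCP_CLIENT_CERTIFICATE_PATH from it.`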
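Review bot: `filepath.Join(azureCertPath, os.Getenv("ARO_HCP_CLIENT_CERTIFICATE_NAME"))` accepts whatever is in the environment, so an unset name yields the bare mount directory as the certificate path, and a name containing `/` or `..` is cleaned to a path outside `/var/run/secrets/azure` (Join("/var/run/secrets/azure", "../../x") is "/var/run/x"), pointing the controller at an arbitrary file in its container. These values come from the operator's own environment rather than an untrusted caller, but the template gates the whole Azure block only on `AzureManagedClientID`, so a partially set environment renders a pod with an empty tenant ID, an empty `secretProviderClass` and a wrong certificate path that fails only at runtime. Since the function already returns an error, a partial or malformed configuration should be rejected at render time; the sketch below uses fmt.Errorf, so substitute the error helper this file already uses if fmt is not imported. renderCloudNetworkConfigController starts in the previous hunk and continues past this one.
```go
	// … unchanged: proxy settings …
	clientID := os.Getenv("ARO_HCP_MI_CLIENT_ID")
	certName := os.Getenv("ARO_HCP_CLIENT_CERTIFICATE_NAME")
	if clientID != "" {
		// The template renders the whole Azure block whenever the client ID is
		// set, so every companion value must be present, and the cert name must
		// stay inside the CSI mount (Join would otherwise clean ".." out of it).
		if os.Getenv("ARO_HCP_TENANT_ID") == "" || os.Getenv("ARO_HCP_SECRET_PROVIDER_CLASS") == "" {
			return nil, fmt.Errorf("ARO_HCP_TENANT_ID and ARO_HCP_SECRET_PROVIDER_CLASS must be set when ARO_HCP_MI_CLIENT_ID is set")
		}
		if certName == "" || certName == "." || certName == ".." || filepath.Base(certName) != certName {
			return nil, fmt.Errorf("ARO_HCP_CLIENT_CERTIFICATE_NAME must be a bare file name, got %q", certName)
		}
	}
	data.Data["AzureManagedClientID"] = clientID
	data.Data["AzureManagedTenantID"] = os.Getenv("ARO_HCP_TENANT_ID")
	data.Data["AzureManagedCertDirectory"] = azureCertPath
	data.Data["AzureManagedCertPath"] = filepath.Join(azureCertPath, certName)
	data.Data["AzureManagedSecretProviderClass"] = os.Getenv("ARO_HCP_SECRET_PROVIDER_CLASS")
	// … unchanged: caOverride.ObjectMeta …
```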