diff --git a/control-plane-operator/controllers/hostedcontrolplane/cno/clusternetworkoperator.go b/control-plane-operator/controllers/hostedcontrolplane/cno/clusternetworkoperator.go
index aab94d80ff5..16e1d9315a3 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/cno/clusternetworkoperator.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/cno/clusternetworkoperator.go
@@ -8,19 +8,18 @@ import (
 "strconv"
 "text/template"
 
- "github.com/openshift/hypershift/support/proxy"
- "github.com/openshift/hypershift/support/rhobsmonitoring"
- "sigs.k8s.io/controller-runtime/pkg/client"
-
- "github.com/blang/semver"
- routev1 "github.com/openshift/api/route/v1"
 hyperv1 "github.com/openshift/hypershift/api/hypershift/v1beta1"
 "github.com/openshift/hypershift/control-plane-operator/controllers/hostedcontrolplane/common"
 "github.com/openshift/hypershift/control-plane-operator/controllers/hostedcontrolplane/imageprovider"
 "github.com/openshift/hypershift/control-plane-operator/controllers/hostedcontrolplane/kas"
 "github.com/openshift/hypershift/control-plane-operator/controllers/hostedcontrolplane/manifests"
+ "github.com/openshift/hypershift/support/azureutil"
 "github.com/openshift/hypershift/support/config"
+ "github.com/openshift/hypershift/support/proxy"
+ "github.com/openshift/hypershift/support/rhobsmonitoring"
 "github.com/openshift/hypershift/support/util"
+
+ routev1 "github.com/openshift/api/route/v1"
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
 rbacv1 "k8s.io/api/rbac/v1"
@@ -29,6 +28,9 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime/schema"
 "k8s.io/utils/ptr"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+
+ "github.com/blang/semver"
 )
 
 const (
@@ -113,6 +115,9 @@ type Params struct {
 DeploymentConfig config.DeploymentConfig
 IsPrivate bool
 DefaultIngressDomain string
+ AzureClientID string
+ AzureTenantID string
+ AzureCertificateName string
 }
 
 func init() {
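Review bot: The three new Params fields (`AzureClientID`, `AzureTenantID`, `AzureCertificateName`) are added without doc comments, and their population is split across two places: NewParams fills the client ID and certificate name from the HCP spec, while AzureTenantID is only set by the caller in reconcileClusterNetworkOperator after it reads the Azure credentials secret. A reader of Params cannot tell that from the struct, so a one-line comment per field would help, e.g. `// AzureTenantID is the tenant of the control-plane network managed identity; populated by the caller from the Azure credentials secret (not by NewParams) and only on ARO HCP.` with similar lines noting that the other two come from `hcp.Spec.Platform.Azure.ManagedIdentities.ControlPlane.Network`. The Params struct starts before this hunk.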
@@ -161,6 +166,11 @@ func NewParams(hcp *hyperv1.HostedControlPlane, version string, releaseImageProv
 CAConfigMapKey: caConfigMapKey,
 }
 
+ if azureutil.IsAroHCP() {
+ p.AzureClientID = hcp.Spec.Platform.Azure.ManagedIdentities.ControlPlane.Network.ClientID
+ p.AzureCertificateName = hcp.Spec.Platform.Azure.ManagedIdentities.ControlPlane.Network.CertificateName
+ }
+
 p.DeploymentConfig.AdditionalLabels = map[string]string{
 config.NeedManagementKASAccessLabel: "true",
 }
@@ -608,6 +618,29 @@ if [[ -n $sc ]]; then kubectl --kubeconfig $kc delete --ignore-not-found validat
 {Name: "ca-bundle", VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: manifests.RootCASecret("").Name, DefaultMode: ptr.To[int32](0640)}}},
 }
 
+ // For ARO HCP deployments, we pass the env variable for the SecretProviderClass for the Secrets Store CSI driver
+ // to use on the CNCC deployment.
+ if azureutil.IsAroHCP() {
+ dep.Spec.Template.Spec.Containers[0].Env = append(dep.Spec.Template.Spec.Containers[0].Env,
+ corev1.EnvVar{
+ Name: config.ManagedAzureClientIdEnvVarKey,
+ Value: params.AzureClientID,
+ },
+ corev1.EnvVar{
+ Name: config.ManagedAzureTenantIdEnvVarKey,
+ Value: params.AzureTenantID,
+ },
+ corev1.EnvVar{
+ Name: config.ManagedAzureCertificateNameEnvVarKey,
+ Value: params.AzureCertificateName,
+ },
+ corev1.EnvVar{
+ Name: config.ManagedAzureSecretProviderClassEnvVarKey,
+ Value: config.ManagedAzureNetworkSecretStoreProviderClassName,
+ },
+ )
+ }
+
 params.DeploymentConfig.ApplyTo(dep)
 util.AvailabilityProber(kas.InClusterKASReadyURL(platformType), params.AvailabilityProberImage, &dep.Spec.Template.Spec, func(o *util.AvailabilityProberOpts) {
 o.KubeconfigVolumeName = "hosted-etc-kube"
diff --git a/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go b/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go
index 0768786a490..1e7e15337e6 100644
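Review bot: The new block in NewParams dereferences `hcp.Spec.Platform.Azure.ManagedIdentities.ControlPlane.Network` as soon as `azureutil.IsAroHCP()` is true, without checking that this HCP actually carries an Azure platform spec; IsAroHCP() looks like a process-wide predicate rather than a per-HCP one, so if `hcp.Spec.Platform.Azure` is a pointer field (its declaration is not in this diff) a non-Azure HCP reconciled on an ARO HCP management cluster would nil-panic here. A cheap guard is `if azureutil.IsAroHCP() && hcp.Spec.Platform.Azure != nil {`. It would also help to state that AzureTenantID is deliberately left unset here and filled by the caller, e.g. `// AzureTenantID is set by the caller from the Azure credentials secret.`, so nobody "fixes" the omission later. NewParams starts and ends outside this hunk.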
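Review bot: The comment on the new env block says it passes "the env variable for the SecretProviderClass", but the block appends four env vars (client ID, tenant ID, certificate name and the SecretProviderClass name), so the comment under-describes what is exported to the container; suggest `// For ARO HCP, hand CNO the managed identity client ID, tenant ID, certificate name and SecretProviderClass name so it can wire the CNCC deployment to the Secrets Store CSI driver.` The block also indexes `dep.Spec.Template.Spec.Containers[0]` unguarded; the deployment is built before this hunk so that is presumably safe today, but a later change that empties or reorders the containers will panic here rather than fail cleanly. Nothing in this hunk verifies `params.AzureTenantID` is non-empty, so an empty ARO_HCP_TENANT_ID can be exported silently; validate it in the caller that sets it or guard here. The enclosing function starts and ends outside this hunk.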
--- a/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go
@@ -3619,6 +3619,24 @@ func (r *HostedControlPlaneReconciler) reconcileClusterVersionOperator(ctx conte
 func (r *HostedControlPlaneReconciler) reconcileClusterNetworkOperator(ctx context.Context, hcp *hyperv1.HostedControlPlane, releaseImageProvider, userReleaseImageProvider *imageprovider.SimpleReleaseImageProvider, hasRouteCap bool, createOrUpdate upsert.CreateOrUpdateFN) error {
 p := cno.NewParams(hcp, userReleaseImageProvider.Version(), releaseImageProvider, userReleaseImageProvider, r.SetDefaultSecurityContext, r.DefaultIngressDomain)
 
+ // Create SecretProviderClass when deploying on ARO HCP
+ if hyperazureutil.IsAroHCP() {
+ cnccSecretProviderClass := manifests.ManagedAzureSecretProviderClass(config.ManagedAzureNetworkSecretStoreProviderClassName, hcp.Namespace)
+ if _, err := createOrUpdate(ctx, r, cnccSecretProviderClass, func() error {
+ secretproviderclass.ReconcileManagedAzureSecretProviderClass(cnccSecretProviderClass, hcp, hcp.Spec.Platform.Azure.ManagedIdentities.ControlPlane.Network.CertificateName)
+ return nil
+ }); err != nil {
+ return fmt.Errorf("failed to reconcile ingressoperator secret provider class: %w", err)
+ }
+
+ credentialsSecret := manifests.AzureCredentialInformation(hcp.Namespace)
+ if err := r.Client.Get(ctx, client.ObjectKeyFromObject(credentialsSecret), credentialsSecret); err != nil {
+ return fmt.Errorf("failed to get Azure credentials secret: %w", err)
+ }
+
+ p.AzureTenantID = string(credentialsSecret.Data["AZURE_TENANT_ID"])
+ }
+
 sa := manifests.ClusterNetworkOperatorServiceAccount(hcp.Namespace)
 if _, err := createOrUpdate(ctx, r.Client, sa, func() error {
 return cno.ReconcileServiceAccount(sa, p.OwnerRef)
diff --git a/support/config/constants.go b/support/config/constants.go
index 7ab94e87e00..011288e5455 100644
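Review bot: The error returned when the SecretProviderClass reconcile fails says `ingressoperator`, but the object being reconciled is the cluster network operator's class (`ManagedAzureNetworkSecretStoreProviderClassName`), so a failure here will be misattributed in logs and alerts; the message should name this component. Directly below, `credentialsSecret.Data["AZURE_TENANT_ID"]` is read without checking that the key exists, so a secret missing that key yields an empty tenant ID that flows into the CNO deployment env (and from there to CNCC) without any error; check presence and non-emptiness before assigning. The first createOrUpdate call also passes `r` where the sibling call for the service account passes `r.Client`; if both satisfy the expected client type that works, but aligning them avoids the question. reconcileClusterNetworkOperator continues past the end of this hunk.
```go
		}); err != nil {
			return fmt.Errorf("failed to reconcile cluster network operator secret provider class: %w", err)
		}
		// … unchanged: Get of the Azure credentials secret …
		tenantID, ok := credentialsSecret.Data["AZURE_TENANT_ID"]
		if !ok || len(tenantID) == 0 {
			return fmt.Errorf("azure credentials secret %s has no AZURE_TENANT_ID", client.ObjectKeyFromObject(credentialsSecret))
		}
		p.AzureTenantID = string(tenantID)
```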
--- a/support/config/constants.go
+++ b/support/config/constants.go
@@ -61,13 +61,15 @@ const (
 // management cluster's resource group in Azure.
 AROHCPKeyVaultManagedIdentityClientID = "ARO_HCP_KEY_VAULT_USER_CLIENT_ID"
 
- ManagedAzureClientIdEnvVarKey = "ARO_HCP_MI_CLIENT_ID"
- ManagedAzureTenantIdEnvVarKey = "ARO_HCP_TENANT_ID"
- ManagedAzureCertificatePathEnvVarKey = "ARO_HCP_CLIENT_CERTIFICATE_PATH"
- ManagedAzureCertificateMountPath = "/mnt/certs"
- ManagedAzureCertificatePath = "/mnt/certs/"
- ManagedAzureSecretsStoreCSIDriver = "secrets-store.csi.k8s.io"
- ManagedAzureSecretProviderClass = "secretProviderClass"
+ ManagedAzureClientIdEnvVarKey = "ARO_HCP_MI_CLIENT_ID"
+ ManagedAzureTenantIdEnvVarKey = "ARO_HCP_TENANT_ID"
+ ManagedAzureCertificatePathEnvVarKey = "ARO_HCP_CLIENT_CERTIFICATE_PATH"
+ ManagedAzureCertificateNameEnvVarKey = "ARO_HCP_CLIENT_CERTIFICATE_NAME"
+ ManagedAzureSecretProviderClassEnvVarKey = "ARO_HCP_SECRET_PROVIDER_CLASS"
+ ManagedAzureCertificateMountPath = "/mnt/certs"
+ ManagedAzureCertificatePath = "/mnt/certs/"
+ ManagedAzureSecretsStoreCSIDriver = "secrets-store.csi.k8s.io"
+ ManagedAzureSecretProviderClass = "secretProviderClass"
 ManagedAzureCPOSecretProviderClassName = "managed-azure-cpo"
 ManagedAzureCPOSecretStoreVolumeName = "cpo-cert"