diff --git a/pkg/cluster/clustermsi.go b/pkg/cluster/clustermsi.go
index 1a60fdc5de4..3e2e3bf1bea 100644
--- a/pkg/cluster/clustermsi.go
+++ b/pkg/cluster/clustermsi.go
@@ -11,7 +11,6 @@ import (
 "time"
 "github.com/Azure/azure-sdk-for-go/sdk/azcore"
- "github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
 "github.com/Azure/msi-dataplane/pkg/dataplane"
 "github.com/Azure/msi-dataplane/pkg/store"
@@ -116,13 +115,8 @@ func (m *manager) initializeClusterMsiClients(ctx context.Context) error {
 return err
 }
- // Note that we are assuming that all of the platform MIs are in the same subscription.
- pwiResourceId, err := arm.ParseResourceID(m.doc.OpenShiftCluster.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities[0].ResourceID)
- if err != nil {
- return err
- }
-
- subId := pwiResourceId.SubscriptionID
+ // Note that we are assuming that all of the platform MIs are in the same subscription as the ARO resource.
+ subId := m.subscriptionDoc.ID
 clientOptions := m.env.Environment().ArmClientOptions()
 clusterMsiFederatedIdentityCredentials, err := armmsi.NewFederatedIdentityCredentialsClient(subId, azureCred, clientOptions)
 if err != nil {
diff --git a/pkg/cluster/clustermsi_test.go b/pkg/cluster/clustermsi_test.go
index 8c925317774..ed1956ffcd1 100644
--- a/pkg/cluster/clustermsi_test.go
+++ b/pkg/cluster/clustermsi_test.go
@@ -287,9 +287,6 @@ func TestClusterMsiSecretName(t *testing.T) {
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- controller := gomock.NewController(t)
- defer controller.Finish()
-
 m := manager{
 log: logrus.NewEntry(logrus.StandardLogger()),
 doc: tt.doc,
diff --git a/pkg/util/azureclient/azuresdk/armmsi/generate.go b/pkg/util/azureclient/azuresdk/armmsi/generate.go
new file mode 100644
index 00000000000..4ba6f260aa6
--- /dev/null
+++ b/pkg/util/azureclient/azuresdk/armmsi/generate.go
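Review bot: Nothing in the second clustermsi.go hunk checks the assumption its new comment states: `subId := m.subscriptionDoc.ID` builds the federated identity credentials client for the cluster's subscription, and the platform workload identity resource IDs in `m.doc` are no longer parsed at all. Taking the subscription from the RP's own document instead of the first caller-supplied resource ID is the safer source, but an identity that lives in another subscription would now be addressed in the wrong one and would presumably surface later as an unrelated-looking ARM error. Unless a mismatch is already rejected before this point (not visible in the diff), compare every identity's parsed subscription with `subId` and return an explicit error, as sketched below; this keeps the `arm` import that the first hunk removes. The body of initializeClusterMsiClients starts and ends outside the hunk.

```go
// Note that we are assuming that all of the platform MIs are in the same subscription as the ARO resource.
subId := m.subscriptionDoc.ID
for _, pwi := range m.doc.OpenShiftCluster.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities {
	id, err := arm.ParseResourceID(pwi.ResourceID)
	if err != nil {
		return err
	}
	// Subscription IDs are GUIDs, so compare case-insensitively.
	if !strings.EqualFold(id.SubscriptionID, subId) {
		return fmt.Errorf("platform workload identity %q is not in subscription %q", pwi.ResourceID, subId)
	}
}
// … unchanged: clientOptions and federated identity credentials client construction …
```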
@@ -0,0 +1,9 @@
+package armmsi
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+// Use source mode to prevent some issues related to generics being present in the interface.
+//go:generate rm -rf ../../../../../pkg/util/mocks/azureclient/azuresdk/$GOPACKAGE
+//go:generate mockgen -source ./federated_identity_credentials.go -destination=../../../mocks/azureclient/azuresdk/$GOPACKAGE/$GOPACKAGE.go github.com/Azure/ARO-RP/pkg/util/azureclient/azuresdk/$GOPACKAGE FederatedIdentityCredentialsClient
+//go:generate goimports -local=github.com/Azure/ARO-RP -e -w ../../../mocks/azureclient/azuresdk/$GOPACKAGE/$GOPACKAGE.go
diff --git a/pkg/util/azureclient/azuresdk/azsecrets/generate.go b/pkg/util/azureclient/azuresdk/azsecrets/generate.go
new file mode 100644
index 00000000000..72b60371b25
--- /dev/null
+++ b/pkg/util/azureclient/azuresdk/azsecrets/generate.go
@@ -0,0 +1,9 @@
+package azsecrets
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+// Use source mode to prevent some issues related to generics being present in the interface.
+//go:generate rm -rf ../../../../../pkg/util/mocks/azureclient/azuresdk/$GOPACKAGE
+//go:generate mockgen -source ./client.go -destination=../../../mocks/azureclient/azuresdk/$GOPACKAGE/$GOPACKAGE.go github.com/Azure/ARO-RP/pkg/util/azureclient/azuresdk/$GOPACKAGE Client
+//go:generate goimports -local=github.com/Azure/ARO-RP -e -w ../../../mocks/azureclient/azuresdk/$GOPACKAGE/$GOPACKAGE.go
diff --git a/pkg/util/mocks/azureclient/azuresdk/armmsi/armmsi.go b/pkg/util/mocks/azureclient/azuresdk/armmsi/armmsi.go
new file mode 100644
index 00000000000..d4f88240b0d
--- /dev/null
+++ b/pkg/util/mocks/azureclient/azuresdk/armmsi/armmsi.go
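Review bot: In armmsi/generate.go the `rm -rf` directive reaches the mocks directory through `../../../../../pkg/util/mocks/...` while the `mockgen` and `goimports` directives below it use `../../../mocks/...`, so a reader has to count path segments to confirm that the directory being deleted is the one being regenerated; spelling it the same way, `//go:generate rm -rf ../../../mocks/azureclient/azuresdk/$GOPACKAGE`, removes that doubt. The same applies to azsecrets/generate.go in the following hunk. In both files the trailing import path and interface name (`... FederatedIdentityCredentialsClient`, `... Client`) look like reflect-mode arguments, which mockgen does not use when `-source` is given as far as I know, so either drop them or extend the comment to say why they stay. `mockgen` and `goimports` are also resolved from PATH here, so the checked-in mocks depend on whichever versions are installed locally unless the repository pins them elsewhere.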
@@ -0,0 +1,101 @@ +// Code generated by MockGen. DO NOT EDIT. +// Source: ./federated_identity_credentials.go +// +// Generated by this command: +// +// mockgen -source ./federated_identity_credentials.go -destination=../../../mocks/azureclient/azuresdk/armmsi/armmsi.go github.com/Azure/ARO-RP/pkg/util/azureclient/azuresdk/armmsi FederatedIdentityCredentialsClient +// + +// Package mock_armmsi is a generated GoMock package. +package mock_armmsi + +import ( + context "context" + reflect "reflect" + + runtime "github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime" + armmsi "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi" + gomock "go.uber.org/mock/gomock" +) + +// MockFederatedIdentityCredentialsClient is a mock of FederatedIdentityCredentialsClient interface. +type MockFederatedIdentityCredentialsClient struct { + ctrl *gomock.Controller + recorder *MockFederatedIdentityCredentialsClientMockRecorder +} + +// MockFederatedIdentityCredentialsClientMockRecorder is the mock recorder for MockFederatedIdentityCredentialsClient. +type MockFederatedIdentityCredentialsClientMockRecorder struct { + mock *MockFederatedIdentityCredentialsClient +} + +// NewMockFederatedIdentityCredentialsClient creates a new mock instance. +func NewMockFederatedIdentityCredentialsClient(ctrl *gomock.Controller) *MockFederatedIdentityCredentialsClient { + mock := &MockFederatedIdentityCredentialsClient{ctrl: ctrl} + mock.recorder = &MockFederatedIdentityCredentialsClientMockRecorder{mock} + return mock +} + +// EXPECT returns an object that allows the caller to indicate expected use. +func (m *MockFederatedIdentityCredentialsClient) EXPECT() *MockFederatedIdentityCredentialsClientMockRecorder { + return m.recorder +} + +// CreateOrUpdate mocks base method. 
+func (m *MockFederatedIdentityCredentialsClient) CreateOrUpdate(ctx context.Context, resourceGroupName, resourceName, federatedIdentityCredentialResourceName string, parameters armmsi.FederatedIdentityCredential, options *armmsi.FederatedIdentityCredentialsClientCreateOrUpdateOptions) (armmsi.FederatedIdentityCredentialsClientCreateOrUpdateResponse, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "CreateOrUpdate", ctx, resourceGroupName, resourceName, federatedIdentityCredentialResourceName, parameters, options) + ret0, _ := ret[0].(armmsi.FederatedIdentityCredentialsClientCreateOrUpdateResponse) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// CreateOrUpdate indicates an expected call of CreateOrUpdate. +func (mr *MockFederatedIdentityCredentialsClientMockRecorder) CreateOrUpdate(ctx, resourceGroupName, resourceName, federatedIdentityCredentialResourceName, parameters, options any) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateOrUpdate", reflect.TypeOf((*MockFederatedIdentityCredentialsClient)(nil).CreateOrUpdate), ctx, resourceGroupName, resourceName, federatedIdentityCredentialResourceName, parameters, options) +} + +// Delete mocks base method. +func (m *MockFederatedIdentityCredentialsClient) Delete(ctx context.Context, resourceGroupName, resourceName, federatedIdentityCredentialResourceName string, options *armmsi.FederatedIdentityCredentialsClientDeleteOptions) (armmsi.FederatedIdentityCredentialsClientDeleteResponse, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "Delete", ctx, resourceGroupName, resourceName, federatedIdentityCredentialResourceName, options) + ret0, _ := ret[0].(armmsi.FederatedIdentityCredentialsClientDeleteResponse) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// Delete indicates an expected call of Delete. 
+func (mr *MockFederatedIdentityCredentialsClientMockRecorder) Delete(ctx, resourceGroupName, resourceName, federatedIdentityCredentialResourceName, options any) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Delete", reflect.TypeOf((*MockFederatedIdentityCredentialsClient)(nil).Delete), ctx, resourceGroupName, resourceName, federatedIdentityCredentialResourceName, options) +} + +// Get mocks base method. +func (m *MockFederatedIdentityCredentialsClient) Get(ctx context.Context, resourceGroupName, resourceName, federatedIdentityCredentialResourceName string, options *armmsi.FederatedIdentityCredentialsClientGetOptions) (armmsi.FederatedIdentityCredentialsClientGetResponse, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "Get", ctx, resourceGroupName, resourceName, federatedIdentityCredentialResourceName, options) + ret0, _ := ret[0].(armmsi.FederatedIdentityCredentialsClientGetResponse) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// Get indicates an expected call of Get. +func (mr *MockFederatedIdentityCredentialsClientMockRecorder) Get(ctx, resourceGroupName, resourceName, federatedIdentityCredentialResourceName, options any) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Get", reflect.TypeOf((*MockFederatedIdentityCredentialsClient)(nil).Get), ctx, resourceGroupName, resourceName, federatedIdentityCredentialResourceName, options) +} + +// NewListPager mocks base method. 
+func (m *MockFederatedIdentityCredentialsClient) NewListPager(resourceGroupName, resourceName string, options *armmsi.FederatedIdentityCredentialsClientListOptions) *runtime.Pager[armmsi.FederatedIdentityCredentialsClientListResponse] { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "NewListPager", resourceGroupName, resourceName, options) + ret0, _ := ret[0].(*runtime.Pager[armmsi.FederatedIdentityCredentialsClientListResponse]) + return ret0 +} + +// NewListPager indicates an expected call of NewListPager. +func (mr *MockFederatedIdentityCredentialsClientMockRecorder) NewListPager(resourceGroupName, resourceName, options any) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NewListPager", reflect.TypeOf((*MockFederatedIdentityCredentialsClient)(nil).NewListPager), resourceGroupName, resourceName, options) +} diff --git a/pkg/util/mocks/azureclient/azuresdk/azsecrets/azsecrets.go b/pkg/util/mocks/azureclient/azuresdk/azsecrets/azsecrets.go new file mode 100644 index 00000000000..bc802152790 --- /dev/null +++ b/pkg/util/mocks/azureclient/azuresdk/azsecrets/azsecrets.go 
@@ -0,0 +1,130 @@ +// Code generated by MockGen. DO NOT EDIT. +// Source: ./client.go +// +// Generated by this command: +// +// mockgen -source ./client.go -destination=../../../mocks/azureclient/azuresdk/azsecrets/azsecrets.go github.com/Azure/ARO-RP/pkg/util/azureclient/azuresdk/azsecrets Client +// + +// Package mock_azsecrets is a generated GoMock package. +package mock_azsecrets + +import ( + context "context" + reflect "reflect" + + runtime "github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime" + azsecrets "github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets" + gomock "go.uber.org/mock/gomock" +) + +// MockClient is a mock of Client interface. +type MockClient struct { + ctrl *gomock.Controller + recorder *MockClientMockRecorder +} + +// MockClientMockRecorder is the mock recorder for MockClient. +type MockClientMockRecorder struct { + mock *MockClient +} + +// NewMockClient creates a new mock instance. +func NewMockClient(ctrl *gomock.Controller) *MockClient { + mock := &MockClient{ctrl: ctrl} + mock.recorder = &MockClientMockRecorder{mock} + return mock +} + +// EXPECT returns an object that allows the caller to indicate expected use. +func (m *MockClient) EXPECT() *MockClientMockRecorder { + return m.recorder +} + +// DeleteSecret mocks base method. +func (m *MockClient) DeleteSecret(ctx context.Context, name string, options *azsecrets.DeleteSecretOptions) (azsecrets.DeleteSecretResponse, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "DeleteSecret", ctx, name, options) + ret0, _ := ret[0].(azsecrets.DeleteSecretResponse) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// DeleteSecret indicates an expected call of DeleteSecret. +func (mr *MockClientMockRecorder) DeleteSecret(ctx, name, options any) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteSecret", reflect.TypeOf((*MockClient)(nil).DeleteSecret), ctx, name, options) +} + +// GetSecret mocks base method. 
+func (m *MockClient) GetSecret(ctx context.Context, name, version string, options *azsecrets.GetSecretOptions) (azsecrets.GetSecretResponse, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "GetSecret", ctx, name, version, options) + ret0, _ := ret[0].(azsecrets.GetSecretResponse) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// GetSecret indicates an expected call of GetSecret. +func (mr *MockClientMockRecorder) GetSecret(ctx, name, version, options any) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetSecret", reflect.TypeOf((*MockClient)(nil).GetSecret), ctx, name, version, options) +} + +// NewListDeletedSecretPropertiesPager mocks base method. +func (m *MockClient) NewListDeletedSecretPropertiesPager(options *azsecrets.ListDeletedSecretPropertiesOptions) *runtime.Pager[azsecrets.ListDeletedSecretPropertiesResponse] { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "NewListDeletedSecretPropertiesPager", options) + ret0, _ := ret[0].(*runtime.Pager[azsecrets.ListDeletedSecretPropertiesResponse]) + return ret0 +} + +// NewListDeletedSecretPropertiesPager indicates an expected call of NewListDeletedSecretPropertiesPager. +func (mr *MockClientMockRecorder) NewListDeletedSecretPropertiesPager(options any) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NewListDeletedSecretPropertiesPager", reflect.TypeOf((*MockClient)(nil).NewListDeletedSecretPropertiesPager), options) +} + +// NewListSecretPropertiesPager mocks base method. +func (m *MockClient) NewListSecretPropertiesPager(options *azsecrets.ListSecretPropertiesOptions) *runtime.Pager[azsecrets.ListSecretPropertiesResponse] { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "NewListSecretPropertiesPager", options) + ret0, _ := ret[0].(*runtime.Pager[azsecrets.ListSecretPropertiesResponse]) + return ret0 +} + +// NewListSecretPropertiesPager indicates an expected call of NewListSecretPropertiesPager. 
+func (mr *MockClientMockRecorder) NewListSecretPropertiesPager(options any) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NewListSecretPropertiesPager", reflect.TypeOf((*MockClient)(nil).NewListSecretPropertiesPager), options) +} + +// PurgeDeletedSecret mocks base method. +func (m *MockClient) PurgeDeletedSecret(ctx context.Context, name string, options *azsecrets.PurgeDeletedSecretOptions) (azsecrets.PurgeDeletedSecretResponse, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "PurgeDeletedSecret", ctx, name, options) + ret0, _ := ret[0].(azsecrets.PurgeDeletedSecretResponse) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// PurgeDeletedSecret indicates an expected call of PurgeDeletedSecret. +func (mr *MockClientMockRecorder) PurgeDeletedSecret(ctx, name, options any) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PurgeDeletedSecret", reflect.TypeOf((*MockClient)(nil).PurgeDeletedSecret), ctx, name, options) +} + +// SetSecret mocks base method. +func (m *MockClient) SetSecret(ctx context.Context, name string, parameters azsecrets.SetSecretParameters, options *azsecrets.SetSecretOptions) (azsecrets.SetSecretResponse, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "SetSecret", ctx, name, parameters, options) + ret0, _ := ret[0].(azsecrets.SetSecretResponse) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// SetSecret indicates an expected call of SetSecret. +func (mr *MockClientMockRecorder) SetSecret(ctx, name, parameters, options any) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetSecret", reflect.TypeOf((*MockClient)(nil).SetSecret), ctx, name, parameters, options) +}