diff --git a/cluster/ansible/manifests/group_vars/k8s_cluster/k8s-cluster.yml b/cluster/ansible/manifests/group_vars/k8s_cluster/k8s-cluster.yml
index 630b6135..968eae41 100644
--- a/cluster/ansible/manifests/group_vars/k8s_cluster/k8s-cluster.yml
+++ b/cluster/ansible/manifests/group_vars/k8s_cluster/k8s-cluster.yml
@@ -49,8 +49,8 @@ kube_oidc_auth: true
 kube_oidc_url: https://login.microsoftonline.com/cf151ee8-5c2c-4fe7-a1c4-809ba43c9f24/v2.0
 kube_oidc_client_id: 7cd1df19-24ea-46d7-acd3-5336283139e0
 ## Optional settings for OIDC
-kube_oidc_ca_file: "{{ kube_cert_dir }}/ca.crt"
-kube_oidc_username_claim: sub
+# kube_oidc_ca_file: "{{ kube_cert_dir }}/ca.crt"
+kube_oidc_username_claim: upn
 kube_oidc_username_prefix: 'mathmast:'
 kube_oidc_groups_claim: roles
 kube_oidc_groups_prefix: 'mathmast:'
diff --git a/cluster/manifests/freeleaps-controls-system/cert-manager/microsoft-entra-id-selfsigned.yaml b/cluster/manifests/freeleaps-controls-system/cert-manager/microsoft-entra-id-selfsigned.yaml
new file mode 100644
index 00000000..15b1201a
--- /dev/null
+++ b/cluster/manifests/freeleaps-controls-system/cert-manager/microsoft-entra-id-selfsigned.yaml
@@ -0,0 +1,22 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: microsoft-entra-id-selfsigned
+ namespace: freeleaps-controls-system
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: microsoft-entra-id-selfsigned
+ namespace: freeleaps-controls-system
+spec:
+ dnsNames:
+ - login.microsoftonline.com
+ - 4.155.160.32
+ secretName: microsoft-entra-id-selfsigned
+ issuerRef:
+ name: microsoft-entra-id-selfsigned
+ kind: Issuer
+ group: cert-manager.io
\ No newline at end of file
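Review bot: Switching `kube_oidc_username_claim` from `sub` to `upn` keys every RBAC user subject on an attribute that is mutable and can be reassigned. In Entra ID `upn` is an optional claim on v2.0 tokens and can change or be reused when an account is renamed or recreated, so a binding to `mathmast:<upn>` may follow the name rather than the person, and tokens issued without the claim will presumably fail authentication. Any existing bindings written against `mathmast:<sub>` will also stop matching once this is applied. Consider an immutable identifier such as `kube_oidc_username_claim: oid`, with access granted mainly through the `roles` groups claim. Also replace the commented-out `kube_oidc_ca_file` line with a short reason, e.g. `# kube_oidc_ca_file unset: issuer certificate is verified against the host trust store`; the OIDC block itself starts above the hunk.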
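Review bot: The new `Certificate` asks a self-signed issuer for a certificate naming `login.microsoftonline.com`, a host this cluster does not own, and nothing in the manifest says what will serve or trust it. Anything configured to trust this certificate would accept whoever holds the `microsoft-entra-id-selfsigned` Secret as the identity-provider endpoint, so the purpose should be stated in a comment at the top of the file and read access to that Secret kept narrow. Separately, `4.155.160.32` is listed under `dnsNames`, which yields a DNS-type SAN that clients connecting by IP address will not match; it belongs under `ipAddresses:` as `- 4.155.160.32`. The file also ends without a trailing newline.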