openshift · rna-afk · Feb 24, 2026 · jinyunma · Mar 6, 2026
diff --git a/pkg/asset/installconfig/azure/client.go b/pkg/asset/installconfig/azure/client.go
@@ -318,6 +318,9 @@ func (c *Client) GetVirtualMachineSku(ctx context.Context, name, region string)
 
 // GetDiskEncryptionSet retrieves the specified disk encryption set.
 func (c *Client) GetDiskEncryptionSet(ctx context.Context, subscriptionID, groupName, diskEncryptionSetName string) (*azenc.DiskEncryptionSet, error) {
+	if c.ssn.Credentials.SubscriptionID != subscriptionID {
+		return nil, fmt.Errorf("different subscription from resource group subscription. Azure does not support cross subscription encryption sets")
+	}
 	client := azenc.NewDiskEncryptionSetsClientWithBaseURI(c.ssn.Environment.ResourceManagerEndpoint, subscriptionID)
 	client.Authorizer = c.ssn.Authorizer
 	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
@@ -327,7 +330,6 @@ func (c *Client) GetDiskEncryptionSet(ctx context.Context, subscriptionID, group
 	if err != nil {
 		return nil, fmt.Errorf("failed to get disk encryption set: %w", err)
 	}
-
 	return &diskEncryptionSet, nil
 }
 

diff --git a/pkg/asset/installconfig/installconfig.go b/pkg/asset/installconfig/installconfig.go
@@ -165,6 +165,18 @@ func (a *InstallConfig) finishGCP() error {
 	return nil
 }
 
+// finishAzure set defaults for Azure platform.
+func (a *InstallConfig) finishAzure() error {
+	if a.Config.Azure.DefaultMachinePlatform.OSDisk.SubscriptionID == "" {
+		session, err := a.Azure.Session()
+		if err != nil {
+			return err
+		}
+		a.Config.Azure.DefaultMachinePlatform.OSDisk.SubscriptionID = session.Credentials.SubscriptionID
+	}
+	return nil
+}
+
 // finishAWS set defaults for AWS Platform before the config validation.
 func (a *InstallConfig) finishAWS() error {
 	// Set the Default Edge Compute pool when the subnets in AWS Local Zones are defined,
@@ -194,6 +206,9 @@ func (a *InstallConfig) finish(ctx context.Context, filename string) error {
 	}
 	if a.Config.Azure != nil {
 		a.Azure = icazure.NewMetadata(a.Config.Azure, a.Config.ControlPlane, &a.Config.Compute[0])
+		if err := a.finishAzure(); err != nil {
+			return err
+		}
 	}
 	if a.Config.GCP != nil {
 		if err := a.finishGCP(); err != nil {