diff --git a/controllers/asosecret_controller.go b/controllers/asosecret_controller.go
index f9c5d547a75..6d9b60402de 100644
--- a/controllers/asosecret_controller.go
+++ b/controllers/asosecret_controller.go
@@ -27,6 +27,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
 "k8s.io/client-go/tools/record"
+ "k8s.io/utils/pointer"
 infrav1 "sigs.k8s.io/cluster-api-provider-azure/api/v1beta1"
 "sigs.k8s.io/cluster-api-provider-azure/azure/scope"
 "sigs.k8s.io/cluster-api-provider-azure/util/aso"
@@ -66,6 +67,7 @@ func (asos *ASOSecretReconciler) SetupWithManager(ctx context.Context, mgr ctrl.
 WithEventFilter(predicates.ResourceNotPausedAndHasFilterLabel(log, asos.WatchFilterValue)).
 WithEventFilter(predicates.ResourceIsNotExternallyManaged(log)).
 Named("ASOSecret").
+ Owns(&corev1.Secret{}).
 Build(asos)
 if err != nil {
 return errors.Wrap(err, "error creating controller")
@@ -215,6 +217,9 @@ func (asos *ASOSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request
 ObjectMeta: metav1.ObjectMeta{
 Name: aso.GetASOSecretName(asoSecretOwner.GetName()),
 Namespace: asoSecretOwner.GetNamespace(),
+ Labels: map[string]string{
+ asoSecretOwner.GetName(): string(infrav1.ResourceLifecycleOwned),
+ },
 },
 Data: map[string][]byte{
 "AZURE_SUBSCRIPTION_ID": []byte(azureClient.SubscriptionID()),
@@ -222,10 +227,15 @@ func (asos *ASOSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request
 }
 if clusterIdentity != nil {
+ // if the namespace isn't specified then assume it's in the same namespace as the asoSecretOwner
+ namespace := clusterIdentity.Namespace
+ if namespace == "" {
+ namespace = asoSecretOwner.GetNamespace()
+ }
 identity := &infrav1.AzureClusterIdentity{}
 key := client.ObjectKey{
 Name: clusterIdentity.Name,
- Namespace: clusterIdentity.Namespace,
+ Namespace: namespace,
 }
 if err := asos.Get(ctx, key, identity); err != nil {
 return reconcile.Result{}, errors.Wrap(err, "failed to retrieve AzureClusterIdentity")
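Review bot: `Owns(&corev1.Secret{})` starts an informer over Secrets for the manager's entire cache scope, so every Secret this controller is allowed to see is now held in its in-memory cache and its ServiceAccount needs list/watch on secrets (the kubebuilder RBAC marker for secrets, if one exists, is outside this hunk). If the manager cache is not already restricted, consider a per-object label selector for Secrets in `cache.Options.ByObject` so only the ASO credential Secrets are watched, which also limits what a compromised controller pod can read from its cache. Note as well that the default `Owns` handler only enqueues Secrets whose owner reference has `Controller` set, so this watch depends on a controller reference being written onto the Secret elsewhere. SetupWithManager continues outside the hunk.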
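Review bot: The new label uses the owner's name as the label key, which is fragile: a label key's name segment is limited to 63 characters and to `[A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])?`, while an owner object name may be up to 253 characters, so a long-named owner would make the Secret create fail API validation rather than merely carry an odd label. The conventional shape is a fixed key with the name as the value, which also makes the Secrets selectable for a scoped cache or list, e.g. `"cluster.x-k8s.io/cluster-name": asoSecretOwner.GetName()` (the project very likely already exposes a constant for that key). Reconcile continues outside the hunk.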
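Review bot: With the fallback in place, a non-empty `clusterIdentity.Namespace` is now the point where a cross-namespace identity reference is resolved, and nothing in the hunk checks that the owner's namespace is permitted to use that identity. If AzureClusterIdentity carries an allowed-namespaces policy in this API version, confirm it is enforced after the `Get` (outside the hunk) before the identity's credentials are read; otherwise any namespace could consume any identity by name. Separately, the error on the last line drops the key that was looked up, so a wrong or defaulted namespace is hard to diagnose; `errors.Wrapf(err, "failed to retrieve AzureClusterIdentity %s/%s", key.Namespace, key.Name)` would surface it. Reconcile continues outside the hunk.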
@@ -279,8 +289,11 @@ func (asos *ASOSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request
 Kind: gvk.Kind,
 Name: asoSecretOwner.GetName(),
 UID: asoSecretOwner.GetUID(),
+ Controller: pointer.Bool(true),
 }
+ newASOSecret.OwnerReferences = []metav1.OwnerReference{owner}
+
 if err := reconcileAzureSecret(ctx, asos.Client, owner, newASOSecret, asoSecretOwner.GetName()); err != nil {
 asos.Recorder.Eventf(asoSecretOwner, corev1.EventTypeWarning, "Error reconciling ASO secret", err.Error())
 return ctrl.Result{}, errors.Wrap(err, "failed to reconcile ASO secret")
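Review bot: `owner` now carries `Controller: true` and is written into `newASOSecret.OwnerReferences`, yet the same `owner` is still passed separately to `reconcileAzureSecret` on the next line; what that helper does with it is outside the hunk, and if it also merges the reference into an existing Secret the object ends up with the same reference twice, and the API server rejects more than one owner reference with `Controller` set. Worth making one of the two the single source of truth, and confirming that `reconcileAzureSecret` copies `OwnerReferences` onto a pre-existing Secret on update rather than only on create; otherwise Secrets created before this change never gain the controller reference, and `Owns(&corev1.Secret{})` will not enqueue them because the default handler only follows controller references. Reconcile continues outside the hunk.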