diff --git a/parts/k8s/cloud-init/artifacts/cse_config.sh b/parts/k8s/cloud-init/artifacts/cse_config.sh
index 0a8c1fe956..7ea59fa500 100755
--- a/parts/k8s/cloud-init/artifacts/cse_config.sh
+++ b/parts/k8s/cloud-init/artifacts/cse_config.sh
@@ -164,10 +164,13 @@ configureK8s() {
 generateAggregatedAPICerts
 fi
 else
- {{- /* If we are a node vm then we only proceed w/ local azure.json configuration if cloud-init has pre-paved that file */}}
- wait_for_file 1 1 $azure_json || return
+ {{- /* If we are a node that does not need azure.json (cloud-init tells us), then return immediately */}}
+ wait_for_file 1 1 /opt/azure/needs_azure.json || return
 fi
+ touch $azure_json
+ chmod 0600 $azure_json
+ chown root:root $azure_json
 {{/* Perform the required JSON escaping */}}
 local sp_secret=${SERVICE_PRINCIPAL_CLIENT_SECRET//\\/\\\\}
 sp_secret=${SERVICE_PRINCIPAL_CLIENT_SECRET//\"/\\\"}
diff --git a/parts/k8s/cloud-init/nodecustomdata.yml b/parts/k8s/cloud-init/nodecustomdata.yml
index 98bb6a935e..3240167945 100644
--- a/parts/k8s/cloud-init/nodecustomdata.yml
+++ b/parts/k8s/cloud-init/nodecustomdata.yml
@@ -2,8 +2,8 @@
 write_files:
 {{- if .RequiresCloudproviderConfig}}
-- path: /etc/kubernetes/azure.json
- permissions: "0600"
+- path: /opt/azure/needs_azure.json
+ permissions: "0644"
 owner: root
 content: |
 #EOF
diff --git a/pkg/engine/templates_generated.go b/pkg/engine/templates_generated.go
index 16548ac7d6..a2a9be4182 100644
--- a/pkg/engine/templates_generated.go
+++ b/pkg/engine/templates_generated.go
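Review bot: The added `touch $azure_json`, `chmod 0600 $azure_json` and `chown root:root $azure_json` in the cse_config.sh hunk run unchecked, so if the chmod or chown fails, configureK8s still continues to the service principal handling below with the file at whatever mode the umask produced. Creating the file under a restrictive umask and stopping on failure closes that gap, e.g. `(umask 077; touch "$azure_json") || return` followed by `chmod 0600 "$azure_json" && chown root:root "$azure_json" || return`; quoting the variable also avoids word splitting. The write of the secret into azure.json is presumably further down in configureK8s, which starts and ends outside this hunk, so confirm that nothing on the master path writes the file before these lines.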
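Review bot: The new entry `/opt/azure/needs_azure.json` in the nodecustomdata.yml hunk has a `.json` name but holds only `#EOF`, and nothing here says it is a sentinel rather than a config file. A template comment above the entry would make that explicit, e.g. `{{- /* marker only: tells cse_config.sh to create /etc/kubernetes/azure.json itself (0600, root:root) */}}`. Mode 0644 is fine for the marker as long as it never carries content. The 0600 protection of azure.json now rests on the chmod in cse_config.sh rather than on cloud-init, which is worth stating in the same comment.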
@@ -18487,10 +18487,13 @@ configureK8s() { generateAggregatedAPICerts fi else - {{- /* If we are a node vm then we only proceed w/ local azure.json configuration if cloud-init has pre-paved that file */}} - wait_for_file 1 1 $azure_json || return + {{- /* If we are a node that does not need azure.json (cloud-init tells us), then return immediately */}} + wait_for_file 1 1 /opt/azure/needs_azure.json || return fi + touch $azure_json + chmod 0600 $azure_json + chown root:root $azure_json {{/* Perform the required JSON escaping */}} local sp_secret=${SERVICE_PRINCIPAL_CLIENT_SECRET//\\/\\\\} sp_secret=${SERVICE_PRINCIPAL_CLIENT_SECRET//\"/\\\"} @@ -22018,8 +22021,8 @@ var _k8sCloudInitNodecustomdataYml = []byte(`#cloud-config write_files: {{- if .RequiresCloudproviderConfig}} -- path: /etc/kubernetes/azure.json - permissions: "0600" +- path: /opt/azure/needs_azure.json + permissions: "0644" owner: root content: | #EOF