diff --git a/.github/actions/constellation_iam_create/action.yml b/.github/actions/constellation_iam_create/action.yml
index eac3d0d76..3bb062dc1 100644
--- a/.github/actions/constellation_iam_create/action.yml
+++ b/.github/actions/constellation_iam_create/action.yml
@@ -27,6 +27,9 @@ inputs:
   #
   # Azure specific inputs
   #
+  azureSubscriptionID:
+    description: "Azure subscription ID to deploy Constellation in."
+    required: true
   azureRegion:
     description: "Azure region to deploy Constellation in."
     required: false
@@ -77,6 +80,7 @@ runs:
       if: inputs.cloudProvider == 'azure'
       run: |
         constellation iam create azure \
+          --subscriptionID="${{ inputs.azureSubscriptionID }}" \
           --region="${{ inputs.azureRegion }}" \
           --resourceGroup="${{ inputs.namePrefix }}-rg" \
           --servicePrincipal="${{ inputs.namePrefix }}-sp" \
diff --git a/.github/actions/e2e_test/action.yml b/.github/actions/e2e_test/action.yml
index bcd315cbd..c2cca982d 100644
--- a/.github/actions/e2e_test/action.yml
+++ b/.github/actions/e2e_test/action.yml
@@ -46,6 +46,9 @@ inputs:
     description: "AWS OpenSearch User to upload the benchmark results."
   awsOpenSearchPwd:
     description: "AWS OpenSearch Password to upload the benchmark results."
+  azureSubscriptionID:
+    description: "Azure subscription ID to deploy Constellation in."
+    required: true
   azureClusterCreateCredentials:
     description: "Azure credentials authorized to create a Constellation cluster."
     required: true
@@ -249,6 +252,7 @@ runs:
         attestationVariant: ${{ inputs.attestationVariant }}
         namePrefix: ${{ steps.create-prefix.outputs.prefix }}
         awsZone: ${{ inputs.regionZone || 'us-east-2c' }}
+        azureSubscriptionID: ${{ inputs.azureSubscriptionID }}
         azureRegion: ${{ inputs.regionZone || steps.pick-az-region.outputs.region  }}
         gcpProjectID: ${{ inputs.gcpProject }}
         gcpZone: ${{ inputs.regionZone || 'europe-west3-b' }}
diff --git a/.github/workflows/e2e-test-daily.yml b/.github/workflows/e2e-test-daily.yml
index 55e9ccb1f..ccac30e5c 100644
--- a/.github/workflows/e2e-test-daily.yml
+++ b/.github/workflows/e2e-test-daily.yml
@@ -90,6 +90,7 @@ jobs:
           gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
           kubernetesVersion: ${{ matrix.kubernetesVersion }}
           test: ${{ matrix.test }}
+          azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
           azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           registry: ghcr.io
diff --git a/.github/workflows/e2e-test-provider-example.yml b/.github/workflows/e2e-test-provider-example.yml
index 592492f84..6a66c2016 100644
--- a/.github/workflows/e2e-test-provider-example.yml
+++ b/.github/workflows/e2e-test-provider-example.yml
@@ -306,6 +306,19 @@ jobs:
           cat >> _override.tf <<EOF
           locals {
             instance_type = "Standard_DC4es_v5"
+            subscription_id = "$(az account show --query id --output tsv)"
+          }
+          EOF
+          cat _override.tf
+
+      - name: Create Azure SEV-SNP Terraform overrides
+        if: inputs.attestationVariant == 'azure-sev-snp'
+        working-directory: ${{ github.workspace }}/cluster
+        shell: bash
+        run: |
+          cat >> _override.tf <<EOF
+          locals {
+            subscription_id = "$(az account show --query id --output tsv)"
           }
           EOF
           cat _override.tf
diff --git a/.github/workflows/e2e-test-release.yml b/.github/workflows/e2e-test-release.yml
index 8f8f8a7e4..732ca7ef2 100644
--- a/.github/workflows/e2e-test-release.yml
+++ b/.github/workflows/e2e-test-release.yml
@@ -359,6 +359,7 @@ jobs:
           gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
           gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
           test: ${{ matrix.test }}
+          azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
           azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           registry: ghcr.io
diff --git a/.github/workflows/e2e-test-weekly.yml b/.github/workflows/e2e-test-weekly.yml
index 6ae6382f1..2c1242872 100644
--- a/.github/workflows/e2e-test-weekly.yml
+++ b/.github/workflows/e2e-test-weekly.yml
@@ -357,6 +357,7 @@ jobs:
           gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
           gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
           test: ${{ matrix.test }}
+          azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
           azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           registry: ghcr.io
diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml
index 1694b5ac6..2973b77ff 100644
--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@@ -247,6 +247,7 @@ jobs:
           osImage: ${{ needs.find-latest-image.outputs.image }}
           cliVersion: ${{ inputs.cliVersion }}
           isDebugImage: ${{ needs.find-latest-image.outputs.isDebugImage }}
+          azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
           azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           registry: ghcr.io
diff --git a/.github/workflows/e2e-upgrade.yml b/.github/workflows/e2e-upgrade.yml
index d2d84020a..840ad3699 100644
--- a/.github/workflows/e2e-upgrade.yml
+++ b/.github/workflows/e2e-upgrade.yml
@@ -220,6 +220,7 @@ jobs:
           gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
           gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
           test: "upgrade"
+          azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
           azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           registry: ghcr.io
diff --git a/.github/workflows/e2e-windows.yml b/.github/workflows/e2e-windows.yml
index 7aeca9235..2a7e2b4d9 100644
--- a/.github/workflows/e2e-windows.yml
+++ b/.github/workflows/e2e-windows.yml
@@ -84,7 +84,7 @@ jobs:
           $rgName = "e2e-win-${{ github.run_id }}-${{ github.run_attempt }}-$uid"
           "rgName=$($rgName)" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
           .\constellation.exe config generate azure -t "workflow=${{ github.run_id }}"
-          .\constellation.exe iam create azure --region=westus --resourceGroup=$rgName-rg --servicePrincipal=$rgName-sp --update-config --debug -y
+          .\constellation.exe iam create azure --subscriptionID=${{ secrets.AZURE_SUBSCRIPTION_ID }} --region=westus --resourceGroup=$rgName-rg --servicePrincipal=$rgName-sp --update-config --debug -y
 
       - name: Login to Azure (Cluster service principal)
         uses: ./.github/actions/login_azure
diff --git a/cli/internal/cloudcmd/iam.go b/cli/internal/cloudcmd/iam.go
index e5902c842..e73f2854d 100644
--- a/cli/internal/cloudcmd/iam.go
+++ b/cli/internal/cloudcmd/iam.go
@@ -95,6 +95,7 @@ type GCPIAMConfig struct {
 
 // AzureIAMConfig holds the necessary values for Azure IAM configuration.
 type AzureIAMConfig struct {
+	SubscriptionID   string
 	Location         string
 	ServicePrincipal string
 	ResourceGroup    string
@@ -167,6 +168,7 @@ func (c *IAMCreator) createAzure(ctx context.Context, cl tfIAMClient, opts *IAMC
 	defer rollbackOnError(c.out, &retErr, &rollbackerTerraform{client: cl}, opts.TFLogLevel)
 
 	vars := terraform.AzureIAMVariables{
+		SubscriptionID:   opts.Azure.SubscriptionID,
 		Location:         opts.Azure.Location,
 		ResourceGroup:    opts.Azure.ResourceGroup,
 		ServicePrincipal: opts.Azure.ServicePrincipal,
diff --git a/cli/internal/cloudcmd/tfvars.go b/cli/internal/cloudcmd/tfvars.go
index 50df8dbcc..aab752aca 100644
--- a/cli/internal/cloudcmd/tfvars.go
+++ b/cli/internal/cloudcmd/tfvars.go
@@ -147,6 +147,7 @@ func azureTerraformVars(conf *config.Config, imageRef string) (*terraform.AzureC
 		}
 	}
 	vars := &terraform.AzureClusterVariables{
+		SubscriptionID:       conf.Provider.Azure.SubscriptionID,
 		Name:                 conf.Name,
 		NodeGroups:           nodeGroups,
 		Location:             conf.Provider.Azure.Location,
@@ -191,6 +192,7 @@ func azureTerraformVars(conf *config.Config, imageRef string) (*terraform.AzureC
 
 func azureTerraformIAMVars(conf *config.Config, oldVars terraform.AzureIAMVariables) *terraform.AzureIAMVariables {
 	return &terraform.AzureIAMVariables{
+		SubscriptionID:   conf.Provider.Azure.SubscriptionID,
 		Location:         conf.Provider.Azure.Location,
 		ServicePrincipal: oldVars.ServicePrincipal,
 		ResourceGroup:    conf.Provider.Azure.ResourceGroup,
diff --git a/cli/internal/cmd/iamcreateazure.go b/cli/internal/cmd/iamcreateazure.go
index d80bcb654..f13dff82e 100644
--- a/cli/internal/cmd/iamcreateazure.go
+++ b/cli/internal/cmd/iamcreateazure.go
@@ -6,7 +6,9 @@ SPDX-License-Identifier: AGPL-3.0-only
 package cmd
 
 import (
+	"errors"
 	"fmt"
+	"os"
 
 	"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
@@ -26,6 +28,8 @@ func newIAMCreateAzureCmd() *cobra.Command {
 		RunE:  runIAMCreateAzure,
 	}
 
+	cmd.Flags().String("subscriptionID", "", "subscription ID of the Azure account (required)")
+	must(cobra.MarkFlagRequired(cmd.Flags(), "subscriptionID"))
 	cmd.Flags().String("resourceGroup", "", "name prefix of the two resource groups your cluster / IAM resources will be created in (required)")
 	must(cobra.MarkFlagRequired(cmd.Flags(), "resourceGroup"))
 	cmd.Flags().String("region", "", "region the resources will be created in, e.g., westus (required)")
@@ -45,6 +49,7 @@ func runIAMCreateAzure(cmd *cobra.Command, _ []string) error {
 
 // azureIAMCreateFlags contains the parsed flags of the iam create azure command.
 type azureIAMCreateFlags struct {
+	subscriptionID   string
 	region           string
 	resourceGroup    string
 	servicePrincipal string
@@ -52,6 +57,14 @@ type azureIAMCreateFlags struct {
 
 func (f *azureIAMCreateFlags) parse(flags *pflag.FlagSet) error {
 	var err error
+	f.subscriptionID, err = flags.GetString("subscriptionID")
+	if err != nil {
+		return fmt.Errorf("getting 'subscriptionID' flag: %w", err)
+	}
+	if f.subscriptionID == "" && os.Getenv("ARM_SUBSCRIPTION_ID") == "" {
+		return errors.New("either flag 'subscriptionID' or environment variable 'ARM_SUBSCRIPTION_ID' must be set")
+	}
+
 	f.region, err = flags.GetString("region")
 	if err != nil {
 		return fmt.Errorf("getting 'region' flag: %w", err)
@@ -75,6 +88,7 @@ type azureIAMCreator struct {
 func (c *azureIAMCreator) getIAMConfigOptions() *cloudcmd.IAMConfigOptions {
 	return &cloudcmd.IAMConfigOptions{
 		Azure: cloudcmd.AzureIAMConfig{
+			SubscriptionID:   c.flags.subscriptionID,
 			Location:         c.flags.region,
 			ResourceGroup:    c.flags.resourceGroup,
 			ServicePrincipal: c.flags.servicePrincipal,
@@ -83,6 +97,7 @@ func (c *azureIAMCreator) getIAMConfigOptions() *cloudcmd.IAMConfigOptions {
 }
 
 func (c *azureIAMCreator) printConfirmValues(cmd *cobra.Command) {
+	cmd.Printf("Subscription ID:\t%s\n", c.flags.subscriptionID)
 	cmd.Printf("Region:\t\t\t%s\n", c.flags.region)
 	cmd.Printf("Resource Group:\t\t%s\n", c.flags.resourceGroup)
 	cmd.Printf("Service Principal:\t%s\n\n", c.flags.servicePrincipal)
diff --git a/cli/internal/terraform/variables.go b/cli/internal/terraform/variables.go
index 081ae5946..86af569e0 100644
--- a/cli/internal/terraform/variables.go
+++ b/cli/internal/terraform/variables.go
@@ -172,7 +172,7 @@ type GCPNodeGroup struct {
 	DiskType     string `hcl:"disk_type" cty:"disk_type"`
 }
 
-// GCPIAMVariables is user configuration for creating the IAM confioguration with Terraform on GCP.
+// GCPIAMVariables is user configuration for creating the IAM configuration with Terraform on GCP.
 type GCPIAMVariables struct {
 	// Project is the ID of the GCP project to use.
 	Project string `hcl:"project_id" cty:"project_id"`
@@ -193,6 +193,8 @@ func (v *GCPIAMVariables) String() string {
 
 // AzureClusterVariables is user configuration for creating a cluster with Terraform on Azure.
 type AzureClusterVariables struct {
+	// SubscriptionID is the Azure subscription ID to use.
+	SubscriptionID string `hcl:"subscription_id" cty:"subscription_id"`
 	// Name of the cluster.
 	Name string `hcl:"name" cty:"name"`
 	// ImageID is the ID of the Azure image to use.
@@ -254,6 +256,8 @@ type AzureNodeGroup struct {
 
 // AzureIAMVariables is user configuration for creating the IAM configuration with Terraform on Microsoft Azure.
 type AzureIAMVariables struct {
+	// SubscriptionID is the Azure subscription ID to use.
+	SubscriptionID string `hcl:"subscription_id,optional" cty:"subscription_id"` // TODO(v2.18): remove optional tag. This is only required for migration from var files that dont have the value yet.
 	// Location is the Azure location to use. (e.g. westus)
 	Location string `hcl:"location" cty:"location"`
 	// ServicePrincipal is the name of the service principal to use.
diff --git a/cli/internal/terraform/variables_test.go b/cli/internal/terraform/variables_test.go
index 306acd6ae..02567c314 100644
--- a/cli/internal/terraform/variables_test.go
+++ b/cli/internal/terraform/variables_test.go
@@ -180,7 +180,8 @@ service_account_id = "my-service-account"
 
 func TestAzureClusterVariables(t *testing.T) {
 	vars := AzureClusterVariables{
-		Name: "cluster-name",
+		SubscriptionID: "01234567-cdef-0123-4567-89abcdef0123",
+		Name:           "cluster-name",
 		NodeGroups: map[string]AzureNodeGroup{
 			constants.ControlPlaneDefault: {
 				Role:         "ControlPlane",
@@ -207,7 +208,8 @@ func TestAzureClusterVariables(t *testing.T) {
 	}
 
 	// test that the variables are correctly rendered
-	want := `name                   = "cluster-name"
+	want := `subscription_id        = "01234567-cdef-0123-4567-89abcdef0123"
+name                   = "cluster-name"
 image_id               = "image-0123456789abcdef"
 create_maa             = true
 debug                  = true
@@ -241,13 +243,15 @@ additional_tags = null
 
 func TestAzureIAMVariables(t *testing.T) {
 	vars := AzureIAMVariables{
+		SubscriptionID:   "01234567-cdef-0123-4567-89abcdef0123",
 		Location:         "eu-central-1",
 		ServicePrincipal: "my-service-principal",
 		ResourceGroup:    "my-resource-group",
 	}
 
 	// test that the variables are correctly rendered
-	want := `location                 = "eu-central-1"
+	want := `subscription_id       = "01234567-cdef-0123-4567-89abcdef0123"
+location               = "eu-central-1"
 service_principal_name = "my-service-principal"
 resource_group_name    = "my-resource-group"
 `
diff --git a/dev-docs/howto/vpn/on-prem-terraform/main.tf b/dev-docs/howto/vpn/on-prem-terraform/main.tf
index 887f3b510..bbb02aa7f 100644
--- a/dev-docs/howto/vpn/on-prem-terraform/main.tf
+++ b/dev-docs/howto/vpn/on-prem-terraform/main.tf
@@ -13,6 +13,10 @@ terraform {
 
 provider "azurerm" {
   features {}
+  subscription_id = var.subscription_id
+  # This enables all resource providers.
+  # In the future, we might want to use `resource_providers_to_register` to registers just the ones we need.
+  resource_provider_registrations = "all"
 }
 
 locals {
@@ -103,7 +107,7 @@ resource "azurerm_route_table" "route_table" {
   name                          = "vpn-routes"
   location                      = azurerm_resource_group.rg.location
   resource_group_name           = azurerm_resource_group.rg.name
-  disable_bgp_route_propagation = false
+  bgp_route_propagation_enabled = false
 
   dynamic "route" {
     for_each = var.remote_ts
diff --git a/dev-docs/howto/vpn/on-prem-terraform/variables.tf b/dev-docs/howto/vpn/on-prem-terraform/variables.tf
index 652916678..86d74ea18 100644
--- a/dev-docs/howto/vpn/on-prem-terraform/variables.tf
+++ b/dev-docs/howto/vpn/on-prem-terraform/variables.tf
@@ -1,3 +1,9 @@
+variable "subscription_id" {
+  type        = string
+  description = "Azure subscription ID. This can also be sourced from the ARM_SUBSCRIPTION_ID environment variable: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#subscription_id"
+  default     = ""
+}
+
 variable "resource_group_location" {
   type        = string
   default     = "westeurope"
diff --git a/dev-docs/miniconstellation/azure-terraform/main.tf b/dev-docs/miniconstellation/azure-terraform/main.tf
index 24f9bbf61..8609ee7fc 100644
--- a/dev-docs/miniconstellation/azure-terraform/main.tf
+++ b/dev-docs/miniconstellation/azure-terraform/main.tf
@@ -22,6 +22,9 @@ terraform {
 provider "azurerm" {
   use_oidc = true
   features {}
+  # This enables all resource providers.
+  # In the future, we might want to use `resource_providers_to_register` to registers just the ones we need.
+  resource_provider_registrations = "all"
 }
 
 provider "tls" {}
diff --git a/docs/docs/getting-started/first-steps.md b/docs/docs/getting-started/first-steps.md
index 9b37efa64..128ac2849 100644
--- a/docs/docs/getting-started/first-steps.md
+++ b/docs/docs/getting-started/first-steps.md
@@ -80,7 +80,7 @@ If you encounter any problem with the following steps, make sure to use the [lat
     <TabItem value="azure" label="Azure">
 
     ```bash
-    constellation iam create azure --region=westus --resourceGroup=constellTest --servicePrincipal=spTest --update-config
+    constellation iam create azure --subscriptionID 00000000-0000-0000-0000-000000000000 --region=westus --resourceGroup=constellTest --servicePrincipal=spTest --update-config
     ```
 
     This command creates IAM configuration on the Azure region `westus` creating a new resource group `constellTest` and a new service principal `spTest`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in.
diff --git a/docs/docs/reference/cli.md b/docs/docs/reference/cli.md
index 6a911034e..fa26803b3 100644
--- a/docs/docs/reference/cli.md
+++ b/docs/docs/reference/cli.md
@@ -655,6 +655,7 @@ constellation iam create azure [flags]
       --region string             region the resources will be created in, e.g., westus (required)
       --resourceGroup string      name prefix of the two resource groups your cluster / IAM resources will be created in (required)
       --servicePrincipal string   name of the service principal that will be created (required)
+      --subscriptionID string     subscription ID of the Azure account (required)
 ```
 
 ### Options inherited from parent commands
diff --git a/docs/docs/workflows/config.md b/docs/docs/workflows/config.md
index 120bf8ed7..95f791acd 100644
--- a/docs/docs/workflows/config.md
+++ b/docs/docs/workflows/config.md
@@ -184,7 +184,7 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml`
 You must be authenticated with the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials).
 
 ```bash
-constellation iam create azure --region=westus --resourceGroup=constellTest --servicePrincipal=spTest
+constellation iam create azure --subscriptionID 00000000-0000-0000-0000-000000000000 --region=westus --resourceGroup=constellTest --servicePrincipal=spTest
 ```
 
 This command creates IAM configuration on the Azure region `westus` creating a new resource group `constellTest` and a new service principal `spTest`.
diff --git a/e2e/miniconstellation/main.tf b/e2e/miniconstellation/main.tf
index 41d7baa54..f389fa3f8 100644
--- a/e2e/miniconstellation/main.tf
+++ b/e2e/miniconstellation/main.tf
@@ -22,6 +22,9 @@ terraform {
 provider "azurerm" {
   use_oidc = true
   features {}
+  # This enables all resource providers.
+  # In the future, we might want to use `resource_providers_to_register` to registers just the ones we need.
+  resource_provider_registrations = "all"
 }
 
 provider "tls" {}
diff --git a/terraform-provider-constellation/examples/full/azure/main.tf b/terraform-provider-constellation/examples/full/azure/main.tf
index 0a2afd44c..f1f567940 100644
--- a/terraform-provider-constellation/examples/full/azure/main.tf
+++ b/terraform-provider-constellation/examples/full/azure/main.tf
@@ -22,6 +22,7 @@ locals {
   control_plane_count  = 3
   worker_count         = 2
   instance_type        = "Standard_DC4as_v5"
+  subscription_id      = "00000000-0000-0000-0000-000000000000"
 
   master_secret      = random_bytes.master_secret.hex
   master_secret_salt = random_bytes.master_secret_salt.hex
@@ -43,6 +44,7 @@ resource "random_bytes" "measurement_salt" {
 module "azure_iam" {
   // replace $VERSION with the Constellation version you want to use, e.g., v2.14.0
   source                 = "https://github.com/edgelesssys/constellation/releases/download/$VERSION/terraform-module.zip//terraform-module/iam/azure"
+  subscription_id        = local.subscription_id
   location               = local.location
   service_principal_name = "${local.name}-sp"
   resource_group_name    = "${local.name}-rg"
@@ -51,6 +53,7 @@ module "azure_iam" {
 module "azure_infrastructure" {
   // replace $VERSION with the Constellation version you want to use, e.g., v2.14.0
   source                 = "https://github.com/edgelesssys/constellation/releases/download/$VERSION/terraform-module.zip//terraform-module/azure"
+  subscription_id        = local.subscription_id
   name                   = local.name
   user_assigned_identity = module.azure_iam.uami_id
   node_groups = {
diff --git a/terraform/infrastructure/azure/main.tf b/terraform/infrastructure/azure/main.tf
index 91a3f8dd7..bb83ba82c 100644
--- a/terraform/infrastructure/azure/main.tf
+++ b/terraform/infrastructure/azure/main.tf
@@ -17,6 +17,10 @@ provider "azurerm" {
       prevent_deletion_if_contains_resources = false
     }
   }
+  subscription_id = var.subscription_id
+  # This enables all resource providers.
+  # In the future, we might want to use `resource_providers_to_register` to registers just the ones we need.
+  resource_provider_registrations = "all"
 }
 
 locals {
@@ -266,8 +270,8 @@ module "scale_set_group" {
   marketplace_image         = var.marketplace_image
 
   # We still depend on the backends, since we are not sure if the VMs inside the VMSS have been
-  # "updated" to the new version (note: this is the update in Azure which "refreshes" the NICs and not 
-  # our Constellation update). 
+  # "updated" to the new version (note: this is the update in Azure which "refreshes" the NICs and not
+  # our Constellation update).
   # TODO(@3u13r): Remove this dependency after v2.18.0 has been released.
   depends_on = [module.loadbalancer_backend_worker, azurerm_lb_backend_address_pool.all]
 }
diff --git a/terraform/infrastructure/azure/modules/scale_set/main.tf b/terraform/infrastructure/azure/modules/scale_set/main.tf
index 5482b10a2..058cdee88 100644
--- a/terraform/infrastructure/azure/modules/scale_set/main.tf
+++ b/terraform/infrastructure/azure/modules/scale_set/main.tf
@@ -45,6 +45,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "scale_set" {
   provision_vm_agent              = false
   vtpm_enabled                    = true
   disable_password_authentication = false
+  extension_operations_enabled    = false
   upgrade_mode                    = "Manual"
   secure_boot_enabled             = var.secure_boot
   # specify the image id only if a non-marketplace image is used
diff --git a/terraform/infrastructure/azure/variables.tf b/terraform/infrastructure/azure/variables.tf
index 577cdd4f0..a3ab1fd0b 100644
--- a/terraform/infrastructure/azure/variables.tf
+++ b/terraform/infrastructure/azure/variables.tf
@@ -46,6 +46,12 @@ variable "internal_load_balancer" {
 
 # Azure-specific variables
 
+variable "subscription_id" {
+  type        = string
+  description = "Azure subscription ID. This can also be sourced from the ARM_SUBSCRIPTION_ID environment variable: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#subscription_id"
+  default     = ""
+}
+
 variable "location" {
   type        = string
   description = "Azure location to deploy the cluster in."
diff --git a/terraform/infrastructure/iam/azure/main.tf b/terraform/infrastructure/iam/azure/main.tf
index 592012975..0518e795e 100644
--- a/terraform/infrastructure/iam/azure/main.tf
+++ b/terraform/infrastructure/iam/azure/main.tf
@@ -18,6 +18,10 @@ provider "azurerm" {
       prevent_deletion_if_contains_resources = false
     }
   }
+  subscription_id = var.subscription_id
+  # This enables all resource providers.
+  # In the future, we might want to use `resource_providers_to_register` to registers just the ones we need.
+  resource_provider_registrations = "all"
 }
 
 # Configure Azure active directory provider
diff --git a/terraform/infrastructure/iam/azure/variables.tf b/terraform/infrastructure/iam/azure/variables.tf
index 4a63ba609..28c75e840 100644
--- a/terraform/infrastructure/iam/azure/variables.tf
+++ b/terraform/infrastructure/iam/azure/variables.tf
@@ -1,3 +1,9 @@
+variable "subscription_id" {
+  type        = string
+  description = "Azure subscription ID. This can also be sourced from the ARM_SUBSCRIPTION_ID environment variable: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#subscription_id"
+  default     = ""
+}
+
 variable "resource_group_name" {
   type        = string
   description = "Name for the resource group the cluster should reside in."