diff --git a/config/common/common.go b/config/common/common.go
index 9839b3afd..da0fa9673 100644
--- a/config/common/common.go
+++ b/config/common/common.go
@@ -25,6 +25,8 @@ import (
 tjconfig "github.com/upbound/upjet/pkg/config"
 "github.com/upbound/provider-azure/apis/rconfig"
+
+ "github.com/crossplane/crossplane-runtime/pkg/fieldpath"
 )
 const (
@@ -149,3 +151,10 @@ func addReference(references tjconfig.References, referenceKind, referenceName,
 }
 }
 }
+
+// GetField returns the value of field as a string in a map[string]interface{},
+//
+// fails properly otherwise.
+func GetField(from map[string]interface{}, path string) (string, error) {
+ return fieldpath.Pave(from).GetString(path)
+}
diff --git a/config/containerservice/config.go b/config/containerservice/config.go
index b7ed5994c..fb8dfbf3d 100644
--- a/config/containerservice/config.go
+++ b/config/containerservice/config.go
@@ -17,10 +17,14 @@ limitations under the License.
 package containerservice
 import (
+ "encoding/base64"
+
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+ "github.com/pkg/errors"
 "github.com/upbound/upjet/pkg/config"
 "github.com/upbound/provider-azure/apis/rconfig"
+ "github.com/upbound/provider-azure/config/common"
 )
 // Configure configures kubernetes group
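Review bot: The doc comment on GetField (second hunk of config/common/common.go) is split by a stray `//` line, and "fails properly otherwise" does not tell a caller what comes back when the path is missing or the value is not a string. Suggest two lines instead: `// GetField returns the string value at the given field path of from.` and `// It returns an error if the path cannot be resolved or the value is not a string.` The error behaviour is whatever fieldpath's GetString returns, so confirm the wording against that package. Since the helper is used to read credential fields, it is also worth stating in the comment that the returned error names the path but the caller decides whether to log it.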
@@ -52,9 +56,37 @@ func Configure(p *config.Provider) {
 "oms_agent"},
 }
 r.Sensitive.AdditionalConnectionDetailsFn = func(attr map[string]interface{}) (map[string][]byte, error) {
+ caData, err := common.GetField(attr, "kube_config[0].cluster_ca_certificate")
+ if err != nil {
+ return nil, err
+ }
+ caDataBytes, err := base64.StdEncoding.DecodeString(caData)
+ if err != nil {
+ return nil, errors.Wrapf(err, "cannot serialize cluster ca data")
+ }
+ clientCertData, err := common.GetField(attr, "kube_config[0].client_certificate")
+ if err != nil {
+ return nil, err
+ }
+ clientCertDataBytes, err := base64.StdEncoding.DecodeString(clientCertData)
+ if err != nil {
+ return nil, errors.Wrapf(err, "cannot serialize cluster client cert data")
+ }
+ clientKeyData, err := common.GetField(attr, "kube_config[0].client_key")
+ if err != nil {
+ return nil, err
+ }
+ clientKeyDataBytes, err := base64.StdEncoding.DecodeString(clientKeyData)
+ if err != nil {
+ return nil, errors.Wrapf(err, "cannot serialize cluster client key data")
+ }
+
 if kc, ok := attr["kube_config_raw"].(string); ok {
 return map[string][]byte{
- "kubeconfig": []byte(kc),
+ "kubeconfig": []byte(kc),
+ "kubeconfig.clustercacertificate": caDataBytes,
+ "kubeconfig.clientcertificate": clientCertDataBytes,
+ "kubeconfig.clientkey": clientKeyDataBytes,
 }, nil
 }
 return nil, nil