diff --git a/deploy/README.md b/deploy/README.md
index be66290d..731d07d7 100644
--- a/deploy/README.md
+++ b/deploy/README.md
@@ -14,6 +14,7 @@ The production configuration (azure.atat.code.mil, currently) is reflected in th
 - AUTH_DOMAIN: The host domain for the authentication endpoint for the environment.
 - KV_MI_ID: the fully qualified id (path) of the managed identity for the key vault (instructions on retrieving this are down in section on [Setting up FlexVol](#configuring-the-identity)). Example: /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/RESOURCE_GROUP_NAME/providers/Microsoft.ManagedIdentity/userAssignedIdentities/MANAGED_IDENTITY_NAME
 - KV_MI_CLIENT_ID: The client id of the managed identity for the key vault. This is a GUID.
+- TENANT_ID: The id of the active directory tenant in which the cluster and it's associated users exist. This is a GUID.
 We use envsubst to substitute values for these variables. There is a wrapper script (script/k8s_config) that will output the compiled configuration, using a combination of kustomize and envsubst.
diff --git a/deploy/azure/azure.yml b/deploy/azure/azure.yml
index 0f0033c5..ddbbfe18 100644
--- a/deploy/azure/azure.yml
+++ b/deploy/azure/azure.yml
@@ -149,7 +149,7 @@ spec:
 keyvaultobjectnames: "dhparam4096"
 keyvaultobjectaliases: "dhparam.pem"
 keyvaultobjecttypes: secret
- tenantid: "b5ab0e1e-09f8-4258-afb7-fb17654bc5b3"
+ tenantid: $TENANT_ID
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
diff --git a/script/k8s_config b/script/k8s_config
index ee3c9878..b489c942 100755
--- a/script/k8s_config
+++ b/script/k8s_config
@@ -13,6 +13,7 @@ SETTINGS=(
 AUTH_DOMAIN
 KV_MI_ID
 KV_MI_CLIENT_ID
+ TENANT_ID
 )
 # Loop all expected settings. Track ones that are missing and build
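Review bot: The new `tenantid: $TENANT_ID` line drops the quotes the old literal had, so whatever envsubst writes there is parsed as a bare YAML scalar. An empty or unexpected value would then load as null or another type rather than a string, and the neighbouring entries (`keyvaultobjectnames: "dhparam4096"`) are quoted, so I would write `tenantid: "$TENANT_ID"`. Because the value now exists only after substitution, a comment above the line such as `# filled in by script/k8s_config (envsubst); do not apply this file unrendered` would help. The enclosing spec starts outside the hunk.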
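Review bot: Adding `TENANT_ID` to `SETTINGS` covers an unset variable, but judging by the comment below the array the loop only tracks settings that are missing, so a mistyped tenant id would pass and be written into the manifest. The README describes the value as a GUID, so a shape check before substitution would fail early, e.g. `[[ "$TENANT_ID" =~ ^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$ ]] || { echo "TENANT_ID must be a GUID" >&2; exit 1; }`. The loop body is outside the hunk, so confirm it does not already validate values.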