diff --git a/.gitignore b/.gitignore
index 6e756f7d60a..2bbccc6f7f8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -95,3 +95,4 @@ azure_identity_id
 azure_wi_back_compat
 openid-configuration.json
 aks-mgmt.config
+.service-account-issuer.env
diff --git a/Makefile b/Makefile
index 6635c667dd1..f2a51c5cc26 100644
--- a/Makefile
+++ b/Makefile
@@ -407,7 +407,13 @@ create-management-cluster: $(KUSTOMIZE) $(ENVSUBST) $(KUBECTL) $(KIND) ## Create
 .PHONY: create-workload-cluster
 create-workload-cluster: $(ENVSUBST) $(KUBECTL) ## Create a workload cluster.
 # Create workload Cluster.
- @if [ -z "${AZURE_CLIENT_ID_USER_ASSIGNED_IDENTITY}" ]; then \
+ # Source SERVICE_ACCOUNT_ISSUER from kind-with-registry.sh if available,
+ # so the workload cluster template gets the correct OIDC issuer URL.
+ @if [ -f "$(ROOT_DIR)/.service-account-issuer.env" ]; then \
+ . "$(ROOT_DIR)/.service-account-issuer.env"; \
+ export SERVICE_ACCOUNT_ISSUER; \
+ fi; \
+ if [ -z "${AZURE_CLIENT_ID_USER_ASSIGNED_IDENTITY}" ]; then \
 export AZURE_CLIENT_ID_USER_ASSIGNED_IDENTITY=$(shell cat $(AZURE_IDENTITY_ID_FILEPATH)); \
 fi; \
 if [ -f "$(TEMPLATES_DIR)/$(CLUSTER_TEMPLATE)" ]; then \
diff --git a/scripts/kind-with-registry.sh b/scripts/kind-with-registry.sh
index 32c438f699c..9aeb48f76b4 100755
--- a/scripts/kind-with-registry.sh
+++ b/scripts/kind-with-registry.sh
@@ -202,6 +202,13 @@ EOF
 --audiences "api://AzureADTokenExchange" \
 --subject "system:serviceaccount:capz-system:azureserviceoperator-default" --output none --only-show-errors
 fi
+
+ # Persist SERVICE_ACCOUNT_ISSUER so that downstream make targets
+ # (e.g., create-workload-cluster) running in separate shell contexts
+ # can pick it up via the .service-account-issuer.env file.
+ if [ -n "${SERVICE_ACCOUNT_ISSUER}" ]; then
+ echo "SERVICE_ACCOUNT_ISSUER=${SERVICE_ACCOUNT_ISSUER}" > "${REPO_ROOT}/.service-account-issuer.env"
+ fi
 }
 
 function upload_to_blob() {
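Review bot: The added `. "$(ROOT_DIR)/.service-account-issuer.env"` line executes the file as shell code and does so unconditionally, so a stale file left in the checkout silently overrides a SERVICE_ACCOUNT_ISSUER the caller exported on purpose, and whatever that git-ignored file contains runs with the developer's privileges on the next `make create-workload-cluster`. Since the file is only meant to carry one `KEY=value` line, extracting the value instead of sourcing it, and honouring an already-set variable, keeps the environment the source of truth: `if [ -z "$${SERVICE_ACCOUNT_ISSUER}" ] && [ -f "$(ROOT_DIR)/.service-account-issuer.env" ]; then \` / `SERVICE_ACCOUNT_ISSUER="$$(sed -n 's/^SERVICE_ACCOUNT_ISSUER=//p' "$(ROOT_DIR)/.service-account-issuer.env")"; \` / `export SERVICE_ACCOUNT_ISSUER; \`. The two `# Source SERVICE_ACCOUNT_ISSUER …` lines sit inside the recipe, so they are recipe text handed to the shell rather than Make comments and will be echoed unless prefixed with `@`; moving them above the `@if` as Make comments, or into the `##` help text, avoids that. The recipe continues past the end of the hunk.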
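Review bot: The persisted assignment is written unquoted, `echo "SERVICE_ACCOUNT_ISSUER=${SERVICE_ACCOUNT_ISSUER}"`, and the Makefile hunk sources that file, so any whitespace or shell metacharacter in the issuer value breaks the round trip or is interpreted as shell when read back; writing it as a quoted assignment keeps the file a plain `KEY=value` line, e.g. `printf 'SERVICE_ACCOUNT_ISSUER=%q\n' "${SERVICE_ACCOUNT_ISSUER}" > "${REPO_ROOT}/.service-account-issuer.env"` (bash `%q`). The guard `[ -n "${SERVICE_ACCOUNT_ISSUER}" ]` aborts under `set -u` when the variable is unset — I cannot see whether this script enables it — so `"${SERVICE_ACCOUNT_ISSUER:-}"` is the safer spelling. The reader uses `$(ROOT_DIR)` while the writer uses `${REPO_ROOT}`; presumably the same directory, but worth confirming since a mismatch would make the file silently unused. The comment should also say that the file is overwritten on every run and is not cleaned up, so a cluster created outside this script can read a stale issuer. The enclosing function starts before the hunk.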