diff --git a/authority/provisioner/azure.go b/authority/provisioner/azure.go
index cd1e8299..9080bcc2 100644
--- a/authority/provisioner/azure.go
+++ b/authority/provisioner/azure.go
@@ -78,7 +78,7 @@ type Azure struct {
 Type string `json:"type"`
 Name string `json:"name"`
 TenantID string `json:"tenantId"`
- Subscriptions []string `json:"subscriptions"`
+ ResourceGroups []string `json:"resourceGroups"`
 Audience string `json:"audience,omitempty"`
 DisableCustomSANs bool `json:"disableCustomSANs"`
 DisableTrustOnFirstUse bool `json:"disableTrustOnFirstUse"`
@@ -244,19 +244,19 @@ func (p *Azure) AuthorizeSign(token string) ([]SignOption, error) {
 if len(re) == 0 {
 return nil, errors.Errorf("error parsing xms_mirid claim: %s", claims.XMSMirID)
 }
- subscription, name := re[1], re[3]
+ group, name := re[2], re[3]
 
- // Filter by subscriptions
- if len(p.Subscriptions) > 0 {
+ // Filter by resource group
+ if len(p.ResourceGroups) > 0 {
 var found bool
- for _, s := range p.Subscriptions {
- if s == subscription {
+ for _, g := range p.ResourceGroups {
+ if g == group {
 found = true
 break
 }
 }
 if !found {
- return nil, errors.New("validation failed: invalid subscription id")
+ return nil, errors.New("validation failed: invalid resource group")
 }
 }
 
diff --git a/authority/provisioner/azure_test.go b/authority/provisioner/azure_test.go
index 5b3c817c..a247dbfa 100644
--- a/authority/provisioner/azure_test.go
+++ b/authority/provisioner/azure_test.go
@@ -208,7 +208,7 @@ func TestAzure_AuthorizeSign(t *testing.T) {
 p2, err := generateAzure()
 assert.FatalError(t, err)
 p2.TenantID = p1.TenantID
- p2.Subscriptions = []string{"subscriptionID"}
+ p2.ResourceGroups = []string{"resourceGroup"}
 p2.config = p1.config
 p2.oidcConfig = p1.oidcConfig
 p2.keyStore = p1.keyStore
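Review bot: Removing the `Subscriptions` field silently drops the subscription restriction for any deployment whose provisioner config still sets `subscriptions`: encoding/json ignores unknown keys unless the decoder uses DisallowUnknownFields, which is not visible from this hunk, so such a config keeps loading but no longer restricts anything. Since both values are captured from the xms_mirid claim anyway, a backward-compatible option is to keep `Subscriptions []string` (with its existing json:"subscriptions" tag) next to `ResourceGroups` and enforce both in AuthorizeSign, or alternatively reject the old key at config load so operators notice the change. Whichever is chosen, the new field needs a doc comment stating its matching scope, e.g. `// ResourceGroups restricts signing to tokens whose xms_mirid resource group matches one of these names; resource group names are only unique within a subscription.` The Azure struct definition starts before this hunk.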
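Review bot: Matching only the resource group name captured in `re[2]` is a weaker check than the subscription match it replaces, and the subscription captured in `re[1]` is now discarded: resource group names are unique only within a subscription, so a VM in any other subscription of the same tenant whose resource group happens to carry the same name passes this filter. If the intent is to narrow rather than loosen the trust boundary, keep the subscription comparison and check both, e.g. `subscription, group, name := re[1], re[2], re[3]` followed by the previous subscription loop; if the loosening is intended, say so in the comment above the loop, `// Filter by resource group name; this is tenant-wide, not scoped to a subscription.` Separately, `g == group` is an exact comparison while Azure treats resource group names case-insensitively and the claim may not preserve the configured casing, so `strings.EqualFold(g, group)` is probably the safer match if strings is already imported (not verifiable from this hunk). AuthorizeSign starts and ends outside this hunk.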
@@ -223,7 +223,7 @@ func TestAzure_AuthorizeSign(t *testing.T) {
 p4, err := generateAzure()
 assert.FatalError(t, err)
 p4.TenantID = p1.TenantID
- p4.Subscriptions = []string{"subscriptionID1"}
+ p4.ResourceGroups = []string{"foobarzar"}
 p4.config = p1.config
 p4.oidcConfig = p1.oidcConfig
 p4.keyStore = p1.keyStore
@@ -280,7 +280,7 @@ func TestAzure_AuthorizeSign(t *testing.T) {
 {"ok", p2, args{t2}, 5, false},
 {"ok", p1, args{t11}, 4, false},
 {"fail tenant", p3, args{t3}, 0, true},
- {"fail subscription", p4, args{t4}, 0, true},
+ {"fail resource group", p4, args{t4}, 0, true},
 {"fail token", p1, args{"token"}, 0, true},
 {"fail issuer", p1, args{failIssuer}, 0, true},
 {"fail audience", p1, args{failAudience}, 0, true},