diff --git a/controllers/azuremanagedcontrolplane_reconciler.go b/controllers/azuremanagedcontrolplane_reconciler.go
index 8f70b500a81..783a0ba7e1f 100644
--- a/controllers/azuremanagedcontrolplane_reconciler.go
+++ b/controllers/azuremanagedcontrolplane_reconciler.go
@@ -33,6 +33,7 @@ import (
 	"sigs.k8s.io/cluster-api-provider-azure/azure/services/subnets"
 	"sigs.k8s.io/cluster-api-provider-azure/azure/services/virtualnetworks"
 	"sigs.k8s.io/cluster-api-provider-azure/util/tele"
+	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	"sigs.k8s.io/cluster-api/util/secret"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
@@ -137,6 +138,15 @@ func (r *azureManagedControlPlaneService) reconcileKubeconfig(ctx context.Contex
 			kubeConfigSecret.Data = map[string][]byte{
 				secret.KubeconfigDataName: kubeConfigData,
 			}
+
+			// When upgrading from an older version of CAPI, the kubeconfig secret may not have the required
+			// cluster name label. Add it here to avoid kubeconfig issues during upgrades.
+			if _, ok := kubeConfigSecret.Labels[clusterv1.ClusterNameLabel]; !ok {
+				if kubeConfigSecret.Labels == nil {
+					kubeConfigSecret.Labels = make(map[string]string)
+				}
+				kubeConfigSecret.Labels[clusterv1.ClusterNameLabel] = r.scope.ClusterName()
+			}
 			return nil
 		}); err != nil {
 			return errors.Wrap(err, "failed to reconcile kubeconfig secret for cluster")