diff --git a/api/v1alpha1/azureresourcegraph_types.go b/api/v1alpha1/azureresourcegraph_types.go
index bae40f9..a1f8cfa 100644
--- a/api/v1alpha1/azureresourcegraph_types.go
+++ b/api/v1alpha1/azureresourcegraph_types.go
@@ -33,12 +33,11 @@ type AzureResourceGraphSpec struct { // +required Tenant string `json:"tenant"` - //+kubebuilder:validation:MinLength=0 - // +optional - ManagedIdentiy string `json:"managedIdentity"` - // +required Interval metav1.Duration `json:"interval"` + + // +required + SecretRef string `json:"secretRef"` } // AzureResourceGraphStatus defines the observed state of AzureResourceGraph
diff --git a/config/crd/bases/hub.kalypso.io_azureresourcegraphs.yaml b/config/crd/bases/hub.kalypso.io_azureresourcegraphs.yaml
index 16c40a1..6ca035c 100644
--- a/config/crd/bases/hub.kalypso.io_azureresourcegraphs.yaml
+++ b/config/crd/bases/hub.kalypso.io_azureresourcegraphs.yaml
@@ -38,8 +38,7 @@ spec: properties: interval: type: string - managedIdentity: - minLength: 0 + secretRef: type: string subscription: minLength: 0
@@ -49,6 +48,7 @@ spec: type: string required: - interval + - secretRef - subscription - tenant type: object
diff --git a/config/samples/hub_v1alpha1_azureresourcegraph.yaml b/config/samples/hub_v1alpha1_azureresourcegraph.yaml
index bcc7992..b461bd9 100644
--- a/config/samples/hub_v1alpha1_azureresourcegraph.yaml
+++ b/config/samples/hub_v1alpha1_azureresourcegraph.yaml
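Review bot: `SecretRef` is marked `// +required` but carries no content validation, so an empty string satisfies the CRD and the controller then looks up a Secret named "" — the removed `ManagedIdentiy` field at least had a kubebuilder marker. Add `// +kubebuilder:validation:MinLength=1` above the field and regenerate the CRD so the empty case is rejected at admission rather than at reconcile time. The field also needs a doc comment stating the contract the controller relies on, e.g. `// SecretRef is the name of a Secret in this object's namespace holding the AZURE_CLIENT_ID and AZURE_CLIENT_SECRET keys used to authenticate to Azure.` (those are the key names getAzureCredentials reads in this commit). The enclosing `AzureResourceGraphSpec` struct starts before this hunk.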
@@ -1,18 +1,9 @@ apiVersion: hub.kalypso.io/v1alpha1 kind: AzureResourceGraph metadata: - labels: - app.kubernetes.io/name: azureresourcegraph - app.kubernetes.io/instance: azureresourcegraph-sample - app.kubernetes.io/part-of: kalypso-observability-hub - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/created-by: kalypso-observability-hub - name: azureresourcegraph-sample + name: azureresourcegraph spec: - subscription: "7be1b9e7-57ca-47ff-b5ab-82e7ccb8c611" - - tenant: "16b3c013-d300-468d-ac64-7eda0820b6d3" - - managedIdentity: "02552706-98f9-4301-a473-017752fc430b" - + subscription: "7be1b9e7-57ca-47ff-b5ab-82e7ccb8c611" + tenant: "16b3c013-d300-468d-ac64-7eda0820b6d3" + secretRef: "azureresourcegraph-secret" interval: 10s
diff --git a/controllers/azureresourcegraph_controller.go b/controllers/azureresourcegraph_controller.go
index 2d37cf0..ecf44fb 100644
--- a/controllers/azureresourcegraph_controller.go
+++ b/controllers/azureresourcegraph_controller.go
@@ -24,9 +24,11 @@ import ( "time" "github.com/go-logr/logr" + corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/meta" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/types" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/builder" "sigs.k8s.io/controller-runtime/pkg/client"
@@ -313,7 +315,7 @@ func (r *AzureResourceGraphReconciler) createReconciler(status string, statusMes // Create the reconciler spec reconciler := hubv1alpha1.ReconcilerSpec{ - HostName: fmt.Sprintf("%s-%s", resourceGroup, clusterName), + HostName: clusterName, ReconcilerName: reconcilerName, Type: reconcilerType, ManifestsStorageType: hubv1alpha1.Git,
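Review bot: `HostName: clusterName` drops the resource group from the host identity, so two clusters with the same name in different resource groups (or subscriptions) of one tenant now resolve to the same host record; unless cluster names are guaranteed unique tenant-wide, that is a silent merge of two clusters' reconcilers rather than a cosmetic rename. Whether anything downstream keys hosts solely by HostName cannot be seen here, and `createReconciler` starts before this hunk, but the ddl.pgsql hunk in this commit that drops `unique` from `reconciler.name` suggests the collision is already being felt. If the short name is wanted for display, consider keeping the disambiguating key in a separate field rather than removing it from the identity, and document the decision above the assignment, e.g. `// HostName is the bare cluster name; it must be unique across the tenant.`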
@@ -329,7 +331,7 @@ func (r *AzureResourceGraphReconciler) getReconcilersDataFromChildKalypsoObjects var reconcilerData []hubv1alpha1.ReconcilerSpec // TODO: identify cluster type (AKS vs conect cluster) - res, err := fluxConfigClient.Get(ctx, resourceGroup, "Microsoft.ContainerService", "managedClusters", clusterName, fluxConfigName, nil) + res, err := fluxConfigClient.Get(ctx, resourceGroup, "Microsoft.Kubernetes", "connectedClusters", clusterName, fluxConfigName, nil) if err != nil { return nil, err }
@@ -342,22 +344,16 @@ func (r *AzureResourceGraphReconciler) getReconcilersDataFromChildKalypsoObjects } //TODO Update Kalypso: name deployment target as workload.deploymentTarget or without workload at all - // expected flux resource name format: env.workspace.application.workload-deploymentTarget[.clusterType] + // expected flux resource name format: env.workspace.application.workload.deploymentTarget[.clusterType] nameParts := strings.Split(*status.Name, ".") - if len(nameParts) < 4 { + if len(nameParts) < 5 { continue } environmentName := nameParts[0] workspace := nameParts[1] application := nameParts[2] - workloadDeploymentTargetName := nameParts[3] - - nameParts = strings.Split(workloadDeploymentTargetName, "-") - if len(nameParts) < 2 { - continue - } - workloadName := nameParts[0] - deploymentTargetName := strings.Replace(workloadDeploymentTargetName, workloadName+"-", "", 1) + workloadName := nameParts[3] + deploymentTargetName := nameParts[4] dt, err := storageClient.GetDeploymentTarget(ctx, &pb.DeploymentTargetSearch{ WorkloadName: workloadName,
@@ -367,6 +363,8 @@ func (r *AzureResourceGraphReconciler) getReconcilersDataFromChildKalypsoObjects ApplicationName: application, }) if err != nil { + //log workspace, application, workloadName and deploymentTargetName + logger.Error(err, "Failed to get deployment target", "workspace", workspace, "application", application, "workloadName", workloadName, "deploymentTargetName", deploymentTargetName) continue }
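Review bot: The hard-coded provider is swapped from `Microsoft.ContainerService`/`managedClusters` to `Microsoft.Kubernetes`/`connectedClusters`, yet the `// TODO: identify cluster type` comment right above it is left as is, so any AKS-hosted flux configuration now fails the `Get` and the function returns early on the first such cluster instead of skipping it. If both cluster kinds are expected, the resource type should be selected per cluster (the Resource Graph result presumably carries the resource type — to confirm) rather than fixed at this call. At minimum the comment should state the new scope, e.g. `// Only Arc-connected clusters (Microsoft.Kubernetes/connectedClusters) are supported; AKS (Microsoft.ContainerService/managedClusters) is still TODO`. `getReconcilersDataFromChildKalypsoObjects` starts before and ends after this hunk.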
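Review bot: With the check tightened to `len(nameParts) < 5`, any flux configuration still named in the previous four-part `workload-deploymentTarget` form is skipped by the `continue` with nothing logged, whereas the GetDeploymentTarget failure a few lines later is logged by this same commit. Suggest logging before that `continue`, using the `logger` the next hunk in this function already uses, e.g. `logger.Info("skipping flux configuration with unexpected name format", "name", *status.Name, "parts", len(nameParts))`, so a stale naming scheme shows up as a log line rather than as a missing reconciler. The updated format comment still allows an optional sixth `clusterType` part that the parsing never reads; fine if intentional, but the comment should say so. The enclosing function continues on both sides of the hunk.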
@@ -426,8 +424,18 @@ func (r *AzureResourceGraphReconciler) getStatusMessage(complianceState string, // Get Acxure Credentials func (r *AzureResourceGraphReconciler) getAzureCredentials(arg *hubv1alpha1.AzureResourceGraph) (*azidentity.DefaultAzureCredential, error) { + // find secret by name + secret := &corev1.Secret{} + err := r.Get(context.TODO(), types.NamespacedName{Name: arg.Spec.SecretRef, Namespace: arg.Namespace}, secret) + if err != nil { + return nil, err + } + + //set the environment variables from the secret os.Setenv("AZURE_TENANT_ID", arg.Spec.Tenant) - os.Setenv("AZURE_CLIENT_ID", arg.Spec.ManagedIdentiy) + os.Setenv("AZURE_SUBSCRIPTION_ID", arg.Spec.Subscription) + os.Setenv("AZURE_CLIENT_SECRET", string(secret.Data["AZURE_CLIENT_SECRET"])) + os.Setenv("AZURE_CLIENT_ID", string(secret.Data["AZURE_CLIENT_ID"])) cred, err := azidentity.NewDefaultAzureCredential(nil) if err != nil {
diff --git a/storage/scripts/ddl.pgsql b/storage/scripts/ddl.pgsql
index 2e1ae69..c2e88f4 100644
--- a/storage/scripts/ddl.pgsql
+++ b/storage/scripts/ddl.pgsql
@@ -112,7 +112,7 @@ create table if not exists host( create table if not exists reconciler( id serial primary key, - name varchar(150) not null unique, + name varchar(150) not null, host_id int not null references host(id), description text, reconciler_type varchar(20),
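Review bot: Copying the Secret into process-wide environment variables with `os.Setenv` makes per-object credentials global to the controller: concurrent reconciles of two AzureResourceGraph objects with different secrets race on `AZURE_CLIENT_ID`/`AZURE_CLIENT_SECRET`, and the client secret remains in the process environment after the call, where any code or child process that reads the environment can see it. A missing or misspelled key in `secret.Data` also yields an empty string, after which `NewDefaultAzureCredential` quietly falls back to whatever identity the pod itself has (environment, managed identity, CLI) instead of failing, so a broken Secret authenticates as the controller rather than as the intended principal. Build the credential from the values directly with `azidentity.NewClientSecretCredential` and fail on missing keys, as below; this changes the return type to `azcore.TokenCredential` (import `github.com/Azure/azure-sdk-for-go/sdk/azcore`), which the caller outside this hunk has to accept, and it uses `fmt`, which the removed HostName line shows the file imported — confirm it still is. Passing the reconcile `ctx` instead of `context.TODO()` would be a separate, smaller change; the function's tail below the hunk becomes unnecessary with this rewrite.
```go
func (r *AzureResourceGraphReconciler) getAzureCredentials(arg *hubv1alpha1.AzureResourceGraph) (azcore.TokenCredential, error) {
	secret := &corev1.Secret{}
	if err := r.Get(context.TODO(), types.NamespacedName{Name: arg.Spec.SecretRef, Namespace: arg.Namespace}, secret); err != nil {
		return nil, fmt.Errorf("reading credentials secret %q: %w", arg.Spec.SecretRef, err)
	}
	clientID := string(secret.Data["AZURE_CLIENT_ID"])
	clientSecret := string(secret.Data["AZURE_CLIENT_SECRET"])
	if clientID == "" || clientSecret == "" {
		// Fail closed: an empty value must not fall through to the controller's own identity.
		return nil, fmt.Errorf("secret %q must contain non-empty AZURE_CLIENT_ID and AZURE_CLIENT_SECRET", arg.Spec.SecretRef)
	}
	// No os.Setenv: the credential is scoped to this call and never written to the process environment.
	return azidentity.NewClientSecretCredential(arg.Spec.Tenant, clientID, clientSecret, nil)
	// … the NewDefaultAzureCredential lines below the hunk are replaced by the return above …
```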
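Review bot: Dropping `unique` from `reconciler.name` removes the only constraint that prevented duplicate reconciler rows and nothing replaces it; given the HostName change in the controller hunk of this commit, the natural key is presumably `(name, host_id)`. Suggest adding a table constraint `unique (name, host_id)` so repeated reconciles update rather than accumulate rows, and check any insert that uses `on conflict (name)` — it would now fail against a table with no matching unique index (not visible here). Since this is `create table if not exists`, existing databases will not pick up the change without a migration, which the commit does not include.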