diff --git a/providers/azure/aci.go b/providers/azure/aci.go
index 58b533979..fc13c318e 100644
--- a/providers/azure/aci.go
+++ b/providers/azure/aci.go
@@ -676,10 +676,8 @@ func (p *ACIProvider) getContainers(pod *v1.Pod) ([]aci.Container, error) {
 c.EnvironmentVariables = make([]aci.EnvironmentVariable, 0, len(container.Env))
 for _, e := range container.Env {
- c.EnvironmentVariables = append(c.EnvironmentVariables, aci.EnvironmentVariable{
- Name: e.Name,
- Value: e.Value,
- })
+ envVar := getACIEnvVar(e)
+ c.EnvironmentVariables = append(c.EnvironmentVariables, envVar)
 }
 // NOTE(robbiezhang): ACI CPU request must be times of 10m
@@ -1058,3 +1056,20 @@ func filterServiceAccountSecretVolume(osType string, containerGroup *aci.Contain
 containerGroup.ContainerGroupProperties.Volumes = volumes
 }
 }
+
+func getACIEnvVar(e v1.EnvVar) aci.EnvironmentVariable {
+ var envVar aci.EnvironmentVariable
+ // If the variable is a secret, use SecureValue
+ if e.ValueFrom.SecretKeyRef != nil {
+ envVar = aci.EnvironmentVariable{
+ Name: e.Name,
+ SecureValue: e.Value,
+ }
+ } else {
+ envVar = aci.EnvironmentVariable{
+ Name: e.Name,
+ Value: e.Value,
+ }
+ }
+ return envVar
+}
diff --git a/providers/azure/aci_test.go b/providers/azure/aci_test.go
index 81d7e3722..a71e5101e 100644
--- a/providers/azure/aci_test.go
+++ b/providers/azure/aci_test.go
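Review bot: `getACIEnvVar` dereferences `e.ValueFrom` without a nil check at `if e.ValueFrom.SecretKeyRef != nil`; `ValueFrom` is a pointer (the tests build it with `&v1.EnvVarSource{}`) and is nil for a variable given as a plain name/value pair, so the new call in the `getContainers` loop would panic on ordinary pods. Guard it with `if e.ValueFrom != nil && e.ValueFrom.SecretKeyRef != nil {`. Separately, the secret branch copies `e.Value` into `SecureValue`; a `secretKeyRef` variable normally carries no literal value in the pod spec, so unless the secret has already been resolved into `e.Value` before this point (not visible in the hunk) ACI would receive an empty secure value. Literal values that happen to be sensitive still go out in the plain `Value` field, which is worth stating in a doc comment on the helper.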
@@ -363,6 +363,58 @@ func TestGetPodWithoutResourceRequestsLimits(t *testing.T) {
 "Containers[0].Resources.Requests.Memory doesn't match")
 }
+func TestPodToACISecretEnvVar(t *testing.T) {
+
+ testKey := "testVar"
+ testVal := "testVal"
+
+ e := v1.EnvVar{
+ Name: testKey,
+ Value: testVal,
+ ValueFrom: &v1.EnvVarSource{
+ SecretKeyRef: &v1.SecretKeySelector{},
+ },
+ }
+ aciEnvVar := getACIEnvVar(e)
+
+ if aciEnvVar.Value != "" {
+ t.Fatalf("ACI Env Variable Value should be empty for a secret")
+ }
+
+ if aciEnvVar.Name != testKey {
+ t.Fatalf("ACI Env Variable Name does not match expected Name")
+ }
+
+ if aciEnvVar.SecureValue != testVal {
+ t.Fatalf("ACI Env Variable Secure Value does not match expected value")
+ }
+}
+
+func TestPodToACIEnvVar(t *testing.T) {
+
+ testKey := "testVar"
+ testVal := "testVal"
+
+ e := v1.EnvVar{
+ Name: testKey,
+ Value: testVal,
+ ValueFrom: &v1.EnvVarSource{},
+ }
+ aciEnvVar := getACIEnvVar(e)
+
+ if aciEnvVar.SecureValue != "" {
+ t.Fatalf("ACI Env Variable Secure Value should be empty for non-secret variables")
+ }
+
+ if aciEnvVar.Name != testKey {
+ t.Fatalf("ACI Env Variable Name does not match expected Name")
+ }
+
+ if aciEnvVar.Value != testVal {
+ t.Fatalf("ACI Env Variable Value does not match expected value")
+ }
+}
+
 func prepareMocks() (*AADMock, *ACIMock, *ACIProvider, error) {
 aadServerMocker := NewAADMock()
 aciServerMocker := NewACIMock()
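Review bot: Neither test exercises an `EnvVar` whose `ValueFrom` is nil, which is how a literal name/value variable arrives; `TestPodToACIEnvVar` sets `ValueFrom: &v1.EnvVarSource{}` and so never reaches the unguarded dereference in `getACIEnvVar`. Dropping that field from the literal in `TestPodToACIEnvVar`, or adding a third case without it, would cover the common path. `TestPodToACISecretEnvVar` sets both `Value` and `ValueFrom`, a combination Kubernetes validation is expected to reject, so it presumably models a pod whose secret was already resolved upstream; a short comment saying so would make that assumption explicit.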