diff --git a/pkg/controller/vsphere/machine_scope.go b/pkg/controller/vsphere/machine_scope.go index 549f51332..2fb4ef391 100644 --- a/pkg/controller/vsphere/machine_scope.go +++ b/pkg/controller/vsphere/machine_scope.go @@ -78,7 +78,7 @@ func newMachineScope(params machineScopeParams) (*machineScope, error) { server := fmt.Sprintf("%s:%s", providerSpec.Workspace.Server, getPortFromConfig(vSphereConfig)) authSession, err := session.GetOrCreate(params.Context, server, providerSpec.Workspace.Datacenter, - user, password) + user, password, getInsecureFlagFromConfig(vSphereConfig)) if err != nil { return nil, fmt.Errorf("failed to create vSphere session: %w", err) } diff --git a/pkg/controller/vsphere/machine_scope_test.go b/pkg/controller/vsphere/machine_scope_test.go index 51e9e096f..5407bc55f 100644 --- a/pkg/controller/vsphere/machine_scope_test.go +++ b/pkg/controller/vsphere/machine_scope_test.go @@ -6,6 +6,7 @@ import ( "fmt" "testing" + configv1 "github.com/openshift/api/config/v1" machinev1 "github.com/openshift/machine-api-operator/pkg/apis/machine/v1beta1" vspherev1 "github.com/openshift/machine-api-operator/pkg/apis/vsphereprovider/v1beta1" corev1 "k8s.io/api/core/v1" @@ -296,6 +297,29 @@ func TestPatchMachine(t *testing.T) { }, } + testConfig := fmt.Sprintf(testConfigFmt, "") + configMap := &corev1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Name: "testName", + Namespace: openshiftConfigNamespace, + }, + Data: map[string]string{ + "testKey": testConfig, + }, + } + + infra := &configv1.Infrastructure{ + ObjectMeta: metav1.ObjectMeta{ + Name: globalInfrastuctureName, + }, + Spec: configv1.InfrastructureSpec{ + CloudConfig: configv1.ConfigMapFileReference{ + Name: "testName", + Key: "testKey", + }, + }, + } + // original objects originalProviderSpec := vspherev1.VSphereMachineProviderSpec{ CredentialsSecret: &corev1.LocalObjectReference{ 
@@ -362,11 +386,16 @@ func TestPatchMachine(t *testing.T) { if err := machinev1.AddToScheme(scheme.Scheme); err != nil { t.Fatal(err) } - fakeClient := fake.NewFakeClientWithScheme(scheme.Scheme, credentialsSecret, originalMachine) + fakeClient := fake.NewFakeClientWithScheme(scheme.Scheme, + credentialsSecret, + originalMachine, + configMap, + infra) machineScope, err := newMachineScope(machineScopeParams{ - client: fakeClient, - Context: context.TODO(), - machine: originalMachine, + client: fakeClient, + Context: context.TODO(), + machine: originalMachine, + apiReader: fakeClient, }) if err != nil { t.Fatal(err) diff --git a/pkg/controller/vsphere/reconciler_test.go b/pkg/controller/vsphere/reconciler_test.go index 0ee6b07a4..e3cfb69c9 100644 --- a/pkg/controller/vsphere/reconciler_test.go +++ b/pkg/controller/vsphere/reconciler_test.go @@ -67,7 +67,7 @@ func initSimulator(t *testing.T) (*simulator.Model, *session.Session, *simulator authSession, err := session.GetOrCreate( context.TODO(), server.URL.Host, "", - server.URL.User.Username(), pass) + server.URL.User.Username(), pass, true) if err != nil { t.Fatal(err) } @@ -88,6 +88,7 @@ func TestClone(t *testing.T) { model, session, server := initSimulator(t) defer model.Remove() defer server.Close() + credentialsSecretUsername := fmt.Sprintf("%s.username", server.URL.Host) credentialsSecretPassword := fmt.Sprintf("%s.password", server.URL.Host) diff --git a/pkg/controller/vsphere/session/session.go b/pkg/controller/vsphere/session/session.go index 041977897..ebcc09ba9 100644 --- a/pkg/controller/vsphere/session/session.go +++ b/pkg/controller/vsphere/session/session.go @@ -56,7 +56,7 @@ type Session struct { // already exist. func GetOrCreate( ctx context.Context, - server, datacenter, username, password string) (*Session, error) { + server, datacenter, username, password string, insecure bool) (*Session, error) { sessionMU.Lock() defer sessionMU.Unlock() 
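Review bot: `GetOrCreate` gains `insecure bool` in the `session.go` hunk, but its doc comment still describes only the get-or-create behaviour and says nothing about the new argument. The cache lookup sits between this hunk and the `govmomi.NewClient` call and is outside the hunk, so it is not visible whether the cached-session key takes `insecure` into account. If the key is built from server, datacenter and username only, a session established with certificate verification disabled would keep being returned after the cloud config is changed to require verification. I would either add `insecure` to the key or state the behaviour in the doc comment, e.g. `// insecure disables TLS certificate verification for newly created sessions; a cached session keeps the setting it was created with.`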
@@ -78,8 +78,7 @@ func GetOrCreate( soapURL.User = url.UserPassword(username, password) - // TODO: drop insecure flag - client, err := govmomi.NewClient(ctx, soapURL, true) + client, err := govmomi.NewClient(ctx, soapURL, insecure) if err != nil { return nil, fmt.Errorf("error setting up new vSphere SOAP client: %w", err) } diff --git a/pkg/controller/vsphere/session/session_test.go b/pkg/controller/vsphere/session/session_test.go index 90742682a..e48c3da83 100644 --- a/pkg/controller/vsphere/session/session_test.go +++ b/pkg/controller/vsphere/session/session_test.go @@ -40,7 +40,7 @@ func initSimulator(t *testing.T) (*simulator.Model, *Session, *simulator.Server) authSession, err := GetOrCreate( context.TODO(), server.URL.Host, "", - server.URL.User.Username(), pass) + server.URL.User.Username(), pass, true) if err != nil { t.Fatal(err) } diff --git a/pkg/controller/vsphere/util.go b/pkg/controller/vsphere/util.go index 6f0930762..521535734 100644 --- a/pkg/controller/vsphere/util.go +++ b/pkg/controller/vsphere/util.go @@ -44,7 +44,8 @@ type Global struct { // Port is the port on which the vSphere endpoint is listening. // Defaults to 443. // Has string type because we need empty string value for formatting - Port string `gcfg:"port"` + Port string `gcfg:"port"` + InsecureFlag string `gcfg:"insecure-flag"` } func getInfrastructure(c runtimeclient.Reader) (*configv1.Infrastructure, error) { @@ -170,3 +171,11 @@ func getPortFromConfig(config *vSphereConfig) string { } return "" } + +// getInsecureFlagFromConfig get insecure flag from config and default to false +func getInsecureFlagFromConfig(config *vSphereConfig) bool { + if config != nil && config.Global.InsecureFlag == "1" { + return true + } + return false +} diff --git a/pkg/controller/vsphere/util_test.go b/pkg/controller/vsphere/util_test.go index db6264928..4df78a28d 100644 --- a/pkg/controller/vsphere/util_test.go +++ b/pkg/controller/vsphere/util_test.go 
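Review bot: With `insecure` false, `govmomi.NewClient(ctx, soapURL, insecure)` presumably verifies the vCenter certificate against the default trust roots, and nothing in this hunk lets an operator supply a private CA bundle or a pinned thumbprint. A vCenter with a self-signed or internal-CA certificate then has only `insecure-flag = "1"` as a workaround, which sends the credentials set in `soapURL.User` over an unverified connection. Consider a follow-up that configures trust explicitly (govmomi's `soap.Client` offers `SetRootCAs` and `SetThumbprint`). Until then, a log line whenever `insecure` is true would make the downgrade visible in the controller logs. GetOrCreate's body starts and ends outside the hunk.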
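Review bot: `InsecureFlag` is added to `Global` in `util.go` without a doc comment, directly under the comment block that documents `Port`; something like `// InsecureFlag disables TLS certificate verification of the vSphere endpoint when set to "1".` would make the security effect explicit. The same gap shows in the `@@ -170,3 +171,11 @@` hunk: `getInsecureFlagFromConfig` treats only the exact string `"1"` as enabled, so a config written as `insecure-flag = true` falls through to false. That fails closed, which is the safe direction, but it surfaces as a certificate error with no hint about the flag value. Document the accepted value in the function comment, or parse with `strconv.ParseBool` and report unparsable values. The body can also be the single line `return config != nil && config.Global.InsecureFlag == "1"`.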
@@ -12,15 +12,17 @@ import ( ) const ( - testRegion = "testRegion" - testZone = "testZone" - testPort = "443" - testConfigFmt = ` + testRegion = "testRegion" + testZone = "testZone" + testPort = "443" + testInsecureFlag = "1" + testConfigFmt = ` [Labels] zone = "testZone" region = "testRegion" [Global] port = %s + insecure-flag="1" ` ) @@ -67,4 +69,8 @@ func TestGetVSphereConfig(t *testing.T) { if vSphereConfig.Global.Port != testPort { t.Errorf("Expected zone %s, got %s", testZone, vSphereConfig.Global.Port) } + + if vSphereConfig.Global.InsecureFlag != testInsecureFlag { + t.Errorf("Expected insecure flag %s, got %s", testInsecureFlag, vSphereConfig.Global.InsecureFlag) + } }
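Review bot: `testConfigFmt` hard-codes `insecure-flag="1"`, so the new assertion in `TestGetVSphereConfig` (the `@@ -67,4 +69,8 @@` hunk) only proves that the key is parsed into `Global.InsecureFlag`. Nothing in these hunks exercises `getInsecureFlagFromConfig` itself, so the security-relevant default is untested. A small table test calling it with a nil config, a config with the flag unset, `"0"`, `"true"` and `"1"` would pin that verification is disabled only on an explicit `"1"`. Because every test using this fixture now runs with the flag set, a fixture variant without the key would also let the secure default path be covered.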