diff --git a/pkg/cluster/clusterserviceprincipal_test.go b/pkg/cluster/clusterserviceprincipal_test.go
index 425b1b576..917daa42a 100644
--- a/pkg/cluster/clusterserviceprincipal_test.go
+++ b/pkg/cluster/clusterserviceprincipal_test.go
@@ -24,10 +24,8 @@ import (
 
  "github.com/Azure/ARO-RP/pkg/api"
  "github.com/Azure/ARO-RP/pkg/util/arm"
- "github.com/Azure/ARO-RP/pkg/util/deployment"
  mock_authz "github.com/Azure/ARO-RP/pkg/util/mocks/azureclient/mgmt/authorization"
  mock_features "github.com/Azure/ARO-RP/pkg/util/mocks/azureclient/mgmt/features"
- mock_env "github.com/Azure/ARO-RP/pkg/util/mocks/env"
  "github.com/Azure/ARO-RP/pkg/util/rbac"
 )
 
@@ -53,11 +51,6 @@ func TestCreateOrUpdateClusterServicePrincipalRBAC(t *testing.T) {
  },
  },
  },
- subscriptionDoc: &api.SubscriptionDocument{ // TODO: can remove after the feature flag is removed
- Subscription: &api.Subscription{
- Properties: &api.SubscriptionProperties{},
- },
- },
  }
 
  for _, tt := range []struct {
@@ -142,12 +135,6 @@ func TestCreateOrUpdateClusterServicePrincipalRBAC(t *testing.T) {
  controller := gomock.NewController(t)
  defer controller.Finish()
 
- // TODO: can remove after the feature flag is removed
- env := mock_env.NewMockInterface(controller)
- env.EXPECT().DeploymentMode().AnyTimes().Return(deployment.Production)
-
- m.env = env
-
  raClient := mock_authz.NewMockRoleAssignmentsClient(controller)
  deployments := mock_features.NewMockDeploymentsClient(controller)
 
diff --git a/pkg/cluster/deploystorage_resources.go b/pkg/cluster/deploystorage_resources.go
index 3066e0552..d8a60d492 100644
--- a/pkg/cluster/deploystorage_resources.go
+++ b/pkg/cluster/deploystorage_resources.go
@@ -15,7 +15,6 @@ import (
  "github.com/Azure/ARO-RP/pkg/api"
  "github.com/Azure/ARO-RP/pkg/util/arm"
  "github.com/Azure/ARO-RP/pkg/util/azureclient"
- "github.com/Azure/ARO-RP/pkg/util/deployment"
  "github.com/Azure/ARO-RP/pkg/util/feature"
  "github.com/Azure/ARO-RP/pkg/util/rbac"
 )
@@ -83,65 +82,49 @@ func (m *manager) denyAssignment() *arm.Resource {
 }
 
 func (m *manager) clusterServicePrincipalRBAC() []*arm.Resource {
- if m.env.DeploymentMode() != deployment.Production ||
- feature.IsRegisteredForFeature(m.subscriptionDoc.Subscription.Properties, "Microsoft.RedHatOpenShift/RedHatEngineering") {
- // new behaviour is behind a feature flag for now in PROD
- m.log.Print("using custom role definition")
-
- return []*arm.Resource{
- rbac.CustomRoleDefinition("Azure Red Hat OpenShift Cluster",
- []mgmtauthorization.Permission{
- {
- Actions: &[]string{
- //based on openshift/cluster-api-provider-azure /pkg/cloud/azure/services/disks
- "Microsoft.Compute/disks/*",
-
- //based on openshift/cluster-api-provider-azure /pkg/cloud/azure/services/internalloadbalancers
- //based on openshift/cluster-api-provider-azure /pkg/cloud/azure/services/publicloadbalancers
- "Microsoft.Network/loadBalancers/*",
-
- //based on openshift/cluster-api-provider-azure /pkg/cloud/azure/services/networkinterfaces
- "Microsoft.Network/networkInterfaces/*",
-
- //based on openshift/cluster-api-provider-azure /pkg/cloud/azure/services/publicips
- "Microsoft.Network/publicIPAddresses/*",
-
- //based on openshift/cluster-api-provider-azure /pkg/cloud/azure/services/securitygroups
- "Microsoft.Network/networkSecurityGroups/*",
-
- //based on openshift/cluster-api-provider-azure /pkg/cloud/azure/services/virtualmachines
- "Microsoft.Compute/virtualMachines/*",
-
- //based on openshift/cluster-insgress-operator /pkg/dns/azure/client
- "Microsoft.Network/privateDnsZones/A/*",
-
- //based on openshift/cluster-image-registry-operator /pkg/storage/azure
- "Microsoft.Storage/storageAccounts/*",
- },
- NotActions: &[]string{
- "Microsoft.Compute/virtualMachines/powerOff/action",
- "Microsoft.Compute/virtualMachines/deallocate/action",
- "Microsoft.Compute/virtualMachines/generalize/action",
- "Microsoft.Compute/virtualMachines/capture/action",
- "Microsoft.Compute/virtualMachines/performMaintenance/action",
- "Microsoft.Network/networkSecurityGroups/delete",
- },
- },
- }),
- rbac.ResourceGroupCustomRoleAssignment(
- rbac.CustomRoleDefinitionName("Azure Red Hat OpenShift Cluster"),
- "'"+m.doc.OpenShiftCluster.Properties.ServicePrincipalProfile.SPObjectID+"'"),
- }
- }
-
- //prod flow
- m.log.Print("using Contributor role definition")
  return []*arm.Resource{
- rbac.ResourceGroupRoleAssignmentWithName(
- rbac.RoleContributor,
- "'"+m.doc.OpenShiftCluster.Properties.ServicePrincipalProfile.SPObjectID+"'",
- "guid(resourceGroup().id, 'SP / Contributor')",
- ),
+ rbac.CustomRoleDefinition("Azure Red Hat OpenShift Cluster",
+ []mgmtauthorization.Permission{
+ {
+ Actions: &[]string{
+ //based on openshift/cluster-api-provider-azure /pkg/cloud/azure/services/disks
+ "Microsoft.Compute/disks/*",
+
+ //based on openshift/cluster-api-provider-azure /pkg/cloud/azure/services/internalloadbalancers
+ //based on openshift/cluster-api-provider-azure /pkg/cloud/azure/services/publicloadbalancers
+ "Microsoft.Network/loadBalancers/*",
+
+ //based on openshift/cluster-api-provider-azure /pkg/cloud/azure/services/networkinterfaces
+ "Microsoft.Network/networkInterfaces/*",
+
+ //based on openshift/cluster-api-provider-azure /pkg/cloud/azure/services/publicips
+ "Microsoft.Network/publicIPAddresses/*",
+
+ //based on openshift/cluster-api-provider-azure /pkg/cloud/azure/services/securitygroups
+ "Microsoft.Network/networkSecurityGroups/*",
+
+ //based on openshift/cluster-api-provider-azure /pkg/cloud/azure/services/virtualmachines
+ "Microsoft.Compute/virtualMachines/*",
+
+ //based on openshift/cluster-insgress-operator /pkg/dns/azure/client
+ "Microsoft.Network/privateDnsZones/A/*",
+
+ //based on openshift/cluster-image-registry-operator /pkg/storage/azure
+ "Microsoft.Storage/storageAccounts/*",
+ },
+ NotActions: &[]string{
+ "Microsoft.Compute/virtualMachines/powerOff/action",
+ "Microsoft.Compute/virtualMachines/deallocate/action",
+ "Microsoft.Compute/virtualMachines/generalize/action",
+ "Microsoft.Compute/virtualMachines/capture/action",
+ "Microsoft.Compute/virtualMachines/performMaintenance/action",
+ "Microsoft.Network/networkSecurityGroups/delete",
+ },
+ },
+ }),
+ rbac.ResourceGroupCustomRoleAssignment(
+ rbac.CustomRoleDefinitionName("Azure Red Hat OpenShift Cluster"),
+ "'"+m.doc.OpenShiftCluster.Properties.ServicePrincipalProfile.SPObjectID+"'"),
  }
 }
 
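Review bot: Dropping the `rbac.ResourceGroupRoleAssignmentWithName(rbac.RoleContributor, …, "guid(resourceGroup().id, 'SP / Contributor')")` resource from the template does not revoke that assignment on clusters already created through the removed prod flow — if the template is applied in incremental mode (the deployment mode is not visible here), the existing Contributor assignment stays in the resource group alongside the new custom role, so the least-privilege gain only reaches new clusters until a migration or admin-update step deletes the stale assignment. Unless that cleanup exists elsewhere, a comment on `clusterServicePrincipalRBAC` such as `// Existing clusters may still carry the legacy 'SP / Contributor' assignment; it is removed by <cleanup step>.` would document the gap for whoever audits the role assignments. The removal of both `m.log.Print` lines also leaves no trace in the logs of which role definition a deployment used; if that was relied on for troubleshooting, a single log line before the `return` would restore it. Finally, the comment on the privateDnsZones line carries a typo into the new code: `//based on openshift/cluster-ingress-operator /pkg/dns/azure/client`.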