diff --git a/api/types/constants.go b/api/types/constants.go
index ddf07591d23ac..4f17367bce6d1 100644
--- a/api/types/constants.go
+++ b/api/types/constants.go
@@ -592,23 +592,23 @@ const (
 // SubscriptionIDLabel is used to identify virtual machines by Azure
 // subscription ID found via automatic discovery, to avoid re-running
 // installation commands on the node.
- SubscriptionIDLabel = TeleportNamespace + "/subscription-id"
+ SubscriptionIDLabel = TeleportInternalLabelPrefix + "subscription-id"
 // VMIDLabel is used to identify virtual machines by ID found
 // via automatic discovery, to avoid re-running installation commands
 // on the node.
- VMIDLabel = TeleportNamespace + "/vm-id"
+ VMIDLabel = TeleportInternalLabelPrefix + "vm-id"
 // ProjectIDLabel is used to identify virtual machines by GCP project
 // id found via automatic discovery, to avoid re-running
 // installation commands on the node.
- ProjectIDLabel = TeleportNamespace + "/project-id"
+ ProjectIDLabel = TeleportInternalLabelPrefix + "project-id"
 // ZoneLabek is used to identify virtual machines by GCP zone
 // found via automatic discovery, to avoid re-running installation
 // commands on the node.
- ZoneLabel = TeleportNamespace + "/zone"
+ ZoneLabel = TeleportInternalLabelPrefix + "zone"
 // NameLabel is used to identify virtual machines by GCP VM name
 // found via automatic discovery, to avoid re-running installation
 // commands on the node.
- NameLabel = TeleportNamespace + "/name"
+ NameLabel = TeleportInternalLabelPrefix + "name"
 // CloudLabel is used to identify the cloud where the resource was discovered.
 CloudLabel = TeleportNamespace + "/cloud"
diff --git a/lib/srv/discovery/discovery_test.go b/lib/srv/discovery/discovery_test.go
index c45c32973e51f..980696fe502ac 100644
--- a/lib/srv/discovery/discovery_test.go
+++ b/lib/srv/discovery/discovery_test.go
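Review bot: In the api/types/constants.go hunk, SubscriptionIDLabel, VMIDLabel, ProjectIDLabel, ZoneLabel and NameLabel change their key strings with no visible handling for nodes that already carry the old `TeleportNamespace + "/…"` keys. The comments say these labels exist to avoid re-running installation commands, so a lookup by the new key alone would presumably miss nodes enrolled before the upgrade and run the installer on them again; if that is not handled outside this diff, the matching code should accept both keys during a transition, and the discovery tests should keep one case with the legacy keys. The context comment `// ZoneLabek is used to identify …` should read `// ZoneLabel is used to identify …`. The const block starts and ends outside the hunk.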
@@ -1657,8 +1657,8 @@ func TestAzureVMDiscovery(t *testing.T) {
 Metadata: types.Metadata{
 Name: "name",
 Labels: map[string]string{
- types.SubscriptionIDLabel: "testsub",
- types.VMIDLabel: "test-vmid",
+ "teleport.internal/subscription-id": "testsub",
+ "teleport.internal/vm-id": "test-vmid",
 },
 Namespace: defaults.Namespace,
 },
@@ -1689,8 +1689,8 @@ func TestAzureVMDiscovery(t *testing.T) {
 Metadata: types.Metadata{
 Name: "name",
 Labels: map[string]string{
- types.SubscriptionIDLabel: "testsub",
- types.VMIDLabel: "alternate-vmid",
+ "teleport.internal/subscription-id": "testsub",
+ "teleport.internal/vm-id": "alternate-vmid",
 },
 Namespace: defaults.Namespace,
 },
@@ -1878,9 +1878,9 @@ func TestGCPVMDiscovery(t *testing.T) {
 Metadata: types.Metadata{
 Name: "name",
 Labels: map[string]string{
- types.ProjectIDLabel: "myproject",
- types.ZoneLabel: "myzone",
- types.NameLabel: "myinstance",
+ "teleport.internal/project-id": "myproject",
+ "teleport.internal/zone": "myzone",
+ "teleport.internal/name": "myinstance",
 },
 Namespace: defaults.Namespace,
 },
@@ -1905,9 +1905,9 @@ func TestGCPVMDiscovery(t *testing.T) {
 Metadata: types.Metadata{
 Name: "name",
 Labels: map[string]string{
- types.ProjectIDLabel: "myproject",
- types.ZoneLabel: "myzone",
- types.NameLabel: "myotherinstance",
+ "teleport.internal/project-id": "myproject",
+ "teleport.internal/zone": "myzone",
+ "teleport.internal/name": "myotherinstance",
 },
 Namespace: defaults.Namespace,
 },
diff --git a/lib/srv/server/azure_installer.go b/lib/srv/server/azure_installer.go
index 798df4e0f8ec5..a8495524caa34 100644
--- a/lib/srv/server/azure_installer.go
+++ b/lib/srv/server/azure_installer.go
@@ -18,6 +18,7 @@ package server
 import (
 "context"
+ "crypto/rand"
 "fmt"
 "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v3"
@@ -72,5 +73,14 @@ func (ai *AzureInstaller) Run(ctx context.Context, req AzureRunRequest) error {
 }
 func getInstallerScript(installerName, publicProxyAddr string) string {
- return fmt.Sprintf("curl -s -L https://%s/v1/webapi/scripts/installer/%v | bash -s $@", publicProxyAddr, installerName)
+ // Azure treats scripts with the same content as the same invocation and
+ // won't run them more than once. This is fine when the installer script
+ // succeeds, but it makes troubleshooting much harder when it fails. To
+ // work around this, we generate a random string and append it as a comment
+ // to the script, forcing Azure to see each invocation as unique.
+ nonce := make([]byte, 8)
+ // No big deal if rand.Read fails, the script is still valid.
+ _, _ = rand.Read(nonce)
+ return fmt.Sprintf("curl -s -L https://%s/v1/webapi/scripts/installer/%v | bash -s $@ #%x",
+ publicProxyAddr, installerName, nonce)
 }
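Review bot: getInstallerScript still splices `publicProxyAddr` and `installerName` unquoted into the shell pipeline in the rewritten `fmt.Sprintf`, so a value with whitespace or shell metacharacters would alter the command run on the VM; whether callers validate them is not visible in this hunk. I would reject anything outside a conservative character set before formatting and single-quote the URL, and add `-f` so an HTTP error page is not piped into bash: `"curl -sfL 'https://%s/v1/webapi/scripts/installer/%v' | bash -s $@ #%x"`. The `rand.Read` comment could also state the consequence of a failure, e.g. `// If rand.Read fails the nonce stays all zeros, so Azure may deduplicate the run again; the script itself is still valid.`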