diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 6d00d8a..d6ca6fc 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -196,9 +196,21 @@ jobs:
 permissions: {} # no permissions required steps:
+ - name: Log in to Azure - CI subscription
+ uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+ with:
+ creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+
+ - name: Retrieve GitHub PAT secrets
+ id: retrieve-secret-pat
+ uses: bitwarden/gh-actions/get-keyvault-secrets@main
+ with:
+ keyvault: "bitwarden-ci"
+ secrets: "github-pat-bitwarden-devops-bot-repo-scope"
+
 - name: Dispatch deployment env:
- GITHUB_TOKEN: ${{ secrets.DEPLOYMENT_GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
 run: > gh workflow run deploy-passwordless-dotnet --repo bitwarden/passwordless-devops
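Review bot: The added `Retrieve GitHub PAT secrets` step uses `bitwarden/gh-actions/get-keyvault-secrets@main`, a mutable branch ref, while the `Azure/login` step directly above it is pinned to a full commit SHA. This action runs inside the authenticated Azure session and returns the bot PAT, so any later change to `main` in that repository executes here with access to both credentials. It should be pinned the same way, e.g. `uses: bitwarden/gh-actions/get-keyvault-secrets@<full-commit-sha> # main`, where the SHA is a placeholder for the reviewed commit. The hunk does not show whether the action masks the value it writes to `steps.retrieve-secret-pat.outputs`, so that is worth confirming. A short comment on the `env:` line noting that the token is the repo-scoped devops-bot PAT from the `bitwarden-ci` vault would also help the next reader; the job and its `run:` command continue outside the hunk.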