diff --git a/.github/workflows/aro-hcp-cd.yml b/.github/workflows/aro-hcp-cd.yml
index 4f0e2b69b..5f156537d 100644
--- a/.github/workflows/aro-hcp-cd.yml
+++ b/.github/workflows/aro-hcp-cd.yml
@@ -45,9 +45,18 @@
 name: 'Ensure PR is submitted from Azure/ARO-HCP'
 if: github.event_name != 'workflow_dispatch'
 runs-on: ubuntu-latest
+ permissions:
+ id-token: 'write'
+ contents: 'read'
 steps:
+ - name: 'Az CLI login - will fail if PR is submitted from a fork of the repo'
+ uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 - name: Fail if PR submitted from fork
- if: ${{ github.event.pull_request.head.repo.full_name != 'Azure/ARO-HCP' }}
+ if: failure()
 run: core.setFailed('Expected source repository to be Azure/ARO-HCP, not ${{ github.event.pull_request.head.repo.full_name }}, re-create PR as a branch of Azure/ARO-HCP')
 deploy_global_rg:
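Review bot: The `if: failure()` on the 'Fail if PR submitted from fork' step makes the fork gate depend on `azure/login` failing, so the PR's origin is inferred from the secrets and OIDC token being unavailable rather than checked directly. That inference holds for `pull_request` runs from forks, but the workflow's `on:` triggers are outside this hunk; under `pull_request_target` a fork PR would receive the secrets and `id-token: write`, the login would succeed, and the gate would pass. Any unrelated login failure (an expired federated credential, an Azure outage) is also reported as a fork PR, and the gating job now holds an Azure session it does not otherwise need. Consider keeping an explicit check as well, e.g. `if: ${{ failure() || (startsWith(github.event_name, 'pull_request') && github.event.pull_request.head.repo.full_name != 'Azure/ARO-HCP') }}`. Separately, as far as the hunk shows, `core.setFailed(...)` sits under `run:` and is therefore handed to the shell rather than run as JavaScript, so the intended message is probably never emitted; `echo "::error::..."` followed by `exit 1` would do that.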