diff --git a/hack/ensure-azcli.sh b/hack/ensure-azcli.sh
index 288656e153cb..465d04cb1b04 100755
--- a/hack/ensure-azcli.sh
+++ b/hack/ensure-azcli.sh
@@ -25,5 +25,9 @@ if [[ -z "$(command -v az)" ]]; then
   AZ_REPO=$(lsb_release -cs)
   echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ ${AZ_REPO} main" | tee /etc/apt/sources.list.d/azure-cli.list
   apt-get update && apt-get install -y azure-cli
-  az login --service-principal -u "${AZURE_CLIENT_ID}" -p "${AZURE_CLIENT_SECRET}" --tenant "${AZURE_TENANT_ID}" > /dev/null
+  if [[ -n "${AZURE_WORKLOAD_ID:-}" ]]; then
+    az login --service-principal -u "${AZURE_WORKLOAD_ID}" -t "${AZURE_TENANT_ID}" --federated-token "$(cat /var/run/secrets/azure-token/serviceaccount/token)" > /dev/null
+  else
+    az login --service-principal -u "${AZURE_CLIENT_ID}" -p "${AZURE_CLIENT_SECRET}" --tenant "${AZURE_TENANT_ID}" > /dev/null
+  fi
 fi