diff --git a/.github/workflows/platform.deployment.history.cleanup.yml b/.github/workflows/platform.deployment.history.cleanup.yml
index a18ccbd6f1..d098f1cae6 100644
--- a/.github/workflows/platform.deployment.history.cleanup.yml
+++ b/.github/workflows/platform.deployment.history.cleanup.yml
@@ -50,6 +50,9 @@ jobs:
 job_cleanup_subscription_deployments:
 runs-on: ubuntu-latest
 name: "Remove Subscription deployments"
+ environment: avm-validation
+ permissions:
+ id-token: write # For OIDC
 needs:
 - job_initialize_pipeline
 if: ${{ (fromJson(needs.job_initialize_pipeline.outputs.workflowInput)).handleSubscriptionScope == 'true' }}
@@ -62,10 +65,17 @@ jobs:
 - name: Set environment
 uses: ./.github/actions/templates/avm-setEnvironment
+ # [Azure login] task(s)
+ # ------------------------------
+ # Supports both OIDC and service principal with secret
+ # 'creds' will be ignored if 'client-id', 'subscription-id' or 'tenant-id' is set
 - name: Azure Login
 uses: azure/login@v2
 with:
 creds: ${{ secrets.AZURE_CREDENTIALS }}
+ client-id: ${{ secrets.VALIDATE_CLIENT_ID }}
+ tenant-id: ${{ secrets.VALIDATE_TENANT_ID }}
+ subscription-id: ${{ secrets.VALIDATE_SUBSCRIPTION_ID }}
 enable-AzPSSession: true
 - name: Remove deployments
@@ -89,6 +99,9 @@ jobs:
 job_cleanup_managementGroup_deployments:
 runs-on: ubuntu-latest
 name: "Remove Management Group deployments"
+ environment: avm-validation
+ permissions:
+ id-token: write # For OIDC
 needs:
 - job_initialize_pipeline
 if: ${{ (fromJson(needs.job_initialize_pipeline.outputs.workflowInput)).handleManagementGroupScope == 'true' }}
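Review bot: The job-level `permissions:` block added to `job_cleanup_subscription_deployments` lists only `id-token: write`, which sets every unlisted scope, including `contents`, to `none` for this job. The job uses the local action `./.github/actions/templates/avm-setEnvironment`, so it presumably checks the repository out in a step outside this hunk; that may still work on a public repository but would fail on a private one. I would state the read scope explicitly, `contents: read # For checkout`, next to `id-token: write # For OIDC`. The third hunk adds the same block to `job_cleanup_managementGroup_deployments` and needs the same line.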
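Review bot: The `Azure Login` step still passes `creds: ${{ secrets.AZURE_CREDENTIALS }}` alongside the new `client-id`, `tenant-id` and `subscription-id` inputs, so the long-lived service principal secret stays available to the job. Going by the added comment, it is what the login uses whenever the three `VALIDATE_*` secrets are empty. The workflow does not check which mode was used, so a run meant to use OIDC can fall back to the stored secret unnoticed. If the dual mode is only for the transition, I would add `# TODO: remove 'creds' once OIDC is confirmed for avm-validation` above the input and drop the `creds` line afterwards so the secret can be retired. The fourth hunk adds the identical block to the management-group job; the step list continues outside both hunks.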
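Review bot: Nothing in the workflow records what `environment: avm-validation` is expected to enforce for `job_cleanup_managementGroup_deployments`, which by its name removes deployments at management-group scope. With an environment on the job, the OIDC token's subject is bound to the environment rather than to the branch. The federated credential on the Azure side and the environment's deployment-branch and reviewer rules are therefore the controls on which runs can obtain that token. I would add a comment on the line, for example `# OIDC subject is bound to this environment; keep its branch policy restricted`. Whether the environment has such rules cannot be seen from this diff.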
@@ -101,10 +114,17 @@ jobs:
 - name: Set environment
 uses: ./.github/actions/templates/avm-setEnvironment
+ # [Azure login] task(s)
+ # ------------------------------
+ # Supports both OIDC and service principal with secret
+ # 'creds' will be ignored if 'client-id', 'subscription-id' or 'tenant-id' is set
 - name: Azure Login
 uses: azure/login@v2
 with:
 creds: ${{ secrets.AZURE_CREDENTIALS }}
+ client-id: ${{ secrets.VALIDATE_CLIENT_ID }}
+ tenant-id: ${{ secrets.VALIDATE_TENANT_ID }}
+ subscription-id: ${{ secrets.VALIDATE_SUBSCRIPTION_ID }}
 enable-AzPSSession: true
 - name: Remove deployments