diff --git a/manifests/platform/argocd/operator/components/argocd.yaml b/manifests/platform/argocd/operator/components/argocd.yaml
index 34c476d..e7a0a87 100644
--- a/manifests/platform/argocd/operator/components/argocd.yaml
+++ b/manifests/platform/argocd/operator/components/argocd.yaml
@@ -103,10 +103,10 @@ spec:
 # https://argocd-operator.readthedocs.io/en/latest/reference/argocd/#oidc-config
 oidcConfig: |
 name: azure
- issuer: https://login.microsoftonline.com//v2.0
+ issuer:
 clientID:
- clientSecret:
+ clientSecret: $oidc-azure.azure_client_secret
 # Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"]
- requestedScopes: ["openid", "profile", "email", "groups"]
+ requestedScopes: ["openid", "profile", "email"]
 # Optional set of OIDC claims to request on the ID token.
 requestedIDTokenClaims: {"groups": {"essential": true}}
diff --git a/manifests/platform/argocd/overlays/okd/kustomization.yaml b/manifests/platform/argocd/overlays/okd/kustomization.yaml
index 755406b..0bb6504 100644
--- a/manifests/platform/argocd/overlays/okd/kustomization.yaml
+++ b/manifests/platform/argocd/overlays/okd/kustomization.yaml
@@ -3,5 +3,6 @@ kind: Kustomization
 resources:
 - ../../operator/base
 - ../../operator/components
- - external-secret.yaml
+ - oidc-external-secret.yaml
+ - quay-external-secret.yaml
 - secretstore.yaml
diff --git a/manifests/platform/argocd/overlays/okd/oidc-external-secret.yaml b/manifests/platform/argocd/overlays/okd/oidc-external-secret.yaml
new file mode 100644
index 0000000..da1a351
--- /dev/null
+++ b/manifests/platform/argocd/overlays/okd/oidc-external-secret.yaml
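Review bot: The new `clientSecret: $oidc-azure.azure_client_secret` line puts a dot between the Secret name and the key, but Argo CD's reference syntax for a key in a Secret other than `argocd-secret` is `$<secret-name>:<key>`; as written, Argo CD looks for a key literally named `oidc-azure.azure_client_secret` inside `argocd-secret`, finds nothing, and the Azure login fails with an unresolved client secret. If the intent is the `oidc-azure` Secret that the new ExternalSecret produces, the line should read `clientSecret: $oidc-azure:azure_client_secret`, and that Secret also has to carry the `app.kubernetes.io/part-of: argocd` label, since Argo CD only resolves references into labeled Secrets. The `issuer:` and `clientID:` values show up empty in this view, which looks like stripped placeholders rather than an intended change, so the rendered `argocd-cm` is worth checking after sync. Dropping `groups` from `requestedScopes` while keeping the `groups` claim in `requestedIDTokenClaims` is consistent with how Azure AD exposes group membership and looks fine.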
@@ -0,0 +1,19 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: oidc-azure
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "3"
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ name: gsm-secret-store
+ kind: SecretStore
+ target:
+ name: oidc-azure
+ creationPolicy: Owner
+ data:
+ - secretKey: azure_client_secret
+ remoteRef:
+ key: azure_client_secret
diff --git a/manifests/platform/argocd/overlays/okd/external-secret.yaml b/manifests/platform/argocd/overlays/okd/quay-external-secret.yaml
similarity index 100%
rename from manifests/platform/argocd/overlays/okd/external-secret.yaml
rename to manifests/platform/argocd/overlays/okd/quay-external-secret.yaml
diff --git a/terraform/okd/main.tf b/terraform/okd/main.tf
index f7f98d1..e4507f4 100644
--- a/terraform/okd/main.tf
+++ b/terraform/okd/main.tf
@@ -8,6 +8,12 @@ locals {
 "project_id",
 "grafana_admin_user",
 "grafana_admin_password",
+ "azure_client_id",
+ "azure_issuer_url"
+ ]
+ argocd_eso_secrets = [
+ "quay-jennweir-pull-secret",
+ "azure_client_secret"
 ]
 }
@@ -146,9 +152,11 @@ resource "google_secret_manager_secret_iam_member" "openshift_monitoring_secret_
 }
 # make k8s service account secretAccessor directly instead of via impersonation of google service account bc of eso limitations
-resource "google_secret_manager_secret_iam_member" "quay_pull_secret_accessor" {
+resource "google_secret_manager_secret_iam_member" "argocd_eso_secret_access" {
+ for_each = toset(local.argocd_eso_secrets)
+
 project = data.google_project.okd_homelab.project_id
- secret_id = "quay-jennweir-pull-secret"
+ secret_id = each.value
 role = "roles/secretmanager.secretAccessor"
 member = "principal://iam.googleapis.com/projects/${data.google_project.okd_homelab.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.okd_pool.workload_identity_pool_id}/subject/system:serviceaccount:argocd:external-secrets"
 }
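Review bot: The `target` block creates the `oidc-azure` Secret with no labels, so if Argo CD is meant to read `azure_client_secret` out of it through a `$oidc-azure:azure_client_secret` reference in `oidcConfig`, the Secret is ignored: Argo CD only resolves such references into Secrets labeled `app.kubernetes.io/part-of: argocd`. Adding a `template.metadata.labels` entry under `target` fixes that without changing `creationPolicy: Owner` or the `data` mapping. The `sync-wave: "3"` annotation and `refreshInterval: 1h` look reasonable, and `remoteRef.key: azure_client_secret` matches the id added to the Terraform `argocd_eso_secrets` list in this commit, so the IAM side lines up.
```yaml
  target:
    name: oidc-azure
    creationPolicy: Owner
    template:
      metadata:
        labels:
          app.kubernetes.io/part-of: argocd
  # … unchanged: data / remoteRef …
```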
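Review bot: The new `argocd_eso_secrets` local has no comment stating its contract, although each entry has to match both a Secret Manager secret id and the `remoteRef.key` of an ExternalSecret in the argocd namespace, and the IAM resource below iterates over it. A one-line comment above it, `# GSM secret ids the argocd external-secrets SA may read; each must match an ExternalSecret remoteRef.key`, would make that coupling visible to the next editor. The two entries added to the first list, `azure_client_id` and `azure_issuer_url`, use snake_case while `quay-jennweir-pull-secret` is kebab-case; if all of these are GSM secret ids, one convention would reduce lookup typos, though the first list's name and purpose are not visible here. The enclosing `locals` block starts before this hunk.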
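Review bot: Renaming the resource to `argocd_eso_secret_access` and adding `for_each` changes the Terraform address of the existing quay binding, so the next apply destroys `google_secret_manager_secret_iam_member.quay_pull_secret_accessor` and then creates `argocd_eso_secret_access["quay-jennweir-pull-secret"]`; between those two steps the `external-secrets` service account has no `secretAccessor` grant on the pull secret, and any ExternalSecret refresh in that window fails. A `moved` block (Terraform 1.1+) keeps the existing binding in state under its new address with no destroy/create cycle. The per-secret `roles/secretmanager.secretAccessor` grant to the workload-identity principal is otherwise as narrow as before, which is the right scope for this service account.
```hcl
moved {
  from = google_secret_manager_secret_iam_member.quay_pull_secret_accessor
  to   = google_secret_manager_secret_iam_member.argocd_eso_secret_access["quay-jennweir-pull-secret"]
}
# … unchanged: argocd_eso_secret_access resource …
```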