diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml
index eb7c2cd..9508c10 100644
--- a/.github/workflows/deploy-dev.yml
+++ b/.github/workflows/deploy-dev.yml
@@ -25,3 +25,4 @@ jobs:
 postgres_client_host: ${{ secrets.POSTGRES_CLIENT_HOST }}
 postgres_url: ${{ secrets.POSTGRES_URL }}
 opensearch_proxy_host: ${{ secrets.OPENSEARCH_PROXY_HOST }}
+ azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }}
diff --git a/.github/workflows/deploy-staged.yml b/.github/workflows/deploy-staged.yml
index ba8cfe0..a258b7e 100644
--- a/.github/workflows/deploy-staged.yml
+++ b/.github/workflows/deploy-staged.yml
@@ -26,6 +26,7 @@ jobs:
 postgres_client_host: ${{ secrets.POSTGRES_CLIENT_HOST }}
 postgres_url: ${{ secrets.POSTGRES_URL }}
 opensearch_proxy_host: ${{ secrets.OPENSEARCH_PROXY_HOST }}
+ azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }}

 deploy-preprod:
 uses: ./.github/workflows/deploy-workflow.yml
@@ -43,3 +44,22 @@ jobs:
 postgres_client_host: ${{ secrets.POSTGRES_CLIENT_HOST }}
 postgres_url: ${{ secrets.POSTGRES_URL }}
 opensearch_proxy_host: ${{ secrets.OPENSEARCH_PROXY_HOST }}
+ azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }}
+
+ deploy-prod:
+ uses: ./.github/workflows/deploy-workflow.yml
+ needs: [deploy-preprod]
+ with:
+ env: prod
+ datahub_helm_version: "0.4.9"
+ datahub_prereqs_helm_version: "0.1.10"
+ secrets:
+ kube_namespace: "${{ secrets.KUBE_NAMESPACE }}"
+ kube_cert: "${{ secrets.KUBE_CERT }}"
+ kube_cluster: "${{ secrets.KUBE_CLUSTER }}"
+ kube_token: "${{ secrets.KUBE_TOKEN }}"
+ postgres_host: ${{ secrets.POSTGRES_HOST}}
+ postgres_client_host: ${{ secrets.POSTGRES_CLIENT_HOST }}
+ postgres_url: ${{ secrets.POSTGRES_URL }}
+ opensearch_proxy_host: ${{ secrets.OPENSEARCH_PROXY_HOST }}
+ azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }}
diff --git a/.github/workflows/deploy-workflow.yml b/.github/workflows/deploy-workflow.yml
index bdb23dc..e79456e 100644
--- a/.github/workflows/deploy-workflow.yml
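Review bot: In deploy-staged.yml the new `deploy-prod` job starts as soon as `deploy-preprod` succeeds (`needs: [deploy-preprod]`), and nothing in this hunk puts an approval between pre-production and production. If deploy-workflow.yml binds its job to `environment: ${{ inputs.env }}` (not visible here; only the concurrency group is shown using `inputs.env`), the `prod` environment should carry required reviewers, and that dependency is worth recording above the job, e.g. `# prod rollout relies on the required-reviewers rule of the "prod" environment`. The job forwards the same secret names as dev and preprod, so production presumably depends on environment-scoped values taking effect inside the called workflow; confirm it cannot fall back to shared repository-level credentials. As a style point, `${{ secrets.POSTGRES_HOST}}` is missing the space before `}}`, and the `secrets:` entries mix quoted and unquoted expressions.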
+++ b/.github/workflows/deploy-workflow.yml
@@ -40,6 +40,9 @@ on:
 opensearch_proxy_host:
 description: "domain address to reach opensearch"
 required: true
+ azure_client_secret:
+ description: "client secret for azure authentication"
+ required: true

 concurrency:
 group: ${{ inputs.env }}
@@ -183,6 +186,17 @@ jobs:
 envsubst < helm_deploy/monitoring/datahub-networkpolicy.yaml |
 kubectl apply -f - --namespace=${KUBE_NAMESPACE}

+ - name: create azure k8s secrets
+ shell: bash
+ env:
+ KUBE_NAMESPACE: ${{ secrets.kube_namespace }}
+ AZURE_CLIENT_ID: ${{ vars.CLIENT_ID }}
+ AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
+ TENANT_ID: ${{ vars.TENANT_ID }}
+ run: |
+ envsubst < helm_deploy/secrets.yaml |
+ kubectl -n ${KUBE_NAMESPACE} apply -f -
+
 - name: update grafana status dashboard configmap
 if: ${{ inputs.env == 'dev' }}
 shell: bash
diff --git a/helm_deploy/secrets.yaml b/helm_deploy/secrets.yaml
new file mode 100644
index 0000000..a4806fd
--- /dev/null
+++ b/helm_deploy/secrets.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "azure-secrets"
+type: Opaque
+stringData:
+ client_id: "${AZURE_CLIENT_ID}"
+ client_secret: "${AZURE_CLIENT_SECRET}"
+ tenant_id: "${TENANT_ID}"
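Review bot: The new `create azure k8s secrets` step in deploy-workflow.yml applies the Secret even when a value is missing, because `envsubst` replaces an unset or empty variable with an empty string and `kubectl apply` then succeeds with blank credentials. Fail early by adding `: "${AZURE_CLIENT_ID:?}" "${AZURE_CLIENT_SECRET:?}" "${TENANT_ID:?}"` as the first line of `run`. The step reads `secrets.AZURE_CLIENT_SECRET` while the first hunk declares the secret as `azure_client_secret` and the line above it uses `secrets.kube_namespace`; the lookup is, as far as I know, case-insensitive, but `${{ secrets.azure_client_secret }}` would match the declaration. `${KUBE_NAMESPACE}` should also be quoted in the `kubectl` call; the step list continues outside the hunk.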
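Review bot: helm_deploy/secrets.yaml places `${AZURE_CLIENT_SECRET}` inside a double-quoted YAML scalar, so after `envsubst` a value containing `"` or `\` produces a manifest that fails to parse or stores a different string from the one configured. Building the object with `kubectl create secret generic azure-secrets --from-literal=client_secret="$AZURE_CLIENT_SECRET" --dry-run=client -o yaml | kubectl apply -f -` (with the other two keys added the same way) avoids text templating of secret material. If the template stays, give it a header comment such as `# Template only: rendered by envsubst in deploy-workflow.yml; never commit real values here`, since the file name alone suggests it holds secrets.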