diff --git a/cmd/aro/dbtoken.go b/cmd/aro/dbtoken.go
index 5e30ad108..67129eacd 100644
--- a/cmd/aro/dbtoken.go
+++ b/cmd/aro/dbtoken.go
@@ -37,6 +37,11 @@ func dbtoken(ctx context.Context, log *logrus.Entry) error {
 }
 }
+ msiAuthorizer, err := _env.NewMSIAuthorizer(env.MSIContextRP, _env.Environment().ResourceManagerEndpoint)
+ if err != nil {
+ return err
+ }
+
 msiKVAuthorizer, err := _env.NewMSIAuthorizer(env.MSIContextRP, _env.Environment().ResourceIdentifiers.KeyVault)
 if err != nil {
 return err
@@ -44,7 +49,7 @@ func dbtoken(ctx context.Context, log *logrus.Entry) error {
 m := statsd.New(ctx, log.WithField("component", "dbtoken"), _env, os.Getenv("MDM_ACCOUNT"), os.Getenv("MDM_NAMESPACE"))
- dbAuthorizer, err := database.NewMasterKeyAuthorizer(ctx, _env)
+ dbAuthorizer, err := database.NewMasterKeyAuthorizer(ctx, _env, msiAuthorizer)
 if err != nil {
 return err
 }
diff --git a/cmd/aro/monitor.go b/cmd/aro/monitor.go
index 3a58e805a..922a4cd05 100644
--- a/cmd/aro/monitor.go
+++ b/cmd/aro/monitor.go
@@ -53,6 +53,11 @@ func monitor(ctx context.Context, log *logrus.Entry) error {
 clusterm := statsd.New(ctx, log.WithField("component", "metrics"), _env, os.Getenv("CLUSTER_MDM_ACCOUNT"), os.Getenv("CLUSTER_MDM_NAMESPACE"))
+ msiAuthorizer, err := _env.NewMSIAuthorizer(env.MSIContextRP, _env.Environment().ResourceManagerEndpoint)
+ if err != nil {
+ return err
+ }
+
 msiKVAuthorizer, err := _env.NewMSIAuthorizer(env.MSIContextRP, _env.Environment().ResourceIdentifiers.KeyVault)
 if err != nil {
 return err
@@ -76,7 +81,7 @@ func monitor(ctx context.Context, log *logrus.Entry) error {
 return err
 }
- dbAuthorizer, err := database.NewMasterKeyAuthorizer(ctx, _env)
+ dbAuthorizer, err := database.NewMasterKeyAuthorizer(ctx, _env, msiAuthorizer)
 if err != nil {
 return err
 }
diff --git a/cmd/aro/portal.go b/cmd/aro/portal.go
index a9ad56acc..28187c12a 100644
--- a/cmd/aro/portal.go
+++ b/cmd/aro/portal.go
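Review bot: `msiAuthorizer` in the added lines of the first dbtoken hunk names the mechanism but not the token audience, while `msiKVAuthorizer` a few lines below does; both are in scope at the NewMasterKeyAuthorizer call in the second hunk, and passing the Key Vault one by mistake compiles and would only fail once the ListKeys request is made. A name such as `msiARMAuthorizer`, or a comment above the call, `// Resource Manager audience: NewMasterKeyAuthorizer uses it to call ListKeys on the Cosmos DB account.`, makes the pairing visible where it matters. The same applies to the matching hunks in monitor.go and portal.go, and to the plain `authorizer` sitting next to `kvAuthorizer` in hack/db/db.go. dbtoken's body starts before and continues after these hunks.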
@@ -62,6 +62,11 @@ func portal(ctx context.Context, log *logrus.Entry, audit *logrus.Entry) error {
 return err
 }
+ msiAuthorizer, err := _env.NewMSIAuthorizer(env.MSIContextRP, _env.Environment().ResourceManagerEndpoint)
+ if err != nil {
+ return err
+ }
+
 msiKVAuthorizer, err := _env.NewMSIAuthorizer(env.MSIContextRP, _env.Environment().ResourceIdentifiers.KeyVault)
 if err != nil {
 return err
@@ -87,7 +92,7 @@ func portal(ctx context.Context, log *logrus.Entry, audit *logrus.Entry) error {
 return err
 }
- dbAuthorizer, err := database.NewMasterKeyAuthorizer(ctx, _env)
+ dbAuthorizer, err := database.NewMasterKeyAuthorizer(ctx, _env, msiAuthorizer)
 if err != nil {
 return err
 }
diff --git a/cmd/aro/rp.go b/cmd/aro/rp.go
index 7673325ca..dccd997cc 100644
--- a/cmd/aro/rp.go
+++ b/cmd/aro/rp.go
@@ -73,6 +73,11 @@ func rp(ctx context.Context, log, audit *logrus.Entry) error {
 RequestLatency: k8s.NewLatency(m),
 })
+ msiAuthorizer, err := _env.NewMSIAuthorizer(env.MSIContextRP, _env.Environment().ResourceManagerEndpoint)
+ if err != nil {
+ return err
+ }
+
 dbKey, err := _env.ServiceKeyvault().GetBase64Secret(ctx, env.EncryptionSecretName)
 if err != nil {
 return err
@@ -83,7 +88,7 @@ func rp(ctx context.Context, log, audit *logrus.Entry) error {
 return err
 }
- dbAuthorizer, err := database.NewMasterKeyAuthorizer(ctx, _env)
+ dbAuthorizer, err := database.NewMasterKeyAuthorizer(ctx, _env, msiAuthorizer)
 if err != nil {
 return err
 }
diff --git a/hack/db/db.go b/hack/db/db.go
index d72e59371..ffb6d7d72 100644
--- a/hack/db/db.go
+++ b/hack/db/db.go
@@ -31,6 +31,11 @@ func run(ctx context.Context, log *logrus.Entry) error {
 return err
 }
+ authorizer, err := auth.NewAuthorizerFromCLIWithResource(_env.Environment().ResourceManagerEndpoint)
+ if err != nil {
+ return err
+ }
+
 kvAuthorizer, err := auth.NewAuthorizerFromCLIWithResource(_env.Environment().ResourceIdentifiers.KeyVault)
 if err != nil {
 return err
@@ -53,7 +58,7 @@ func run(ctx context.Context, log *logrus.Entry) error {
 return err
 }
- dbAuthorizer, err := database.NewMasterKeyAuthorizer(ctx, _env)
+ dbAuthorizer, err := database.NewMasterKeyAuthorizer(ctx, _env, authorizer)
 if err != nil {
 return err
 }
diff --git a/pkg/database/database.go b/pkg/database/database.go
index fa87e2835..bd7597b46 100644
--- a/pkg/database/database.go
+++ b/pkg/database/database.go
@@ -12,6 +12,7 @@ import (
 "reflect"
 "time"
+ "github.com/Azure/go-autorest/autorest"
 "github.com/sirupsen/logrus"
 "github.com/ugorji/go/codec"
@@ -59,7 +60,7 @@ func NewDatabaseClient(log *logrus.Entry, env env.Core, authorizer cosmosdb.Auth
 return cosmosdb.NewDatabaseClient(log, c, h, os.Getenv("DATABASE_ACCOUNT_NAME")+"."+env.Environment().CosmosDBDNSSuffix, authorizer), nil
 }
-func NewMasterKeyAuthorizer(ctx context.Context, _env env.Core) (cosmosdb.Authorizer, error) {
+func NewMasterKeyAuthorizer(ctx context.Context, _env env.Core, msiAuthorizer autorest.Authorizer) (cosmosdb.Authorizer, error) {
 for _, key := range []string{
 "DATABASE_ACCOUNT_NAME",
 } {
@@ -68,11 +69,6 @@ func NewMasterKeyAuthorizer(ctx context.Context, _env env.Core) (cosmosdb.Author
 }
 }
- msiAuthorizer, err := _env.NewMSIAuthorizer(env.MSIContextRP, _env.Environment().ResourceManagerEndpoint)
- if err != nil {
- return nil, err
- }
-
 databaseaccounts := documentdb.NewDatabaseAccountsClient(_env.Environment(), _env.SubscriptionID(), msiAuthorizer)
 keys, err := databaseaccounts.ListKeys(ctx, _env.ResourceGroup(), os.Getenv("DATABASE_ACCOUNT_NAME"))
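Review bot: The new `msiAuthorizer autorest.Authorizer` parameter on NewMasterKeyAuthorizer in the database.go signature hunk is neither documented nor checked for nil; a nil interface is handed straight to documentdb.NewDatabaseAccountsClient in the following hunk and, I would expect, only surfaces once ListKeys issues its request, with an error that does not name the cause. As the function is exported, add a doc comment such as `// NewMasterKeyAuthorizer builds a cosmosdb.Authorizer from the account's master key, which it reads through ListKeys on the Resource Manager API, so msiAuthorizer must hold a token for the Resource Manager endpoint rather than for Key Vault.` and guard the parameter before the environment checks, `if msiAuthorizer == nil { return nil, errors.New("msiAuthorizer is nil") }` (adding an errors import if the file does not already have one). The value ListKeys returns is the account's master credential, which is a further reason to fail early and explicitly rather than deep in the request path. The function's body continues in the next hunk and past the end of this page.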