diff --git a/pom.xml b/pom.xml
index 6672afb..06b012b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -36,7 +36,7 @@ com.uid2 uid2-attestation-api - 1.1.0 + 1.5.0-676519b018 com.google.code.gson
@@ -44,6 +44,31 @@ 2.10 compile + + com.google.guava + guava + 32.1.2-jre + + + com.azure + azure-security-keyvault-secrets + 4.7.0 + + + com.azure + azure-identity + 1.10.1 + + + ch.qos.logback + logback-core + 1.3.5 + + + ch.qos.logback + logback-classic + 1.3.5 + junit junit
diff --git a/src/main/java/com/uid2/attestation/azure/AzureVaultOperatorKeyRetriever.java b/src/main/java/com/uid2/attestation/azure/AzureVaultOperatorKeyRetriever.java
new file mode 100644
index 0000000..08225d5
--- /dev/null
+++ b/src/main/java/com/uid2/attestation/azure/AzureVaultOperatorKeyRetriever.java
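Review bot: The `logback-core` and `logback-classic` 1.3.5 entries in the second hunk carry no scope, so they resolve to compile scope and this library would force a logging backend onto every consumer; the new Java class only uses the `org.slf4j` API, so if these are only for local output they belong in `test` scope or in the consuming application's pom. The `guava` dependency appears to be added only for `Strings.isNullOrEmpty` in the new class, which a plain `vaultName == null || vaultName.isEmpty()` covers, so it can be dropped too. If logback is kept, prefer the latest 1.3.x patch release over 1.3.5 so the pinned version does not lag behind the line's fixes.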
@@ -0,0 +1,43 @@
+package com.uid2.attestation.azure;
+
+import com.azure.identity.ManagedIdentityCredentialBuilder;
+import com.azure.security.keyvault.secrets.SecretClientBuilder;
+import com.google.common.base.Strings;
+import com.uid2.enclave.IOperatorKeyRetriever;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class AzureVaultOperatorKeyRetriever implements IOperatorKeyRetriever {
+ private static final Logger LOGGER = LoggerFactory.getLogger(AzureVaultOperatorKeyRetriever.class);
+
+ private final String vaultName;
+ private final String secretName;
+
+ public AzureVaultOperatorKeyRetriever(String vaultName, String secretName) {
+ if (Strings.isNullOrEmpty(vaultName)) {
+ throw new IllegalArgumentException("vaultName is null or empty");
+ }
+ if (Strings.isNullOrEmpty(secretName)) {
+ throw new IllegalArgumentException("secretName is null or empty");
+ }
+ this.vaultName = vaultName;
+ this.secretName = secretName;
+ }
+
+ // ManagedIdentityCredential is used here.
+ @Override
+ public String retrieve() {
+ String vaultUrl = "https://" + this.vaultName + ".vault.azure.net";
+ LOGGER.info(String.format("Load OperatorKey secret (%s) from %s", this.secretName, vaultUrl));
+ // Use default ExponentialBackoff retry policy
+ var secretClient = new SecretClientBuilder()
+ .vaultUrl(vaultUrl)
+ .credential(new ManagedIdentityCredentialBuilder().build())
+ .buildClient();
+
+ var retrievedSecret = secretClient.getSecret(secretName);
+
+ LOGGER.info("OperatorKey secret is loaded.");
+ return retrievedSecret.getValue();
+ }
+}
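Review bot: `retrieve()` derives the vault host from `"https://" + this.vaultName + ".vault.azure.net"`, but the constructor only rejects a null or empty name, so a configured value containing `/`, `?` or `.` silently changes the host the client connects to and presents its managed-identity token to. Key Vault names are limited to letters, digits and hyphens, 3–24 characters, so the constructor can pin that alongside the existing checks: `private static final Pattern VAULT_NAME = Pattern.compile("[A-Za-z0-9-]{3,24}");` and `if (!VAULT_NAME.matcher(vaultName).matches()) { throw new IllegalArgumentException("vaultName is not a valid Key Vault name"); }` (with `java.util.regex.Pattern` imported). The two `LOGGER.info` calls should use SLF4J placeholders instead of `String.format`, e.g. `LOGGER.info("Load OperatorKey secret ({}) from {}", this.secretName, vaultUrl);`. The `// ManagedIdentityCredential is used here.` comment would be more useful as Javadoc on `retrieve()` stating that the operator key is read from the named vault with the system-assigned managed identity and that the secret value is returned without being logged.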