diff --git a/manifests/init.pp b/manifests/init.pp
index 1b4fe15f..915c2fdf 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -597,17 +597,17 @@
         default => 'pcs host auth',
       }
 
-      # Attempt to authorize all members. The command will return successfully
-      # if they were already authenticated so it's safe to run every time this
-      # is applied.
-      # TODO - make it run only once
-      exec { 'authorize_members':
-        command => "${pcs_auth_command} ${node_string} ${auth_credential_string}",
-        path    => $exec_path,
-        require => [
-          Service['pcsd'],
-          User['hacluster'],
-        ],
+      # Attempt to authorize each member
+      $quorum_members.each |$node| {
+        exec { "authorize_member_${node}":
+          command => "${pcs_auth_command} ${node} ${auth_credential_string}",
+          unless  => "grep '${node}' /var/lib/pcsd/tokens",
+          path    => $exec_path,
+          require => [
+            Service['pcsd'],
+            User['hacluster'],
+          ],
+        }
       }
     }
 
@@ -636,7 +636,7 @@
         command => "pcs cluster setup --force ${pcs_cluster_setup_namearg} ${cluster_name} ${node_string}",
         path    => $exec_path,
         onlyif  => 'test ! -f /etc/corosync/corosync.conf',
-        require => Exec['authorize_members'],
+        require => Exec[$quorum_members.map |$node| { "authorize_member_${node}" }],
       }
       # We need to do this so the temporary cluster doesn't delete our authkey
       if $enable_secauth {
@@ -655,7 +655,7 @@
         onlyif  => $qdevice_token_check,
         require => [
           Package[$package_quorum_device],
-          Exec['authorize_members'],
+          Exec[$quorum_members.map |$node| { "authorize_member_${node}" }],
           Exec['pcs_cluster_temporary'],
         ],
       }