diff --git a/bootstrap/github-azure-oidc/main.tf b/bootstrap/github-azure-oidc/main.tf
index d8d1e7a..53022a8 100644
--- a/bootstrap/github-azure-oidc/main.tf
+++ b/bootstrap/github-azure-oidc/main.tf
@@ -1,9 +1,27 @@
 // TERRAMATE: GENERATED AUTOMATICALLY DO NOT EDIT
+data "azurerm_subscription" "current" {
+}
 module "github_azure_oidc" {
-  entity_type = "pull_request"
+  entity_type = "ref"
   identity_name = "github-oidc-identity"
+  ref_branch = "main"
   repository_name = "terramate-io/terramate-quickstart-azure"
   source = "ned1313/github_oidc/azuread"
   version = "1.2.2"
 }
+resource "azuread_application_federated_identity_credential" "oidc_pr" {
+  application_object_id = module.github_azure_oidc.azuread_application.object_id
+  audiences = [
+    "api://AzureADTokenExchange",
+  ]
+  description = "GitHub OIDC for terramate-io/terramate-quickstart-azure PRs."
+  display_name = "${module.github_azure_oidc.service_principal.display_name}-pr"
+  issuer = "https://token.actions.githubusercontent.com"
+  subject = "repo:terramate-io/terramate-quickstart-azure:pull_request"
+}
+resource "azurerm_role_assignment" "oidc" {
+  principal_id = module.github_azure_oidc.service_principal.object_id
+  role_definition_name = "Contributor"
+  scope = data.azurerm_subscription.current.id
+}
diff --git a/bootstrap/github-azure-oidc/main.tm.hcl b/bootstrap/github-azure-oidc/main.tm.hcl
index 7dc09fb..a98ca9d 100644
--- a/bootstrap/github-azure-oidc/main.tm.hcl
+++ b/bootstrap/github-azure-oidc/main.tm.hcl
@@ -2,13 +2,31 @@ generate_hcl "main.tf" {
   inherit = false
   content {
+    data "azurerm_subscription" "current" {}
+
     module "github_azure_oidc" {
       source = "ned1313/github_oidc/azuread"
       version = "1.2.2"
+      entity_type = "ref"
+      ref_branch = "main"
       identity_name = tm_try(global.azure.oidc.identity, "github-oidc-identity")
       repository_name = global.azure.oidc.repository
-      entity_type = "pull_request"
+    }
+
+    resource "azuread_application_federated_identity_credential" "oidc_pr" {
+      application_object_id = module.github_azure_oidc.azuread_application.object_id
+      display_name = "${module.github_azure_oidc.service_principal.display_name}-pr"
+      description = "GitHub OIDC for ${global.azure.oidc.repository} PRs."
+      audiences = ["api://AzureADTokenExchange"]
+      issuer = "https://token.actions.githubusercontent.com"
+      subject = "repo:${global.azure.oidc.repository}:pull_request"
+    }
+
+    resource "azurerm_role_assignment" "oidc" {
+      scope = data.azurerm_subscription.current.id
+      role_definition_name = "Contributor"
+      principal_id = module.github_azure_oidc.service_principal.object_id
     }
   }
 }
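Review bot: The new `azurerm_role_assignment` block grants `Contributor` at subscription scope (`data.azurerm_subscription.current.id`) to the one service principal that both the `main` ref credential created by the module and the new `oidc_pr` pull_request credential map to, so a workflow run for a pull request ends up with the same write access to the whole subscription as a run on `main`. If PR runs only need to plan, a narrower assignment for that path would keep least privilege — either a separate identity for the `oidc_pr` credential with `role_definition_name = "Reader"`, or at minimum scoping the Contributor assignment to the resource group the stacks deploy into instead of the subscription. Whether a pull_request run from a fork can obtain an id-token at all depends on the repository's Actions permission settings, which this file cannot enforce; a comment on the `oidc_pr` block such as `# PR credential: any pull_request workflow that can request an id-token acts as this principal` would make that dependency explicit to whoever tunes the role assignment. As a point of style, `role_definition_name` and the scope are hard-coded while `identity_name` is resolved through `tm_try(global.azure.oidc.identity, ...)`; routing the role name through a matching global (same `tm_try` pattern, same default) would keep the generated file consistent and make the privilege level reviewable in one place.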