diff --git a/CHANGELOG.md b/CHANGELOG.md
index 63bce1e77..c59517adc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,10 @@
 # Changelog
 
 ## Next release
+
+### Breaking Changes
+- Eth2 Azure command line option --azure-secrets-tags is now deprecated and is replaced with --azure-tags. The --azure-secrets-tags option will be removed in a future release.
+
 ### Features Added
 - Azure bulk mode support for loading multiline (`\n` delimited, up to 200) keys per secret.
 - Hashicorp connection properties can now override http protocol to HTTP/1.1 from the default of HTTP/2. [#817](https://github.com/ConsenSys/web3signer/pull/817)
@@ -8,6 +12,7 @@
 - Add eth_signTransaction RPC method under the eth1 subcommand [#822](https://github.com/ConsenSys/web3signer/pull/822)
 - Add eth_sendTransaction RPC method under the eth1 subcommand [#835](https://github.com/Consensys/web3signer/pull/835)
 - Add EIP-1559 support for eth1 public transactions for eth_sendTransaction and eth_signTransaction [#836](https://github.com/Consensys/web3signer/pull/836)
+- Add Azure bulk loading for secp256k1 keys in eth1 mode [#850](https://github.com/Consensys/web3signer/pull/850)
 
 ### Bugs fixed
 - Support long name aliases in environment variables and YAML configuration [#825](https://github.com/Consensys/web3signer/pull/825)
diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsConfigFileImpl.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsConfigFileImpl.java
index 8a0181e18..a00ffc94d 100644
--- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsConfigFileImpl.java
+++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsConfigFileImpl.java
@@ -115,33 +115,6 @@ public List<String> createCmdLineParams() {
     if (signerConfig.getMode().equals("eth2")) {
       yamlConfig.append(createEth2SlashingProtectionArgs());
 
-      if (signerConfig.getAzureKeyVaultParameters().isPresent()) {
-        final AzureKeyVaultParameters azureParams = signerConfig.getAzureKeyVaultParameters().get();
-        yamlConfig.append(
-            String.format(YAML_BOOLEAN_FMT, "eth2.azure-vault-enabled", Boolean.TRUE));
-        yamlConfig.append(
-            String.format(
-                YAML_STRING_FMT,
-                "eth2.azure-vault-auth-mode",
-                azureParams.getAuthenticationMode().name()));
-        yamlConfig.append(
-            String.format(YAML_STRING_FMT, "eth2.azure-vault-name", azureParams.getKeyVaultName()));
-        yamlConfig.append(
-            String.format(YAML_STRING_FMT, "eth2.azure-client-id", azureParams.getClientId()));
-        yamlConfig.append(
-            String.format(
-                YAML_STRING_FMT, "eth2.azure-client-secret", azureParams.getClientSecret()));
-        yamlConfig.append(
-            String.format(YAML_STRING_FMT, "eth2.azure-tenant-id", azureParams.getTenantId()));
-
-        azureParams
-            .getTags()
-            .forEach(
-                (tagName, tagValue) ->
-                    yamlConfig.append(
-                        String.format(
-                            YAML_STRING_FMT, "eth2.azure-secrets-tags", tagName + "=" + tagValue)));
-      }
       if (signerConfig.getKeystoresParameters().isPresent()) {
         final KeystoresParameters keystoresParameters = signerConfig.getKeystoresParameters().get();
         yamlConfig.append(
@@ -181,6 +154,12 @@ public List<String> createCmdLineParams() {
       yamlConfig.append(createDownstreamTlsArgs());
     }
 
+    signerConfig
+        .getAzureKeyVaultParameters()
+        .ifPresent(
+            azureParams ->
+                yamlConfig.append(azureBulkLoadingOptions(signerConfig.getMode(), azureParams)));
+
     // create temporary config file
     try {
       final Path configFile = Files.createTempFile("web3signer_config", ".yaml");
@@ -196,6 +175,35 @@ public List<String> createCmdLineParams() {
     return params;
   }
 
+  private String azureBulkLoadingOptions(
+      final String mode, final AzureKeyVaultParameters azureParams) {
+    final StringBuilder yamlConfig = new StringBuilder();
+    yamlConfig.append(String.format(YAML_BOOLEAN_FMT, mode + ".azure-vault-enabled", Boolean.TRUE));
+    yamlConfig.append(
+        String.format(
+            YAML_STRING_FMT,
+            mode + ".azure-vault-auth-mode",
+            azureParams.getAuthenticationMode().name()));
+    yamlConfig.append(
+        String.format(YAML_STRING_FMT, mode + ".azure-vault-name", azureParams.getKeyVaultName()));
+    yamlConfig.append(
+        String.format(YAML_STRING_FMT, mode + ".azure-client-id", azureParams.getClientId()));
+    yamlConfig.append(
+        String.format(
+            YAML_STRING_FMT, mode + ".azure-client-secret", azureParams.getClientSecret()));
+    yamlConfig.append(
+        String.format(YAML_STRING_FMT, mode + ".azure-tenant-id", azureParams.getTenantId()));
+
+    azureParams
+        .getTags()
+        .forEach(
+            (tagName, tagValue) ->
+                yamlConfig.append(
+                    String.format(
+                        YAML_STRING_FMT, mode + ".azure-tags", tagName + "=" + tagValue)));
+    return yamlConfig.toString();
+  }
+
   private CommandArgs createSubCommandArgs() {
     final List<String> params = new ArrayList<>();
     final StringBuilder yamlConfig = new StringBuilder();
diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsDefaultImpl.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsDefaultImpl.java
index f07a2d2e0..90c9e29ea 100644
--- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsDefaultImpl.java
+++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsDefaultImpl.java
@@ -99,26 +99,7 @@ public List<String> createCmdLineParams() {
       params.addAll(createEth2Args());
 
       if (signerConfig.getAzureKeyVaultParameters().isPresent()) {
-        final AzureKeyVaultParameters azureParams = signerConfig.getAzureKeyVaultParameters().get();
-        params.add("--azure-vault-enabled=true");
-        params.add("--azure-vault-auth-mode");
-        params.add(azureParams.getAuthenticationMode().name());
-        params.add("--azure-vault-name");
-        params.add(azureParams.getKeyVaultName());
-        params.add("--azure-client-id");
-        params.add(azureParams.getClientId());
-        params.add("--azure-client-secret");
-        params.add(azureParams.getClientSecret());
-        params.add("--azure-tenant-id");
-        params.add(azureParams.getTenantId());
-
-        azureParams
-            .getTags()
-            .forEach(
-                (tagName, tagValue) -> {
-                  params.add("--azure-secrets-tags");
-                  params.add(tagName + "=" + tagValue);
-                });
+        createAzureArgs(params);
       }
       if (signerConfig.getKeystoresParameters().isPresent()) {
         final KeystoresParameters keystoresParameters = signerConfig.getKeystoresParameters().get();
@@ -143,6 +124,10 @@ public List<String> createCmdLineParams() {
       params.add("--chain-id");
       params.add(Long.toString(signerConfig.getChainIdProvider().id()));
       params.addAll(createDownstreamTlsArgs());
+
+      if (signerConfig.getAzureKeyVaultParameters().isPresent()) {
+        createAzureArgs(params);
+      }
     }
 
     return params;
@@ -331,6 +316,29 @@ private Collection<String> awsBulkLoadingOptions(
     return params;
   }
 
+  private void createAzureArgs(final List<String> params) {
+    final AzureKeyVaultParameters azureParams = signerConfig.getAzureKeyVaultParameters().get();
+    params.add("--azure-vault-enabled=true");
+    params.add("--azure-vault-auth-mode");
+    params.add(azureParams.getAuthenticationMode().name());
+    params.add("--azure-vault-name");
+    params.add(azureParams.getKeyVaultName());
+    params.add("--azure-client-id");
+    params.add(azureParams.getClientId());
+    params.add("--azure-client-secret");
+    params.add(azureParams.getClientSecret());
+    params.add("--azure-tenant-id");
+    params.add(azureParams.getTenantId());
+
+    azureParams
+        .getTags()
+        .forEach(
+            (tagName, tagValue) -> {
+              params.add("--azure-tags");
+              params.add(tagName + "=" + tagValue);
+            });
+  }
+
   private List<String> createSubCommandArgs() {
     final List<String> params = new ArrayList<>();
 
diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AzureKeyVaultAcceptanceTest.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AzureKeyVaultAcceptanceTest.java
index 3c8a24575..3c7dfa4da 100644
--- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AzureKeyVaultAcceptanceTest.java
+++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AzureKeyVaultAcceptanceTest.java
@@ -14,26 +14,27 @@
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.hamcrest.Matchers.equalTo;
-import static org.hamcrest.Matchers.hasItem;
 import static org.hamcrest.Matchers.hasItems;
 import static org.hamcrest.Matchers.hasSize;
 
 import tech.pegasys.web3signer.dsl.signer.SignerConfigurationBuilder;
-import tech.pegasys.web3signer.dsl.utils.DefaultAzureKeyVaultParameters;
 import tech.pegasys.web3signer.signing.KeyType;
 import tech.pegasys.web3signer.signing.config.AzureKeyVaultParameters;
+import tech.pegasys.web3signer.signing.config.DefaultAzureKeyVaultParameters;
 import tech.pegasys.web3signer.tests.AcceptanceTestBase;
 
 import java.util.Map;
+import java.util.stream.Stream;
 
 import io.restassured.http.ContentType;
 import io.restassured.response.Response;
 import io.vertx.core.json.JsonObject;
 import org.junit.jupiter.api.Assumptions;
 import org.junit.jupiter.api.BeforeAll;
-import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
-import org.junit.jupiter.params.provider.ValueSource;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.EnumSource;
+import org.junit.jupiter.params.provider.MethodSource;
 
 public class AzureKeyVaultAcceptanceTest extends AcceptanceTestBase {
 
@@ -41,10 +42,14 @@ public class AzureKeyVaultAcceptanceTest extends AcceptanceTestBase {
   private static final String CLIENT_SECRET = System.getenv("AZURE_CLIENT_SECRET");
   private static final String TENANT_ID = System.getenv("AZURE_TENANT_ID");
   private static final String VAULT_NAME = System.getenv("AZURE_KEY_VAULT_NAME");
-  private static final String EXPECTED_KEY =
+  private static final String BLS_KEY =
       "0x989d34725a2bfc3f15105f3f5fc8741f436c25ee1ee4f948e425d6bcb8c56bce6e06c269635b7e985a7ffa639e2409bf";
-  private static final String EXPECTED_TAGGED_KEY =
+  private static final String BLS_TAGGED_KEY =
       "0xb3b6fb8dab2a4c9d00247c18c4b7e91c62da3f7ad31c822c00097f93ac8ff2c4a526611f7d0a9c85946e93f371852c69";
+  private static final String SECP_KEY =
+      "0xa95663509e608da3c2af5a48eb4315321f8430cbed5518a44590cc9d367f01dc72ebbc583fc7d94f9fdc20eb6e162c9f8cb35be8a91a3b1d32a63ecc10be4e08";
+  private static final String SECP_TAGGED_KEY =
+      "0x234053dbe014ebe573e5e8f6eab5e0417bf705466009f7c15b8d23593abd1bda426593d92b32efb240afe6efa46d5679fad0dc427e0aa0fc61c2464ce93c7c5e";
 
   @BeforeAll
   public static void setup() {
@@ -54,22 +59,25 @@ public static void setup() {
     Assumptions.assumeTrue(VAULT_NAME != null, "Set AZURE_KEY_VAULT_NAME environment variable");
   }
 
-  @Test
-  void ensureSecretsInKeyVaultAreLoadedAndReportedViaPublicKeysApi() {
+  @ParameterizedTest
+  @EnumSource(KeyType.class)
+  void ensureSecretsInKeyVaultAreLoadedAndReportedViaPublicKeysApi(final KeyType keyType) {
     final AzureKeyVaultParameters azureParams =
         new DefaultAzureKeyVaultParameters(VAULT_NAME, CLIENT_ID, TENANT_ID, CLIENT_SECRET);
 
     final SignerConfigurationBuilder configBuilder =
-        new SignerConfigurationBuilder().withMode("eth2").withAzureKeyVaultParameters(azureParams);
+        new SignerConfigurationBuilder()
+            .withMode(calculateMode(keyType))
+            .withAzureKeyVaultParameters(azureParams);
 
     startSigner(configBuilder.build());
 
-    final Response response = signer.callApiPublicKeys(KeyType.BLS);
+    final Response response = signer.callApiPublicKeys(keyType);
     response
         .then()
         .statusCode(200)
         .contentType(ContentType.JSON)
-        .body("", hasItems(EXPECTED_KEY, EXPECTED_TAGGED_KEY));
+        .body("", hasItems(expectedKey(keyType, false)));
 
     final Response healthcheckResponse = signer.healthcheck();
     healthcheckResponse
@@ -78,35 +86,37 @@ void ensureSecretsInKeyVaultAreLoadedAndReportedViaPublicKeysApi() {
         .contentType(ContentType.JSON)
         .body("status", equalTo("UP"));
 
+    // BLS keys include additional multi-line key with 200 keys
+    final int expectedKeyLoaded = keyType == KeyType.BLS ? 202 : 2;
+
     final String jsonBody = healthcheckResponse.body().asString();
-    int keysLoaded = getAzureBulkLoadingData(jsonBody, "keys-loaded");
-    assertThat(keysLoaded)
-        .isEqualTo(202); // ACCTEST-MULTILINE-KEY (200) + TEST-KEY (1) + TEST-KEY-2 (1)
+    final int keysLoaded = getAzureBulkLoadingData(jsonBody, "keys-loaded");
+    assertThat(keysLoaded).isEqualTo(expectedKeyLoaded);
   }
 
-  @ParameterizedTest(name = "{index} - Using config file: {0}")
-  @ValueSource(booleans = {true, false})
-  void azureSecretsViaTag(boolean useConfigFile) {
+  @ParameterizedTest(name = "{index} - KeyType: {0}, using config file: {1}")
+  @MethodSource("azureSecretsViaTag")
+  void azureSecretsViaTag(final KeyType keyType, boolean useConfigFile) {
     final AzureKeyVaultParameters azureParams =
         new DefaultAzureKeyVaultParameters(
             VAULT_NAME, CLIENT_ID, TENANT_ID, CLIENT_SECRET, Map.of("ENV", "TEST"));
 
     final SignerConfigurationBuilder configBuilder =
         new SignerConfigurationBuilder()
-            .withMode("eth2")
+            .withMode(calculateMode(keyType))
             .withUseConfigFile(useConfigFile)
             .withAzureKeyVaultParameters(azureParams);
 
     startSigner(configBuilder.build());
 
-    final Response response = signer.callApiPublicKeys(KeyType.BLS);
+    final Response response = signer.callApiPublicKeys(keyType);
     response
         .then()
         .statusCode(200)
         .contentType(ContentType.JSON)
-        .body("", hasItem(EXPECTED_TAGGED_KEY));
+        .body("", hasItems(expectedKey(keyType, true)));
 
-    // the tag filter will return only valid keys. The healtcheck should be UP
+    // the tag filter will return only valid keys. The healthcheck should be UP
     final Response healthcheckResponse = signer.healthcheck();
     healthcheckResponse
         .then()
@@ -116,36 +126,45 @@ void azureSecretsViaTag(boolean useConfigFile) {
 
     // keys loaded should be 1 as well.
     final String jsonBody = healthcheckResponse.body().asString();
-    int keysLoaded = getAzureBulkLoadingData(jsonBody, "keys-loaded");
-    int errorCount = getAzureBulkLoadingData(jsonBody, "error-count");
+    final int keysLoaded = getAzureBulkLoadingData(jsonBody, "keys-loaded");
+    final int errorCount = getAzureBulkLoadingData(jsonBody, "error-count");
     assertThat(keysLoaded).isOne();
     assertThat(errorCount).isZero();
   }
 
+  private static Stream<Arguments> azureSecretsViaTag() {
+    return Stream.of(
+        Arguments.arguments(KeyType.BLS, false),
+        Arguments.arguments(KeyType.BLS, true),
+        Arguments.arguments(KeyType.SECP256K1, false),
+        Arguments.arguments(KeyType.SECP256K1, true));
+  }
+
   private static int getAzureBulkLoadingData(String healthCheckJsonBody, String dataKey) {
-    JsonObject jsonObject = new JsonObject(healthCheckJsonBody);
-    int keysLoaded =
-        jsonObject.getJsonArray("checks").stream()
-            .filter(o -> "keys-check".equals(((JsonObject) o).getString("id")))
-            .flatMap(o -> ((JsonObject) o).getJsonArray("checks").stream())
-            .filter(o -> "azure-bulk-loading".equals(((JsonObject) o).getString("id")))
-            .mapToInt(o -> ((JsonObject) ((JsonObject) o).getValue("data")).getInteger(dataKey))
-            .findFirst()
-            .orElse(-1);
-    return keysLoaded;
+    final JsonObject jsonObject = new JsonObject(healthCheckJsonBody);
+    return jsonObject.getJsonArray("checks").stream()
+        .filter(o -> "keys-check".equals(((JsonObject) o).getString("id")))
+        .flatMap(o -> ((JsonObject) o).getJsonArray("checks").stream())
+        .filter(o -> "azure-bulk-loading".equals(((JsonObject) o).getString("id")))
+        .mapToInt(o -> ((JsonObject) ((JsonObject) o).getValue("data")).getInteger(dataKey))
+        .findFirst()
+        .orElse(-1);
   }
 
-  @Test
-  void invalidVaultParametersFailsToLoadKeys() {
+  @ParameterizedTest
+  @EnumSource(KeyType.class)
+  void invalidVaultParametersFailsToLoadKeys(final KeyType keyType) {
     final AzureKeyVaultParameters azureParams =
         new DefaultAzureKeyVaultParameters("nonExistentVault", CLIENT_ID, TENANT_ID, CLIENT_SECRET);
 
     final SignerConfigurationBuilder configBuilder =
-        new SignerConfigurationBuilder().withMode("eth2").withAzureKeyVaultParameters(azureParams);
+        new SignerConfigurationBuilder()
+            .withMode(calculateMode(keyType))
+            .withAzureKeyVaultParameters(azureParams);
 
     startSigner(configBuilder.build());
 
-    final Response response = signer.callApiPublicKeys(KeyType.BLS);
+    final Response response = signer.callApiPublicKeys(keyType);
     response.then().statusCode(200).contentType(ContentType.JSON).body("", hasSize(0));
 
     signer
@@ -156,23 +175,35 @@ void invalidVaultParametersFailsToLoadKeys() {
         .body("status", equalTo("DOWN"));
   }
 
-  @Test
-  void envVarsAreUsedToDefaultAzureParams() {
+  @ParameterizedTest
+  @EnumSource(KeyType.class)
+  void envVarsAreUsedToDefaultAzureParams(final KeyType keyType) {
     // This ensures env vars correspond to the WEB3SIGNER_<subcommand>_<option> syntax
+    final String envPrefix = keyType == KeyType.BLS ? "WEB3SIGNER_ETH2_" : "WEB3SIGNER_ETH1_";
     final Map<String, String> env =
         Map.of(
-            "WEB3SIGNER_ETH2_AZURE_VAULT_ENABLED", "true",
-            "WEB3SIGNER_ETH2_AZURE_VAULT_NAME", VAULT_NAME,
-            "WEB3SIGNER_ETH2_AZURE_CLIENT_ID", CLIENT_ID,
-            "WEB3SIGNER_ETH2_AZURE_CLIENT_SECRET", CLIENT_SECRET,
-            "WEB3SIGNER_ETH2_AZURE_TENANT_ID", TENANT_ID);
+            envPrefix + "AZURE_VAULT_ENABLED", "true",
+            envPrefix + "AZURE_VAULT_NAME", VAULT_NAME,
+            envPrefix + "AZURE_CLIENT_ID", CLIENT_ID,
+            envPrefix + "AZURE_CLIENT_SECRET", CLIENT_SECRET,
+            envPrefix + "AZURE_TENANT_ID", TENANT_ID);
 
     final SignerConfigurationBuilder configBuilder =
-        new SignerConfigurationBuilder().withMode("eth2").withEnvironment(env);
+        new SignerConfigurationBuilder().withMode(calculateMode(keyType)).withEnvironment(env);
 
     startSigner(configBuilder.build());
 
-    final Response response = signer.callApiPublicKeys(KeyType.BLS);
-    response.then().statusCode(200).contentType(ContentType.JSON).body("", hasItem(EXPECTED_KEY));
+    final Response response = signer.callApiPublicKeys(keyType);
+    response
+        .then()
+        .statusCode(200)
+        .contentType(ContentType.JSON)
+        .body("", hasItems(expectedKey(keyType, false)));
+  }
+
+  private String expectedKey(final KeyType keyType, final boolean tagged) {
+    return keyType == KeyType.BLS
+        ? tagged ? BLS_TAGGED_KEY : BLS_KEY
+        : tagged ? SECP_TAGGED_KEY : SECP_KEY;
   }
 }
diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AzureKeyVaultMultiValueAcceptanceTest.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AzureKeyVaultMultiValueAcceptanceTest.java
index 21e475950..25d125545 100644
--- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AzureKeyVaultMultiValueAcceptanceTest.java
+++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AzureKeyVaultMultiValueAcceptanceTest.java
@@ -21,9 +21,9 @@
 import tech.pegasys.teku.bls.BLSSecretKey;
 import tech.pegasys.web3signer.BLSTestUtil;
 import tech.pegasys.web3signer.dsl.signer.SignerConfigurationBuilder;
-import tech.pegasys.web3signer.dsl.utils.DefaultAzureKeyVaultParameters;
 import tech.pegasys.web3signer.signing.KeyType;
 import tech.pegasys.web3signer.signing.config.AzureKeyVaultParameters;
+import tech.pegasys.web3signer.signing.config.DefaultAzureKeyVaultParameters;
 import tech.pegasys.web3signer.tests.AcceptanceTestBase;
 
 import java.util.List;
diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/slashing/SlashingPruningAcceptanceTest.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/slashing/SlashingPruningAcceptanceTest.java
index 59dd6591c..244d009e1 100644
--- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/slashing/SlashingPruningAcceptanceTest.java
+++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/slashing/SlashingPruningAcceptanceTest.java
@@ -46,14 +46,16 @@ public class SlashingPruningAcceptanceTest extends AcceptanceTestBase {
   protected final BLSKeyPair keyPair = BLSTestUtil.randomKeyPair(0);
 
   @Test
-  void slashingDataIsPruned(@TempDir final Path testDirectory) throws IOException {
+  void slashingDataIsPruned(
+      @TempDir final Path dataSignerDirectory, @TempDir final Path prunerSignerDirectory)
+      throws IOException {
     final TestDatabaseInfo testDatabaseInfo = DatabaseUtil.create();
     final String dbUrl = testDatabaseInfo.databaseUrl();
     final Jdbi jdbi = testDatabaseInfo.getJdbi();
 
-    final Path keyConfigFile = testDirectory.resolve("keyfile.yaml");
+    final Path dataSignerKeyConfigFile = dataSignerDirectory.resolve("keyfile.yaml");
     METADATA_FILE_HELPERS.createUnencryptedYamlFileAt(
-        keyConfigFile, keyPair.getSecretKey().toBytes().toHexString(), KeyType.BLS);
+        dataSignerKeyConfigFile, keyPair.getSecretKey().toBytes().toHexString(), KeyType.BLS);
 
     final SignerConfigurationBuilder signerBuilder =
         new SignerConfigurationBuilder()
@@ -63,7 +65,7 @@ void slashingDataIsPruned(@TempDir final Path testDirectory) throws IOException
             .withSlashingProtectionDbPassword(DB_PASSWORD)
             .withSlashingProtectionDbUrl(dbUrl)
             .withNetwork("minimal")
-            .withKeyStoreDirectory(testDirectory);
+            .withKeyStoreDirectory(dataSignerDirectory);
 
     final Signer dataCreatingSigner = new Signer(signerBuilder.build(), null);
     dataCreatingSigner.start();
@@ -88,12 +90,17 @@ void slashingDataIsPruned(@TempDir final Path testDirectory) throws IOException
     assertThat(blocksBeforePruning).hasSize(2);
 
     // start signer with pruning enabled at boot configured to only keep one block and attestation
+    final Path prunerKeyConfigFile = prunerSignerDirectory.resolve("keyfile.yaml");
+    METADATA_FILE_HELPERS.createUnencryptedYamlFileAt(
+        prunerKeyConfigFile, keyPair.getSecretKey().toBytes().toHexString(), KeyType.BLS);
+
     signerBuilder
         .withSlashingPruningEnabled(true)
         .withSlashingPruningEnabledAtBoot(true)
         .withSlashingPruningEpochsToKeep(1)
         .withSlashingPruningSlotsPerEpoch(1)
-        .withSlashingPruningInterval(1);
+        .withSlashingPruningInterval(1)
+        .withKeyStoreDirectory(prunerSignerDirectory);
     final Signer pruningSigner = new Signer(signerBuilder.build(), null);
     pruningSigner.start();
     pruningSigner.awaitStartupCompletion();
diff --git a/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliAzureKeyVaultParameters.java b/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliAzureKeyVaultParameters.java
index 6bb41fa48..944fba6b4 100644
--- a/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliAzureKeyVaultParameters.java
+++ b/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliAzureKeyVaultParameters.java
@@ -15,12 +15,9 @@
 import tech.pegasys.web3signer.signing.config.AzureAuthenticationMode;
 import tech.pegasys.web3signer.signing.config.AzureKeyVaultParameters;
 
-import java.util.Collections;
-import java.util.Map;
-
 import picocli.CommandLine.Option;
 
-public class PicoCliAzureKeyVaultParameters implements AzureKeyVaultParameters {
+public abstract class PicoCliAzureKeyVaultParameters implements AzureKeyVaultParameters {
 
   @Option(
       names = {"--azure-vault-enabled"},
@@ -64,14 +61,6 @@ public class PicoCliAzureKeyVaultParameters implements AzureKeyVaultParameters {
       paramLabel = "<CLIENT_SECRET>")
   private String clientSecret;
 
-  @Option(
-      names = {"--azure-secrets-tags"},
-      description =
-          "Specify optional tags to filter the secrets. "
-              + "For example --azure-secrets-tags ENV=prod --azure-secrets-tags=CLIENT=A.",
-      paramLabel = "<TAG_NAME=TAG_VALUE>")
-  private Map<String, String> tags = Collections.emptyMap();
-
   @Override
   public boolean isAzureKeyVaultEnabled() {
     return azureKeyVaultEnabled;
@@ -101,9 +90,4 @@ public String getClientId() {
   public String getClientSecret() {
     return clientSecret;
   }
-
-  @Override
-  public Map<String, String> getTags() {
-    return tags;
-  }
 }
diff --git a/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliEth1AzureKeyVaultParameters.java b/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliEth1AzureKeyVaultParameters.java
new file mode 100644
index 000000000..7e8fc7fed
--- /dev/null
+++ b/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliEth1AzureKeyVaultParameters.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright 2023 ConsenSys AG.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package tech.pegasys.web3signer.commandline;
+
+import java.util.Collections;
+import java.util.Map;
+
+import picocli.CommandLine;
+
+public class PicoCliEth1AzureKeyVaultParameters extends PicoCliAzureKeyVaultParameters {
+
+  @CommandLine.Option(
+      names = {"--azure-tags"},
+      description =
+          "Specify optional tags to filter on. "
+              + "For example --azure-tags ENV=prod --azure-tags=CLIENT=A.",
+      paramLabel = "<TAG_NAME=TAG_VALUE>")
+  private Map<String, String> tags = Collections.emptyMap();
+
+  @Override
+  public Map<String, String> getTags() {
+    return tags;
+  }
+}
diff --git a/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliEth2AzureKeyVaultParameters.java b/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliEth2AzureKeyVaultParameters.java
new file mode 100644
index 000000000..47a1f368b
--- /dev/null
+++ b/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliEth2AzureKeyVaultParameters.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright 2023 ConsenSys AG.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package tech.pegasys.web3signer.commandline;
+
+import java.util.Collections;
+import java.util.Map;
+
+import picocli.CommandLine;
+
+public class PicoCliEth2AzureKeyVaultParameters extends PicoCliAzureKeyVaultParameters {
+
+  @CommandLine.Option(
+      names = {"--azure-tags", "--azure-secrets-tags"},
+      description =
+          "Specify optional tags to filter on. "
+              + "For example --azure-tags ENV=prod --azure-tags=CLIENT=A.",
+      paramLabel = "<TAG_NAME=TAG_VALUE>")
+  private Map<String, String> tags = Collections.emptyMap();
+
+  @Override
+  public Map<String, String> getTags() {
+    return tags;
+  }
+}
diff --git a/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth1SubCommand.java b/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth1SubCommand.java
index 837fe5e7f..49847c4c8 100644
--- a/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth1SubCommand.java
+++ b/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth1SubCommand.java
@@ -18,6 +18,7 @@
 import static tech.pegasys.web3signer.commandline.DefaultCommandValues.PORT_FORMAT_HELP;
 import static tech.pegasys.web3signer.commandline.util.RequiredOptionsUtil.checkIfRequiredOptionsAreInitialized;
 
+import tech.pegasys.web3signer.commandline.PicoCliEth1AzureKeyVaultParameters;
 import tech.pegasys.web3signer.commandline.annotations.RequiredOption;
 import tech.pegasys.web3signer.commandline.config.client.PicoCliClientTlsOptions;
 import tech.pegasys.web3signer.core.Eth1Runner;
@@ -26,6 +27,7 @@
 import tech.pegasys.web3signer.core.config.client.ClientTlsOptions;
 import tech.pegasys.web3signer.core.service.jsonrpc.handlers.signing.ChainIdProvider;
 import tech.pegasys.web3signer.core.service.jsonrpc.handlers.signing.ConfigurationChainId;
+import tech.pegasys.web3signer.signing.config.AzureKeyVaultParameters;
 
 import java.net.URI;
 import java.net.URISyntaxException;
@@ -140,6 +142,8 @@ public void setDownstreamHttpPath(final String path) {
 
   @CommandLine.Mixin private PicoCliClientTlsOptions clientTlsOptions;
 
+  @CommandLine.Mixin private PicoCliEth1AzureKeyVaultParameters azureKeyVaultParameters;
+
   @Override
   public Runner createRunner() {
     return new Eth1Runner(config, this);
@@ -204,4 +208,9 @@ public Optional<ClientTlsOptions> getClientTlsOptions() {
   public ChainIdProvider getChainId() {
     return new ConfigurationChainId(chainId);
   }
+
+  @Override
+  public AzureKeyVaultParameters getAzureKeyVaultConfig() {
+    return azureKeyVaultParameters;
+  }
 }
diff --git a/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth2SubCommand.java b/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth2SubCommand.java
index 21c1c1227..58c721a3a 100644
--- a/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth2SubCommand.java
+++ b/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth2SubCommand.java
@@ -26,7 +26,7 @@
 import tech.pegasys.teku.spec.SpecMilestone;
 import tech.pegasys.teku.spec.networks.Eth2Network;
 import tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters;
-import tech.pegasys.web3signer.commandline.PicoCliAzureKeyVaultParameters;
+import tech.pegasys.web3signer.commandline.PicoCliEth2AzureKeyVaultParameters;
 import tech.pegasys.web3signer.commandline.PicoCliSlashingProtectionParameters;
 import tech.pegasys.web3signer.commandline.config.PicoKeystoresParameters;
 import tech.pegasys.web3signer.core.Eth2Runner;
@@ -124,7 +124,7 @@ private static class NetworkCliCompletionCandidates extends ArrayList<String> {
   private boolean isKeyManagerApiEnabled = false;
 
   @Mixin private PicoCliSlashingProtectionParameters slashingProtectionParameters;
-  @Mixin private PicoCliAzureKeyVaultParameters azureKeyVaultParameters;
+  @Mixin private PicoCliEth2AzureKeyVaultParameters azureKeyVaultParameters;
   @Mixin private PicoKeystoresParameters keystoreParameters;
   @Mixin private PicoCliAwsSecretsManagerParameters awsSecretsManagerParameters;
   private tech.pegasys.teku.spec.Spec eth2Spec;
diff --git a/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/ModeSubCommand.java b/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/ModeSubCommand.java
index 9411fa5c4..0e1fe58d0 100644
--- a/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/ModeSubCommand.java
+++ b/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/ModeSubCommand.java
@@ -15,9 +15,12 @@
 import tech.pegasys.web3signer.commandline.Web3SignerBaseCommand;
 import tech.pegasys.web3signer.core.Runner;
 
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import picocli.CommandLine;
 
 public abstract class ModeSubCommand implements Runnable {
+  private static final Logger LOG = LogManager.getLogger();
 
   @CommandLine.ParentCommand protected Web3SignerBaseCommand config;
 
@@ -25,7 +28,9 @@ public abstract class ModeSubCommand implements Runnable {
   public void run() {
     config.validateArgs();
     validateArgs();
-    createRunner().run();
+    final Runner runner = createRunner();
+    addShutdownHook(runner);
+    runner.run();
   }
 
   public abstract Runner createRunner();
@@ -33,4 +38,18 @@ public void run() {
   public abstract String getCommandName();
 
   protected abstract void validateArgs();
+
+  private void addShutdownHook(Runner runner) {
+    Runtime.getRuntime()
+        .addShutdownHook(
+            new Thread(
+                () -> {
+                  try {
+                    runner.close();
+                  } catch (Exception e) {
+                    LOG.error("Failed to stop Web3Signer");
+                  }
+                },
+                "Web3Signer-Shutdown-Hook"));
+  }
 }
diff --git a/core/build.gradle b/core/build.gradle
index bd7eb11a4..ca48e3408 100644
--- a/core/build.gradle
+++ b/core/build.gradle
@@ -72,6 +72,7 @@ dependencies {
   }
   integrationTestImplementation 'org.awaitility:awaitility'
   integrationTestRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine'
+  integrationTestImplementation (testFixtures(project(":signing")))
 }
 
 processResources {
diff --git a/core/src/integrationTest/java/tech/pegasys/web3signer/core/jsonrpcproxy/support/TestEth1Config.java b/core/src/integrationTest/java/tech/pegasys/web3signer/core/jsonrpcproxy/support/TestEth1Config.java
index 1d6cfbecc..eddbf8ecb 100644
--- a/core/src/integrationTest/java/tech/pegasys/web3signer/core/jsonrpcproxy/support/TestEth1Config.java
+++ b/core/src/integrationTest/java/tech/pegasys/web3signer/core/jsonrpcproxy/support/TestEth1Config.java
@@ -16,6 +16,8 @@
 import tech.pegasys.web3signer.core.config.client.ClientTlsOptions;
 import tech.pegasys.web3signer.core.service.jsonrpc.handlers.signing.ChainIdProvider;
 import tech.pegasys.web3signer.core.service.jsonrpc.handlers.signing.ConfigurationChainId;
+import tech.pegasys.web3signer.signing.config.AzureKeyVaultParameters;
+import tech.pegasys.web3signer.signing.config.DefaultAzureKeyVaultParameters;
 
 import java.time.Duration;
 import java.util.Optional;
@@ -89,4 +91,9 @@ public Optional<ClientTlsOptions> getClientTlsOptions() {
   public ChainIdProvider getChainId() {
     return chainId;
   }
+
+  @Override
+  public AzureKeyVaultParameters getAzureKeyVaultConfig() {
+    return new DefaultAzureKeyVaultParameters("", "", "", "");
+  }
 }
diff --git a/core/src/main/java/tech/pegasys/web3signer/core/Eth1Runner.java b/core/src/main/java/tech/pegasys/web3signer/core/Eth1Runner.java
index 67243542c..a28ef7831 100644
--- a/core/src/main/java/tech/pegasys/web3signer/core/Eth1Runner.java
+++ b/core/src/main/java/tech/pegasys/web3signer/core/Eth1Runner.java
@@ -12,6 +12,7 @@
  */
 package tech.pegasys.web3signer.core;
 
+import static tech.pegasys.web3signer.core.config.HealthCheckNames.KEYS_CHECK_AZURE_BULK_LOADING;
 import static tech.pegasys.web3signer.signing.KeyType.SECP256K1;
 
 import tech.pegasys.web3signer.core.config.BaseConfig;
@@ -35,10 +36,16 @@
 import tech.pegasys.web3signer.core.service.jsonrpc.handlers.internalresponse.InternalResponseHandler;
 import tech.pegasys.web3signer.core.service.jsonrpc.handlers.sendtransaction.SendTransactionHandler;
 import tech.pegasys.web3signer.core.service.jsonrpc.handlers.sendtransaction.transaction.TransactionFactory;
+import tech.pegasys.web3signer.keystorage.azure.AzureKeyVault;
+import tech.pegasys.web3signer.keystorage.common.MappedResults;
 import tech.pegasys.web3signer.keystorage.hashicorp.HashicorpConnectionFactory;
+import tech.pegasys.web3signer.signing.ArtifactSigner;
 import tech.pegasys.web3signer.signing.ArtifactSignerProvider;
 import tech.pegasys.web3signer.signing.EthSecpArtifactSigner;
 import tech.pegasys.web3signer.signing.SecpArtifactSignature;
+import tech.pegasys.web3signer.signing.bulkloading.SecpAzureBulkLoader;
+import tech.pegasys.web3signer.signing.config.AzureKeyVaultFactory;
+import tech.pegasys.web3signer.signing.config.AzureKeyVaultParameters;
 import tech.pegasys.web3signer.signing.config.DefaultArtifactSignerProvider;
 import tech.pegasys.web3signer.signing.config.SecpArtifactSignerProviderAdapter;
 import tech.pegasys.web3signer.signing.config.SignerLoader;
@@ -49,6 +56,7 @@
 import tech.pegasys.web3signer.signing.config.metadata.yubihsm.YubiHsmOpaqueDataProvider;
 import tech.pegasys.web3signer.signing.secp256k1.azure.AzureKeyVaultSignerFactory;
 
+import java.util.ArrayList;
 import java.util.List;
 
 import com.fasterxml.jackson.databind.DeserializationFeature;
@@ -56,17 +64,22 @@
 import io.vertx.core.Vertx;
 import io.vertx.core.http.HttpClient;
 import io.vertx.core.http.HttpMethod;
+import io.vertx.core.json.JsonObject;
+import io.vertx.ext.healthchecks.Status;
 import io.vertx.ext.web.Router;
 import io.vertx.ext.web.client.WebClientOptions;
 import io.vertx.ext.web.handler.BodyHandler;
 import io.vertx.ext.web.handler.ResponseContentTypeHandler;
 import io.vertx.ext.web.impl.BlockingHandlerDecorator;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.hyperledger.besu.plugin.services.MetricsSystem;
 
 public class Eth1Runner extends Runner {
   public static final String PUBLIC_KEYS_PATH = "/api/v1/eth1/publicKeys";
   public static final String ROOT_PATH = "/";
   public static final String SIGN_PATH = "/api/v1/eth1/sign/:identifier";
+  private static final Logger LOG = LogManager.getLogger();
   private final Eth1Config eth1Config;
   private final HttpResponseFactory responseFactory = new HttpResponseFactory();
 
@@ -147,36 +160,78 @@ protected ArtifactSignerProvider createArtifactSignerProvider(
       final Vertx vertx, final MetricsSystem metricsSystem) {
     return new DefaultArtifactSignerProvider(
         () -> {
-          final AzureKeyVaultSignerFactory azureFactory = new AzureKeyVaultSignerFactory();
-          final HashicorpConnectionFactory hashicorpConnectionFactory =
-              new HashicorpConnectionFactory();
-          try (final InterlockKeyProvider interlockKeyProvider = new InterlockKeyProvider(vertx);
-              final YubiHsmOpaqueDataProvider yubiHsmOpaqueDataProvider =
-                  new YubiHsmOpaqueDataProvider()) {
-
-            final Secp256k1ArtifactSignerFactory ethSecpArtifactSignerFactory =
-                new Secp256k1ArtifactSignerFactory(
-                    hashicorpConnectionFactory,
-                    baseConfig.getKeyConfigPath(),
-                    azureFactory,
-                    interlockKeyProvider,
-                    yubiHsmOpaqueDataProvider,
-                    EthSecpArtifactSigner::new,
-                    true);
-
-            return new SignerLoader(baseConfig.keystoreParallelProcessingEnabled())
-                .load(
-                    baseConfig.getKeyConfigPath(),
-                    "yaml",
-                    new YamlSignerParser(
-                        List.of(ethSecpArtifactSignerFactory),
-                        YamlMapperFactory.createYamlMapper(
-                            baseConfig.getKeyStoreConfigFileMaxSize())))
-                .getValues();
-          }
+          final List<ArtifactSigner> signers = new ArrayList<>();
+          final AzureKeyVaultFactory azureKeyVaultFactory = new AzureKeyVaultFactory();
+          registerClose(azureKeyVaultFactory::close);
+          final AzureKeyVaultSignerFactory azureSignerFactory =
+              new AzureKeyVaultSignerFactory(azureKeyVaultFactory);
+
+          signers.addAll(
+              loadSignersFromKeyConfigFiles(vertx, azureKeyVaultFactory, azureSignerFactory)
+                  .getValues());
+          signers.addAll(bulkLoadSigners(azureKeyVaultFactory, azureSignerFactory).getValues());
+          return signers;
         });
   }
 
+  private MappedResults<ArtifactSigner> loadSignersFromKeyConfigFiles(
+      final Vertx vertx,
+      final AzureKeyVaultFactory azureKeyVaultFactory,
+      final AzureKeyVaultSignerFactory azureSignerFactory) {
+    final HashicorpConnectionFactory hashicorpConnectionFactory = new HashicorpConnectionFactory();
+    try (final InterlockKeyProvider interlockKeyProvider = new InterlockKeyProvider(vertx);
+        final YubiHsmOpaqueDataProvider yubiHsmOpaqueDataProvider =
+            new YubiHsmOpaqueDataProvider()) {
+
+      final Secp256k1ArtifactSignerFactory ethSecpArtifactSignerFactory =
+          new Secp256k1ArtifactSignerFactory(
+              hashicorpConnectionFactory,
+              baseConfig.getKeyConfigPath(),
+              azureSignerFactory,
+              interlockKeyProvider,
+              yubiHsmOpaqueDataProvider,
+              EthSecpArtifactSigner::new,
+              azureKeyVaultFactory,
+              true);
+
+      return new SignerLoader(baseConfig.keystoreParallelProcessingEnabled())
+          .load(
+              baseConfig.getKeyConfigPath(),
+              "yaml",
+              new YamlSignerParser(
+                  List.of(ethSecpArtifactSignerFactory),
+                  YamlMapperFactory.createYamlMapper(baseConfig.getKeyStoreConfigFileMaxSize())));
+    }
+  }
+
+  private MappedResults<ArtifactSigner> bulkLoadSigners(
+      final AzureKeyVaultFactory azureKeyVaultFactory,
+      final AzureKeyVaultSignerFactory azureSignerFactory) {
+    final AzureKeyVaultParameters azureKeyVaultConfig = eth1Config.getAzureKeyVaultConfig();
+    if (azureKeyVaultConfig.isAzureKeyVaultEnabled()) {
+      LOG.info("Bulk loading keys from Azure key vault ... ");
+      final AzureKeyVault azureKeyVault =
+          azureKeyVaultFactory.createAzureKeyVault(
+              azureKeyVaultConfig.getClientId(),
+              azureKeyVaultConfig.getClientSecret(),
+              azureKeyVaultConfig.getKeyVaultName(),
+              azureKeyVaultConfig.getTenantId(),
+              azureKeyVaultConfig.getAuthenticationMode());
+      final SecpAzureBulkLoader secpAzureBulkLoader =
+          new SecpAzureBulkLoader(azureKeyVault, azureSignerFactory);
+      final MappedResults<ArtifactSigner> azureResult =
+          secpAzureBulkLoader.load(azureKeyVaultConfig);
+      LOG.info(
+          "Keys loaded from Azure: [{}], with error count: [{}]",
+          azureResult.getValues().size(),
+          azureResult.getErrorCount());
+      registerSignerLoadingHealthCheck(KEYS_CHECK_AZURE_BULK_LOADING, azureResult);
+      return azureResult;
+    } else {
+      return MappedResults.newSetInstance();
+    }
+  }
+
   private String formatSecpSignature(final SecpArtifactSignature signature) {
     return SecpArtifactSignature.toBytes(signature).toHexString();
   }
@@ -232,4 +287,18 @@ private void loadSignerProvider(final ArtifactSignerProvider signerProvider) {
       throw new InitializationException(e);
     }
   }
+
+  private void registerSignerLoadingHealthCheck(
+      final String name, final MappedResults<ArtifactSigner> result) {
+    super.registerHealthCheckProcedure(
+        name,
+        promise -> {
+          final JsonObject statusJson =
+              new JsonObject()
+                  .put("keys-loaded", result.getValues().size())
+                  .put("error-count", result.getErrorCount());
+          promise.complete(
+              result.getErrorCount() > 0 ? Status.KO(statusJson) : Status.OK(statusJson));
+        });
+  }
 }
diff --git a/core/src/main/java/tech/pegasys/web3signer/core/Eth2Runner.java b/core/src/main/java/tech/pegasys/web3signer/core/Eth2Runner.java
index 3f859b341..04cbd0713 100644
--- a/core/src/main/java/tech/pegasys/web3signer/core/Eth2Runner.java
+++ b/core/src/main/java/tech/pegasys/web3signer/core/Eth2Runner.java
@@ -36,15 +36,15 @@
 import tech.pegasys.web3signer.keystorage.azure.AzureKeyVault;
 import tech.pegasys.web3signer.keystorage.common.MappedResults;
 import tech.pegasys.web3signer.keystorage.hashicorp.HashicorpConnectionFactory;
-import tech.pegasys.web3signer.signing.AWSBulkLoadingArtifactSignerProvider;
 import tech.pegasys.web3signer.signing.ArtifactSigner;
 import tech.pegasys.web3signer.signing.ArtifactSignerProvider;
 import tech.pegasys.web3signer.signing.BlsArtifactSignature;
 import tech.pegasys.web3signer.signing.BlsArtifactSigner;
-import tech.pegasys.web3signer.signing.BlsKeystoreBulkLoader;
 import tech.pegasys.web3signer.signing.FileValidatorManager;
 import tech.pegasys.web3signer.signing.KeystoreFileManager;
 import tech.pegasys.web3signer.signing.ValidatorManager;
+import tech.pegasys.web3signer.signing.bulkloading.AWSBulkLoadingArtifactSignerProvider;
+import tech.pegasys.web3signer.signing.bulkloading.BlsKeystoreBulkLoader;
 import tech.pegasys.web3signer.signing.config.AwsSecretsManagerParameters;
 import tech.pegasys.web3signer.signing.config.AzureKeyVaultFactory;
 import tech.pegasys.web3signer.signing.config.AzureKeyVaultParameters;
@@ -66,6 +66,7 @@
 import tech.pegasys.web3signer.slashingprotection.SlashingProtectionParameters;
 import tech.pegasys.web3signer.slashingprotection.dao.ValidatorsDao;
 
+import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
 import java.util.concurrent.Executors;
@@ -73,7 +74,6 @@
 import java.util.stream.Collectors;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
-import com.google.common.collect.Lists;
 import io.vertx.core.Vertx;
 import io.vertx.core.http.HttpMethod;
 import io.vertx.core.json.JsonObject;
@@ -238,104 +238,122 @@ protected ArtifactSignerProvider createArtifactSignerProvider(
       final Vertx vertx, final MetricsSystem metricsSystem) {
     return new DefaultArtifactSignerProvider(
         () -> {
-          final List<ArtifactSigner> signers = Lists.newArrayList();
-          try (final HashicorpConnectionFactory hashicorpConnectionFactory =
-                  new HashicorpConnectionFactory();
-              final InterlockKeyProvider interlockKeyProvider = new InterlockKeyProvider(vertx);
-              final YubiHsmOpaqueDataProvider yubiHsmOpaqueDataProvider =
-                  new YubiHsmOpaqueDataProvider();
-              final AwsSecretsManagerProvider awsSecretsManagerProvider =
-                  new AwsSecretsManagerProvider(
-                      awsSecretsManagerParameters.getCacheMaximumSize())) {
-            final AbstractArtifactSignerFactory artifactSignerFactory =
-                new BlsArtifactSignerFactory(
-                    baseConfig.getKeyConfigPath(),
-                    metricsSystem,
-                    hashicorpConnectionFactory,
-                    interlockKeyProvider,
-                    yubiHsmOpaqueDataProvider,
-                    awsSecretsManagerProvider,
-                    (args) ->
-                        new BlsArtifactSigner(args.getKeyPair(), args.getOrigin(), args.getPath()));
-
-            final MappedResults<ArtifactSigner> results =
-                new SignerLoader(baseConfig.keystoreParallelProcessingEnabled())
-                    .load(
-                        baseConfig.getKeyConfigPath(),
-                        "yaml",
-                        new YamlSignerParser(
-                            List.of(artifactSignerFactory),
-                            YamlMapperFactory.createYamlMapper(
-                                baseConfig.getKeyStoreConfigFileMaxSize())));
-            registerSignerLoadingHealthCheck(KEYS_CHECK_CONFIG_FILE_LOADING, results);
-            signers.addAll(results.getValues());
+          try (final AzureKeyVaultFactory azureKeyVaultFactory = new AzureKeyVaultFactory()) {
+            final List<ArtifactSigner> signers = new ArrayList<>();
+            signers.addAll(
+                loadSignersFromKeyConfigFiles(vertx, azureKeyVaultFactory, metricsSystem)
+                    .getValues());
+            signers.addAll(bulkLoadSigners(azureKeyVaultFactory).getValues());
+
+            final List<Bytes> validators =
+                signers.stream()
+                    .map(ArtifactSigner::getIdentifier)
+                    .map(Bytes::fromHexString)
+                    .collect(Collectors.toList());
+            if (validators.isEmpty()) {
+              LOG.warn("No BLS keys loaded. Check that the key store has BLS key config files");
+            } else {
+              slashingProtectionContext.ifPresent(
+                  context -> context.getRegisteredValidators().registerValidators(validators));
+            }
+
+            return signers;
           }
+        });
+  }
 
-          if (azureKeyVaultParameters.isAzureKeyVaultEnabled()) {
-            LOG.info("Bulk loading keys from Azure key vault ... ");
-            /*
-             Note: Azure supports 25K bytes per secret. https://learn.microsoft.com/en-us/azure/key-vault/secrets/about-secrets
-             Each raw bls private key in hex format is approximately 100 bytes. We should store about 200 or fewer
-             `\n` delimited keys per secret.
-            */
-            final MappedResults<ArtifactSigner> azureResult = loadAzureSigners();
-            LOG.info(
-                "Keys loaded from Azure: [{}], with error count: [{}]",
-                azureResult.getValues().size(),
-                azureResult.getErrorCount());
-            registerSignerLoadingHealthCheck(KEYS_CHECK_AZURE_BULK_LOADING, azureResult);
-            signers.addAll(azureResult.getValues());
-          }
+  private MappedResults<ArtifactSigner> loadSignersFromKeyConfigFiles(
+      final Vertx vertx,
+      final AzureKeyVaultFactory azureKeyVaultFactory,
+      final MetricsSystem metricsSystem) {
+    try (final HashicorpConnectionFactory hashicorpConnectionFactory =
+            new HashicorpConnectionFactory();
+        final InterlockKeyProvider interlockKeyProvider = new InterlockKeyProvider(vertx);
+        final YubiHsmOpaqueDataProvider yubiHsmOpaqueDataProvider =
+            new YubiHsmOpaqueDataProvider();
+        final AwsSecretsManagerProvider awsSecretsManagerProvider =
+            new AwsSecretsManagerProvider(awsSecretsManagerParameters.getCacheMaximumSize()); ) {
+      final AbstractArtifactSignerFactory artifactSignerFactory =
+          new BlsArtifactSignerFactory(
+              baseConfig.getKeyConfigPath(),
+              metricsSystem,
+              hashicorpConnectionFactory,
+              interlockKeyProvider,
+              yubiHsmOpaqueDataProvider,
+              awsSecretsManagerProvider,
+              (args) -> new BlsArtifactSigner(args.getKeyPair(), args.getOrigin(), args.getPath()),
+              azureKeyVaultFactory);
+
+      final MappedResults<ArtifactSigner> results =
+          new SignerLoader(baseConfig.keystoreParallelProcessingEnabled())
+              .load(
+                  baseConfig.getKeyConfigPath(),
+                  "yaml",
+                  new YamlSignerParser(
+                      List.of(artifactSignerFactory),
+                      YamlMapperFactory.createYamlMapper(
+                          baseConfig.getKeyStoreConfigFileMaxSize())));
+      registerSignerLoadingHealthCheck(KEYS_CHECK_CONFIG_FILE_LOADING, results);
+
+      return results;
+    }
+  }
 
-          if (keystoresParameters.isEnabled()) {
-            LOG.info("Bulk loading keys from local keystores ... ");
-            final BlsKeystoreBulkLoader blsKeystoreBulkLoader = new BlsKeystoreBulkLoader();
-            final MappedResults<ArtifactSigner> keystoreSignersResult =
-                keystoresParameters.hasKeystoresPasswordsPath()
-                    ? blsKeystoreBulkLoader.loadKeystoresUsingPasswordDir(
-                        keystoresParameters.getKeystoresPath(),
-                        keystoresParameters.getKeystoresPasswordsPath())
-                    : blsKeystoreBulkLoader.loadKeystoresUsingPasswordFile(
-                        keystoresParameters.getKeystoresPath(),
-                        keystoresParameters.getKeystoresPasswordFile());
-            LOG.info(
-                "Keys loaded from local keystores: [{}], with error count: [{}]",
-                keystoreSignersResult.getValues().size(),
-                keystoreSignersResult.getErrorCount());
-
-            registerSignerLoadingHealthCheck(
-                KEYS_CHECK_KEYSTORE_BULK_LOADING, keystoreSignersResult);
-            signers.addAll(keystoreSignersResult.getValues());
-          }
+  private MappedResults<ArtifactSigner> bulkLoadSigners(
+      final AzureKeyVaultFactory azureKeyVaultFactory) {
+    MappedResults<ArtifactSigner> results = MappedResults.newSetInstance();
+    if (azureKeyVaultParameters.isAzureKeyVaultEnabled()) {
+      LOG.info("Bulk loading keys from Azure key vault ... ");
+      /*
+       Note: Azure supports 25K bytes per secret. https://learn.microsoft.com/en-us/azure/key-vault/secrets/about-secrets
+       Each raw bls private key in hex format is approximately 100 bytes. We should store about 200 or fewer
+       `\n` delimited keys per secret.
+      */
+      final MappedResults<ArtifactSigner> azureResult = loadAzureSigners(azureKeyVaultFactory);
+      LOG.info(
+          "Keys loaded from Azure: [{}], with error count: [{}]",
+          azureResult.getValues().size(),
+          azureResult.getErrorCount());
+      registerSignerLoadingHealthCheck(KEYS_CHECK_AZURE_BULK_LOADING, azureResult);
+      results = MappedResults.merge(results, azureResult);
+    }
 
-          if (awsSecretsManagerParameters.isEnabled()) {
-            LOG.info("Bulk loading keys from AWS Secrets Manager ... ");
-            final AWSBulkLoadingArtifactSignerProvider awsBulkLoadingArtifactSignerProvider =
-                new AWSBulkLoadingArtifactSignerProvider();
-
-            final MappedResults<ArtifactSigner> awsResult =
-                awsBulkLoadingArtifactSignerProvider.load(awsSecretsManagerParameters);
-            LOG.info(
-                "Keys loaded from AWS Secrets Manager: [{}], with error count: [{}]",
-                awsResult.getValues().size(),
-                awsResult.getErrorCount());
-            registerSignerLoadingHealthCheck(KEYS_CHECK_AWS_BULK_LOADING, awsResult);
-            signers.addAll(awsResult.getValues());
-          }
+    if (keystoresParameters.isEnabled()) {
+      LOG.info("Bulk loading keys from local keystores ... ");
+      final BlsKeystoreBulkLoader blsKeystoreBulkLoader = new BlsKeystoreBulkLoader();
+      final MappedResults<ArtifactSigner> keystoreSignersResult =
+          keystoresParameters.hasKeystoresPasswordsPath()
+              ? blsKeystoreBulkLoader.loadKeystoresUsingPasswordDir(
+                  keystoresParameters.getKeystoresPath(),
+                  keystoresParameters.getKeystoresPasswordsPath())
+              : blsKeystoreBulkLoader.loadKeystoresUsingPasswordFile(
+                  keystoresParameters.getKeystoresPath(),
+                  keystoresParameters.getKeystoresPasswordFile());
+      LOG.info(
+          "Keys loaded from local keystores: [{}], with error count: [{}]",
+          keystoreSignersResult.getValues().size(),
+          keystoreSignersResult.getErrorCount());
+
+      registerSignerLoadingHealthCheck(KEYS_CHECK_KEYSTORE_BULK_LOADING, keystoreSignersResult);
+      results = MappedResults.merge(results, keystoreSignersResult);
+    }
 
-          final List<Bytes> validators =
-              signers.stream()
-                  .map(ArtifactSigner::getIdentifier)
-                  .map(Bytes::fromHexString)
-                  .collect(Collectors.toList());
-          if (validators.isEmpty()) {
-            LOG.warn("No BLS keys loaded. Check that the key store has BLS key config files");
-          } else {
-            slashingProtectionContext.ifPresent(
-                context -> context.getRegisteredValidators().registerValidators(validators));
-          }
-          return signers;
-        });
+    if (awsSecretsManagerParameters.isEnabled()) {
+      LOG.info("Bulk loading keys from AWS Secrets Manager ... ");
+      final AWSBulkLoadingArtifactSignerProvider awsBulkLoadingArtifactSignerProvider =
+          new AWSBulkLoadingArtifactSignerProvider();
+
+      final MappedResults<ArtifactSigner> awsResult =
+          awsBulkLoadingArtifactSignerProvider.load(awsSecretsManagerParameters);
+      LOG.info(
+          "Keys loaded from AWS Secrets Manager: [{}], with error count: [{}]",
+          awsResult.getValues().size(),
+          awsResult.getErrorCount());
+      registerSignerLoadingHealthCheck(KEYS_CHECK_AWS_BULK_LOADING, awsResult);
+      results = MappedResults.merge(results, awsResult);
+    }
+
+    return results;
   }
 
   private void registerSignerLoadingHealthCheck(
@@ -390,9 +408,10 @@ private void scheduleAndExecuteInitialDbPruning() {
     dbPrunerRunner.schedule();
   }
 
-  final MappedResults<ArtifactSigner> loadAzureSigners() {
+  final MappedResults<ArtifactSigner> loadAzureSigners(
+      final AzureKeyVaultFactory azureKeyVaultFactory) {
     final AzureKeyVault keyVault =
-        AzureKeyVaultFactory.createAzureKeyVault(azureKeyVaultParameters);
+        azureKeyVaultFactory.createAzureKeyVault(azureKeyVaultParameters);
 
     return keyVault.mapSecrets(
         (name, value) -> {
diff --git a/core/src/main/java/tech/pegasys/web3signer/core/FilecoinRunner.java b/core/src/main/java/tech/pegasys/web3signer/core/FilecoinRunner.java
index 9d0d2b786..e5a9e8532 100644
--- a/core/src/main/java/tech/pegasys/web3signer/core/FilecoinRunner.java
+++ b/core/src/main/java/tech/pegasys/web3signer/core/FilecoinRunner.java
@@ -27,6 +27,7 @@
 import tech.pegasys.web3signer.signing.ArtifactSignerProvider;
 import tech.pegasys.web3signer.signing.FcBlsArtifactSigner;
 import tech.pegasys.web3signer.signing.FcSecpArtifactSigner;
+import tech.pegasys.web3signer.signing.config.AzureKeyVaultFactory;
 import tech.pegasys.web3signer.signing.config.DefaultArtifactSignerProvider;
 import tech.pegasys.web3signer.signing.config.SignerLoader;
 import tech.pegasys.web3signer.signing.config.metadata.AbstractArtifactSignerFactory;
@@ -104,7 +105,10 @@ protected ArtifactSignerProvider createArtifactSignerProvider(
       final Vertx vertx, final MetricsSystem metricsSystem) {
     return new DefaultArtifactSignerProvider(
         () -> {
-          final AzureKeyVaultSignerFactory azureFactory = new AzureKeyVaultSignerFactory();
+          final AzureKeyVaultFactory azureKeyVaultFactory = new AzureKeyVaultFactory();
+          registerClose(azureKeyVaultFactory::close);
+          final AzureKeyVaultSignerFactory azureSignerFactory =
+              new AzureKeyVaultSignerFactory(azureKeyVaultFactory);
 
           try (final HashicorpConnectionFactory hashicorpConnectionFactory =
                   new HashicorpConnectionFactory();
@@ -122,16 +126,18 @@ protected ArtifactSignerProvider createArtifactSignerProvider(
                     interlockKeyProvider,
                     yubiHsmOpaqueDataProvider,
                     awsSecretsManagerProvider,
-                    (args) -> new FcBlsArtifactSigner(args.getKeyPair(), network));
+                    (args) -> new FcBlsArtifactSigner(args.getKeyPair(), network),
+                    azureKeyVaultFactory);
 
             final AbstractArtifactSignerFactory secpArtifactSignerFactory =
                 new Secp256k1ArtifactSignerFactory(
                     hashicorpConnectionFactory,
                     baseConfig.getKeyConfigPath(),
-                    azureFactory,
+                    azureSignerFactory,
                     interlockKeyProvider,
                     yubiHsmOpaqueDataProvider,
                     signer -> new FcSecpArtifactSigner(signer, network),
+                    azureKeyVaultFactory,
                     false);
 
             return new SignerLoader(baseConfig.keystoreParallelProcessingEnabled())
diff --git a/core/src/main/java/tech/pegasys/web3signer/core/Runner.java b/core/src/main/java/tech/pegasys/web3signer/core/Runner.java
index dab1294f8..56cb4fc86 100644
--- a/core/src/main/java/tech/pegasys/web3signer/core/Runner.java
+++ b/core/src/main/java/tech/pegasys/web3signer/core/Runner.java
@@ -30,11 +30,13 @@
 import tech.pegasys.web3signer.core.util.FileUtil;
 import tech.pegasys.web3signer.signing.ArtifactSignerProvider;
 
+import java.io.Closeable;
 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.nio.file.AccessDeniedException;
 import java.nio.file.NoSuchFileException;
+import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
 import java.util.Properties;
@@ -73,7 +75,7 @@
 import org.hyperledger.besu.metrics.prometheus.MetricsConfiguration;
 import org.hyperledger.besu.plugin.services.MetricsSystem;
 
-public abstract class Runner implements Runnable {
+public abstract class Runner implements Runnable, AutoCloseable {
   public static final String JSON = HttpHeaderValues.APPLICATION_JSON.toString();
   public static final String HEALTHCHECK_PATH = "/healthcheck";
   public static final String UPCHECK_PATH = "/upcheck";
@@ -84,6 +86,7 @@ public abstract class Runner implements Runnable {
   protected final BaseConfig baseConfig;
 
   private HealthCheckHandler healthCheckHandler;
+  private final List<Closeable> closeables = new ArrayList<>();
 
   protected Runner(final BaseConfig baseConfig) {
     this.baseConfig = baseConfig;
@@ -394,4 +397,19 @@ private String buildCorsRegexFromConfig() {
       return stringJoiner.toString();
     }
   }
+
+  protected void registerClose(final Closeable closeable) {
+    closeables.add(closeable);
+  }
+
+  @Override
+  public void close() throws Exception {
+    for (Closeable closeable : closeables) {
+      try {
+        closeable.close();
+      } catch (Exception e) {
+        LOG.error("Failed to close Runner resource", e);
+      }
+    }
+  }
 }
diff --git a/core/src/main/java/tech/pegasys/web3signer/core/config/Eth1Config.java b/core/src/main/java/tech/pegasys/web3signer/core/config/Eth1Config.java
index 98ed3fabf..febccb5d3 100644
--- a/core/src/main/java/tech/pegasys/web3signer/core/config/Eth1Config.java
+++ b/core/src/main/java/tech/pegasys/web3signer/core/config/Eth1Config.java
@@ -14,6 +14,7 @@
 
 import tech.pegasys.web3signer.core.config.client.ClientTlsOptions;
 import tech.pegasys.web3signer.core.service.jsonrpc.handlers.signing.ChainIdProvider;
+import tech.pegasys.web3signer.signing.config.AzureKeyVaultParameters;
 
 import java.time.Duration;
 import java.util.Optional;
@@ -39,4 +40,6 @@ public interface Eth1Config {
   Optional<ClientTlsOptions> getClientTlsOptions();
 
   ChainIdProvider getChainId();
+
+  AzureKeyVaultParameters getAzureKeyVaultConfig();
 }
diff --git a/keystorage/src/main/java/tech/pegasys/web3signer/keystorage/azure/AzureKeyVault.java b/keystorage/src/main/java/tech/pegasys/web3signer/keystorage/azure/AzureKeyVault.java
index ae9565c26..7f1219aec 100644
--- a/keystorage/src/main/java/tech/pegasys/web3signer/keystorage/azure/AzureKeyVault.java
+++ b/keystorage/src/main/java/tech/pegasys/web3signer/keystorage/azure/AzureKeyVault.java
@@ -19,8 +19,10 @@
 import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ExecutorService;
 import java.util.concurrent.atomic.AtomicInteger;
 import java.util.function.BiFunction;
+import java.util.function.Function;
 
 import com.azure.core.credential.TokenCredential;
 import com.azure.core.exception.ResourceNotFoundException;
@@ -31,6 +33,7 @@
 import com.azure.security.keyvault.keys.KeyClientBuilder;
 import com.azure.security.keyvault.keys.cryptography.CryptographyClient;
 import com.azure.security.keyvault.keys.cryptography.CryptographyClientBuilder;
+import com.azure.security.keyvault.keys.models.KeyProperties;
 import com.azure.security.keyvault.keys.models.KeyVaultKey;
 import com.azure.security.keyvault.secrets.SecretClient;
 import com.azure.security.keyvault.secrets.SecretClientBuilder;
@@ -51,12 +54,14 @@ public static AzureKeyVault createUsingClientSecretCredentials(
       final String clientId,
       final String clientSecret,
       final String tenantId,
-      final String vaultName) {
+      final String vaultName,
+      final ExecutorService executorService) {
     final TokenCredential tokenCredential =
         new ClientSecretCredentialBuilder()
             .clientId(clientId)
             .clientSecret(clientSecret)
             .tenantId(tenantId)
+            .executorService(executorService)
             .build();
 
     return new AzureKeyVault(tokenCredential, vaultName);
@@ -148,13 +153,57 @@ public <R> MappedResults<R> mapSecrets(
     return MappedResults.newInstance(result, errorCount.intValue());
   }
 
+  public <R> MappedResults<R> mapKeyProperties(
+      final Function<KeyProperties, R> mapper, final Map<String, String> tags) {
+    final Set<R> result = ConcurrentHashMap.newKeySet();
+    final AtomicInteger errorCount = new AtomicInteger(0);
+    try {
+      keyClient
+          .listPropertiesOfKeys()
+          .streamByPage()
+          .forEach(
+              keyPage ->
+                  keyPage.getValue().parallelStream()
+                      .filter(keyProperties -> keyPropertiesPredicate(tags, keyProperties))
+                      .forEach(
+                          kp -> {
+                            try {
+                              final R value = mapper.apply(kp);
+                              result.add(value);
+                            } catch (final Exception e) {
+                              LOG.warn(
+                                  "Failed to map keyProperties '{}' to requested object type.",
+                                  kp.getName());
+                              errorCount.incrementAndGet();
+                            }
+                          }));
+    } catch (final Exception e) {
+      LOG.error("Unexpected error during Azure mapKeyProperties", e);
+      errorCount.incrementAndGet();
+    }
+
+    return MappedResults.newInstance(result, errorCount.intValue());
+  }
+
+  private static boolean isEmptyTags(final Map<String, String> tags) {
+    return tags == null || tags.isEmpty();
+  }
+
   private static boolean secretPropertiesPredicate(
       final Map<String, String> tags, final SecretProperties secretProperties) {
-    if (tags == null || tags.isEmpty()) {
+    if (isEmptyTags(tags))
       return true; // we don't want to filter if user-supplied tags map is empty
-    }
 
     return secretProperties.getTags() != null // return false if remote secret doesn't have any tags
         && secretProperties.getTags().entrySet().containsAll(tags.entrySet());
   }
+
+  private static boolean keyPropertiesPredicate(
+      final Map<String, String> tags, final KeyProperties keyProperties) {
+    if (isEmptyTags(tags))
+      return true; // we don't want to filter if user-supplied tags map is empty
+
+    return keyProperties.getTags() != null // return false if remote secret doesn't have any tags
+        && keyProperties.getTags().entrySet().containsAll(tags.entrySet());
+  }
 }
diff --git a/keystorage/src/test/java/tech/pegasys/web3signer/keystorage/azure/AzureKeyVaultTest.java b/keystorage/src/test/java/tech/pegasys/web3signer/keystorage/azure/AzureKeyVaultTest.java
index 35b265d98..8c2113a0b 100644
--- a/keystorage/src/test/java/tech/pegasys/web3signer/keystorage/azure/AzureKeyVaultTest.java
+++ b/keystorage/src/test/java/tech/pegasys/web3signer/keystorage/azure/AzureKeyVaultTest.java
@@ -22,7 +22,10 @@
 import java.util.Collections;
 import java.util.Map;
 import java.util.Optional;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
 
+import com.azure.security.keyvault.keys.models.KeyProperties;
 import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.Assumptions;
 import org.junit.jupiter.api.BeforeAll;
@@ -34,10 +37,14 @@ public class AzureKeyVaultTest {
   private static final String TENANT_ID = System.getenv("AZURE_TENANT_ID");
   private static final String VAULT_NAME = System.getenv("AZURE_KEY_VAULT_NAME");
   private static final String SECRET_NAME = "TEST-KEY";
+  private static final String SECRET_NAME2 = "TEST-KEY-2";
+  public static final String KEY_NAME = "TestKey2";
+  public static final String KEY_NAME2 = "TestKeyWithTag";
   private static final String EXPECTED_KEY =
       "3ee2224386c82ffea477e2adf28a2929f5c349165a4196158c7f3a2ecca40f35";
   private static final String EXPECTED_KEY2 =
       "0x5aba5b89c1d8b731dba1ba29128a4070df0dbfd7e0a67edb40ae7f860cd3ca1c";
+  private final ExecutorService azureExecutor = Executors.newCachedThreadPool();
 
   @BeforeAll
   public static void setup() {
@@ -50,7 +57,8 @@ public static void setup() {
   @Test
   void fetchExistingSecretKeyFromAzureVault() {
     final AzureKeyVault azureKeyVault =
-        createUsingClientSecretCredentials(CLIENT_ID, CLIENT_SECRET, TENANT_ID, VAULT_NAME);
+        createUsingClientSecretCredentials(
+            CLIENT_ID, CLIENT_SECRET, TENANT_ID, VAULT_NAME, azureExecutor);
     final Optional<String> hexKey = azureKeyVault.fetchSecret(SECRET_NAME);
     Assertions.assertThat(hexKey).isNotEmpty().get().isEqualTo(EXPECTED_KEY);
   }
@@ -58,7 +66,8 @@ void fetchExistingSecretKeyFromAzureVault() {
   @Test
   void connectingWithInvalidClientSecretThrowsException() {
     final AzureKeyVault azureKeyVault =
-        createUsingClientSecretCredentials(CLIENT_ID, "invalid", TENANT_ID, VAULT_NAME);
+        createUsingClientSecretCredentials(
+            CLIENT_ID, "invalid", TENANT_ID, VAULT_NAME, azureExecutor);
     Assertions.assertThatExceptionOfType(RuntimeException.class)
         .isThrownBy(() -> azureKeyVault.fetchSecret(SECRET_NAME))
         .withMessageContaining("Invalid client secret");
@@ -67,7 +76,8 @@ void connectingWithInvalidClientSecretThrowsException() {
   @Test
   void connectingWithInvalidClientIdThrowsException() {
     final AzureKeyVault azureKeyVault =
-        createUsingClientSecretCredentials("invalid", CLIENT_SECRET, TENANT_ID, VAULT_NAME);
+        createUsingClientSecretCredentials(
+            "invalid", CLIENT_SECRET, TENANT_ID, VAULT_NAME, azureExecutor);
     Assertions.assertThatExceptionOfType(RuntimeException.class)
         .isThrownBy(() -> azureKeyVault.fetchSecret(SECRET_NAME))
         .withMessageContaining(
@@ -77,29 +87,48 @@ void connectingWithInvalidClientIdThrowsException() {
   @Test
   void nonExistingSecretReturnEmpty() {
     final AzureKeyVault azureKeyVault =
-        createUsingClientSecretCredentials(CLIENT_ID, CLIENT_SECRET, TENANT_ID, VAULT_NAME);
+        createUsingClientSecretCredentials(
+            CLIENT_ID, CLIENT_SECRET, TENANT_ID, VAULT_NAME, azureExecutor);
     assertThat(azureKeyVault.fetchSecret("X-" + SECRET_NAME)).isEmpty();
   }
 
   @Test
   void secretsCanBeMappedUsingCustomMappingFunction() {
     final AzureKeyVault azureKeyVault =
-        createUsingClientSecretCredentials(CLIENT_ID, CLIENT_SECRET, TENANT_ID, VAULT_NAME);
+        createUsingClientSecretCredentials(
+            CLIENT_ID, CLIENT_SECRET, TENANT_ID, VAULT_NAME, azureExecutor);
 
     final MappedResults<SimpleEntry<String, String>> result =
         azureKeyVault.mapSecrets(SimpleEntry::new, Collections.emptyMap());
     final Collection<SimpleEntry<String, String>> entries = result.getValues();
 
     final Optional<SimpleEntry<String, String>> testKeyEntry =
-        entries.stream().filter(e -> e.getKey().equals("TEST-KEY")).findAny();
+        entries.stream().filter(e -> e.getKey().equals(SECRET_NAME)).findAny();
     Assertions.assertThat(testKeyEntry).isPresent();
     Assertions.assertThat(testKeyEntry.get().getValue()).isEqualTo(EXPECTED_KEY);
+    Assertions.assertThat(result.getErrorCount()).isZero();
+  }
+
+  @Test
+  void keyPropertiesCanBeMappedUsingCustomMappingFunction() {
+    final AzureKeyVault azureKeyVault =
+        createUsingClientSecretCredentials(
+            CLIENT_ID, CLIENT_SECRET, TENANT_ID, VAULT_NAME, azureExecutor);
+
+    final MappedResults<String> result =
+        azureKeyVault.mapKeyProperties(KeyProperties::getName, Collections.emptyMap());
+    final Collection<String> entries = result.getValues();
+    final Optional<String> testKeyEntry =
+        entries.stream().filter(e -> e.equals(KEY_NAME)).findAny();
+    Assertions.assertThat(testKeyEntry).hasValue(KEY_NAME);
+    Assertions.assertThat(result.getErrorCount()).isZero();
   }
 
   @Test
   void mapSecretsUsingTags() {
     final AzureKeyVault azureKeyVault =
-        createUsingClientSecretCredentials(CLIENT_ID, CLIENT_SECRET, TENANT_ID, VAULT_NAME);
+        createUsingClientSecretCredentials(
+            CLIENT_ID, CLIENT_SECRET, TENANT_ID, VAULT_NAME, azureExecutor);
 
     final MappedResults<SimpleEntry<String, String>> result =
         azureKeyVault.mapSecrets(SimpleEntry::new, Map.of("ENV", "TEST"));
@@ -108,7 +137,7 @@ void mapSecretsUsingTags() {
     Assertions.assertThat(result.getValues().size()).isOne();
     Optional<SimpleEntry<String, String>> secretEntry =
         result.getValues().stream()
-            .filter(entry -> "TEST-KEY-2".equals(entry.getKey()))
+            .filter(entry -> SECRET_NAME2.equals(entry.getKey()))
             .findFirst();
     Assertions.assertThat(secretEntry).isPresent();
     Assertions.assertThat(secretEntry.get().getValue()).isEqualTo(EXPECTED_KEY2);
@@ -117,10 +146,26 @@ void mapSecretsUsingTags() {
     Assertions.assertThat(result.getErrorCount()).isZero();
   }
 
+  @Test
+  void mapKeyPropertiesUsingTags() {
+    final AzureKeyVault azureKeyVault =
+        createUsingClientSecretCredentials(
+            CLIENT_ID, CLIENT_SECRET, TENANT_ID, VAULT_NAME, azureExecutor);
+
+    final MappedResults<String> result =
+        azureKeyVault.mapKeyProperties(KeyProperties::getName, Map.of("ENV", "TEST"));
+    final Collection<String> entries = result.getValues();
+    final Optional<String> testKeyEntry =
+        entries.stream().filter(e -> e.equals(KEY_NAME2)).findAny();
+    Assertions.assertThat(testKeyEntry).hasValue(KEY_NAME2);
+    Assertions.assertThat(result.getErrorCount()).isZero();
+  }
+
   @Test
   void mapSecretsWhenTagsDoesNotExist() {
     final AzureKeyVault azureKeyVault =
-        createUsingClientSecretCredentials(CLIENT_ID, CLIENT_SECRET, TENANT_ID, VAULT_NAME);
+        createUsingClientSecretCredentials(
+            CLIENT_ID, CLIENT_SECRET, TENANT_ID, VAULT_NAME, azureExecutor);
 
     final MappedResults<SimpleEntry<String, String>> result =
         azureKeyVault.mapSecrets(SimpleEntry::new, Map.of("INVALID_TAG", "INVALID_TEST"));
@@ -133,53 +178,132 @@ void mapSecretsWhenTagsDoesNotExist() {
   }
 
   @Test
-  void azureVaultThrowsAwayObjectsWhichFailMapper() {
+  void mapKeyPropertiesWhenTagsDoesNotExist() {
+    final AzureKeyVault azureKeyVault =
+        createUsingClientSecretCredentials(
+            CLIENT_ID, CLIENT_SECRET, TENANT_ID, VAULT_NAME, azureExecutor);
+
+    final MappedResults<String> result =
+        azureKeyVault.mapKeyProperties(
+            KeyProperties::getName, Map.of("INVALID_TAG", "INVALID_TEST"));
+
+    // The key vault is not expected to have any secrets with above tags.
+    Assertions.assertThat(result.getValues()).isEmpty();
+
+    // we should not encounter any error count
+    Assertions.assertThat(result.getErrorCount()).isZero();
+  }
+
+  @Test
+  void mapSecretsThrowsAwayObjectsWhichFailMapper() {
     final AzureKeyVault azureKeyVault =
-        createUsingClientSecretCredentials(CLIENT_ID, CLIENT_SECRET, TENANT_ID, VAULT_NAME);
+        createUsingClientSecretCredentials(
+            CLIENT_ID, CLIENT_SECRET, TENANT_ID, VAULT_NAME, azureExecutor);
 
     final MappedResults<SimpleEntry<String, String>> result =
         azureKeyVault.mapSecrets(
             (name, value) -> {
-              if (name.equals("MyBls")) {
+              if (name.equals(SECRET_NAME2)) {
                 throw new RuntimeException("Arbitrary Failure");
               }
               return new SimpleEntry<>(name, value);
             },
             Collections.emptyMap());
     final Collection<SimpleEntry<String, String>> entries = result.getValues();
+    Assertions.assertThat(result.getErrorCount()).isOne();
 
     final Optional<SimpleEntry<String, String>> testKeyEntry =
-        entries.stream().filter(e -> e.getKey().equals("TEST-KEY")).findAny();
+        entries.stream().filter(e -> e.getKey().equals(SECRET_NAME)).findAny();
     Assertions.assertThat(testKeyEntry).isPresent();
     Assertions.assertThat(testKeyEntry.get().getValue()).isEqualTo(EXPECTED_KEY);
 
-    final Optional<SimpleEntry<String, String>> myBlsEntry =
-        entries.stream().filter(e -> e.getKey().equals("MyBls")).findAny();
-    Assertions.assertThat(myBlsEntry).isEmpty();
+    final Optional<SimpleEntry<String, String>> testKey2 =
+        entries.stream().filter(e -> e.getKey().equals(SECRET_NAME2)).findAny();
+    Assertions.assertThat(testKey2).isEmpty();
   }
 
   @Test
-  void azureVaultThrowsAwayObjectsWhichMapToNull() {
+  void mapKeyPropertiesThrowsAwayObjectsWhichFailMapper() {
     final AzureKeyVault azureKeyVault =
-        createUsingClientSecretCredentials(CLIENT_ID, CLIENT_SECRET, TENANT_ID, VAULT_NAME);
+        createUsingClientSecretCredentials(
+            CLIENT_ID, CLIENT_SECRET, TENANT_ID, VAULT_NAME, azureExecutor);
+
+    final MappedResults<String> result =
+        azureKeyVault.mapKeyProperties(
+            keyProperties -> {
+              if (keyProperties.getName().equals(KEY_NAME2)) {
+                throw new RuntimeException("Arbitrary Failure");
+              }
+              return keyProperties.getName();
+            },
+            Collections.emptyMap());
+
+    final Collection<String> entries = result.getValues();
+    Assertions.assertThat(result.getErrorCount()).isOne();
+
+    final Optional<String> testKey2Entry =
+        entries.stream().filter(e -> e.equals(KEY_NAME)).findAny();
+    Assertions.assertThat(testKey2Entry).isPresent();
+    Assertions.assertThat(testKey2Entry).hasValue(KEY_NAME);
+
+    final Optional<String> testKeyWithTag =
+        entries.stream().filter(e -> e.equals(KEY_NAME2)).findAny();
+    Assertions.assertThat(testKeyWithTag).isEmpty();
+  }
+
+  @Test
+  void mapSecretsThrowsAwayObjectsWhichMapToNull() {
+    final AzureKeyVault azureKeyVault =
+        createUsingClientSecretCredentials(
+            CLIENT_ID, CLIENT_SECRET, TENANT_ID, VAULT_NAME, azureExecutor);
 
     final MappedResults<SimpleEntry<String, String>> result =
         azureKeyVault.mapSecrets(
             (name, value) -> {
-              if (name.equals("TEST-KEY")) {
+              if (name.equals(SECRET_NAME)) {
                 return null;
               }
               return new SimpleEntry<>(name, value);
             },
             Collections.emptyMap());
     final Collection<SimpleEntry<String, String>> entries = result.getValues();
+    Assertions.assertThat(result.getErrorCount()).isOne();
     final Optional<SimpleEntry<String, String>> testKeyEntry =
-        entries.stream().filter(e -> e.getKey().equals("TEST-KEY")).findAny();
+        entries.stream().filter(e -> e.getKey().equals(SECRET_NAME)).findAny();
     Assertions.assertThat(testKeyEntry).isEmpty();
 
-    final Optional<SimpleEntry<String, String>> myBlsEntry =
-        entries.stream().filter(e -> e.getKey().equals("TEST-KEY-2")).findAny();
-    Assertions.assertThat(myBlsEntry).isPresent();
-    Assertions.assertThat(myBlsEntry.get().getValue()).isEqualTo(EXPECTED_KEY2);
+    final Optional<SimpleEntry<String, String>> testKey2Entry =
+        entries.stream().filter(e -> e.getKey().equals(SECRET_NAME2)).findAny();
+    Assertions.assertThat(testKey2Entry).isPresent();
+    Assertions.assertThat(testKey2Entry.get().getValue()).isEqualTo(EXPECTED_KEY2);
+  }
+
+  @Test
+  void mapKeyPropertiesThrowsAwayObjectsWhichMapToNull() {
+    final AzureKeyVault azureKeyVault =
+        createUsingClientSecretCredentials(
+            CLIENT_ID, CLIENT_SECRET, TENANT_ID, VAULT_NAME, azureExecutor);
+
+    final MappedResults<String> result =
+        azureKeyVault.mapKeyProperties(
+            keyProperties -> {
+              if (keyProperties.getName().equals(KEY_NAME2)) {
+                return null;
+              }
+              return keyProperties.getName();
+            },
+            Collections.emptyMap());
+
+    final Collection<String> entries = result.getValues();
+    Assertions.assertThat(result.getErrorCount()).isOne();
+
+    final Optional<String> testKey2Entry =
+        entries.stream().filter(e -> e.equals(KEY_NAME)).findAny();
+    Assertions.assertThat(testKey2Entry).isPresent();
+    Assertions.assertThat(testKey2Entry).hasValue(KEY_NAME);
+
+    final Optional<String> testKeyWithTag =
+        entries.stream().filter(e -> e.equals(KEY_NAME2)).findAny();
+    Assertions.assertThat(testKeyWithTag).isEmpty();
   }
 }
diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/AWSBulkLoadingArtifactSignerProvider.java b/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/AWSBulkLoadingArtifactSignerProvider.java
similarity index 92%
rename from signing/src/main/java/tech/pegasys/web3signer/signing/AWSBulkLoadingArtifactSignerProvider.java
rename to signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/AWSBulkLoadingArtifactSignerProvider.java
index 187b5fb31..f33db9b4a 100644
--- a/signing/src/main/java/tech/pegasys/web3signer/signing/AWSBulkLoadingArtifactSignerProvider.java
+++ b/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/AWSBulkLoadingArtifactSignerProvider.java
@@ -10,13 +10,15 @@
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
  * specific language governing permissions and limitations under the License.
  */
-package tech.pegasys.web3signer.signing;
+package tech.pegasys.web3signer.signing.bulkloading;
 
 import tech.pegasys.teku.bls.BLSKeyPair;
 import tech.pegasys.teku.bls.BLSSecretKey;
 import tech.pegasys.web3signer.keystorage.aws.AwsSecretsManager;
 import tech.pegasys.web3signer.keystorage.aws.AwsSecretsManagerProvider;
 import tech.pegasys.web3signer.keystorage.common.MappedResults;
+import tech.pegasys.web3signer.signing.ArtifactSigner;
+import tech.pegasys.web3signer.signing.BlsArtifactSigner;
 import tech.pegasys.web3signer.signing.config.AwsSecretsManagerFactory;
 import tech.pegasys.web3signer.signing.config.AwsSecretsManagerParameters;
 import tech.pegasys.web3signer.signing.config.metadata.SignerOrigin;
diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/BlsKeystoreBulkLoader.java b/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/BlsKeystoreBulkLoader.java
similarity index 96%
rename from signing/src/main/java/tech/pegasys/web3signer/signing/BlsKeystoreBulkLoader.java
rename to signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/BlsKeystoreBulkLoader.java
index c735fa47f..23ec4c722 100644
--- a/signing/src/main/java/tech/pegasys/web3signer/signing/BlsKeystoreBulkLoader.java
+++ b/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/BlsKeystoreBulkLoader.java
@@ -10,7 +10,7 @@
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
  * specific language governing permissions and limitations under the License.
  */
-package tech.pegasys.web3signer.signing;
+package tech.pegasys.web3signer.signing.bulkloading;
 
 import tech.pegasys.signers.bls.keystore.KeyStore;
 import tech.pegasys.signers.bls.keystore.KeyStoreLoader;
@@ -19,6 +19,8 @@
 import tech.pegasys.teku.bls.BLSKeyPair;
 import tech.pegasys.teku.bls.BLSSecretKey;
 import tech.pegasys.web3signer.keystorage.common.MappedResults;
+import tech.pegasys.web3signer.signing.ArtifactSigner;
+import tech.pegasys.web3signer.signing.BlsArtifactSigner;
 import tech.pegasys.web3signer.signing.config.metadata.SignerOrigin;
 
 import java.io.IOException;
diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/SecpAzureBulkLoader.java b/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/SecpAzureBulkLoader.java
new file mode 100644
index 000000000..b762447b3
--- /dev/null
+++ b/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/SecpAzureBulkLoader.java
@@ -0,0 +1,51 @@
+/*
+ * Copyright 2023 ConsenSys AG.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package tech.pegasys.web3signer.signing.bulkloading;
+
+import tech.pegasys.web3signer.keystorage.azure.AzureKeyVault;
+import tech.pegasys.web3signer.keystorage.common.MappedResults;
+import tech.pegasys.web3signer.signing.ArtifactSigner;
+import tech.pegasys.web3signer.signing.EthSecpArtifactSigner;
+import tech.pegasys.web3signer.signing.config.AzureKeyVaultParameters;
+import tech.pegasys.web3signer.signing.secp256k1.azure.AzureConfig;
+import tech.pegasys.web3signer.signing.secp256k1.azure.AzureKeyVaultSignerFactory;
+
+public class SecpAzureBulkLoader {
+  private final AzureKeyVault azureKeyVault;
+  private final AzureKeyVaultSignerFactory azureKeyVaultSignerFactory;
+
+  public SecpAzureBulkLoader(
+      final AzureKeyVault azureKeyVault,
+      final AzureKeyVaultSignerFactory azureKeyVaultSignerFactory) {
+    this.azureKeyVault = azureKeyVault;
+    this.azureKeyVaultSignerFactory = azureKeyVaultSignerFactory;
+  }
+
+  public MappedResults<ArtifactSigner> load(final AzureKeyVaultParameters azureKeyVaultParameters) {
+    return azureKeyVault.mapKeyProperties(
+        kp -> createSigner(kp.getName(), azureKeyVaultParameters),
+        azureKeyVaultParameters.getTags());
+  }
+
+  private EthSecpArtifactSigner createSigner(
+      final String keyName, final AzureKeyVaultParameters azureKeyVaultParameters) {
+    return new EthSecpArtifactSigner(
+        azureKeyVaultSignerFactory.createSigner(
+            new AzureConfig(
+                azureKeyVaultParameters.getKeyVaultName(),
+                keyName,
+                azureKeyVaultParameters.getClientId(),
+                azureKeyVaultParameters.getClientSecret(),
+                azureKeyVaultParameters.getTenantId())));
+  }
+}
diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/config/AzureKeyVaultFactory.java b/signing/src/main/java/tech/pegasys/web3signer/signing/config/AzureKeyVaultFactory.java
index 9933bb2db..f031ec770 100644
--- a/signing/src/main/java/tech/pegasys/web3signer/signing/config/AzureKeyVaultFactory.java
+++ b/signing/src/main/java/tech/pegasys/web3signer/signing/config/AzureKeyVaultFactory.java
@@ -14,25 +14,61 @@
 
 import tech.pegasys.web3signer.keystorage.azure.AzureKeyVault;
 
+import java.util.Objects;
 import java.util.Optional;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.atomic.AtomicReference;
 
-public class AzureKeyVaultFactory {
-  public static AzureKeyVault createAzureKeyVault(
-      final AzureKeyVaultParameters azureKeyVaultParameters) {
-    switch (azureKeyVaultParameters.getAuthenticationMode()) {
+import com.google.common.annotations.VisibleForTesting;
+
+public class AzureKeyVaultFactory implements AutoCloseable {
+  private final AtomicReference<ExecutorService> executorServiceCache = new AtomicReference<>();
+
+  public AzureKeyVault createAzureKeyVault(final AzureKeyVaultParameters azureKeyVaultParameters) {
+    return createAzureKeyVault(
+        azureKeyVaultParameters.getClientId(),
+        azureKeyVaultParameters.getClientSecret(),
+        azureKeyVaultParameters.getKeyVaultName(),
+        azureKeyVaultParameters.getTenantId(),
+        azureKeyVaultParameters.getAuthenticationMode());
+  }
+
+  public AzureKeyVault createAzureKeyVault(
+      final String clientId,
+      final String clientSecret,
+      final String keyVaultName,
+      final String tenantId,
+      final AzureAuthenticationMode mode) {
+    switch (mode) {
       case USER_ASSIGNED_MANAGED_IDENTITY:
-        return AzureKeyVault.createUsingManagedIdentity(
-            Optional.of(azureKeyVaultParameters.getClientId()),
-            azureKeyVaultParameters.getKeyVaultName());
+        return AzureKeyVault.createUsingManagedIdentity(Optional.of(clientId), keyVaultName);
       case SYSTEM_ASSIGNED_MANAGED_IDENTITY:
-        return AzureKeyVault.createUsingManagedIdentity(
-            Optional.empty(), azureKeyVaultParameters.getKeyVaultName());
+        return AzureKeyVault.createUsingManagedIdentity(Optional.empty(), keyVaultName);
       default:
         return AzureKeyVault.createUsingClientSecretCredentials(
-            azureKeyVaultParameters.getClientId(),
-            azureKeyVaultParameters.getClientSecret(),
-            azureKeyVaultParameters.getTenantId(),
-            azureKeyVaultParameters.getKeyVaultName());
+            clientId, clientSecret, tenantId, keyVaultName, getOrCreateExecutor());
     }
   }
+
+  private ExecutorService getOrCreateExecutor() {
+    return executorServiceCache.updateAndGet(
+        e ->
+            Objects.requireNonNullElseGet(
+                e, () -> Executors.newFixedThreadPool(Runtime.getRuntime().availableProcessors())));
+  }
+
+  @Override
+  public void close() {
+    final ExecutorService executorService = executorServiceCache.get();
+    if (executorService != null) {
+      executorService.shutdownNow();
+      executorServiceCache.set(null);
+    }
+  }
+
+  @VisibleForTesting
+  protected AtomicReference<ExecutorService> getExecutorServiceCache() {
+    return executorServiceCache;
+  }
 }
diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/config/SignerLoader.java b/signing/src/main/java/tech/pegasys/web3signer/signing/config/SignerLoader.java
index fb170d8ca..ee0cfe3a8 100644
--- a/signing/src/main/java/tech/pegasys/web3signer/signing/config/SignerLoader.java
+++ b/signing/src/main/java/tech/pegasys/web3signer/signing/config/SignerLoader.java
@@ -31,7 +31,6 @@
 import java.util.Map;
 import java.util.Objects;
 import java.util.Set;
-import java.util.concurrent.ForkJoinPool;
 import java.util.concurrent.atomic.AtomicInteger;
 import java.util.concurrent.atomic.AtomicLong;
 import java.util.stream.Collectors;
@@ -47,7 +46,6 @@ public class SignerLoader {
 
   private static final Logger LOG = LogManager.getLogger();
   private static final long FILES_PROCESSED_TO_REPORT = 10;
-  private static final int MAX_FORK_JOIN_THREADS = 5;
   // enable or disable parallel streams to convert and load private keys from metadata files
   private final boolean useParallelStreams;
 
@@ -195,25 +193,15 @@ private MappedResults<ArtifactSigner> mapMetadataToArtifactSigner(
         "Converting signing metadata to Artifact Signer using {} streams ...",
         useParallelStreams ? "parallel" : "sequential");
 
-    // use custom fork-join pool instead of common. Limit number of threads to avoid Azure bug
-    ForkJoinPool forkJoinPool = null;
     try {
       if (useParallelStreams) {
-        forkJoinPool = new ForkJoinPool(numberOfThreads());
-        return forkJoinPool
-            .submit(
-                () -> mapToArtifactSigner(signingMetadataCollection.parallelStream(), signerParser))
-            .get();
+        return mapToArtifactSigner(signingMetadataCollection.parallelStream(), signerParser);
       } else {
         return mapToArtifactSigner(signingMetadataCollection.stream(), signerParser);
       }
     } catch (final Exception e) {
       LOG.error("Unexpected error in processing configuration files: {}", e.getMessage(), e);
       return MappedResults.errorResult();
-    } finally {
-      if (forkJoinPool != null) {
-        forkJoinPool.shutdown();
-      }
     }
   }
 
@@ -258,16 +246,4 @@ private void renderException(final Throwable t, final String filename) {
         ExceptionUtils.getRootCauseMessage(t));
     LOG.debug(ExceptionUtils.getStackTrace(t));
   }
-
-  private int numberOfThreads() {
-    // try to allocate between 1-5 threads (based on processor cores) to process files in parallel
-    int defaultNumberOfThreads = Runtime.getRuntime().availableProcessors() / 2;
-
-    if (defaultNumberOfThreads >= MAX_FORK_JOIN_THREADS) {
-      return MAX_FORK_JOIN_THREADS;
-    } else if (defaultNumberOfThreads < 1) {
-      return 1;
-    }
-    return defaultNumberOfThreads;
-  }
 }
diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/config/metadata/AbstractArtifactSignerFactory.java b/signing/src/main/java/tech/pegasys/web3signer/signing/config/metadata/AbstractArtifactSignerFactory.java
index 97088118d..ba69aa603 100644
--- a/signing/src/main/java/tech/pegasys/web3signer/signing/config/metadata/AbstractArtifactSignerFactory.java
+++ b/signing/src/main/java/tech/pegasys/web3signer/signing/config/metadata/AbstractArtifactSignerFactory.java
@@ -41,20 +41,23 @@ public abstract class AbstractArtifactSignerFactory implements ArtifactSignerFac
   final Path configsDirectory;
   private final InterlockKeyProvider interlockKeyProvider;
   private final YubiHsmOpaqueDataProvider yubiHsmOpaqueDataProvider;
+  private final AzureKeyVaultFactory azureKeyVaultFactory;
 
   protected AbstractArtifactSignerFactory(
       final HashicorpConnectionFactory hashicorpConnectionFactory,
       final Path configsDirectory,
       final InterlockKeyProvider interlockKeyProvider,
-      final YubiHsmOpaqueDataProvider yubiHsmOpaqueDataProvider) {
+      final YubiHsmOpaqueDataProvider yubiHsmOpaqueDataProvider,
+      final AzureKeyVaultFactory azureKeyVaultFactory) {
     this.hashicorpConnectionFactory = hashicorpConnectionFactory;
     this.configsDirectory = configsDirectory;
     this.interlockKeyProvider = interlockKeyProvider;
     this.yubiHsmOpaqueDataProvider = yubiHsmOpaqueDataProvider;
+    this.azureKeyVaultFactory = azureKeyVaultFactory;
   }
 
   protected Bytes extractBytesFromVault(final AzureSecretSigningMetadata metadata) {
-    final AzureKeyVault azureVault = AzureKeyVaultFactory.createAzureKeyVault(metadata);
+    final AzureKeyVault azureVault = azureKeyVaultFactory.createAzureKeyVault(metadata);
 
     return azureVault
         .fetchSecret(metadata.getSecretName())
diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/config/metadata/BlsArtifactSignerFactory.java b/signing/src/main/java/tech/pegasys/web3signer/signing/config/metadata/BlsArtifactSignerFactory.java
index 2fee7e873..53c046583 100644
--- a/signing/src/main/java/tech/pegasys/web3signer/signing/config/metadata/BlsArtifactSignerFactory.java
+++ b/signing/src/main/java/tech/pegasys/web3signer/signing/config/metadata/BlsArtifactSignerFactory.java
@@ -25,6 +25,7 @@
 import tech.pegasys.web3signer.signing.ArtifactSigner;
 import tech.pegasys.web3signer.signing.KeyType;
 import tech.pegasys.web3signer.signing.config.AwsSecretsManagerFactory;
+import tech.pegasys.web3signer.signing.config.AzureKeyVaultFactory;
 import tech.pegasys.web3signer.signing.config.metadata.interlock.InterlockKeyProvider;
 import tech.pegasys.web3signer.signing.config.metadata.yubihsm.YubiHsmOpaqueDataProvider;
 
@@ -51,8 +52,14 @@ public BlsArtifactSignerFactory(
       final InterlockKeyProvider interlockKeyProvider,
       final YubiHsmOpaqueDataProvider yubiHsmOpaqueDataProvider,
       final AwsSecretsManagerProvider awsSecretsManagerProvider,
-      final Function<BlsArtifactSignerArgs, ArtifactSigner> signerFactory) {
-    super(connectionFactory, configsDirectory, interlockKeyProvider, yubiHsmOpaqueDataProvider);
+      final Function<BlsArtifactSignerArgs, ArtifactSigner> signerFactory,
+      final AzureKeyVaultFactory azureKeyVaultFactory) {
+    super(
+        connectionFactory,
+        configsDirectory,
+        interlockKeyProvider,
+        yubiHsmOpaqueDataProvider,
+        azureKeyVaultFactory);
     privateKeyRetrievalTimer =
         metricsSystem.createLabelledTimer(
             Web3SignerMetricCategory.SIGNING,
diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/config/metadata/Secp256k1ArtifactSignerFactory.java b/signing/src/main/java/tech/pegasys/web3signer/signing/config/metadata/Secp256k1ArtifactSignerFactory.java
index 1591a7cc9..cadf8f5f9 100644
--- a/signing/src/main/java/tech/pegasys/web3signer/signing/config/metadata/Secp256k1ArtifactSignerFactory.java
+++ b/signing/src/main/java/tech/pegasys/web3signer/signing/config/metadata/Secp256k1ArtifactSignerFactory.java
@@ -15,6 +15,7 @@
 import tech.pegasys.web3signer.keystorage.hashicorp.HashicorpConnectionFactory;
 import tech.pegasys.web3signer.signing.ArtifactSigner;
 import tech.pegasys.web3signer.signing.KeyType;
+import tech.pegasys.web3signer.signing.config.AzureKeyVaultFactory;
 import tech.pegasys.web3signer.signing.config.metadata.interlock.InterlockKeyProvider;
 import tech.pegasys.web3signer.signing.config.metadata.yubihsm.YubiHsmOpaqueDataProvider;
 import tech.pegasys.web3signer.signing.secp256k1.Signer;
@@ -46,12 +47,14 @@ public Secp256k1ArtifactSignerFactory(
       final InterlockKeyProvider interlockKeyProvider,
       final YubiHsmOpaqueDataProvider yubiHsmOpaqueDataProvider,
       final Function<Signer, ArtifactSigner> signerFactory,
+      final AzureKeyVaultFactory azureKeyVaultFactory,
       final boolean needToHash) {
     super(
         hashicorpConnectionFactory,
         configsDirectory,
         interlockKeyProvider,
-        yubiHsmOpaqueDataProvider);
+        yubiHsmOpaqueDataProvider,
+        azureKeyVaultFactory);
     this.azureCloudSignerFactory = azureCloudSignerFactory;
     this.signerFactory = signerFactory;
     this.needToHash = needToHash;
diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/azure/AzureConfig.java b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/azure/AzureConfig.java
index cfdc9eff0..322cb0218 100644
--- a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/azure/AzureConfig.java
+++ b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/azure/AzureConfig.java
@@ -12,8 +12,6 @@
  */
 package tech.pegasys.web3signer.signing.secp256k1.azure;
 
-import static com.google.common.base.Preconditions.checkNotNull;
-
 import com.fasterxml.jackson.annotation.JsonCreator;
 
 public class AzureConfig {
@@ -24,6 +22,8 @@ public class AzureConfig {
   private final String clientSecret;
   private final String tenantId;
 
+  private static final String KEY_LATEST_VERSION = "";
+
   @JsonCreator
   public AzureConfig(
       final String keyVaultName,
@@ -40,6 +40,15 @@ public AzureConfig(
     this.tenantId = tenantId;
   }
 
+  public AzureConfig(
+      final String keyVaultName,
+      final String keyName,
+      final String clientId,
+      final String clientSecret,
+      final String tenantId) {
+    this(keyVaultName, keyName, KEY_LATEST_VERSION, clientId, clientSecret, tenantId);
+  }
+
   public String getKeyVaultName() {
     return keyVaultName;
   }
@@ -63,55 +72,4 @@ public String getClientSecret() {
   public String getTenantId() {
     return tenantId;
   }
-
-  public static class AzureConfigBuilder {
-
-    private String keyVaultName;
-    private String keyName;
-    private String keyVersion;
-    private String clientId;
-    private String clientSecret;
-    private String tenantId;
-
-    public AzureConfigBuilder withKeyVaultName(final String keyVaultName) {
-      this.keyVaultName = keyVaultName;
-      return this;
-    }
-
-    public AzureConfigBuilder withKeyName(final String keyName) {
-      this.keyName = keyName;
-      return this;
-    }
-
-    public AzureConfigBuilder withKeyVersion(final String keyVersion) {
-      this.keyVersion = keyVersion;
-      return this;
-    }
-
-    public AzureConfigBuilder withClientId(final String clientId) {
-      this.clientId = clientId;
-      return this;
-    }
-
-    public AzureConfigBuilder withClientSecret(final String clientSecret) {
-      this.clientSecret = clientSecret;
-      return this;
-    }
-
-    public AzureConfigBuilder withTenantId(final String tenantId) {
-      this.tenantId = tenantId;
-      return this;
-    }
-
-    public AzureConfig build() {
-      checkNotNull(keyVaultName, "Key Vault Name was not set.");
-      checkNotNull(keyName, "Key Name was not set.");
-      checkNotNull(keyVersion, "Key Version was not set.");
-      checkNotNull(clientId, "Client Id was not set.");
-      checkNotNull(clientSecret, "Client Secret was not set.");
-      checkNotNull(tenantId, "Tenant Id was not set.");
-
-      return new AzureConfig(keyVaultName, keyName, keyVersion, clientId, clientSecret, tenantId);
-    }
-  }
 }
diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/azure/AzureKeyVaultSigner.java b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/azure/AzureKeyVaultSigner.java
index 8052e698b..6bf23484f 100644
--- a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/azure/AzureKeyVaultSigner.java
+++ b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/azure/AzureKeyVaultSigner.java
@@ -12,9 +12,9 @@
  */
 package tech.pegasys.web3signer.signing.secp256k1.azure;
 
-import static tech.pegasys.web3signer.keystorage.azure.AzureKeyVault.createUsingClientSecretCredentials;
-
 import tech.pegasys.web3signer.keystorage.azure.AzureKeyVault;
+import tech.pegasys.web3signer.signing.config.AzureAuthenticationMode;
+import tech.pegasys.web3signer.signing.config.AzureKeyVaultFactory;
 import tech.pegasys.web3signer.signing.secp256k1.EthPublicKeyUtils;
 import tech.pegasys.web3signer.signing.secp256k1.Signature;
 import tech.pegasys.web3signer.signing.secp256k1.Signer;
@@ -44,13 +44,15 @@ public class AzureKeyVaultSigner implements Signer {
   private final AzureConfig config;
   private final ECPublicKey publicKey;
   private final SignatureAlgorithm signingAlgo;
+  private final AzureKeyVaultFactory azureKeyVaultFactory;
   private final boolean needsToHash; // Apply Hash.sha3(data) before signing
 
   AzureKeyVaultSigner(
       final AzureConfig config,
       final Bytes publicKey,
       final boolean needsToHash,
-      final boolean useDeprecatedSignatureAlgorithm) {
+      final boolean useDeprecatedSignatureAlgorithm,
+      final AzureKeyVaultFactory azureKeyVaultFactory) {
     this.config = config;
     this.publicKey = EthPublicKeyUtils.createPublicKey(publicKey);
     this.needsToHash = needsToHash;
@@ -58,6 +60,7 @@ public class AzureKeyVaultSigner implements Signer {
         useDeprecatedSignatureAlgorithm
             ? SignatureAlgorithm.fromString("ECDSA256")
             : SignatureAlgorithm.ES256K;
+    this.azureKeyVaultFactory = azureKeyVaultFactory;
   }
 
   @Override
@@ -65,11 +68,12 @@ public Signature sign(byte[] data) {
     final AzureKeyVault vault;
     try {
       vault =
-          createUsingClientSecretCredentials(
+          azureKeyVaultFactory.createAzureKeyVault(
               config.getClientId(),
               config.getClientSecret(),
+              config.getKeyVaultName(),
               config.getTenantId(),
-              config.getKeyVaultName());
+              AzureAuthenticationMode.CLIENT_SECRET);
     } catch (final Exception e) {
       LOG.error("Failed to connect to vault", e);
       throw new SignerInitializationException(INACCESSIBLE_KEY_ERROR, e);
diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/azure/AzureKeyVaultSignerFactory.java b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/azure/AzureKeyVaultSignerFactory.java
index aaf53a5dc..a797ac87f 100644
--- a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/azure/AzureKeyVaultSignerFactory.java
+++ b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/azure/AzureKeyVaultSignerFactory.java
@@ -13,9 +13,10 @@
 package tech.pegasys.web3signer.signing.secp256k1.azure;
 
 import static com.google.common.base.Preconditions.checkNotNull;
-import static tech.pegasys.web3signer.keystorage.azure.AzureKeyVault.createUsingClientSecretCredentials;
 
 import tech.pegasys.web3signer.keystorage.azure.AzureKeyVault;
+import tech.pegasys.web3signer.signing.config.AzureAuthenticationMode;
+import tech.pegasys.web3signer.signing.config.AzureKeyVaultFactory;
 import tech.pegasys.web3signer.signing.secp256k1.Signer;
 import tech.pegasys.web3signer.signing.secp256k1.common.SignerInitializationException;
 
@@ -36,15 +37,10 @@ public class AzureKeyVaultSignerFactory {
   private static final String DEPRECATED_CURVE_NAME = "SECP256K1";
   private static final Set<String> SUPPORTED_CURVE_NAMES = Set.of(DEPRECATED_CURVE_NAME, "P-256K");
   private static final Logger LOG = LogManager.getLogger();
+  private final AzureKeyVaultFactory azureKeyVaultFactory;
 
-  private final boolean needsToHash;
-
-  public AzureKeyVaultSignerFactory() {
-    this(true);
-  }
-
-  public AzureKeyVaultSignerFactory(final boolean needsToHash) {
-    this.needsToHash = needsToHash;
+  public AzureKeyVaultSignerFactory(final AzureKeyVaultFactory azureKeyVaultFactory) {
+    this.azureKeyVaultFactory = azureKeyVaultFactory;
   }
 
   public Signer createSigner(final AzureConfig config) {
@@ -53,11 +49,12 @@ public Signer createSigner(final AzureConfig config) {
     final AzureKeyVault vault;
     try {
       vault =
-          createUsingClientSecretCredentials(
+          azureKeyVaultFactory.createAzureKeyVault(
               config.getClientId(),
               config.getClientSecret(),
+              config.getKeyVaultName(),
               config.getTenantId(),
-              config.getKeyVaultName());
+              AzureAuthenticationMode.CLIENT_SECRET);
     } catch (final Exception e) {
       LOG.error("Failed to connect to vault", e);
       throw new SignerInitializationException(INACCESSIBLE_KEY_ERROR, e);
@@ -80,6 +77,7 @@ public Signer createSigner(final AzureConfig config) {
     final Bytes rawPublicKey =
         Bytes.concatenate(Bytes.wrap(jsonWebKey.getX()), Bytes.wrap(jsonWebKey.getY()));
     final boolean useDeprecatedCurveName = DEPRECATED_CURVE_NAME.equals(curveName);
-    return new AzureKeyVaultSigner(config, rawPublicKey, needsToHash, useDeprecatedCurveName);
+    return new AzureKeyVaultSigner(
+        config, rawPublicKey, true, useDeprecatedCurveName, azureKeyVaultFactory);
   }
 }
diff --git a/signing/src/test/java/tech/pegasys/web3signer/signing/BlsKeystoreBulkLoaderTest.java b/signing/src/test/java/tech/pegasys/web3signer/signing/BlsKeystoreBulkLoaderTest.java
index 82c528ddb..21702e127 100644
--- a/signing/src/test/java/tech/pegasys/web3signer/signing/BlsKeystoreBulkLoaderTest.java
+++ b/signing/src/test/java/tech/pegasys/web3signer/signing/BlsKeystoreBulkLoaderTest.java
@@ -18,6 +18,7 @@
 import tech.pegasys.web3signer.BLSTestUtil;
 import tech.pegasys.web3signer.KeystoreUtil;
 import tech.pegasys.web3signer.keystorage.common.MappedResults;
+import tech.pegasys.web3signer.signing.bulkloading.BlsKeystoreBulkLoader;
 
 import java.io.IOException;
 import java.nio.file.Files;
diff --git a/signing/src/test/java/tech/pegasys/web3signer/signing/config/AzureKeyVaultFactoryTest.java b/signing/src/test/java/tech/pegasys/web3signer/signing/config/AzureKeyVaultFactoryTest.java
new file mode 100644
index 000000000..f4efac819
--- /dev/null
+++ b/signing/src/test/java/tech/pegasys/web3signer/signing/config/AzureKeyVaultFactoryTest.java
@@ -0,0 +1,104 @@
+/*
+ * Copyright 2023 ConsenSys AG.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package tech.pegasys.web3signer.signing.config;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import java.util.concurrent.ExecutorService;
+
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.Test;
+
+class AzureKeyVaultFactoryTest {
+  final AzureKeyVaultFactory azureKeyVaultFactory = new AzureKeyVaultFactory();
+
+  @AfterEach
+  void shutdownExecutor() {
+    azureKeyVaultFactory.close();
+  }
+
+  @Test
+  void executorIsNotCreatedWhenFactoryIsCreated() {
+    assertThat(azureKeyVaultFactory.getExecutorServiceCache().get()).isNull();
+  }
+
+  @Test
+  void createsExecutorWhenUsingClientSecretMode() {
+    azureKeyVaultFactory.createAzureKeyVault(
+        "clientId",
+        "clientSecret",
+        "keyVaultName",
+        "tenantId",
+        AzureAuthenticationMode.CLIENT_SECRET);
+    assertThat(azureKeyVaultFactory.getExecutorServiceCache().get()).isNotNull();
+  }
+
+  @Test
+  void reusesExecutorWhenUsingClientSecretMode() {
+    azureKeyVaultFactory.createAzureKeyVault(
+        "clientId",
+        "clientSecret",
+        "keyVaultName",
+        "tenantId",
+        AzureAuthenticationMode.CLIENT_SECRET);
+    final ExecutorService executorService = azureKeyVaultFactory.getExecutorServiceCache().get();
+    assertThat(executorService).isNotNull();
+
+    azureKeyVaultFactory.createAzureKeyVault(
+        "clientId",
+        "clientSecret",
+        "keyVaultName",
+        "tenantId",
+        AzureAuthenticationMode.CLIENT_SECRET);
+    final ExecutorService executorService2 = azureKeyVaultFactory.getExecutorServiceCache().get();
+    assertThat(executorService).isSameAs(executorService2);
+  }
+
+  @Test
+  void doesNotCreateExecutorWhenUsingUserAssignedMode() {
+    azureKeyVaultFactory.createAzureKeyVault(
+        "clientId",
+        "clientSecret",
+        "keyVaultName",
+        "tenantId",
+        AzureAuthenticationMode.USER_ASSIGNED_MANAGED_IDENTITY);
+    assertThat(azureKeyVaultFactory.getExecutorServiceCache().get()).isNull();
+  }
+
+  @Test
+  void doesNotCreateExecutorWhenUsingSystemAssignedMode() {
+    azureKeyVaultFactory.createAzureKeyVault(
+        "clientId",
+        "clientSecret",
+        "keyVaultName",
+        "tenantId",
+        AzureAuthenticationMode.SYSTEM_ASSIGNED_MANAGED_IDENTITY);
+    assertThat(azureKeyVaultFactory.getExecutorServiceCache().get()).isNull();
+  }
+
+  @Test
+  void closeShutdownsExecutor() {
+    azureKeyVaultFactory.createAzureKeyVault(
+        "clientId",
+        "clientSecret",
+        "keyVaultName",
+        "tenantId",
+        AzureAuthenticationMode.CLIENT_SECRET);
+    final ExecutorService executorService = azureKeyVaultFactory.getExecutorServiceCache().get();
+    assertThat(executorService).isNotNull();
+
+    azureKeyVaultFactory.close();
+    assertThat(executorService.isShutdown()).isTrue();
+    assertThat(azureKeyVaultFactory.getExecutorServiceCache().get()).isNull();
+  }
+}
diff --git a/signing/src/test/java/tech/pegasys/web3signer/signing/config/SignerLoaderTest.java b/signing/src/test/java/tech/pegasys/web3signer/signing/config/SignerLoaderTest.java
index 9fbbe207f..8086fe87b 100644
--- a/signing/src/test/java/tech/pegasys/web3signer/signing/config/SignerLoaderTest.java
+++ b/signing/src/test/java/tech/pegasys/web3signer/signing/config/SignerLoaderTest.java
@@ -66,6 +66,7 @@ class SignerLoaderTest {
   @Mock private InterlockKeyProvider interlockKeyProvider;
   @Mock private YubiHsmOpaqueDataProvider yubiHsmOpaqueDataProvider;
   @Mock private AwsSecretsManagerProvider awsSecretsManagerProvider;
+  @Mock private AzureKeyVaultFactory azureKeyVaultFactory;
   @Mock private LabelledMetric<OperationTimer> privateKeyRetrievalTimer;
   @Mock private OperationTimer operationTimer;
 
@@ -98,7 +99,8 @@ public void setup() {
             interlockKeyProvider,
             yubiHsmOpaqueDataProvider,
             awsSecretsManagerProvider,
-            (args) -> new BlsArtifactSigner(args.getKeyPair(), args.getOrigin(), args.getPath()));
+            (args) -> new BlsArtifactSigner(args.getKeyPair(), args.getOrigin(), args.getPath()),
+            azureKeyVaultFactory);
 
     signerParser =
         new YamlSignerParser(
diff --git a/signing/src/test/java/tech/pegasys/web3signer/signing/config/metadata/BlsArtifactSignerFactoryTest.java b/signing/src/test/java/tech/pegasys/web3signer/signing/config/metadata/BlsArtifactSignerFactoryTest.java
index 6b4666cea..b34f61f44 100644
--- a/signing/src/test/java/tech/pegasys/web3signer/signing/config/metadata/BlsArtifactSignerFactoryTest.java
+++ b/signing/src/test/java/tech/pegasys/web3signer/signing/config/metadata/BlsArtifactSignerFactoryTest.java
@@ -31,6 +31,7 @@
 import tech.pegasys.web3signer.signing.ArtifactSigner;
 import tech.pegasys.web3signer.signing.BlsArtifactSigner;
 import tech.pegasys.web3signer.signing.KeyType;
+import tech.pegasys.web3signer.signing.config.AzureKeyVaultFactory;
 import tech.pegasys.web3signer.signing.config.metadata.interlock.InterlockKeyProvider;
 import tech.pegasys.web3signer.signing.config.metadata.yubihsm.YubiHsmOpaqueDataProvider;
 
@@ -65,6 +66,7 @@ class BlsArtifactSignerFactoryTest {
   private InterlockKeyProvider interlockKeyProvider;
   private YubiHsmOpaqueDataProvider yubiHsmOpaqueDataProvider;
   private AwsSecretsManagerProvider awsSecretsManagerProvider;
+  private AzureKeyVaultFactory azureKeyVaultFactory;
 
   @BeforeAll
   static void setupKeystoreFiles() throws IOException {
@@ -85,6 +87,7 @@ void setup() {
     interlockKeyProvider = new InterlockKeyProvider(vertx);
     yubiHsmOpaqueDataProvider = new YubiHsmOpaqueDataProvider();
     awsSecretsManagerProvider = new AwsSecretsManagerProvider(100);
+    azureKeyVaultFactory = new AzureKeyVaultFactory();
 
     artifactSignerFactory =
         new BlsArtifactSignerFactory(
@@ -94,7 +97,8 @@ void setup() {
             interlockKeyProvider,
             yubiHsmOpaqueDataProvider,
             awsSecretsManagerProvider,
-            (args) -> new BlsArtifactSigner(args.getKeyPair(), args.getOrigin()));
+            (args) -> new BlsArtifactSigner(args.getKeyPair(), args.getOrigin()),
+            azureKeyVaultFactory);
   }
 
   @AfterEach
diff --git a/signing/src/test/java/tech/pegasys/web3signer/signing/config/metadata/parser/YamlSignerParserMultiReadTest.java b/signing/src/test/java/tech/pegasys/web3signer/signing/config/metadata/parser/YamlSignerParserMultiReadTest.java
index 949268536..18cc58871 100644
--- a/signing/src/test/java/tech/pegasys/web3signer/signing/config/metadata/parser/YamlSignerParserMultiReadTest.java
+++ b/signing/src/test/java/tech/pegasys/web3signer/signing/config/metadata/parser/YamlSignerParserMultiReadTest.java
@@ -28,6 +28,7 @@
 import tech.pegasys.web3signer.signing.ArtifactSigner;
 import tech.pegasys.web3signer.signing.BlsArtifactSigner;
 import tech.pegasys.web3signer.signing.KeyType;
+import tech.pegasys.web3signer.signing.config.AzureKeyVaultFactory;
 import tech.pegasys.web3signer.signing.config.metadata.BlsArtifactSignerFactory;
 import tech.pegasys.web3signer.signing.config.metadata.SigningMetadataException;
 import tech.pegasys.web3signer.signing.config.metadata.interlock.InterlockKeyProvider;
@@ -59,6 +60,7 @@ class YamlSignerParserMultiReadTest {
   @Mock private InterlockKeyProvider interlockKeyProvider;
   @Mock private YubiHsmOpaqueDataProvider yubiHsmOpaqueDataProvider;
   @Mock private AwsSecretsManagerProvider awsSecretsManagerProvider;
+  @Mock private AzureKeyVaultFactory azureKeyVaultFactory;
   @Mock private LabelledMetric<OperationTimer> privateKeyRetrievalTimer;
   @Mock private OperationTimer operationTimer;
 
@@ -88,7 +90,8 @@ public void setup() {
             interlockKeyProvider,
             yubiHsmOpaqueDataProvider,
             awsSecretsManagerProvider,
-            (args) -> new BlsArtifactSigner(args.getKeyPair(), args.getOrigin(), args.getPath()));
+            (args) -> new BlsArtifactSigner(args.getKeyPair(), args.getOrigin(), args.getPath()),
+            azureKeyVaultFactory);
 
     signerParser =
         new YamlSignerParser(
diff --git a/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/azure/AzureKeyVaultSignerTest.java b/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/azure/AzureKeyVaultSignerTest.java
index a4e3b3e76..fb363fb75 100644
--- a/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/azure/AzureKeyVaultSignerTest.java
+++ b/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/azure/AzureKeyVaultSignerTest.java
@@ -16,6 +16,7 @@
 import static org.assertj.core.api.Assertions.assertThat;
 import static tech.pegasys.web3signer.signing.secp256k1.azure.AzureKeyVaultSignerFactory.UNSUPPORTED_CURVE_NAME;
 
+import tech.pegasys.web3signer.signing.config.AzureKeyVaultFactory;
 import tech.pegasys.web3signer.signing.secp256k1.EthPublicKeyUtils;
 import tech.pegasys.web3signer.signing.secp256k1.Signature;
 import tech.pegasys.web3signer.signing.secp256k1.Signer;
@@ -28,54 +29,46 @@
 import org.junit.jupiter.api.Assumptions;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
-import org.web3j.crypto.Hash;
 import org.web3j.crypto.Sign;
 import org.web3j.crypto.Sign.SignatureData;
 import org.web3j.utils.Numeric;
 
 public class AzureKeyVaultSignerTest {
-  private static final String clientId = System.getenv("AZURE_CLIENT_ID");
-  private static final String clientSecret = System.getenv("AZURE_CLIENT_SECRET");
-  private static final String keyVaultName = System.getenv("AZURE_KEY_VAULT_NAME");
-  private static final String tenantId = System.getenv("AZURE_TENANT_ID");
-  // uses curve name P-256K
-  private static final String KEY_NAME = "TestKey2";
+  private static final String AZURE_CLIENT_ID = System.getenv("AZURE_CLIENT_ID");
+  private static final String AZURE_CLIENT_SECRET = System.getenv("AZURE_CLIENT_SECRET");
+  private static final String AZURE_KEY_VAULT_NAME = System.getenv("AZURE_KEY_VAULT_NAME");
+  private static final String AZURE_TENANT_ID = System.getenv("AZURE_TENANT_ID");
+  private static final String AZURE_INVALID_KEY_VAULT_NAME =
+      System.getenv("AZURE_INVALID_KEY_VAULT_NAME");
+
+  private static final String KEY_NAME = "TestKey2"; // uses curve name P-256K
   private static final String UNSUPPORTED_CURVE_KEY_NAME = "TestKeyP521";
 
   @BeforeAll
   static void preChecks() {
     Assumptions.assumeTrue(
-        clientId != null && clientSecret != null && keyVaultName != null && tenantId != null,
+        AZURE_CLIENT_ID != null
+            && AZURE_CLIENT_SECRET != null
+            && AZURE_KEY_VAULT_NAME != null
+            && AZURE_INVALID_KEY_VAULT_NAME != null
+            && AZURE_TENANT_ID != null,
         "Ensure Azure env variables are set");
   }
 
   @Test
-  public void azureSignerCanSignTwice() {
+  void azureSignerCanSign() throws SignatureException {
     final AzureConfig config =
-        new AzureConfig(keyVaultName, KEY_NAME, "", clientId, clientSecret, tenantId);
-
-    final AzureKeyVaultSignerFactory factory = new AzureKeyVaultSignerFactory();
-    final Signer signer = factory.createSigner(config);
-
-    final byte[] dataToHash = "Hello World".getBytes(UTF_8);
-    signer.sign(dataToHash);
-    signer.sign(dataToHash);
-  }
-
-  @Test
-  void azureWithoutHashingDoesntHashData() throws SignatureException {
-    final AzureConfig config =
-        new AzureConfig(keyVaultName, KEY_NAME, "", clientId, clientSecret, tenantId);
+        new AzureConfig(
+            AZURE_KEY_VAULT_NAME, KEY_NAME, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID);
 
     final Signer azureNonHashedDataSigner =
-        new AzureKeyVaultSignerFactory(false).createSigner(config);
+        new AzureKeyVaultSignerFactory(new AzureKeyVaultFactory()).createSigner(config);
     final BigInteger publicKey =
         Numeric.toBigInt(EthPublicKeyUtils.toByteArray(azureNonHashedDataSigner.getPublicKey()));
 
     final byte[] dataToSign = "Hello World".getBytes(UTF_8);
-    final byte[] hashedData = Hash.sha3(dataToSign); // manual hash before sending to remote signing
 
-    final Signature signature = azureNonHashedDataSigner.sign(hashedData);
+    final Signature signature = azureNonHashedDataSigner.sign(dataToSign);
 
     // Determine if Web3j thinks the signature comes from the public key used (really proves
     // that the hashedData isn't hashed a second time).
@@ -85,7 +78,7 @@ void azureWithoutHashingDoesntHashData() throws SignatureException {
             Numeric.toBytesPadded(signature.getR(), 32),
             Numeric.toBytesPadded(signature.getS(), 32));
 
-    final BigInteger recoveredPublicKey = Sign.signedMessageHashToKey(hashedData, sigData);
+    final BigInteger recoveredPublicKey = Sign.signedMessageToKey(dataToSign, sigData);
     assertThat(recoveredPublicKey).isEqualTo(publicKey);
   }
 
@@ -93,9 +86,15 @@ void azureWithoutHashingDoesntHashData() throws SignatureException {
   public void azureKeyWithUnsupportedCurveThrowsError() {
     final AzureConfig config =
         new AzureConfig(
-            keyVaultName, UNSUPPORTED_CURVE_KEY_NAME, "", clientId, clientSecret, tenantId);
-
-    final AzureKeyVaultSignerFactory factory = new AzureKeyVaultSignerFactory();
+            AZURE_INVALID_KEY_VAULT_NAME,
+            UNSUPPORTED_CURVE_KEY_NAME,
+            "",
+            AZURE_CLIENT_ID,
+            AZURE_CLIENT_SECRET,
+            AZURE_TENANT_ID);
+
+    final AzureKeyVaultSignerFactory factory =
+        new AzureKeyVaultSignerFactory(new AzureKeyVaultFactory());
     Assertions.assertThatExceptionOfType(SignerInitializationException.class)
         .isThrownBy(() -> factory.createSigner(config))
         .withMessage(UNSUPPORTED_CURVE_NAME);
diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/utils/DefaultAzureKeyVaultParameters.java b/signing/src/testFixtures/java/tech/pegasys/web3signer/signing/config/DefaultAzureKeyVaultParameters.java
similarity index 92%
rename from acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/utils/DefaultAzureKeyVaultParameters.java
rename to signing/src/testFixtures/java/tech/pegasys/web3signer/signing/config/DefaultAzureKeyVaultParameters.java
index edb1a01e8..775327789 100644
--- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/utils/DefaultAzureKeyVaultParameters.java
+++ b/signing/src/testFixtures/java/tech/pegasys/web3signer/signing/config/DefaultAzureKeyVaultParameters.java
@@ -10,10 +10,7 @@
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
  * specific language governing permissions and limitations under the License.
  */
-package tech.pegasys.web3signer.dsl.utils;
-
-import tech.pegasys.web3signer.signing.config.AzureAuthenticationMode;
-import tech.pegasys.web3signer.signing.config.AzureKeyVaultParameters;
+package tech.pegasys.web3signer.signing.config;
 
 import java.util.Collections;
 import java.util.HashMap;