diff --git a/.github/workflows/build_and_deploy_prod.yml b/.github/workflows/build_and_deploy_prod.yml
index c4469dff3..88f63c1f3 100644
--- a/.github/workflows/build_and_deploy_prod.yml
+++ b/.github/workflows/build_and_deploy_prod.yml
@@ -12,10 +12,14 @@ on:
# There are secrets and environment variables that need to be set that control what is pushed to
# ghcr and Azure.
#
+# Org Secrets:
+# DEPLOY_TOKEN: token with permissions needed to determine if github.actor can deploy to production
+# PRODUCTION_DEPLOYERS: name of team identifying users that can deploy to production
+# AZURE_CREDENTIALS: service principal that has access to the Azure apps
+#
+# Secrets:
-# AZURE_CREDENTIALS_PROD: service principal that has access to the Azure prod WebApp
-# AZURE_WEBAPP_PUBLISH_PROFILE: publish profile for the Azure WebApp
-# AZURE_WEBAPP_PUBLISH_PROFILE_EU: publish profile for the Azure WebApp in Europe
+# AZURE_WEBAPP_PUBLISH_PROFILE: publish profile for the service production Azure WebApp
+# AZURE_WEBAPP_PUBLISH_PROFILE_EU: publish profile for the service production Azure WebApp in Europe
#
# Environment Variables:
# APPLICATION_TYPE: type of application that is being deployed; used to add a label to the Docker image (values: api | web | worker)
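Review bot: The documented secret names no longer match what the workflow reads: the `Secrets:` block here lists `AZURE_WEBAPP_PUBLISH_PROFILE` and `AZURE_WEBAPP_PUBLISH_PROFILE_EU`, while the new `Check secrets` step and both deploy steps later in this diff reference `secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD` and `secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU`. Anyone provisioning a repository from this header will create secrets the workflow never reads, and the presence check will then fail the job. Change the two comment lines to `# AZURE_WEBAPP_PUBLISH_PROFILE_PROD: publish profile for the service production Azure WebApp` and `# AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU: publish profile for the service production Azure WebApp in Europe`, or rename the references to match. It would also help to say in the `Org Secrets:` block that `DEPLOY_TOKEN` and `PRODUCTION_DEPLOYERS` are consumed by the `check-deployable` reusable workflow via `secrets: inherit`, since this file itself only checks that they are non-empty.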
@@ -34,10 +38,39 @@ env:
DOCKER_IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/${{ github.repository }}
jobs:
+ check-deployable:
+ uses: clearlydefined/operations/.github/workflows/deployable.yml@elr/deploy-limits
+ secrets: inherit
+
build-and-deploy:
name: Build and Deploy
runs-on: ubuntu-latest
+ needs: check-deployable
steps:
+ # verify required secrets are set
+ - name: Check secrets
+ run: |
+ if [[ -z "${{ secrets.AZURE_CREDENTIALS }}" ]]; then
+ echo "AZURE_CREDENTIALS is not set"
+ exit 1
+ fi
+ if [[ -z "${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD }}" ]]; then
+ echo "AZURE_WEBAPP_PUBLISH_PROFILE_PROD is not set"
+ exit 1
+ fi
+ if [[ -z "${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU }}" ]]; then
+ echo "AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU is not set"
+ exit 1
+ fi
+ if [[ -z "${{ secrets.PRODUCTION_DEPLOYERS }}" ]]; then
+ echo "PRODUCTION_DEPLOYERS is not set"
+ exit 1
+ fi
+ if [[ -z "${{ secrets.DEPLOY_TOKEN }}" ]]; then
+ echo "DEPLOY_TOKEN is not set"
+ exit 1
+ fi
+
- name: Get version
id: package
run: |
@@ -75,8 +108,18 @@ jobs:
- name: Login for Azure cli commands
uses: azure/login@v2.0.0
with:
- creds: ${{ secrets.AZURE_CREDENTIALS_PROD }}
+ creds: ${{ secrets.AZURE_CREDENTIALS }}
+ # v3.0.1 passes when AZURE_WEBAPP_PUBLISH_PROFILE_PROD isn't set, but should fail.
+ # Added secret check above to ensure it is set.
+ - name: Deploy to Azure WebApp
+ uses: azure/webapps-deploy@v3.0.1
+ with:
+ app-name: ${{ env.AZURE_WEBAPP_NAME }}
+ publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD }}
+ images: '${{ env.DOCKER_IMAGE_NAME }}:${{ steps.package.outputs.version }}'
+
+ # set configs after deploy in case the deploy fails
- name: Set DOCKER configs in Azure web app
uses: azure/appservice-settings@v1.1.1
with:
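Review bot: `check-deployable` pulls the reusable workflow from a mutable branch ref (`@elr/deploy-limits`, which reads like a personal feature branch) and hands it every secret with `secrets: inherit`, so whatever is pushed to that branch of the `operations` repository runs with `AZURE_CREDENTIALS`, `DEPLOY_TOKEN` and both publish profiles at production-deploy time. Pin the ref to a full commit SHA or a release tag once the branch is merged, e.g. `uses: clearlydefined/operations/.github/workflows/deployable.yml@<commit-sha>` (placeholder), and pass only the secrets the gate needs explicitly — presumably `DEPLOY_TOKEN` and `PRODUCTION_DEPLOYERS`, to be confirmed against the inputs `deployable.yml` declares. Separately, the `Check secrets` step interpolates each `${{ secrets.* }}` value into the script text itself; if `AZURE_CREDENTIALS` is the JSON service-principal document that `azure/login` expects, its embedded double quotes terminate the bash string inside `[[ -z "..." ]]`, and the step errors or mis-evaluates rather than checking presence (the same applies to any publish profile containing a `"`). Expose the values through `env:` and test the shell variables, which also keeps the secret bytes out of the generated script file; a loop over the names avoids the five repeated blocks. The enclosing `build-and-deploy` job continues outside the hunk.
```yaml
      # verify required secrets are set
      - name: Check secrets
        env:
          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
          AZURE_WEBAPP_PUBLISH_PROFILE_PROD: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD }}
          AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU }}
          PRODUCTION_DEPLOYERS: ${{ secrets.PRODUCTION_DEPLOYERS }}
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
        run: |
          for name in AZURE_CREDENTIALS AZURE_WEBAPP_PUBLISH_PROFILE_PROD AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU PRODUCTION_DEPLOYERS DEPLOY_TOKEN; do
            if [[ -z "${!name}" ]]; then
              echo "$name is not set"
              exit 1
            fi
          done
      # … unchanged: Get version step …
```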
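Review bot: `creds:` switches from the repository-scoped `AZURE_CREDENTIALS_PROD` to the org-level `AZURE_CREDENTIALS`, which the header comment describes as having access to "the Azure apps" in general; if that principal spans more than the two production WebApps, this job now runs with a broader identity than before, and anything that compromises the runner — or the branch-pinned reusable workflow that inherits the same secret — reaches beyond production. Keep a production-only service principal, or restrict the org secret to this repository and a `production` environment so the same name resolves to least-privilege credentials here. The moved `Deploy to Azure WebApp` step now also precedes `Set DOCKER configs in Azure web app`; presumably that step supplies the registry settings App Service uses to pull `images:`, so on a first deploy or after a registry credential rotation the container start may fail until the settings step has run — worth confirming the intended order. The three `azure/*` actions are pinned to mutable tags (`@v2.0.0`, `@v3.0.1`, `@v1.1.1`); pinning to a full commit SHA with the version in a trailing comment would close that supply-chain gap in this hunk and in the EU hunk below alike.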
@@ -104,14 +147,17 @@ jobs:
"slotSetting": false
}
]
- - name: Deploy to Azure WebApp
- uses: azure/webapps-deploy@v3.0.0
+
+ # v3.0.1 passes when AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU isn't set, but should fail.
+ # Added secret check to ensure it is set.
+ - name: Deploy to Azure EU WebApp
+ uses: azure/webapps-deploy@v3.0.1
with:
- app-name: ${{ env.AZURE_WEBAPP_NAME }}
- publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD }}
+ app-name: ${{ env.AZURE_EU_WEBAPP_NAME }}
+ publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU }}
images: '${{ env.DOCKER_IMAGE_NAME }}:${{ steps.package.outputs.version }}'
+ # set configs after deploy in case the deploy fails
- name: Set DOCKER configs in Azure EU web app
uses: azure/appservice-settings@v1.1.1
with:
@@ -139,10 +185,4 @@ jobs:
"slotSetting": false
}
]
- - name: Deploy to Azure EU WebApp
- uses: azure/webapps-deploy@v3.0.0
- with:
- app-name: ${{ env.AZURE_EU_WEBAPP_NAME }}
- publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU }}
- images: '${{ env.DOCKER_IMAGE_NAME }}:${{ steps.package.outputs.version }}'
+
\ No newline at end of file
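Review bot: The `images:` value is single-quoted while the new `app-name:` and `publish-profile:` lines directly above it are plain scalars; all three are `${{ }}` expressions, and the mixed quoting reads as if only the image reference needed protection. Quote them consistently, e.g. `app-name: '${{ env.AZURE_EU_WEBAPP_NAME }}'` and `publish-profile: '${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU }}'`, so an empty expansion cannot turn a value into `null`. The step reorder and the `v3.0.1 ... should fail` comment mirror the non-EU hunk and carry the same open question about deploying before `Set DOCKER configs in Azure EU web app` runs. The final hunk leaves the file ending in a whitespace-only line with no trailing newline (`\ No newline at end of file`); drop that line so the trailing-spaces and new-line-at-end-of-file lint checks pass.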