diff --git a/.config/dotnet-tools.json b/.config/dotnet-tools.json new file mode 100644 index 00000000..1213a528 --- /dev/null +++ b/.config/dotnet-tools.json @@ -0,0 +1,18 @@ +{ + "version": 1, + "isRoot": true, + "tools": { + "azuresigntool": { + "version": "2.0.17", + "commands": [ + "azuresigntool" + ] + }, + "nugetkeyvaultsigntool": { + "version": "1.2.28", + "commands": [ + "NuGetKeyVaultSignTool" + ] + } + } +} \ No newline at end of file diff --git a/azure-pipelines.yml b/azure-pipelines.yml index 791be7b5..b56034fb 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -9,11 +9,7 @@ pr: - '*' variables: -- name: kv-access-token - value: '' - group: AzureKeyVault -- name: DOTNET_SKIP_FIRST_TIME_EXPERIENCE - value: 1 - name: BUILD_NUMBER value: $[counter('buildnumber', 1)] @@ -38,10 +34,8 @@ stages: packageType: runtime - powershell: ./build.ps1 -ci displayName: Invoke build.ps1 - condition: eq(variables['kv-access-token'], '') - - powershell: ./build.ps1 -ci /p:AzureKeyVaultClientSecret=$(kv-access-token) - displayName: Invoke build.ps1 - condition: ne(variables['kv-access-token'], '') + env: + KEYVAULT_CLIENT_SECRET: kv-access-token - powershell: .\docs\generate.ps1 -Verbose -NoBuild displayName: Compile documentation - task: PublishTestResults@2 diff --git a/build.ps1 b/build.ps1 index 1b42acf5..a5715a12 100755 --- a/build.ps1 +++ b/build.ps1 @@ -20,8 +20,11 @@ Import-Module -Force -Scope Local "$PSScriptRoot/src/common.psm1" # Main # +$isPr = $env:BUILD_REASON -eq 'PullRequest' + if ($env:CI -eq 'true') { $ci = $true + & dotnet --info } if (!$Configuration) { @@ -32,7 +35,6 @@ if ($ci) { $MSBuildArgs += '-p:CI=true' } -$isPr = $env:APPVEYOR_PULL_REQUEST_HEAD_COMMIT -or ($env:BUILD_REASON -eq 'PullRequest') if (-not (Test-Path variable:\IsCoreCLR)) { $IsWindows = $true } 
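Review bot: In the `env:` block added to the `Invoke build.ps1` step of azure-pipelines.yml, `KEYVAULT_CLIENT_SECRET: kv-access-token` sets the variable to the literal text `kv-access-token`, not to the secret's value. Azure Pipelines expands a variable only through macro syntax, and secret variables reach a script only when mapped explicitly, so the line should read `KEYVAULT_CLIENT_SECRET: $(kv-access-token)`. As written, the signing step would authenticate with a wrong credential and fail on the first non-PR Windows build. The earlier hunk in this file also removes the empty default for `kv-access-token`, so where the variable group does not supply it the macro would arrive as the unexpanded text `$(kv-access-token)`. The consumer should treat that value as "no secret"; whether it does is not visible here.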
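Review bot: `$isPr` in build.ps1 is now derived from `$env:BUILD_REASON` alone, because the later hunk in this file drops the `$env:APPVEYOR_PULL_REQUEST_HEAD_COMMIT` test. If any CI other than Azure Pipelines still runs this script, a pull-request build on Windows would get `$isPr = $false` and `$CodeSign` would become true, sending unreviewed PR code down the signing path. The page does not show whether the AppVeyor build was retired. If it was, a comment above the assignment such as `# BUILD_REASON is set by Azure Pipelines only; PR builds must never sign` would record the assumption.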
@@ -40,36 +42,16 @@ if (-not (Test-Path variable:\IsCoreCLR)) { $CodeSign = $sign -or ($ci -and -not $isPr -and $IsWindows) if ($CodeSign) { - $toolsDir = "$PSScriptRoot/.build/tools" - $AzureSignToolPath = "$toolsDir/azuresigntool" - if ($IsWindows) { - $AzureSignToolPath += ".exe" - } - - if (-not (Test-Path $AzureSignToolPath)) { - exec dotnet tool install --tool-path $toolsDir ` - AzureSignTool ` - --version 2.0.17 - } - - $nstDir = "$toolsDir/nugetsigntool/1.1.4" - $NuGetKeyVaultSignToolPath = "$nstDir/tools/net471/NuGetKeyVaultSignTool.exe" - if (-not (Test-Path $NuGetKeyVaultSignToolPath)) { - New-Item $nstDir -ItemType Directory -ErrorAction Ignore | Out-Null - Invoke-WebRequest https://github.com/onovotny/NuGetKeyVaultSignTool/releases/download/v1.1.4/NuGetKeyVaultSignTool.1.1.4.nupkg ` - -OutFile "$nstDir/NuGetKeyVaultSignTool.zip" - Expand-Archive "$nstDir/NuGetKeyVaultSignTool.zip" -DestinationPath $nstDir - } - + exec dotnet tool restore $MSBuildArgs += '-p:CodeSign=true' - $MSBuildArgs += "-p:AzureSignToolPath=$AzureSignToolPath" - $MSBuildArgs += "-p:NuGetKeyVaultSignToolPath=$NuGetKeyVaultSignToolPath" } $artifacts = "$PSScriptRoot/artifacts/" Remove-Item -Recurse $artifacts -ErrorAction Ignore -exec dotnet msbuild /t:UpdateCiSettings @MSBuildArgs +if ($ci) { + exec dotnet msbuild /t:UpdateCiSettings @MSBuildArgs +} exec dotnet build --configuration $Configuration '-warnaserror:CS1591' @MSBuildArgs exec dotnet pack --no-restore --no-build --configuration $Configuration -o $artifacts @MSBuildArgs exec dotnet build --configuration $Configuration "$PSScriptRoot/docs/samples/samples.sln" diff --git a/src/CodeSign.targets b/src/CodeSign.targets index 5245bfd1..a0588c97 100644 --- a/src/CodeSign.targets +++ b/src/CodeSign.targets 
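Review bot: `exec dotnet tool restore` in the `if ($CodeSign)` block fetches azuresigntool and nugetkeyvaultsigntool from whichever NuGet sources the build agent has configured, and those tools go on to handle the Key Vault credential. The manifest pins the versions, but nothing visible in this commit restricts which feed may serve them. A repository-level nuget.config that limits the package sources would close that gap, if one is not already present. A comment above the call, for example `# Restores the signing tools pinned in .config/dotnet-tools.json`, would also show readers where the versions now live.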
@@ -12,10 +12,8 @@ Inputs="$(TargetPath)" Outputs="$(CodeSignCacheFile)"> - - - "$(AzureSignToolPath)" sign + dotnet tool run azuresigntool sign $(SignToolArgs) --file-digest sha256 $(SignToolArgs) --description-url $(PackageProjectUrl) $(SignToolArgs) --no-page-hashing @@ -38,12 +36,11 @@ BeforeTargets="Pack" Inputs="$(PackageOutputAbsolutePath)$(PackageId).$(PackageVersion).nupkg" Outputs="$(PackageSignCacheFile)"> - $(PackageOutputAbsolutePath)$(PackageId).$(PackageVersion).nupkg - "$(NuGetKeyVaultSignToolPath)" sign + dotnet tool run NuGetKeyVaultSignTool sign $(NupkgSignToolArgs) --file-digest sha256 $(NupkgSignToolArgs) --timestamp-rfc3161 http://timestamp.digicert.com $(NupkgSignToolArgs) --timestamp-digest sha256
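Review bot: Neither CodeSign.targets hunk shows how the Key Vault client secret reaches `dotnet tool run azuresigntool sign` or `dotnet tool run NuGetKeyVaultSignTool sign`, now that the pipeline passes it as `KEYVAULT_CLIENT_SECRET` instead of an MSBuild property. If the lines outside the hunks append it to `$(SignToolArgs)` or `$(NupkgSignToolArgs)`, the secret sits on the command line, and the Exec task echoes that command into the build log unless `EchoOff="true"` is set. Confirm that the secret is either read from the environment by the tool or that echoing is turned off on both Exec calls. The markup on this page is stripped, so the attributes cannot be checked from here.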