diff --git a/azure-pipelines/1esstages.yml b/azure-pipelines/1esstages.yml
index 6ae6a5e1e7..78123d535a 100644
--- a/azure-pipelines/1esstages.yml
+++ b/azure-pipelines/1esstages.yml
@@ -19,7 +19,8 @@ stages:
             templateContext:
               mb: # Enable the MicroBuild Signing toolset
                 signing:
-                  enabled: true
+                  # Enable the signing toolset when the build is not a PR and the branch is main or starts with rel/
+                  enabled: $[and(ne(variables['Build.Reason'], 'PullRequest'), or(eq(variables['Build.SourceBranchName'], 'main'), startsWith(variables['Build.SourceBranchName'], 'rel/')))]
                   signType: real # options are 'real' & 'test'
                   zipSources: false
               outputs:
diff --git a/azure-pipelines/templates/sign.yml b/azure-pipelines/templates/sign.yml
index a49bf32b8c..2d06f1e3d8 100644
--- a/azure-pipelines/templates/sign.yml
+++ b/azure-pipelines/templates/sign.yml
@@ -11,6 +11,8 @@ steps:
           Write-Output "SignExtension.signproj file not found. Skipping signing."
       }
     displayName: "\U0001F449 Check for SignExtension.signproj File"
+    # Run this step when the build is not a PR and the branch is main or starts with rel/
+    condition: and(ne(variables['Build.Reason'], 'PullRequest'), or(eq(variables['Build.SourceBranchName'], 'main'), startsWith(variables['Build.SourceBranchName'], 'rel/')))
 
   # put the extension name and version from the package.json into variables to use later. Variables can be used in later steps as $(package.name) and $(package.version)
   - pwsh: |