diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index 304cec4c9a2..8123fb3ab5f 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -2,6 +2,10 @@ trigger:
   branches:
     include:
     - master
+  paths:
+    exclude:
+    - docs/*
+    - README.md
 
 resources:
 - repo: self
@@ -311,4 +315,4 @@ steps:
     condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/master'))
     inputs:
       pathtoPublish: $(Build.ArtifactStagingDirectory)
-      artifactName: drop
\ No newline at end of file
+      artifactName: drop
diff --git a/pkg/resourcemanager/keyvaults/keyops.go b/pkg/resourcemanager/keyvaults/keyops.go
index 0476c74a439..9f4f5975471 100644
--- a/pkg/resourcemanager/keyvaults/keyops.go
+++ b/pkg/resourcemanager/keyvaults/keyops.go
@@ -109,7 +109,8 @@ func (k *KeyvaultKeyClient) Ensure(ctx context.Context, obj runtime.Object, opts
 
 		// this generally means the operator doesn't have access to the keyvault
 		// this can be resolved elsewhere so we should keep trying
-		if req.Response.StatusCode == http.StatusForbidden {
+		// See https://github.com/Azure/azure-sdk-for-go/issues/10975 for more details
+		if req.Response.Response != nil && req.Response.StatusCode == http.StatusForbidden {
 			return false, nil
 		}