diff --git a/data_safe_haven/commands/deploy_sre.py b/data_safe_haven/commands/deploy_sre.py
index c6b2d60803..554940c688 100644
--- a/data_safe_haven/commands/deploy_sre.py
+++ b/data_safe_haven/commands/deploy_sre.py
@@ -4,7 +4,7 @@
 DataSafeHavenError,
 )
 from data_safe_haven.external import GraphApi
-from data_safe_haven.functions import alphanumeric, bcrypt_salt, password
+from data_safe_haven.functions import alphanumeric, bcrypt_salt
 from data_safe_haven.infrastructure import SHMStackManager, SREStackManager
 from data_safe_haven.provisioning import SREProvisioningManager
 from data_safe_haven.utility import DatabaseSystem, SoftwarePackageCategory
@@ -141,7 +141,6 @@ def deploy_sre(
 )
 # Add necessary secrets
 stack.copy_secret("password-domain-ldap-searcher", shm_stack)
- stack.add_secret("password-workspace-admin", password(20), replace=False)
 stack.add_secret("salt-dns-server-admin", bcrypt_salt(), replace=False)
 stack.add_secret("token-azuread-graphapi", graph_api.token, replace=True)

diff --git a/data_safe_haven/infrastructure/stacks/sre/data.py b/data_safe_haven/infrastructure/stacks/sre/data.py
index 7f0c8e6f3a..c5f6294c89 100644
--- a/data_safe_haven/infrastructure/stacks/sre/data.py
+++ b/data_safe_haven/infrastructure/stacks/sre/data.py
@@ -71,9 +71,6 @@ def __init__(
 self.networking_resource_group_name = Output.from_input(
 networking_resource_group
 ).apply(get_name_from_rg)
- self.password_workspace_admin = self.get_secret(
- pulumi_opts, "password-workspace-admin"
- )
 self.private_dns_zone_base_id = self.get_secret(
 pulumi_opts, "shm-networking-private_dns_zone_base_id"
 )
@@ -332,11 +329,14 @@ def __init__(
 tags=child_tags,
 )

- # Deploy key vault secrets
+ # Secret: Workspace admin password
+ password_workspace_admin = pulumi_random.RandomPassword(
+ f"{self._name}_password_workspace_admin", length=20, special=True
+ )
 keyvault.Secret(
 f"{self._name}_kvs_password_workspace_admin",
 properties=keyvault.SecretPropertiesArgs(
- value=props.password_workspace_admin
+ value=password_workspace_admin.result
 ),
 resource_group_name=resource_group.name,
 secret_name="password-workspace-admin",
@@ -757,5 +757,5 @@ def __init__(
 self.password_user_database_admin = Output.secret(
 password_user_database_admin.result
 )
- self.password_workspace_admin = Output.secret(props.password_workspace_admin)
+ self.password_workspace_admin = Output.secret(password_workspace_admin.result)
 self.resource_group_name = resource_group.name
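Review bot: The `RandomPassword` added in the `@@ -332` hunk sets only `length=20, special=True`, so nothing guarantees that a generated value contains every character class, and the special characters come from the provider's default set. If whatever consumes `password-workspace-admin` enforces a complexity policy or templates the value into a shell or cloud-init context (not visible in this diff), I would pin that down here, e.g. `min_lower=1, min_upper=1, min_numeric=1, min_special=1,` plus an `override_special` limited to characters the consumer accepts. Moving generation from the stack config into a new resource presumably also means existing deployments get a fresh password on their next update, which is worth a line in the upgrade notes in case anything was provisioned with the old one. `__init__` starts and ends outside the hunk, and the `@@ -757` hunk exports the same value.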