diff --git a/controllers/vaultdynamicsecret_controller.go b/controllers/vaultdynamicsecret_controller.go
index 2472fb943..184f21f79 100644
--- a/controllers/vaultdynamicsecret_controller.go
+++ b/controllers/vaultdynamicsecret_controller.go
@@ -123,6 +123,13 @@ func (r *VaultDynamicSecretReconciler) Reconcile(ctx context.Context, req ctrl.R
 		return ctrl.Result{}, r.handleDeletion(ctx, o)
 	}
 
+	if addedFinalizer, err := maybeAddFinalizer(ctx, r.Client, o, vaultDynamicSecretFinalizer); err != nil {
+		return ctrl.Result{}, err
+	} else if addedFinalizer {
+		// the finalizer was added, requeue the request.
+		return ctrl.Result{Requeue: true}, nil
+	}
+
 	r.referenceCache.Set(SecretTransformation, req.NamespacedName,
 		helpers.GetTransformationRefObjKeys(
 			o.Spec.Destination.Transformation, o.Namespace)...)
@@ -558,8 +565,7 @@ func (r *VaultDynamicSecretReconciler) updateStatus(ctx context.Context, o *secr
 			"Failed to update the resource's status, err=%s", err)
 	}
 
-	_, err := maybeAddFinalizer(ctx, r.Client, o, vaultDynamicSecretFinalizer)
-	return err
+	return nil
 }
 
 func (r *VaultDynamicSecretReconciler) getVaultSecretLease(resp *api.Secret) *secretsv1beta1.VaultSecretLease {