diff --git a/resource_customizations/external-secrets.io/ExternalSecret/actions/action_test.yaml b/resource_customizations/external-secrets.io/ExternalSecret/actions/action_test.yaml
index 5b3f79bcebdef..ae3436cde60da 100644
--- a/resource_customizations/external-secrets.io/ExternalSecret/actions/action_test.yaml
+++ b/resource_customizations/external-secrets.io/ExternalSecret/actions/action_test.yaml
@@ -7,3 +7,6 @@ discoveryTests:
   - inputPath: testdata/external-secret.yaml
     result:
       - name: "refresh"
+  - inputPath: testdata/external-secret-refresh-policy.yaml
+    result:
+      - name: "refresh"
diff --git a/resource_customizations/external-secrets.io/ExternalSecret/actions/discovery.lua b/resource_customizations/external-secrets.io/ExternalSecret/actions/discovery.lua
index 1b295650b9471..3a0bab14ff910 100644
--- a/resource_customizations/external-secrets.io/ExternalSecret/actions/discovery.lua
+++ b/resource_customizations/external-secrets.io/ExternalSecret/actions/discovery.lua
@@ -3,10 +3,11 @@ local actions = {}
 local disable_refresh = false
 local time_units = {"ns", "us", "µs", "ms", "s", "m", "h"}
 local digits = obj.spec.refreshInterval
+local policy = obj.spec.refreshPolicy
 if digits ~= nil then
   digits = tostring(digits)
   for _, time_unit in ipairs(time_units) do
-    if digits == "0" or digits == "0" .. time_unit then
+    if (digits == "0" or digits == "0" .. time_unit) and policy ~= "OnChange" then
       disable_refresh = true
       break
     end
diff --git a/resource_customizations/external-secrets.io/ExternalSecret/actions/testdata/external-secret-refresh-policy.yaml b/resource_customizations/external-secrets.io/ExternalSecret/actions/testdata/external-secret-refresh-policy.yaml
new file mode 100644
index 0000000000000..c4c0340e3c9b1
--- /dev/null
+++ b/resource_customizations/external-secrets.io/ExternalSecret/actions/testdata/external-secret-refresh-policy.yaml
@@ -0,0 +1,55 @@
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+  creationTimestamp: '2021-11-16T21:59:33Z'
+  generation: 1
+  name: test-healthy
+  namespace: argocd
+  resourceVersion: '136487331'
+  selfLink: /apis/external-secrets.io/v1alpha1/namespaces/argocd/externalsecrets/test-healthy
+  uid: 1e754a7e-0781-4d57-932d-4651d5b19586
+spec:
+  data:
+    - remoteRef:
+        key: secret/sa/example
+        property: api.address
+      secretKey: url
+    - remoteRef:
+        key: secret/sa/example
+        property: ca.crt
+      secretKey: ca
+    - remoteRef:
+        key: secret/sa/example
+        property: token
+      secretKey: token
+  refreshInterval: 0
+  refreshPolicy: OnChange
+  secretStoreRef:
+    kind: SecretStore
+    name: example
+  target:
+    creationPolicy: Owner
+    template:
+      data:
+        config: |
+          {
+            "bearerToken": "{{ .token | base64decode | toString }}",
+            "tlsClientConfig": {
+              "insecure": false,
+              "caData": "{{ .ca | toString }}"
+            }
+          }
+        name: cluster-test
+        server: '{{ .url | toString }}'
+      metadata:
+        labels:
+          argocd.argoproj.io/secret-type: cluster
+status:
+  conditions:
+    - lastTransitionTime: '2021-11-16T21:59:34Z'
+      message: Secret was synced
+      reason: SecretSynced
+      status: 'True'
+      type: Ready
+  refreshTime: '2021-11-29T18:32:24Z'
+  syncedResourceVersion: 1-519a61da0dc68b2575b4f8efada70e42