diff --git a/.vsts-ci-richnav.yml b/.vsts-ci-richnav.yml
index 2b254e9b8f72..1995db108e1d 100644
--- a/.vsts-ci-richnav.yml
+++ b/.vsts-ci-richnav.yml
@@ -26,7 +26,7 @@ stages:
         richCodeNavigationEnvironment: 'production'
         pool:
             name: $(DncEngPublicBuildPool)
-            demands: ImageOverride -equals windows.vs2019.amd64.open   
+            demands: ImageOverride -equals windows.vs2019.amd64.open
         timeoutInMinutes: 180
         strategy:
           matrix:
@@ -45,6 +45,7 @@ stages:
           - _SignArgs: ''
           - _InternalRuntimeDownloadArgs: ''
         steps:
+        - template: /eng/common/templates/steps/enable-internal-runtimes.yml
         - powershell: eng\common\build.ps1
                     -restore
                     -ci
@@ -65,23 +66,23 @@ stages:
             TestFullMSBuild: 'true'
             SYSTEM_ACCESSTOKEN: $(System.AccessToken)
 
-        - task: CopyFiles@2	
-          displayName: Gather Logs	
-          inputs:	
-            SourceFolder: '$(Build.SourcesDirectory)/artifacts'	
-            Contents: |	
-              log/$(_BuildConfig)/**/*	
-              TestResults/$(_BuildConfig)/**/*	
-              SymStore/$(_BuildConfig)/**/* 
-            TargetFolder: '$(Build.ArtifactStagingDirectory)'	
-          continueOnError: true	
+        - task: CopyFiles@2
+          displayName: Gather Logs
+          inputs:
+            SourceFolder: '$(Build.SourcesDirectory)/artifacts'
+            Contents: |
+              log/$(_BuildConfig)/**/*
+              TestResults/$(_BuildConfig)/**/*
+              SymStore/$(_BuildConfig)/**/*
+            TargetFolder: '$(Build.ArtifactStagingDirectory)'
+          continueOnError: true
           condition: always()
 
-        - task: PublishBuildArtifacts@1	
-          displayName: Publish Logs to VSTS	
-          inputs:	
-            PathtoPublish: '$(Build.ArtifactStagingDirectory)'	
-            ArtifactName: '$(_AgentOSName)_$(Agent.JobName)_$(Build.BuildNumber)'	
-            publishLocation: Container	
-          continueOnError: true	
+        - task: PublishBuildArtifacts@1
+          displayName: Publish Logs to VSTS
+          inputs:
+            PathtoPublish: '$(Build.ArtifactStagingDirectory)'
+            ArtifactName: '$(_AgentOSName)_$(Agent.JobName)_$(Build.BuildNumber)'
+            publishLocation: Container
+          continueOnError: true
           condition: always()
diff --git a/.vsts-ci.yml b/.vsts-ci.yml
index 9362f9e0be4e..2aebe7dd3b36 100644
--- a/.vsts-ci.yml
+++ b/.vsts-ci.yml
@@ -36,10 +36,9 @@ variables:
       value: /p:OfficialBuilder=Microsoft
     - name: Codeql.Enabled
       value: true
-    - group: DotNetBuilds storage account read tokens
     - name: _InternalRuntimeDownloadArgs
-      value: /p:DotNetRuntimeSourceFeed=https://dotnetbuilds.blob.core.windows.net/internal 
-        /p:DotNetRuntimeSourceFeedKey=$(dotnetbuilds-internal-container-read-token-base64) 
+      value: /p:DotNetRuntimeSourceFeed=https://dotnetbuilds.blob.core.windows.net/internal
+        /p:DotNetRuntimeSourceFeedKey=$(dotnetbuilds-internal-container-read-token-base64)
   - ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
     - group: DotNet-CLI-SDLValidation-Params
   - template: /eng/common/templates-official/variables/pool-providers.yml
@@ -115,6 +114,7 @@ extends:
               value: ''
       - template: /eng/common/templates-official/job/source-build.yml@self
         parameters:
+          enableInternalSources: true
           platform:
             name: 'Managed'
             container: 'mcr.microsoft.com/dotnet-buildtools/prereqs:centos-stream8'
diff --git a/.vsts-pr.yml b/.vsts-pr.yml
index a7e6ce5a0de7..3736c5a7885b 100644
--- a/.vsts-pr.yml
+++ b/.vsts-pr.yml
@@ -18,14 +18,8 @@ pr:
 variables:
   - name: teamName
     value: Roslyn-Project-System
-  - name: _DotNetPublishToBlobFeed
-    value: false
   - name: _CIBuild
     value: -restore -build -sign -pack -ci
-  - name: _DotNetArtifactsCategory
-    value: .NETCore
-  - name: _DotNetValidationArtifactsCategory
-    value: .NETCore
   - ${{ if or(startswith(variables['Build.SourceBranch'], 'refs/heads/release/'), startswith(variables['Build.SourceBranch'], 'refs/heads/internal/release/'), eq(variables['Build.Reason'], 'Manual')) }}:
     - name: PostBuildSign
       value: false
@@ -44,10 +38,9 @@ variables:
       value: /p:OfficialBuilder=Microsoft
     - name: Codeql.Enabled
       value: true
-    - group: DotNetBuilds storage account read tokens
     - name: _InternalRuntimeDownloadArgs
-      value: /p:DotNetRuntimeSourceFeed=https://dotnetbuilds.blob.core.windows.net/internal 
-        /p:DotNetRuntimeSourceFeedKey=$(dotnetbuilds-internal-container-read-token-base64) 
+      value: /p:DotNetRuntimeSourceFeed=https://dotnetbuilds.blob.core.windows.net/internal
+        /p:DotNetRuntimeSourceFeedKey=$(dotnetbuilds-internal-container-read-token-base64)
   - ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
     - group: DotNet-CLI-SDLValidation-Params
   - template: /eng/common/templates/variables/pool-providers.yml
@@ -64,9 +57,9 @@ stages:
         name: $(DncEngInternalBuildPool)
         demands: ImageOverride -equals windows.vs2019.amd64
     steps:
-      - publish: $(Build.SourcesDirectory)\eng\BuildConfiguration
-        artifact: BuildConfiguration
-        displayName: Publish Build Config
+    - publish: $(Build.SourcesDirectory)\eng\BuildConfiguration
+      artifact: BuildConfiguration
+      displayName: Publish Build Config
   - template: /eng/build-pr.yml
     parameters:
       agentOs: Windows_NT
@@ -94,6 +87,7 @@ stages:
               _Test: ''
   - template: /eng/common/templates/job/source-build.yml
     parameters:
+      enableInternalSources: true
       platform:
         name: 'Managed'
         container: 'mcr.microsoft.com/dotnet-buildtools/prereqs:centos-stream8'
diff --git a/NuGet.config b/NuGet.config
index fc5e64092a4c..ae2cc237c36b 100644
--- a/NuGet.config
+++ b/NuGet.config
@@ -19,6 +19,10 @@
     <!--  End: Package sources from dotnet-runtime -->
     <!--  Begin: Package sources from dotnet-templating -->
     <add key="darc-pub-dotnet-templating-224824f" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/darc-pub-dotnet-templating-224824ff/nuget/v3/index.json" />
+    <add key="darc-pub-dotnet-templating-224824f-5" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/darc-pub-dotnet-templating-224824ff-5/nuget/v3/index.json" />
+    <add key="darc-pub-dotnet-templating-224824f-3" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/darc-pub-dotnet-templating-224824ff-3/nuget/v3/index.json" />
+    <add key="darc-pub-dotnet-templating-224824f-2" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/darc-pub-dotnet-templating-224824ff-2/nuget/v3/index.json" />
+    <add key="darc-pub-dotnet-templating-224824f-1" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/darc-pub-dotnet-templating-224824ff-1/nuget/v3/index.json" />
     <!--  End: Package sources from dotnet-templating -->
     <!--  Begin: Package sources from dotnet-windowsdesktop -->
     <!--  End: Package sources from dotnet-windowsdesktop -->
diff --git a/eng/Version.Details.xml b/eng/Version.Details.xml
index 23ac61d347ae..9a60d356a9e2 100644
--- a/eng/Version.Details.xml
+++ b/eng/Version.Details.xml
@@ -483,22 +483,22 @@
     </Dependency>
   </ProductDependencies>
   <ToolsetDependencies>
-    <Dependency Name="Microsoft.DotNet.Arcade.Sdk" Version="8.0.0-beta.24266.3">
+    <Dependency Name="Microsoft.DotNet.Arcade.Sdk" Version="8.0.0-beta.24352.1">
       <Uri>https://github.com/dotnet/arcade</Uri>
-      <Sha>e6f70c7dd528f05cd28cec2a179d58c22e91d9ac</Sha>
+      <Sha>8b879da4e449c48d99f3f642fc429379a64e8fe8</Sha>
       <SourceBuild RepoName="arcade" ManagedOnly="true" />
     </Dependency>
-    <Dependency Name="Microsoft.DotNet.Helix.Sdk" Version="8.0.0-beta.24266.3">
+    <Dependency Name="Microsoft.DotNet.Helix.Sdk" Version="8.0.0-beta.24352.1">
       <Uri>https://github.com/dotnet/arcade</Uri>
-      <Sha>e6f70c7dd528f05cd28cec2a179d58c22e91d9ac</Sha>
+      <Sha>8b879da4e449c48d99f3f642fc429379a64e8fe8</Sha>
     </Dependency>
-    <Dependency Name="Microsoft.DotNet.SignTool" Version="8.0.0-beta.24266.3">
+    <Dependency Name="Microsoft.DotNet.SignTool" Version="8.0.0-beta.24352.1">
       <Uri>https://github.com/dotnet/arcade</Uri>
-      <Sha>e6f70c7dd528f05cd28cec2a179d58c22e91d9ac</Sha>
+      <Sha>8b879da4e449c48d99f3f642fc429379a64e8fe8</Sha>
     </Dependency>
-    <Dependency Name="Microsoft.DotNet.XUnitExtensions" Version="8.0.0-beta.24266.3">
+    <Dependency Name="Microsoft.DotNet.XUnitExtensions" Version="8.0.0-beta.24352.1">
       <Uri>https://github.com/dotnet/arcade</Uri>
-      <Sha>e6f70c7dd528f05cd28cec2a179d58c22e91d9ac</Sha>
+      <Sha>8b879da4e449c48d99f3f642fc429379a64e8fe8</Sha>
     </Dependency>
     <Dependency Name="System.Reflection.MetadataLoadContext" Version="8.0.0">
       <Uri>https://dev.azure.com/dnceng/internal/_git/dotnet-runtime</Uri>
diff --git a/eng/Versions.props b/eng/Versions.props
index 5f6dd851d6bb..700215ca3185 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -33,7 +33,7 @@
     <SystemCollectionsImmutablePackageVersion>7.0.0</SystemCollectionsImmutablePackageVersion>
     <SystemDiagnosticsFileVersionInfoVersion>4.0.0</SystemDiagnosticsFileVersionInfoVersion>
     <SystemReflectionMetadataVersion>7.0.0</SystemReflectionMetadataVersion>
-    <MicrosoftDotNetSignToolVersion>8.0.0-beta.24266.3</MicrosoftDotNetSignToolVersion>
+    <MicrosoftDotNetSignToolVersion>8.0.0-beta.24352.1</MicrosoftDotNetSignToolVersion>
     <MicrosoftWebXdtPackageVersion>7.0.0-preview.22423.2</MicrosoftWebXdtPackageVersion>
     <SystemSecurityCryptographyProtectedDataPackageVersion>8.0.0</SystemSecurityCryptographyProtectedDataPackageVersion>
     <SystemCollectionsSpecializedPackageVersion>4.3.0</SystemCollectionsSpecializedPackageVersion>
@@ -206,7 +206,7 @@
   <PropertyGroup>
     <FluentAssertionsVersion>6.12.0</FluentAssertionsVersion>
     <FluentAssertionsJsonVersion>6.1.0</FluentAssertionsJsonVersion>
-    <MicrosoftDotNetXUnitExtensionsVersion>8.0.0-beta.24266.3</MicrosoftDotNetXUnitExtensionsVersion>
+    <MicrosoftDotNetXUnitExtensionsVersion>8.0.0-beta.24352.1</MicrosoftDotNetXUnitExtensionsVersion>
     <MoqPackageVersion>4.18.4</MoqPackageVersion>
     <XunitCombinatorialVersion>1.3.2</XunitCombinatorialVersion>
     <MicrosoftDotNetInstallerWindowsSecurityTestDataPackageVersion>8.0.0-beta.23607.1</MicrosoftDotNetInstallerWindowsSecurityTestDataPackageVersion>
diff --git a/eng/build-pr.yml b/eng/build-pr.yml
index 4a73ead09a65..8cc01a363611 100644
--- a/eng/build-pr.yml
+++ b/eng/build-pr.yml
@@ -56,7 +56,7 @@ jobs:
           - _OfficialBuildIdArgs: /p:OfficialBuildId=$(BUILD.BUILDNUMBER)
           - _SignArgs: /p:DotNetSignType=$(_SignType) /p:TeamName=$(_TeamName)
           - _PerfIterations: 25
-  
+
       steps:
       - ${{ if ne(variables['System.TeamProject'], 'public') }}:
         - task: PowerShell@2
@@ -66,6 +66,7 @@ jobs:
             arguments: -ConfigFile $(Build.SourcesDirectory)/NuGet.config -Password $Env:Token
           env:
             Token: $(dn-bot-dnceng-artifact-feeds-rw)
+      - template: /eng/common/templates/steps/enable-internal-runtimes.yml
       - ${{ if eq(parameters.agentOs, 'Windows_NT') }}:
         - powershell: eng\common\build.ps1
                     $(_CIBuild)
@@ -98,7 +99,7 @@ jobs:
               SYSTEM_ACCESSTOKEN: $(System.AccessToken)
               HelixAccessToken: $(_HelixApiToken)
               RunAoTTests: 'false'
-  
+
       - ${{ if eq(parameters.agentOs, 'Windows_NT_FullFramework') }}:
         - powershell: eng\common\build.ps1
                     $(_CIBuild)
@@ -130,7 +131,7 @@ jobs:
               TestFullMSBuild: 'true'
               SYSTEM_ACCESSTOKEN: $(System.AccessToken)
               HelixAccessToken: $(_HelixApiToken)
-  
+
       - ${{ if eq(parameters.agentOs, 'Windows_NT_TestAsTools') }}:
         - powershell: eng\common\build.ps1
                     $(_CIBuild)
@@ -142,7 +143,7 @@ jobs:
           displayName: Build
           env:
             BuildConfig: $(_BuildConfig)
-  
+
       - ${{ if notIn(parameters.agentOs, 'Windows_NT', 'Windows_NT_FullFramework', 'Windows_NT_TestAsTools') }}:
         - script: eng/common/build.sh
                     $(_CIBuild)
@@ -173,34 +174,34 @@ jobs:
               RunAoTTests: 'false'
 
       - task: PublishTestResults@2
-        displayName: Publish Test Results	
-        inputs:	
-          testResultsFormat: xUnit	
-          testResultsFiles: 'artifacts/TestResults/$(_BuildConfig)/*.xml'	
-          testRunTitle: '$(_AgentOSName)_$(Agent.JobName)'	
-          buildPlatform: '$(BuildPlatform)'	
-          buildConfiguration: '$(_BuildConfig)'	
+        displayName: Publish Test Results
+        inputs:
+          testResultsFormat: xUnit
+          testResultsFiles: 'artifacts/TestResults/$(_BuildConfig)/*.xml'
+          testRunTitle: '$(_AgentOSName)_$(Agent.JobName)'
+          buildPlatform: '$(BuildPlatform)'
+          buildConfiguration: '$(_BuildConfig)'
         condition: always()
 
-      - task: CopyFiles@2	
-        displayName: Gather Logs	
-        inputs:	
-          SourceFolder: '$(Build.SourcesDirectory)/artifacts'	
-          Contents: |	
-           log/$(_BuildConfig)/**/*	
-           TestResults/$(_BuildConfig)/**/*	
+      - task: CopyFiles@2
+        displayName: Gather Logs
+        inputs:
+          SourceFolder: '$(Build.SourcesDirectory)/artifacts'
+          Contents: |
+           log/$(_BuildConfig)/**/*
+           TestResults/$(_BuildConfig)/**/*
            SymStore/$(_BuildConfig)/**/*
-          TargetFolder: '$(Build.ArtifactStagingDirectory)'	
-        continueOnError: true	
+          TargetFolder: '$(Build.ArtifactStagingDirectory)'
+        continueOnError: true
         condition: always()
-  
-      - task: PublishBuildArtifacts@1	
-        displayName: Publish Logs to VSTS	
-        inputs:	
-          PathtoPublish: '$(Build.ArtifactStagingDirectory)'	
-          ArtifactName: '$(_AgentOSName)_$(Agent.JobName)_$(Build.BuildNumber)'	
-          publishLocation: Container	
-        continueOnError: true	
+
+      - task: PublishBuildArtifacts@1
+        displayName: Publish Logs to VSTS
+        inputs:
+          PathtoPublish: '$(Build.ArtifactStagingDirectory)'
+          ArtifactName: '$(_AgentOSName)_$(Agent.JobName)_$(Build.BuildNumber)'
+          publishLocation: Container
+        continueOnError: true
         condition: always()
 
 # AoT Jobs
@@ -246,6 +247,7 @@ jobs:
             arguments: -ConfigFile $(Build.SourcesDirectory)/NuGet.config -Password $Env:Token
           env:
             Token: $(dn-bot-dnceng-artifact-feeds-rw)
+      - template: /eng/common/templates/steps/enable-internal-runtimes.yml
       - ${{ if eq(parameters.agentOs, 'Windows_NT') }}:
         - powershell: eng\common\build.ps1
                     $(_CIBuild)
@@ -313,25 +315,25 @@ jobs:
               RunAoTTests: 'true'
 
       - ${{ if in(parameters.agentOs, 'Windows_NT', 'Darwin') }}:
-        - task: CopyFiles@2	
-          displayName: Gather Logs	
-          inputs:	
-            SourceFolder: '$(Build.SourcesDirectory)/artifacts'	
-            Contents: |	
-              log/$(_BuildConfig)/**/*	
-              TestResults/$(_BuildConfig)/**/*	
+        - task: CopyFiles@2
+          displayName: Gather Logs
+          inputs:
+            SourceFolder: '$(Build.SourcesDirectory)/artifacts'
+            Contents: |
+              log/$(_BuildConfig)/**/*
+              TestResults/$(_BuildConfig)/**/*
               SymStore/$(_BuildConfig)/**/*
-            TargetFolder: '$(Build.ArtifactStagingDirectory)'	
-          continueOnError: true	
+            TargetFolder: '$(Build.ArtifactStagingDirectory)'
+          continueOnError: true
           condition: always()
 
-        - task: PublishBuildArtifacts@1	
-          displayName: Publish Logs to VSTS	
-          inputs:	
-            PathtoPublish: '$(Build.ArtifactStagingDirectory)'	
-            ArtifactName: '$(_AgentOSName)_$(Agent.JobName)_$(Build.BuildNumber)'	
-            publishLocation: Container	
-          continueOnError: true	
+        - task: PublishBuildArtifacts@1
+          displayName: Publish Logs to VSTS
+          inputs:
+            PathtoPublish: '$(Build.ArtifactStagingDirectory)'
+            ArtifactName: '$(_AgentOSName)_$(Agent.JobName)_$(Build.BuildNumber)'
+            publishLocation: Container
+          continueOnError: true
           condition: always()
 
 # TemplateEngine Jobs
@@ -377,6 +379,7 @@ jobs:
             arguments: -ConfigFile $(Build.SourcesDirectory)/NuGet.config -Password $Env:Token
           env:
             Token: $(dn-bot-dnceng-artifact-feeds-rw)
+      - template: /eng/common/templates/steps/enable-internal-runtimes.yml
       - ${{ if contains(parameters.agentOs, 'Windows_NT') }}:
         - powershell: eng\common\build.ps1
                     $(_CIBuild)
@@ -444,34 +447,34 @@ jobs:
                 /bl:$(Build.SourcesDirectory)/artifacts/log/$(_BuildConfig)/dotnet-new.IntegrationTests.binlog
                 $(_InternalRuntimeDownloadArgs)
           displayName: Run dotnet new Integration Tests
-  
+
       - task: PublishTestResults@2
-        displayName: Publish Test Results	
-        inputs:	
-          testResultsFormat: xUnit	
-          testResultsFiles: 'artifacts/TestResults/$(_BuildConfig)/*.xml'	
-          testRunTitle: '$(_AgentOSName)_$(Agent.JobName)'	
-          buildPlatform: '$(BuildPlatform)'	
-          buildConfiguration: '$(_BuildConfig)'	
+        displayName: Publish Test Results
+        inputs:
+          testResultsFormat: xUnit
+          testResultsFiles: 'artifacts/TestResults/$(_BuildConfig)/*.xml'
+          testRunTitle: '$(_AgentOSName)_$(Agent.JobName)'
+          buildPlatform: '$(BuildPlatform)'
+          buildConfiguration: '$(_BuildConfig)'
         condition: always()
-  
-      - task: CopyFiles@2	
-        displayName: Gather Logs	
-        inputs:	
-          SourceFolder: '$(Build.SourcesDirectory)/artifacts'	
-          Contents: |	
-           log/$(_BuildConfig)/**/*	
-           TestResults/$(_BuildConfig)/**/*	
+
+      - task: CopyFiles@2
+        displayName: Gather Logs
+        inputs:
+          SourceFolder: '$(Build.SourcesDirectory)/artifacts'
+          Contents: |
+           log/$(_BuildConfig)/**/*
+           TestResults/$(_BuildConfig)/**/*
            SymStore/$(_BuildConfig)/**/*
-          TargetFolder: '$(Build.ArtifactStagingDirectory)'	
-        continueOnError: true	
+          TargetFolder: '$(Build.ArtifactStagingDirectory)'
+        continueOnError: true
+        condition: always()
+
+      - task: PublishBuildArtifacts@1
+        displayName: Publish Logs to VSTS
+        inputs:
+          PathtoPublish: '$(Build.ArtifactStagingDirectory)'
+          ArtifactName: '$(_AgentOSName)_$(Agent.JobName)_$(Build.BuildNumber)'
+          publishLocation: Container
+        continueOnError: true
         condition: always()
-  
-      - task: PublishBuildArtifacts@1	
-        displayName: Publish Logs to VSTS	
-        inputs:	
-          PathtoPublish: '$(Build.ArtifactStagingDirectory)'	
-          ArtifactName: '$(_AgentOSName)_$(Agent.JobName)_$(Build.BuildNumber)'	
-          publishLocation: Container	
-        continueOnError: true	
-        condition: always()
\ No newline at end of file
diff --git a/eng/build.yml b/eng/build.yml
index 8bef6707871a..89002d024451 100644
--- a/eng/build.yml
+++ b/eng/build.yml
@@ -67,7 +67,7 @@ jobs:
             value: /p:DotNetSignType=$(_SignType) /p:TeamName=$(_TeamName)
           - name: _PerfIterations
             value: 25
-  
+
       steps:
       - ${{ if ne(variables['System.TeamProject'], 'public') }}:
         - task: PowerShell@2
@@ -77,6 +77,7 @@ jobs:
             arguments: -ConfigFile $(Build.SourcesDirectory)/NuGet.config -Password $Env:Token
           env:
             Token: $(dn-bot-dnceng-artifact-feeds-rw)
+      - template: /eng/common/templates-official/steps/enable-internal-runtimes.yml
       - ${{ if eq(parameters.agentOs, 'Windows_NT') }}:
         - powershell: eng\common\build.ps1
                     $(_CIBuild)
@@ -109,7 +110,7 @@ jobs:
               SYSTEM_ACCESSTOKEN: $(System.AccessToken)
               HelixAccessToken: $(_HelixApiToken)
               RunAoTTests: 'false'
-  
+
       - ${{ if eq(parameters.agentOs, 'Windows_NT_FullFramework') }}:
         - powershell: eng\common\build.ps1
                     $(_CIBuild)
@@ -141,7 +142,7 @@ jobs:
               TestFullMSBuild: 'true'
               SYSTEM_ACCESSTOKEN: $(System.AccessToken)
               HelixAccessToken: $(_HelixApiToken)
-  
+
       - ${{ if eq(parameters.agentOs, 'Windows_NT_TestAsTools') }}:
         - powershell: eng\common\build.ps1
                     $(_CIBuild)
@@ -153,7 +154,7 @@ jobs:
           displayName: Build
           env:
             BuildConfig: $(_BuildConfig)
-  
+
       - ${{ if notIn(parameters.agentOs, 'Windows_NT', 'Windows_NT_FullFramework', 'Windows_NT_TestAsTools') }}:
         - script: eng/common/build.sh
                     $(_CIBuild)
@@ -184,34 +185,34 @@ jobs:
               RunAoTTests: 'false'
 
       - task: PublishTestResults@2
-        displayName: Publish Test Results	
-        inputs:	
-          testResultsFormat: xUnit	
-          testResultsFiles: 'artifacts/TestResults/$(_BuildConfig)/*.xml'	
-          testRunTitle: '$(_AgentOSName)_$(Agent.JobName)'	
-          buildPlatform: '$(BuildPlatform)'	
-          buildConfiguration: '$(_BuildConfig)'	
+        displayName: Publish Test Results
+        inputs:
+          testResultsFormat: xUnit
+          testResultsFiles: 'artifacts/TestResults/$(_BuildConfig)/*.xml'
+          testRunTitle: '$(_AgentOSName)_$(Agent.JobName)'
+          buildPlatform: '$(BuildPlatform)'
+          buildConfiguration: '$(_BuildConfig)'
         condition: always()
 
-      - task: CopyFiles@2	
-        displayName: Gather Logs	
-        inputs:	
-          SourceFolder: '$(Build.SourcesDirectory)/artifacts'	
-          Contents: |	
-           log/$(_BuildConfig)/**/*	
-           TestResults/$(_BuildConfig)/**/*	
+      - task: CopyFiles@2
+        displayName: Gather Logs
+        inputs:
+          SourceFolder: '$(Build.SourcesDirectory)/artifacts'
+          Contents: |
+           log/$(_BuildConfig)/**/*
+           TestResults/$(_BuildConfig)/**/*
            SymStore/$(_BuildConfig)/**/*
-          TargetFolder: '$(Build.ArtifactStagingDirectory)'	
-        continueOnError: true	
+          TargetFolder: '$(Build.ArtifactStagingDirectory)'
+        continueOnError: true
         condition: always()
-  
-      - task: 1ES.PublishBuildArtifacts@1	
-        displayName: Publish Logs to VSTS	
-        inputs:	
-          PathtoPublish: '$(Build.ArtifactStagingDirectory)'	
-          ArtifactName: '$(_AgentOSName)_$(Agent.JobName)_$(Build.BuildNumber)'	
-          publishLocation: Container	
-        continueOnError: true	
+
+      - task: 1ES.PublishBuildArtifacts@1
+        displayName: Publish Logs to VSTS
+        inputs:
+          PathtoPublish: '$(Build.ArtifactStagingDirectory)'
+          ArtifactName: '$(_AgentOSName)_$(Agent.JobName)_$(Build.BuildNumber)'
+          publishLocation: Container
+        continueOnError: true
         condition: always()
 
 # AoT Jobs
@@ -270,6 +271,7 @@ jobs:
             arguments: -ConfigFile $(Build.SourcesDirectory)/NuGet.config -Password $Env:Token
           env:
             Token: $(dn-bot-dnceng-artifact-feeds-rw)
+      - template: /eng/common/templates-official/steps/enable-internal-runtimes.yml
       - ${{ if eq(parameters.agentOs, 'Windows_NT') }}:
         - powershell: eng\common\build.ps1
                     $(_CIBuild)
@@ -337,25 +339,25 @@ jobs:
               RunAoTTests: 'true'
 
       - ${{ if in(parameters.agentOs, 'Windows_NT', 'Darwin') }}:
-        - task: CopyFiles@2	
-          displayName: Gather Logs	
-          inputs:	
-            SourceFolder: '$(Build.SourcesDirectory)/artifacts'	
-            Contents: |	
-              log/$(_BuildConfig)/**/*	
-              TestResults/$(_BuildConfig)/**/*	
+        - task: CopyFiles@2
+          displayName: Gather Logs
+          inputs:
+            SourceFolder: '$(Build.SourcesDirectory)/artifacts'
+            Contents: |
+              log/$(_BuildConfig)/**/*
+              TestResults/$(_BuildConfig)/**/*
               SymStore/$(_BuildConfig)/**/*
-            TargetFolder: '$(Build.ArtifactStagingDirectory)'	
-          continueOnError: true	
+            TargetFolder: '$(Build.ArtifactStagingDirectory)'
+          continueOnError: true
           condition: always()
 
-        - task: 1ES.PublishBuildArtifacts@1	
-          displayName: Publish Logs to VSTS	
-          inputs:	
-            PathtoPublish: '$(Build.ArtifactStagingDirectory)'	
-            ArtifactName: '$(_AgentOSName)_$(Agent.JobName)_$(Build.BuildNumber)'	
-            publishLocation: Container	
-          continueOnError: true	
+        - task: 1ES.PublishBuildArtifacts@1
+          displayName: Publish Logs to VSTS
+          inputs:
+            PathtoPublish: '$(Build.ArtifactStagingDirectory)'
+            ArtifactName: '$(_AgentOSName)_$(Agent.JobName)_$(Build.BuildNumber)'
+            publishLocation: Container
+          continueOnError: true
           condition: always()
 
 # TemplateEngine Jobs
@@ -414,6 +416,7 @@ jobs:
             arguments: -ConfigFile $(Build.SourcesDirectory)/NuGet.config -Password $Env:Token
           env:
             Token: $(dn-bot-dnceng-artifact-feeds-rw)
+      - template: /eng/common/templates-official/steps/enable-internal-runtimes.yml
       - ${{ if contains(parameters.agentOs, 'Windows_NT') }}:
         - powershell: eng\common\build.ps1
                     $(_CIBuild)
@@ -481,34 +484,34 @@ jobs:
                 /bl:$(Build.SourcesDirectory)/artifacts/log/$(_BuildConfig)/dotnet-new.IntegrationTests.binlog
                 $(_InternalRuntimeDownloadArgs)
           displayName: Run dotnet new Integration Tests
-  
+
       - task: PublishTestResults@2
-        displayName: Publish Test Results	
-        inputs:	
-          testResultsFormat: xUnit	
-          testResultsFiles: 'artifacts/TestResults/$(_BuildConfig)/*.xml'	
-          testRunTitle: '$(_AgentOSName)_$(Agent.JobName)'	
-          buildPlatform: '$(BuildPlatform)'	
-          buildConfiguration: '$(_BuildConfig)'	
+        displayName: Publish Test Results
+        inputs:
+          testResultsFormat: xUnit
+          testResultsFiles: 'artifacts/TestResults/$(_BuildConfig)/*.xml'
+          testRunTitle: '$(_AgentOSName)_$(Agent.JobName)'
+          buildPlatform: '$(BuildPlatform)'
+          buildConfiguration: '$(_BuildConfig)'
         condition: always()
-  
-      - task: CopyFiles@2	
-        displayName: Gather Logs	
-        inputs:	
-          SourceFolder: '$(Build.SourcesDirectory)/artifacts'	
-          Contents: |	
-           log/$(_BuildConfig)/**/*	
-           TestResults/$(_BuildConfig)/**/*	
+
+      - task: CopyFiles@2
+        displayName: Gather Logs
+        inputs:
+          SourceFolder: '$(Build.SourcesDirectory)/artifacts'
+          Contents: |
+           log/$(_BuildConfig)/**/*
+           TestResults/$(_BuildConfig)/**/*
            SymStore/$(_BuildConfig)/**/*
-          TargetFolder: '$(Build.ArtifactStagingDirectory)'	
-        continueOnError: true	
+          TargetFolder: '$(Build.ArtifactStagingDirectory)'
+        continueOnError: true
         condition: always()
-  
-      - task: 1ES.PublishBuildArtifacts@1	
-        displayName: Publish Logs to VSTS	
-        inputs:	
-          PathtoPublish: '$(Build.ArtifactStagingDirectory)'	
-          ArtifactName: '$(_AgentOSName)_$(Agent.JobName)_$(Build.BuildNumber)'	
-          publishLocation: Container	
-        continueOnError: true	
+
+      - task: 1ES.PublishBuildArtifacts@1
+        displayName: Publish Logs to VSTS
+        inputs:
+          PathtoPublish: '$(Build.ArtifactStagingDirectory)'
+          ArtifactName: '$(_AgentOSName)_$(Agent.JobName)_$(Build.BuildNumber)'
+          publishLocation: Container
+        continueOnError: true
         condition: always()
diff --git a/eng/common/post-build/publish-using-darc.ps1 b/eng/common/post-build/publish-using-darc.ps1
index 5a3a32ea8d75..238945cb5ab4 100644
--- a/eng/common/post-build/publish-using-darc.ps1
+++ b/eng/common/post-build/publish-using-darc.ps1
@@ -2,7 +2,6 @@ param(
   [Parameter(Mandatory=$true)][int] $BuildId,
   [Parameter(Mandatory=$true)][int] $PublishingInfraVersion,
   [Parameter(Mandatory=$true)][string] $AzdoToken,
-  [Parameter(Mandatory=$true)][string] $MaestroToken,
   [Parameter(Mandatory=$false)][string] $MaestroApiEndPoint = 'https://maestro.dot.net',
   [Parameter(Mandatory=$true)][string] $WaitPublishingFinish,
   [Parameter(Mandatory=$false)][string] $ArtifactsPublishingAdditionalParameters,
@@ -31,13 +30,13 @@ try {
   }
 
   & $darc add-build-to-channel `
-  --id $buildId `
-  --publishing-infra-version $PublishingInfraVersion `
-  --default-channels `
-  --source-branch main `
-  --azdev-pat $AzdoToken `
-  --bar-uri $MaestroApiEndPoint `
-  --password $MaestroToken `
+    --id $buildId `
+    --publishing-infra-version $PublishingInfraVersion `
+    --default-channels `
+    --source-branch main `
+    --azdev-pat "$AzdoToken" `
+    --bar-uri "$MaestroApiEndPoint" `
+    --ci `
 	@optionalParams
 
   if ($LastExitCode -ne 0) {
diff --git a/eng/common/templates-official/job/publish-build-assets.yml b/eng/common/templates-official/job/publish-build-assets.yml
index 589ac80a18b7..d01739c12857 100644
--- a/eng/common/templates-official/job/publish-build-assets.yml
+++ b/eng/common/templates-official/job/publish-build-assets.yml
@@ -76,13 +76,16 @@ jobs:
     
     - task: NuGetAuthenticate@1
 
-    - task: PowerShell@2
+    - task: AzureCLI@2
       displayName: Publish Build Assets
       inputs:
-        filePath: eng\common\sdk-task.ps1
-        arguments: -task PublishBuildAssets -restore -msbuildEngine dotnet
+        azureSubscription: "Darc: Maestro Production"
+        scriptType: ps
+        scriptLocation: scriptPath
+        scriptPath: $(Build.SourcesDirectory)/eng/common/sdk-task.ps1
+        arguments: >
+          -task PublishBuildAssets -restore -msbuildEngine dotnet
           /p:ManifestsPath='$(Build.StagingDirectory)/Download/AssetManifests'
-          /p:BuildAssetRegistryToken=$(MaestroAccessToken)
           /p:MaestroApiEndpoint=https://maestro-prod.westus2.cloudapp.azure.com
           /p:PublishUsingPipelines=${{ parameters.publishUsingPipelines }}
           /p:OfficialBuildId=$(Build.BuildNumber)
@@ -144,7 +147,6 @@ jobs:
           arguments: -BuildId $(BARBuildId) 
             -PublishingInfraVersion 3
             -AzdoToken '$(publishing-dnceng-devdiv-code-r-build-re)'
-            -MaestroToken '$(MaestroApiAccessToken)'
             -WaitPublishingFinish true
             -ArtifactsPublishingAdditionalParameters '${{ parameters.artifactsPublishingAdditionalParameters }}'
             -SymbolPublishingAdditionalParameters '${{ parameters.symbolPublishingAdditionalParameters }}'
diff --git a/eng/common/templates-official/job/source-build.yml b/eng/common/templates-official/job/source-build.yml
index f193dfbe2366..f983033bb028 100644
--- a/eng/common/templates-official/job/source-build.yml
+++ b/eng/common/templates-official/job/source-build.yml
@@ -31,6 +31,12 @@ parameters:
   #   container and pool.
   platform: {}
 
+  # If set to true and running on a non-public project,
+  # Internal blob storage locations will be enabled.
+  # This is not enabled by default because many repositories do not need internal sources
+  # and do not need to have the required service connections approved in the pipeline.
+  enableInternalSources: false
+
 jobs:
 - job: ${{ parameters.jobNamePrefix }}_${{ parameters.platform.name }}
   displayName: Source-Build (${{ parameters.platform.name }})
@@ -62,6 +68,8 @@ jobs:
     clean: all
 
   steps:
+  - ${{ if eq(parameters.enableInternalSources, true) }}:
+    - template: /eng/common/templates-official/steps/enable-internal-runtimes.yml
   - template: /eng/common/templates-official/steps/source-build.yml
     parameters:
       platform: ${{ parameters.platform }}
diff --git a/eng/common/templates-official/job/source-index-stage1.yml b/eng/common/templates-official/job/source-index-stage1.yml
index 43ee0c202fc7..60dfb6b2d1c0 100644
--- a/eng/common/templates-official/job/source-index-stage1.yml
+++ b/eng/common/templates-official/job/source-index-stage1.yml
@@ -23,7 +23,7 @@ jobs:
     value: ${{ parameters.sourceIndexPackageSource }}
   - name: BinlogPath
     value: ${{ parameters.binlogPath }}
-  - template: /eng/common/templates/variables/pool-providers.yml
+  - template: /eng/common/templates-official/variables/pool-providers.yml
 
   ${{ if ne(parameters.pool, '') }}:
     pool: ${{ parameters.pool }}
@@ -34,7 +34,8 @@ jobs:
         demands: ImageOverride -equals windows.vs2019.amd64.open
       ${{ if eq(variables['System.TeamProject'], 'internal') }}:
         name: $(DncEngInternalBuildPool)
-        demands: ImageOverride -equals windows.vs2019.amd64
+        image: windows.vs2022.amd64
+        os: windows
 
   steps:
   - ${{ each preStep in parameters.preSteps }}:
@@ -70,16 +71,13 @@ jobs:
         scriptType: 'ps'
         scriptLocation: 'inlineScript'
         inlineScript: |
-          echo "##vso[task.setvariable variable=ARM_CLIENT_ID]$env:servicePrincipalId"
-          echo "##vso[task.setvariable variable=ARM_ID_TOKEN]$env:idToken"
-          echo "##vso[task.setvariable variable=ARM_TENANT_ID]$env:tenantId"
+          echo "##vso[task.setvariable variable=ARM_CLIENT_ID;issecret=true]$env:servicePrincipalId"
+          echo "##vso[task.setvariable variable=ARM_ID_TOKEN;issecret=true]$env:idToken"
+          echo "##vso[task.setvariable variable=ARM_TENANT_ID;issecret=true]$env:tenantId"
 
     - script: |
-        echo "Client ID: $(ARM_CLIENT_ID)"
-        echo "ID Token: $(ARM_ID_TOKEN)"
-        echo "Tenant ID: $(ARM_TENANT_ID)"
         az login --service-principal -u $(ARM_CLIENT_ID) --tenant $(ARM_TENANT_ID) --allow-no-subscriptions --federated-token $(ARM_ID_TOKEN)
       displayName: "Login to Azure"
 
     - script: $(Agent.TempDirectory)/.source-index/tools/UploadIndexStage1 -i .source-index/stage1output -n $(Build.Repository.Name) -s netsourceindexstage1 -b stage1
-      displayName: Upload stage1 artifacts to source index
\ No newline at end of file
+      displayName: Upload stage1 artifacts to source index
diff --git a/eng/common/templates-official/jobs/source-build.yml b/eng/common/templates-official/jobs/source-build.yml
index 08e5db9bb116..5cf6a269c0b6 100644
--- a/eng/common/templates-official/jobs/source-build.yml
+++ b/eng/common/templates-official/jobs/source-build.yml
@@ -21,6 +21,12 @@ parameters:
   # one job runs on 'defaultManagedPlatform'.
   platforms: []
 
+  # If set to true and running on a non-public project,
+  # Internal nuget and blob storage locations will be enabled.
+  # This is not enabled by default because many repositories do not need internal sources
+  # and do not need to have the required service connections approved in the pipeline.
+  enableInternalSources: false
+
 jobs:
 
 - ${{ if ne(parameters.allCompletedJobId, '') }}:
@@ -38,9 +44,11 @@ jobs:
     parameters:
       jobNamePrefix: ${{ parameters.jobNamePrefix }}
       platform: ${{ platform }}
+      enableInternalSources: ${{ parameters.enableInternalSources }}
 
 - ${{ if eq(length(parameters.platforms), 0) }}:
   - template: /eng/common/templates-official/job/source-build.yml
     parameters:
       jobNamePrefix: ${{ parameters.jobNamePrefix }}
       platform: ${{ parameters.defaultManagedPlatform }}
+      enableInternalSources: ${{ parameters.enableInternalSources }}
diff --git a/eng/common/templates-official/post-build/post-build.yml b/eng/common/templates-official/post-build/post-build.yml
index da1f40958b45..0dfa387e7b78 100644
--- a/eng/common/templates-official/post-build/post-build.yml
+++ b/eng/common/templates-official/post-build/post-build.yml
@@ -272,14 +272,16 @@ stages:
 
         - task: NuGetAuthenticate@1
 
-        - task: PowerShell@2
+        - task: AzureCLI@2
           displayName: Publish Using Darc
           inputs:
-            filePath: $(Build.SourcesDirectory)/eng/common/post-build/publish-using-darc.ps1
+            azureSubscription: "Darc: Maestro Production"
+            scriptType: ps
+            scriptLocation: scriptPath
+            scriptPath: $(Build.SourcesDirectory)/eng/common/post-build/publish-using-darc.ps1
             arguments: -BuildId $(BARBuildId) 
               -PublishingInfraVersion ${{ parameters.publishingInfraVersion }}
               -AzdoToken '$(publishing-dnceng-devdiv-code-r-build-re)'
-              -MaestroToken '$(MaestroApiAccessToken)'
               -WaitPublishingFinish true
               -ArtifactsPublishingAdditionalParameters '${{ parameters.artifactsPublishingAdditionalParameters }}'
               -SymbolPublishingAdditionalParameters '${{ parameters.symbolPublishingAdditionalParameters }}'
diff --git a/eng/common/templates-official/steps/enable-internal-runtimes.yml b/eng/common/templates-official/steps/enable-internal-runtimes.yml
new file mode 100644
index 000000000000..93a8394a666b
--- /dev/null
+++ b/eng/common/templates-official/steps/enable-internal-runtimes.yml
@@ -0,0 +1,28 @@
+# Obtains internal runtime download credentials and populates the 'dotnetbuilds-internal-container-read-token-base64'
+# variable with the base64-encoded SAS token, by default
+
+parameters:
+- name: federatedServiceConnection
+  type: string
+  default: 'dotnetbuilds-internal-read'
+- name: outputVariableName
+  type: string
+  default: 'dotnetbuilds-internal-container-read-token-base64'
+- name: expiryInHours
+  type: number
+  default: 1
+- name: base64Encode
+  type: boolean
+  default: true
+
+steps:
+- ${{ if ne(variables['System.TeamProject'], 'public') }}:
+  - template: /eng/common/templates-official/steps/get-delegation-sas.yml
+    parameters:
+      federatedServiceConnection: ${{ parameters.federatedServiceConnection }}
+      outputVariableName: ${{ parameters.outputVariableName }}
+      expiryInHours: ${{ parameters.expiryInHours }}
+      base64Encode: ${{ parameters.base64Encode }}
+      storageAccount: dotnetbuilds
+      container: internal
+      permissions: rl
diff --git a/eng/common/templates-official/steps/get-delegation-sas.yml b/eng/common/templates-official/steps/get-delegation-sas.yml
new file mode 100644
index 000000000000..c0e8f91317f0
--- /dev/null
+++ b/eng/common/templates-official/steps/get-delegation-sas.yml
@@ -0,0 +1,43 @@
+parameters:
+- name: federatedServiceConnection
+  type: string
+- name: outputVariableName
+  type: string
+- name: expiryInHours
+  type: number
+  default: 1
+- name: base64Encode
+  type: boolean
+  default: false
+- name: storageAccount
+  type: string
+- name: container
+  type: string
+- name: permissions
+  type: string
+  default: 'rl'
+
+steps:
+- task: AzureCLI@2
+  displayName: 'Generate delegation SAS Token for ${{ parameters.storageAccount }}/${{ parameters.container }}'
+  inputs:
+    azureSubscription: ${{ parameters.federatedServiceConnection }}
+    scriptType: 'pscore'
+    scriptLocation: 'inlineScript'
+    inlineScript: |
+      # Calculate the expiration of the SAS token and convert to UTC
+      $expiry = (Get-Date).AddHours(${{ parameters.expiryInHours }}).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
+
+      $sas = az storage container generate-sas --account-name ${{ parameters.storageAccount }} --name ${{ parameters.container }} --permissions ${{ parameters.permissions }} --expiry $expiry --auth-mode login --as-user -o tsv
+
+      if ($LASTEXITCODE -ne 0) {
+        Write-Error "Failed to generate SAS token."
+        exit 1
+      }
+
+      if ('${{ parameters.base64Encode }}' -eq 'true') {
+        $sas = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($sas))
+      }
+
+      Write-Host "Setting '${{ parameters.outputVariableName }}' with the access token value"
+      Write-Host "##vso[task.setvariable variable=${{ parameters.outputVariableName }};issecret=true]$sas"
diff --git a/eng/common/templates-official/steps/get-federated-access-token.yml b/eng/common/templates-official/steps/get-federated-access-token.yml
new file mode 100644
index 000000000000..e3786cef6dfd
--- /dev/null
+++ b/eng/common/templates-official/steps/get-federated-access-token.yml
@@ -0,0 +1,28 @@
+parameters:
+- name: federatedServiceConnection
+  type: string
+- name: outputVariableName
+  type: string
+# Resource to get a token for. Common values include:
+# - '499b84ac-1321-427f-aa17-267ca6975798' for Azure DevOps
+# - 'https://storage.azure.com/' for storage
+# Defaults to Azure DevOps
+- name: resource
+  type: string
+  default: '499b84ac-1321-427f-aa17-267ca6975798'
+
+steps:
+- task: AzureCLI@2
+  displayName: 'Getting federated access token for feeds'
+  inputs:
+    azureSubscription: ${{ parameters.federatedServiceConnection }}
+    scriptType: 'pscore'
+    scriptLocation: 'inlineScript'
+    inlineScript: |
+      $accessToken = az account get-access-token --query accessToken --resource ${{ parameters.resource }} --output tsv
+      if ($LASTEXITCODE -ne 0) {
+        Write-Error "Failed to get access token for resource '${{ parameters.resource }}'"
+        exit 1
+      }
+      Write-Host "Setting '${{ parameters.outputVariableName }}' with the access token value"
+      Write-Host "##vso[task.setvariable variable=${{ parameters.outputVariableName }};issecret=true]$accessToken"
diff --git a/eng/common/templates/job/publish-build-assets.yml b/eng/common/templates/job/publish-build-assets.yml
index 8ec0151def21..9fd69fa7c9b7 100644
--- a/eng/common/templates/job/publish-build-assets.yml
+++ b/eng/common/templates/job/publish-build-assets.yml
@@ -74,13 +74,16 @@ jobs:
 
     - task: NuGetAuthenticate@1
 
-    - task: PowerShell@2
+    - task: AzureCLI@2
       displayName: Publish Build Assets
       inputs:
-        filePath: eng\common\sdk-task.ps1
-        arguments: -task PublishBuildAssets -restore -msbuildEngine dotnet
+        azureSubscription: "Darc: Maestro Production"
+        scriptType: ps
+        scriptLocation: scriptPath
+        scriptPath: $(Build.SourcesDirectory)/eng/common/sdk-task.ps1
+        arguments: >
+          -task PublishBuildAssets -restore -msbuildEngine dotnet
           /p:ManifestsPath='$(Build.StagingDirectory)/Download/AssetManifests'
-          /p:BuildAssetRegistryToken=$(MaestroAccessToken)
           /p:MaestroApiEndpoint=https://maestro.dot.net
           /p:PublishUsingPipelines=${{ parameters.publishUsingPipelines }}
           /p:OfficialBuildId=$(Build.BuildNumber)
@@ -140,7 +143,6 @@ jobs:
           arguments: -BuildId $(BARBuildId)
             -PublishingInfraVersion 3
             -AzdoToken '$(publishing-dnceng-devdiv-code-r-build-re)'
-            -MaestroToken '$(MaestroApiAccessToken)'
             -WaitPublishingFinish true
             -ArtifactsPublishingAdditionalParameters '${{ parameters.artifactsPublishingAdditionalParameters }}'
             -SymbolPublishingAdditionalParameters '${{ parameters.symbolPublishingAdditionalParameters }}'
diff --git a/eng/common/templates/job/source-build.yml b/eng/common/templates/job/source-build.yml
index 8a3deef2b727..c0ff472b697b 100644
--- a/eng/common/templates/job/source-build.yml
+++ b/eng/common/templates/job/source-build.yml
@@ -31,6 +31,12 @@ parameters:
   #   container and pool.
   platform: {}
 
+  # If set to true and running on a non-public project,
+  # Internal blob storage locations will be enabled.
+  # This is not enabled by default because many repositories do not need internal sources
+  # and do not need to have the required service connections approved in the pipeline.
+  enableInternalSources: false
+
 jobs:
 - job: ${{ parameters.jobNamePrefix }}_${{ parameters.platform.name }}
   displayName: Source-Build (${{ parameters.platform.name }})
@@ -61,6 +67,8 @@ jobs:
     clean: all
 
   steps:
+  - ${{ if eq(parameters.enableInternalSources, true) }}:
+    - template: /eng/common/templates/steps/enable-internal-runtimes.yml
   - template: /eng/common/templates/steps/source-build.yml
     parameters:
       platform: ${{ parameters.platform }}
diff --git a/eng/common/templates/job/source-index-stage1.yml b/eng/common/templates/job/source-index-stage1.yml
index 43ee0c202fc7..0b6bb89dc78a 100644
--- a/eng/common/templates/job/source-index-stage1.yml
+++ b/eng/common/templates/job/source-index-stage1.yml
@@ -70,16 +70,13 @@ jobs:
         scriptType: 'ps'
         scriptLocation: 'inlineScript'
         inlineScript: |
-          echo "##vso[task.setvariable variable=ARM_CLIENT_ID]$env:servicePrincipalId"
-          echo "##vso[task.setvariable variable=ARM_ID_TOKEN]$env:idToken"
-          echo "##vso[task.setvariable variable=ARM_TENANT_ID]$env:tenantId"
+          echo "##vso[task.setvariable variable=ARM_CLIENT_ID;issecret=true]$env:servicePrincipalId"
+          echo "##vso[task.setvariable variable=ARM_ID_TOKEN;issecret=true]$env:idToken"
+          echo "##vso[task.setvariable variable=ARM_TENANT_ID;issecret=true]$env:tenantId"
 
     - script: |
-        echo "Client ID: $(ARM_CLIENT_ID)"
-        echo "ID Token: $(ARM_ID_TOKEN)"
-        echo "Tenant ID: $(ARM_TENANT_ID)"
         az login --service-principal -u $(ARM_CLIENT_ID) --tenant $(ARM_TENANT_ID) --allow-no-subscriptions --federated-token $(ARM_ID_TOKEN)
       displayName: "Login to Azure"
 
     - script: $(Agent.TempDirectory)/.source-index/tools/UploadIndexStage1 -i .source-index/stage1output -n $(Build.Repository.Name) -s netsourceindexstage1 -b stage1
-      displayName: Upload stage1 artifacts to source index
\ No newline at end of file
+      displayName: Upload stage1 artifacts to source index
diff --git a/eng/common/templates/jobs/source-build.yml b/eng/common/templates/jobs/source-build.yml
index a15b07eb51d9..5f46bfa895c1 100644
--- a/eng/common/templates/jobs/source-build.yml
+++ b/eng/common/templates/jobs/source-build.yml
@@ -21,6 +21,12 @@ parameters:
   # one job runs on 'defaultManagedPlatform'.
   platforms: []
 
+  # If set to true and running on a non-public project,
+  # Internal nuget and blob storage locations will be enabled.
+  # This is not enabled by default because many repositories do not need internal sources
+  # and do not need to have the required service connections approved in the pipeline.
+  enableInternalSources: false
+
 jobs:
 
 - ${{ if ne(parameters.allCompletedJobId, '') }}:
@@ -38,9 +44,11 @@ jobs:
     parameters:
       jobNamePrefix: ${{ parameters.jobNamePrefix }}
       platform: ${{ platform }}
+      enableInternalSources: ${{ parameters.enableInternalSources }}
 
 - ${{ if eq(length(parameters.platforms), 0) }}:
   - template: /eng/common/templates/job/source-build.yml
     parameters:
       jobNamePrefix: ${{ parameters.jobNamePrefix }}
       platform: ${{ parameters.defaultManagedPlatform }}
+      enableInternalSources: ${{ parameters.enableInternalSources }}
diff --git a/eng/common/templates/post-build/post-build.yml b/eng/common/templates/post-build/post-build.yml
index aba44a25a338..2db4933468fd 100644
--- a/eng/common/templates/post-build/post-build.yml
+++ b/eng/common/templates/post-build/post-build.yml
@@ -268,14 +268,16 @@ stages:
 
         - task: NuGetAuthenticate@1
 
-        - task: PowerShell@2
+        - task: AzureCLI@2
           displayName: Publish Using Darc
           inputs:
-            filePath: $(Build.SourcesDirectory)/eng/common/post-build/publish-using-darc.ps1
+            azureSubscription: "Darc: Maestro Production"
+            scriptType: ps
+            scriptLocation: scriptPath
+            scriptPath: $(Build.SourcesDirectory)/eng/common/post-build/publish-using-darc.ps1
             arguments: -BuildId $(BARBuildId)
               -PublishingInfraVersion ${{ parameters.publishingInfraVersion }}
               -AzdoToken '$(publishing-dnceng-devdiv-code-r-build-re)'
-              -MaestroToken '$(MaestroApiAccessToken)'
               -WaitPublishingFinish true
               -ArtifactsPublishingAdditionalParameters '${{ parameters.artifactsPublishingAdditionalParameters }}'
               -SymbolPublishingAdditionalParameters '${{ parameters.symbolPublishingAdditionalParameters }}'
diff --git a/eng/common/templates/post-build/setup-maestro-vars.yml b/eng/common/templates/post-build/setup-maestro-vars.yml
index 0c87f149a4ad..64b9abc68504 100644
--- a/eng/common/templates/post-build/setup-maestro-vars.yml
+++ b/eng/common/templates/post-build/setup-maestro-vars.yml
@@ -11,13 +11,14 @@ steps:
         artifactName: ReleaseConfigs
         checkDownloadedFiles: true
 
-  - task: PowerShell@2
+  - task: AzureCLI@2
     name: setReleaseVars
     displayName: Set Release Configs Vars
     inputs:
-      targetType: inline
-      pwsh: true
-      script: |
+      azureSubscription: "Darc: Maestro Production"
+      scriptType: pscore
+      scriptLocation: inlineScript
+      inlineScript: |
         try {
           if (!$Env:PromoteToMaestroChannels -or $Env:PromoteToMaestroChannels.Trim() -eq '') {
             $Content = Get-Content $(Build.StagingDirectory)/ReleaseConfigs/ReleaseConfigs.txt
@@ -31,15 +32,16 @@ steps:
             $AzureDevOpsBuildId = $Env:Build_BuildId
           }
           else {
-            $buildApiEndpoint = "${Env:MaestroApiEndPoint}/api/builds/${Env:BARBuildId}?api-version=${Env:MaestroApiVersion}"
+            . $(Build.SourcesDirectory)\eng\common\tools.ps1
+            $darc = Get-Darc
+            $buildInfo = & $darc get-build `
+              --id ${{ parameters.BARBuildId }} `
+              --extended `
+              --output-format json `
+              --ci `
+              | convertFrom-Json
 
-            $apiHeaders = New-Object 'System.Collections.Generic.Dictionary[[String],[String]]'
-            $apiHeaders.Add('Accept', 'application/json')
-            $apiHeaders.Add('Authorization',"Bearer ${Env:MAESTRO_API_TOKEN}")
-
-            $buildInfo = try { Invoke-WebRequest -Method Get -Uri $buildApiEndpoint -Headers $apiHeaders | ConvertFrom-Json } catch { Write-Host "Error: $_" }
-            
-            $BarId = $Env:BARBuildId
+            $BarId = ${{ parameters.BARBuildId }}
             $Channels = $Env:PromoteToMaestroChannels -split ","
             $Channels = $Channels -join "]["
             $Channels = "[$Channels]"
@@ -65,6 +67,4 @@ steps:
           exit 1
         }
     env:
-      MAESTRO_API_TOKEN: $(MaestroApiAccessToken)
-      BARBuildId: ${{ parameters.BARBuildId }}
       PromoteToMaestroChannels: ${{ parameters.PromoteToChannelIds }}
diff --git a/eng/common/templates/steps/enable-internal-runtimes.yml b/eng/common/templates/steps/enable-internal-runtimes.yml
new file mode 100644
index 000000000000..54dc9416c519
--- /dev/null
+++ b/eng/common/templates/steps/enable-internal-runtimes.yml
@@ -0,0 +1,28 @@
+# Obtains internal runtime download credentials and populates the 'dotnetbuilds-internal-container-read-token-base64'
+# variable with the base64-encoded SAS token, by default
+
+parameters:
+- name: federatedServiceConnection
+  type: string
+  default: 'dotnetbuilds-internal-read'
+- name: outputVariableName
+  type: string
+  default: 'dotnetbuilds-internal-container-read-token-base64'
+- name: expiryInHours
+  type: number
+  default: 1
+- name: base64Encode
+  type: boolean
+  default: true
+
+steps:
+- ${{ if ne(variables['System.TeamProject'], 'public') }}:
+  - template: /eng/common/templates/steps/get-delegation-sas.yml
+    parameters:
+      federatedServiceConnection: ${{ parameters.federatedServiceConnection }}
+      outputVariableName: ${{ parameters.outputVariableName }}
+      expiryInHours: ${{ parameters.expiryInHours }}
+      base64Encode: ${{ parameters.base64Encode }}
+      storageAccount: dotnetbuilds
+      container: internal
+      permissions: rl
diff --git a/eng/common/templates/steps/get-delegation-sas.yml b/eng/common/templates/steps/get-delegation-sas.yml
new file mode 100644
index 000000000000..c0e8f91317f0
--- /dev/null
+++ b/eng/common/templates/steps/get-delegation-sas.yml
@@ -0,0 +1,43 @@
+parameters:
+- name: federatedServiceConnection
+  type: string
+- name: outputVariableName
+  type: string
+- name: expiryInHours
+  type: number
+  default: 1
+- name: base64Encode
+  type: boolean
+  default: false
+- name: storageAccount
+  type: string
+- name: container
+  type: string
+- name: permissions
+  type: string
+  default: 'rl'
+
+steps:
+- task: AzureCLI@2
+  displayName: 'Generate delegation SAS Token for ${{ parameters.storageAccount }}/${{ parameters.container }}'
+  inputs:
+    azureSubscription: ${{ parameters.federatedServiceConnection }}
+    scriptType: 'pscore'
+    scriptLocation: 'inlineScript'
+    inlineScript: |
+      # Calculate the expiration of the SAS token and convert to UTC
+      $expiry = (Get-Date).AddHours(${{ parameters.expiryInHours }}).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
+
+      $sas = az storage container generate-sas --account-name ${{ parameters.storageAccount }} --name ${{ parameters.container }} --permissions ${{ parameters.permissions }} --expiry $expiry --auth-mode login --as-user -o tsv
+
+      if ($LASTEXITCODE -ne 0) {
+        Write-Error "Failed to generate SAS token."
+        exit 1
+      }
+
+      if ('${{ parameters.base64Encode }}' -eq 'true') {
+        $sas = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($sas))
+      }
+
+      Write-Host "Setting '${{ parameters.outputVariableName }}' with the access token value"
+      Write-Host "##vso[task.setvariable variable=${{ parameters.outputVariableName }};issecret=true]$sas"
diff --git a/eng/common/templates/steps/get-federated-access-token.yml b/eng/common/templates/steps/get-federated-access-token.yml
new file mode 100644
index 000000000000..c8c49cc0e8f0
--- /dev/null
+++ b/eng/common/templates/steps/get-federated-access-token.yml
@@ -0,0 +1,28 @@
+parameters:
+- name: federatedServiceConnection
+  type: string
+- name: outputVariableName
+  type: string
+# Resource to get a token for. Common values include:
+# - '499b84ac-1321-427f-aa17-267ca6975798' for Azure DevOps
+# - 'https://storage.azure.com/' for storage
+# Defaults to Azure DevOps
+- name: resource
+  type: string
+  default: '499b84ac-1321-427f-aa17-267ca6975798'
+
+steps:
+- task: AzureCLI@2
+  displayName: 'Getting federated access token for feeds'
+  inputs:
+    azureSubscription: ${{ parameters.federatedServiceConnection }}
+    scriptType: 'pscore'
+    scriptLocation: 'inlineScript'
+    inlineScript: |
+      $accessToken = az account get-access-token --query accessToken --resource ${{ parameters.resource }} --output tsv
+      if ($LASTEXITCODE -ne 0) {
+        Write-Error "Failed to get access token for resource '${{ parameters.resource }}'"
+        exit 1
+      }
+      Write-Host "Setting '${{ parameters.outputVariableName }}' with the access token value"
+      Write-Host "##vso[task.setvariable variable=${{ parameters.outputVariableName }};issecret=true]$accessToken"
\ No newline at end of file
diff --git a/global.json b/global.json
index 482d5fb11895..ddd87ad0324e 100644
--- a/global.json
+++ b/global.json
@@ -14,7 +14,7 @@
     }
   },
   "msbuild-sdks": {
-    "Microsoft.DotNet.Arcade.Sdk": "8.0.0-beta.24266.3",
-    "Microsoft.DotNet.Helix.Sdk": "8.0.0-beta.24266.3"
+    "Microsoft.DotNet.Arcade.Sdk": "8.0.0-beta.24352.1",
+    "Microsoft.DotNet.Helix.Sdk": "8.0.0-beta.24352.1"
   }
 }