diff --git a/Directory.Packages.props b/Directory.Packages.props
index 8f7bd4cce9..b65f247a57 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -4,7 +4,7 @@
     <AspNetAzureVersion>3.1.24</AspNetAzureVersion>
     <AspNetCoreVersion>6.0.26</AspNetCoreVersion>
     <MicrosoftExtensionsVersion>6.0.0</MicrosoftExtensionsVersion>
-    <AspireVersion>8.0.0-preview.5.24201.12</AspireVersion>
+    <AspireVersion>8.0.2</AspireVersion>
     <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
     <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
   </PropertyGroup>
@@ -17,11 +17,11 @@
     <PackageVersion Include="Aspire.Hosting.AppHost" Version="$(AspireVersion)" />
     <PackageVersion Include="Aspire.Hosting.Azure.Storage" Version="$(AspireVersion)" />
     <PackageVersion Include="Aspire.Hosting.Azure" Version="$(AspireVersion)" />
-    <PackageVersion Include="Azure.Core" Version="1.39.0" />
+    <PackageVersion Include="Azure.Core" Version="1.40.0" />
     <PackageVersion Include="Azure.Extensions.AspNetCore.Configuration.Secrets" Version="1.3.0" />
     <PackageVersion Include="Azure.Extensions.AspNetCore.DataProtection.Blobs" Version="1.2.3" />
     <PackageVersion Include="Azure.Extensions.AspNetCore.DataProtection.Keys" Version="1.2.3" />
-    <PackageVersion Include="Azure.Identity" Version="1.11.4" />
+    <PackageVersion Include="Azure.Identity" Version="1.12.0" />
     <PackageVersion Include="Azure.Monitor.OpenTelemetry.AspNetCore" Version="1.0.0" />
     <PackageVersion Include="Azure.Monitor.OpenTelemetry.Exporter" Version="1.1.0" />
     <PackageVersion Include="Azure.Security.KeyVault.Keys" Version="4.6.0" />
diff --git a/eng/Version.Details.xml b/eng/Version.Details.xml
index 79d4e01ed6..7dc68415ee 100644
--- a/eng/Version.Details.xml
+++ b/eng/Version.Details.xml
@@ -91,29 +91,29 @@
     </Dependency>
   </ProductDependencies>
   <ToolsetDependencies>
-    <Dependency Name="Microsoft.DotNet.Arcade.Sdk" Version="8.0.0-beta.24360.5">
+    <Dependency Name="Microsoft.DotNet.Arcade.Sdk" Version="8.0.0-beta.24367.1">
       <Uri>https://github.com/dotnet/arcade</Uri>
-      <Sha>c9efa535175049eb9cba06cae1f8c3d5dbe768a9</Sha>
+      <Sha>fa3d544b066661522f1ec5d5e8cfd461a29b0f8a</Sha>
     </Dependency>
-    <Dependency Name="Microsoft.DotNet.SignTool" Version="8.0.0-beta.24360.5">
+    <Dependency Name="Microsoft.DotNet.SignTool" Version="8.0.0-beta.24367.1">
       <Uri>https://github.com/dotnet/arcade</Uri>
-      <Sha>c9efa535175049eb9cba06cae1f8c3d5dbe768a9</Sha>
+      <Sha>fa3d544b066661522f1ec5d5e8cfd461a29b0f8a</Sha>
     </Dependency>
-    <Dependency Name="Microsoft.DotNet.Build.Tasks.Feed" Version="8.0.0-beta.24360.5">
+    <Dependency Name="Microsoft.DotNet.Build.Tasks.Feed" Version="8.0.0-beta.24367.1">
       <Uri>https://github.com/dotnet/arcade</Uri>
-      <Sha>c9efa535175049eb9cba06cae1f8c3d5dbe768a9</Sha>
+      <Sha>fa3d544b066661522f1ec5d5e8cfd461a29b0f8a</Sha>
     </Dependency>
-    <Dependency Name="Microsoft.DotNet.SwaggerGenerator.MSBuild" Version="8.0.0-beta.24360.5">
+    <Dependency Name="Microsoft.DotNet.SwaggerGenerator.MSBuild" Version="8.0.0-beta.24367.1">
       <Uri>https://github.com/dotnet/arcade</Uri>
-      <Sha>c9efa535175049eb9cba06cae1f8c3d5dbe768a9</Sha>
+      <Sha>fa3d544b066661522f1ec5d5e8cfd461a29b0f8a</Sha>
     </Dependency>
-    <Dependency Name="Microsoft.DotNet.Git.IssueManager" Version="8.0.0-beta.24360.5">
+    <Dependency Name="Microsoft.DotNet.Git.IssueManager" Version="8.0.0-beta.24367.1">
       <Uri>https://github.com/dotnet/arcade</Uri>
-      <Sha>c9efa535175049eb9cba06cae1f8c3d5dbe768a9</Sha>
+      <Sha>fa3d544b066661522f1ec5d5e8cfd461a29b0f8a</Sha>
     </Dependency>
-    <Dependency Name="Microsoft.DotNet.VersionTools" Version="8.0.0-beta.24360.5">
+    <Dependency Name="Microsoft.DotNet.VersionTools" Version="8.0.0-beta.24367.1">
       <Uri>https://github.com/dotnet/arcade</Uri>
-      <Sha>c9efa535175049eb9cba06cae1f8c3d5dbe768a9</Sha>
+      <Sha>fa3d544b066661522f1ec5d5e8cfd461a29b0f8a</Sha>
     </Dependency>
     <Dependency Name="Microsoft.DncEng.SecretManager" Version="1.1.0-beta.24351.3">
       <Uri>https://github.com/dotnet/dnceng</Uri>
diff --git a/eng/Versions.props b/eng/Versions.props
index 13dce6766b..f55b21f3e5 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -9,11 +9,11 @@
     <UsingToolNetFrameworkReferenceAssemblies>true</UsingToolNetFrameworkReferenceAssemblies>
     <MicrosoftNetFrameworkReferenceAssembliesVersion>1.0.0-preview.1</MicrosoftNetFrameworkReferenceAssembliesVersion>
     <!-- Libs -->
-    <MicrosoftDotNetSignToolVersion>8.0.0-beta.24360.5</MicrosoftDotNetSignToolVersion>
-    <MicrosoftDotNetBuildTasksFeedVersion>8.0.0-beta.24360.5</MicrosoftDotNetBuildTasksFeedVersion>
-    <MicrosoftDotNetSwaggerGeneratorMSBuildVersion>8.0.0-beta.24360.5</MicrosoftDotNetSwaggerGeneratorMSBuildVersion>
-    <MicrosoftDotNetGitIssueManagerVersion>8.0.0-beta.24360.5</MicrosoftDotNetGitIssueManagerVersion>
-    <MicrosoftDotNetVersionToolsVersion>8.0.0-beta.24360.5</MicrosoftDotNetVersionToolsVersion>
+    <MicrosoftDotNetSignToolVersion>8.0.0-beta.24367.1</MicrosoftDotNetSignToolVersion>
+    <MicrosoftDotNetBuildTasksFeedVersion>8.0.0-beta.24367.1</MicrosoftDotNetBuildTasksFeedVersion>
+    <MicrosoftDotNetSwaggerGeneratorMSBuildVersion>8.0.0-beta.24367.1</MicrosoftDotNetSwaggerGeneratorMSBuildVersion>
+    <MicrosoftDotNetGitIssueManagerVersion>8.0.0-beta.24367.1</MicrosoftDotNetGitIssueManagerVersion>
+    <MicrosoftDotNetVersionToolsVersion>8.0.0-beta.24367.1</MicrosoftDotNetVersionToolsVersion>
     <MicrosoftNetTestSdkVersion>17.4.1</MicrosoftNetTestSdkVersion>
     <MicrosoftDotNetInternalLoggingVersion>1.1.0-beta.24359.1</MicrosoftDotNetInternalLoggingVersion>
     <MicrosoftAspNetCoreApiPaginationVersion>1.1.0-beta.24359.1</MicrosoftAspNetCoreApiPaginationVersion>
diff --git a/eng/common/sdl/NuGet.config b/eng/common/sdl/NuGet.config
index 3849bdb3cf..5bfbb02ef0 100644
--- a/eng/common/sdl/NuGet.config
+++ b/eng/common/sdl/NuGet.config
@@ -5,11 +5,11 @@
   </solution>
   <packageSources>
     <clear />
-    <add key="guardian" value="https://securitytools.pkgs.visualstudio.com/_packaging/Guardian/nuget/v3/index.json" />
+    <add key="guardian" value="https://pkgs.dev.azure.com/dnceng/_packaging/Guardian1ESPTUpstreamOrgFeed/nuget/v3/index.json" />
   </packageSources>
   <packageSourceMapping>
     <packageSource key="guardian">
-      <package pattern="microsoft.guardian.cli" />
+      <package pattern="Microsoft.Guardian.Cli.win-x64" />
     </packageSource>
   </packageSourceMapping>
   <disabledPackageSources>
diff --git a/eng/common/sdl/execute-all-sdl-tools.ps1 b/eng/common/sdl/execute-all-sdl-tools.ps1
index 4715d75e97..81ded5b7f4 100644
--- a/eng/common/sdl/execute-all-sdl-tools.ps1
+++ b/eng/common/sdl/execute-all-sdl-tools.ps1
@@ -6,7 +6,6 @@ Param(
   [string] $BranchName=$env:BUILD_SOURCEBRANCH,                                                  # Optional: name of branch or version of gdn settings; defaults to master
   [string] $SourceDirectory=$env:BUILD_SOURCESDIRECTORY,                                         # Required: the directory where source files are located
   [string] $ArtifactsDirectory = (Join-Path $env:BUILD_ARTIFACTSTAGINGDIRECTORY ('artifacts')),  # Required: the directory where build artifacts are located
-  [string] $AzureDevOpsAccessToken,                                                              # Required: access token for dnceng; should be provided via KeyVault
 
   # Optional: list of SDL tools to run on source code. See 'configure-sdl-tool.ps1' for tools list
   # format.
@@ -75,7 +74,7 @@ try {
   }
 
   Exec-BlockVerbosely {
-    & $(Join-Path $PSScriptRoot 'init-sdl.ps1') -GuardianCliLocation $guardianCliLocation -Repository $RepoName -BranchName $BranchName -WorkingDirectory $workingDirectory -AzureDevOpsAccessToken $AzureDevOpsAccessToken -GuardianLoggerLevel $GuardianLoggerLevel
+    & $(Join-Path $PSScriptRoot 'init-sdl.ps1') -GuardianCliLocation $guardianCliLocation -Repository $RepoName -BranchName $BranchName -WorkingDirectory $workingDirectory -GuardianLoggerLevel $GuardianLoggerLevel
   }
   $gdnFolder = Join-Path $workingDirectory '.gdn'
 
@@ -104,7 +103,6 @@ try {
           -TargetDirectory $targetDirectory `
           -GdnFolder $gdnFolder `
           -ToolsList $tools `
-          -AzureDevOpsAccessToken $AzureDevOpsAccessToken `
           -GuardianLoggerLevel $GuardianLoggerLevel `
           -CrScanAdditionalRunConfigParams $CrScanAdditionalRunConfigParams `
           -PoliCheckAdditionalRunConfigParams $PoliCheckAdditionalRunConfigParams `
diff --git a/eng/common/sdl/init-sdl.ps1 b/eng/common/sdl/init-sdl.ps1
index 3ac1d92b37..588ff8e22f 100644
--- a/eng/common/sdl/init-sdl.ps1
+++ b/eng/common/sdl/init-sdl.ps1
@@ -3,7 +3,6 @@ Param(
   [string] $Repository,
   [string] $BranchName='master',
   [string] $WorkingDirectory,
-  [string] $AzureDevOpsAccessToken,
   [string] $GuardianLoggerLevel='Standard'
 )
 
@@ -21,14 +20,7 @@ $ci = $true
 # Don't display the console progress UI - it's a huge perf hit
 $ProgressPreference = 'SilentlyContinue'
 
-# Construct basic auth from AzDO access token; construct URI to the repository's gdn folder stored in that repository; construct location of zip file
-$encodedPat = [Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(":$AzureDevOpsAccessToken"))
-$escapedRepository = [Uri]::EscapeDataString("/$Repository/$BranchName/.gdn")
-$uri = "https://dev.azure.com/dnceng/internal/_apis/git/repositories/sdl-tool-cfg/Items?path=$escapedRepository&versionDescriptor[versionOptions]=0&`$format=zip&api-version=5.0"
-$zipFile = "$WorkingDirectory/gdn.zip"
-
 Add-Type -AssemblyName System.IO.Compression.FileSystem
-$gdnFolder = (Join-Path $WorkingDirectory '.gdn')
 
 try {
   # if the folder does not exist, we'll do a guardian init and push it to the remote repository
diff --git a/eng/common/sdl/sdl.ps1 b/eng/common/sdl/sdl.ps1
index 648c5068d7..7fe603fe99 100644
--- a/eng/common/sdl/sdl.ps1
+++ b/eng/common/sdl/sdl.ps1
@@ -4,6 +4,8 @@ function Install-Gdn {
         [Parameter(Mandatory=$true)]
         [string]$Path,
 
+        [string]$Source = "https://pkgs.dev.azure.com/dnceng/_packaging/Guardian1ESPTUpstreamOrgFeed/nuget/v3/index.json",
+
         # If omitted, install the latest version of Guardian, otherwise install that specific version.
         [string]$Version
     )
@@ -19,7 +21,7 @@ function Install-Gdn {
     $ci = $true
     . $PSScriptRoot\..\tools.ps1
 
-    $argumentList = @("install", "Microsoft.Guardian.Cli", "-Source https://securitytools.pkgs.visualstudio.com/_packaging/Guardian/nuget/v3/index.json", "-OutputDirectory $Path", "-NonInteractive", "-NoCache")
+    $argumentList = @("install", "Microsoft.Guardian.Cli.win-x64", "-Source $Source", "-OutputDirectory $Path", "-NonInteractive", "-NoCache")
 
     if ($Version) {
         $argumentList += "-Version $Version"
diff --git a/eng/common/templates-official/steps/execute-sdl.yml b/eng/common/templates-official/steps/execute-sdl.yml
index 07426fde05..301d5c591e 100644
--- a/eng/common/templates-official/steps/execute-sdl.yml
+++ b/eng/common/templates-official/steps/execute-sdl.yml
@@ -9,8 +9,6 @@ parameters:
 
 steps:
 - task: NuGetAuthenticate@1
-  inputs:
-    nuGetServiceConnections: GuardianConnect
 
 - task: NuGetToolInstaller@1
   displayName: 'Install NuGet.exe'
diff --git a/eng/common/templates-official/steps/get-federated-access-token.yml b/eng/common/templates-official/steps/get-federated-access-token.yml
index e3786cef6d..55e33bd38f 100644
--- a/eng/common/templates-official/steps/get-federated-access-token.yml
+++ b/eng/common/templates-official/steps/get-federated-access-token.yml
@@ -3,6 +3,12 @@ parameters:
   type: string
 - name: outputVariableName
   type: string
+- name: stepName
+  type: string
+  default: 'getFederatedAccessToken'
+- name: condition
+  type: string
+  default: ''
 # Resource to get a token for. Common values include:
 # - '499b84ac-1321-427f-aa17-267ca6975798' for Azure DevOps
 # - 'https://storage.azure.com/' for storage
@@ -10,10 +16,16 @@ parameters:
 - name: resource
   type: string
   default: '499b84ac-1321-427f-aa17-267ca6975798'
+- name: isStepOutputVariable
+  type: boolean
+  default: false
 
 steps:
 - task: AzureCLI@2
   displayName: 'Getting federated access token for feeds'
+  name: ${{ parameters.stepName }}
+  ${{ if ne(parameters.condition, '') }}:
+    condition: ${{ parameters.condition }}
   inputs:
     azureSubscription: ${{ parameters.federatedServiceConnection }}
     scriptType: 'pscore'
@@ -25,4 +37,4 @@ steps:
         exit 1
       }
       Write-Host "Setting '${{ parameters.outputVariableName }}' with the access token value"
-      Write-Host "##vso[task.setvariable variable=${{ parameters.outputVariableName }};issecret=true]$accessToken"
+      Write-Host "##vso[task.setvariable variable=${{ parameters.outputVariableName }};issecret=true;isOutput=${{ parameters.isStepOutputVariable }}]$accessToken"
\ No newline at end of file
diff --git a/eng/common/templates/steps/execute-sdl.yml b/eng/common/templates/steps/execute-sdl.yml
index 07426fde05..fe0ebf8c90 100644
--- a/eng/common/templates/steps/execute-sdl.yml
+++ b/eng/common/templates/steps/execute-sdl.yml
@@ -9,8 +9,6 @@ parameters:
 
 steps:
 - task: NuGetAuthenticate@1
-  inputs:
-    nuGetServiceConnections: GuardianConnect
 
 - task: NuGetToolInstaller@1
   displayName: 'Install NuGet.exe'
@@ -36,16 +34,19 @@ steps:
     displayName: Execute SDL (Overridden)
     continueOnError: ${{ parameters.sdlContinueOnError }}
     condition: ${{ parameters.condition }}
+    env:
+      GUARDIAN_DEFAULT_PACKAGE_SOURCE_SECRET: $(System.AccessToken)
 
 - ${{ if eq(parameters.overrideParameters, '') }}:
   - powershell: ${{ parameters.executeAllSdlToolsScript }}
       -GuardianCliLocation $(GuardianCliLocation)
       -NugetPackageDirectory $(Build.SourcesDirectory)\.packages
-      -AzureDevOpsAccessToken $(dn-bot-dotnet-build-rw-code-rw)
       ${{ parameters.additionalParameters }}
     displayName: Execute SDL
     continueOnError: ${{ parameters.sdlContinueOnError }}
     condition: ${{ parameters.condition }}
+    env:
+      GUARDIAN_DEFAULT_PACKAGE_SOURCE_SECRET: $(System.AccessToken)
 
 - ${{ if ne(parameters.publishGuardianDirectoryToPipeline, 'false') }}:
   # We want to publish the Guardian results and configuration for easy diagnosis. However, the
diff --git a/eng/common/templates/steps/get-federated-access-token.yml b/eng/common/templates/steps/get-federated-access-token.yml
index c8c49cc0e8..55e33bd38f 100644
--- a/eng/common/templates/steps/get-federated-access-token.yml
+++ b/eng/common/templates/steps/get-federated-access-token.yml
@@ -3,6 +3,12 @@ parameters:
   type: string
 - name: outputVariableName
   type: string
+- name: stepName
+  type: string
+  default: 'getFederatedAccessToken'
+- name: condition
+  type: string
+  default: ''
 # Resource to get a token for. Common values include:
 # - '499b84ac-1321-427f-aa17-267ca6975798' for Azure DevOps
 # - 'https://storage.azure.com/' for storage
@@ -10,10 +16,16 @@ parameters:
 - name: resource
   type: string
   default: '499b84ac-1321-427f-aa17-267ca6975798'
+- name: isStepOutputVariable
+  type: boolean
+  default: false
 
 steps:
 - task: AzureCLI@2
   displayName: 'Getting federated access token for feeds'
+  name: ${{ parameters.stepName }}
+  ${{ if ne(parameters.condition, '') }}:
+    condition: ${{ parameters.condition }}
   inputs:
     azureSubscription: ${{ parameters.federatedServiceConnection }}
     scriptType: 'pscore'
@@ -25,4 +37,4 @@ steps:
         exit 1
       }
       Write-Host "Setting '${{ parameters.outputVariableName }}' with the access token value"
-      Write-Host "##vso[task.setvariable variable=${{ parameters.outputVariableName }};issecret=true]$accessToken"
\ No newline at end of file
+      Write-Host "##vso[task.setvariable variable=${{ parameters.outputVariableName }};issecret=true;isOutput=${{ parameters.isStepOutputVariable }}]$accessToken"
\ No newline at end of file
diff --git a/eng/templates/stages/deploy.yaml b/eng/templates/stages/deploy.yaml
index a15ec04f12..b366b7cdea 100644
--- a/eng/templates/stages/deploy.yaml
+++ b/eng/templates/stages/deploy.yaml
@@ -165,9 +165,7 @@ stages:
 
     - powershell: |
         mkdir darc
-        
-        $dotnetDir = cmd /c "where dotnet"
-        Invoke-Expression "& '$dotnetDir' tool install Microsoft.DotNet.Darc --prerelease --tool-path .\darc --add-source $(Pipeline.Workspace)\PackageArtifacts" 
+        .\.dotnet\dotnet tool install Microsoft.DotNet.Darc --prerelease --tool-path .\darc --add-source $(Pipeline.Workspace)\PackageArtifacts
       displayName: Install Darc
 
     - task: AzureCLI@2
diff --git a/global.json b/global.json
index 4256a85777..a902b8e8af 100644
--- a/global.json
+++ b/global.json
@@ -1,10 +1,10 @@
 {
   "sdk": {
-    "version": "8.0.204",
+    "version": "8.0.303",
     "rollForward": "minor"
   },
   "tools": {
-    "dotnet": "8.0.204",
+    "dotnet": "8.0.303",
     "runtimes": {
       "dotnet": [
         "6.0.29"
@@ -15,6 +15,6 @@
     }
   },
   "msbuild-sdks": {
-    "Microsoft.DotNet.Arcade.Sdk": "8.0.0-beta.24360.5"
+    "Microsoft.DotNet.Arcade.Sdk": "8.0.0-beta.24367.1"
   }
 }
diff --git a/src/Maestro/DependencyUpdater/Program.cs b/src/Maestro/DependencyUpdater/Program.cs
index 21a7a62d53..8c3793a118 100644
--- a/src/Maestro/DependencyUpdater/Program.cs
+++ b/src/Maestro/DependencyUpdater/Program.cs
@@ -51,7 +51,7 @@ public static void Configure(IServiceCollection services)
         services.AddGitHubTokenProvider();
 
         services.Configure<AzureDevOpsTokenProviderOptions>("AzureDevOps", (o, s) => s.Bind(o));
-        services.AddAzureDevOpsTokenProvider();
+        services.AddSingleton<IAzureDevOpsTokenProvider, AzureDevOpsTokenProvider>();
 
         // We do not use AddMemoryCache here. We use our own cache because we wish to
         // use a sized cache and some components, such as EFCore, do not implement their caching
diff --git a/src/Maestro/FeedCleanerService/Program.cs b/src/Maestro/FeedCleanerService/Program.cs
index 7a93562160..d5a9e27c64 100644
--- a/src/Maestro/FeedCleanerService/Program.cs
+++ b/src/Maestro/FeedCleanerService/Program.cs
@@ -9,6 +9,7 @@
 using Microsoft.DotNet.ServiceFabric.ServiceHost;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.Extensions.Logging;
 
 namespace FeedCleanerService;
@@ -50,12 +51,10 @@ public static void Configure(IServiceCollection services)
             var config = provider.GetRequiredService<IConfiguration>();
             options.UseSqlServerWithRetry(config.GetSection("BuildAssetRegistry")["ConnectionString"]);
         });
-        services.AddAzureDevOpsTokenProvider();
+        services.AddSingleton<IAzureDevOpsTokenProvider, AzureDevOpsTokenProvider>();
         services.Configure<AzureDevOpsTokenProviderOptions>("AzureDevOps", (o, s) => s.Bind(o));
-        services.AddTransient<IAzureDevOpsClient, AzureDevOpsClient>();
-        services.AddTransient<IProcessManager>(sp =>
-            new ProcessManager(
-                sp.GetRequiredService<ILogger<ProcessManager>>(),
-                "git"));
+        services.TryAddTransient<IAzureDevOpsClient, AzureDevOpsClient>();
+        services.TryAddTransient<ILogger>(sp => sp.GetRequiredService<ILogger<FeedCleanerService>>());
+        services.TryAddTransient<IProcessManager>(sp => ActivatorUtilities.CreateInstance<ProcessManager>(sp, "git"));
     }
 }
diff --git a/src/Maestro/Maestro.Common/AzureDevOpsTokens/MaestroAzureDevOpsServiceCollectionExtensions.cs b/src/Maestro/Maestro.Common/AzureDevOpsTokens/MaestroAzureDevOpsServiceCollectionExtensions.cs
deleted file mode 100644
index 601659182c..0000000000
--- a/src/Maestro/Maestro.Common/AzureDevOpsTokens/MaestroAzureDevOpsServiceCollectionExtensions.cs
+++ /dev/null
@@ -1,25 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-
-using Microsoft.Extensions.DependencyInjection;
-
-namespace Maestro.Common.AzureDevOpsTokens;
-
-public static class MaestroAzureDevOpsServiceCollectionExtensions
-{
-    /// <summary>
-    /// Registers the Azure DevOps token provider.
-    /// </summary>
-    /// <param name="staticOptions">If provided, will initialize these options. Otherwise will try to monitor configuration.</param>
-    public static IServiceCollection AddAzureDevOpsTokenProvider(
-        this IServiceCollection services,
-        AzureDevOpsTokenProviderOptions? staticOptions = null)
-    {
-        if (staticOptions != null)
-        {
-            services.AddSingleton(staticOptions);
-        }
-
-        return services.AddSingleton<IAzureDevOpsTokenProvider, AzureDevOpsTokenProvider>();
-    }
-}
diff --git a/src/Maestro/Maestro.Web/Startup.cs b/src/Maestro/Maestro.Web/Startup.cs
index b869b446d8..2e4f2ce2a8 100644
--- a/src/Maestro/Maestro.Web/Startup.cs
+++ b/src/Maestro/Maestro.Web/Startup.cs
@@ -236,7 +236,7 @@ public override void ConfigureServices(IServiceCollection services)
         services.Configure<GitHubTokenProviderOptions>(Configuration.GetSection("GitHub"));
 
         services.Configure<AzureDevOpsTokenProviderOptions>(Configuration.GetSection("AzureDevOps"));
-        services.AddAzureDevOpsTokenProvider();
+        services.AddSingleton<IAzureDevOpsTokenProvider, AzureDevOpsTokenProvider>();
 
         services.AddKustoClientProvider("Kusto");
 
diff --git a/src/Maestro/SubscriptionActorService/Program.cs b/src/Maestro/SubscriptionActorService/Program.cs
index 6b94205759..9a92d6a496 100644
--- a/src/Maestro/SubscriptionActorService/Program.cs
+++ b/src/Maestro/SubscriptionActorService/Program.cs
@@ -52,7 +52,7 @@ public static void Configure(IServiceCollection services)
         services.AddTransient<IPullRequestBuilder, PullRequestBuilder>();
         services.AddSingleton<TemporaryFiles>();
         services.AddGitHubTokenProvider();
-        services.AddAzureDevOpsTokenProvider();
+        services.AddSingleton<IAzureDevOpsTokenProvider, AzureDevOpsTokenProvider>();
         services.AddTransient<IPullRequestPolicyFailureNotifier, PullRequestPolicyFailureNotifier>();
         // We do not use AddMemoryCache here. We use our own cache because we wish to
         // use a sized cache and some components, such as EFCore, do not implement their caching
diff --git a/src/Maestro/SubscriptionActorService/PullRequestActor.cs b/src/Maestro/SubscriptionActorService/PullRequestActor.cs
index 80bb81ef07..3f66247936 100644
--- a/src/Maestro/SubscriptionActorService/PullRequestActor.cs
+++ b/src/Maestro/SubscriptionActorService/PullRequestActor.cs
@@ -820,6 +820,13 @@ private async Task UpdatePullRequestAsync(InProgressPullRequest pr, List<UpdateA
             _logger.LogInformation("Found {count} required updates for Pull Request {url}", targetRepositoryUpdates.RequiredUpdates.Count, pr.Url);
 
             pr.RequiredUpdates = MergeExistingWithIncomingUpdates(pr.RequiredUpdates, targetRepositoryUpdates.RequiredUpdates);
+
+            if (pr.RequiredUpdates.Count < 1)
+            {
+                _logger.LogInformation("No new updates found for Pull Request {url}", pr.Url);
+                return;
+            }
+
             pr.CoherencyCheckSuccessful = targetRepositoryUpdates.CoherencyCheckSuccessful;
             pr.CoherencyErrors = targetRepositoryUpdates.CoherencyErrors;
 
diff --git a/src/Maestro/maestro-angular/src/app/app.component.html b/src/Maestro/maestro-angular/src/app/app.component.html
index 3e2bc1f1a5..277b2c6c07 100644
--- a/src/Maestro/maestro-angular/src/app/app.component.html
+++ b/src/Maestro/maestro-angular/src/app/app.component.html
@@ -11,7 +11,7 @@
 
 <div class="d-flex flex-column" style="height: 100%; width: 100%;">
   <div class="d-flex flex-row flex-grow-1" style="overflow: visible; min-height: 56px; max-height: 56px;">
-    <nav class="navbar navbar-expand-md navbar-light bg-light" style="min-height: 56px; width: 100%;" role="navigation">
+    <nav class="navbar navbar-expand-md navbar-light bg-light" style="min-height: 56px; width: 100%;" role="navigation" aria-label="Main menu">
       <a class="navbar-brand" href="/">{{brand}}</a>
       <button class="navbar-toggler" type="button" (click)="navbarOpen = !navbarOpen" [attr.aria-expanded]="navbarOpen"
         aria-controls="bs-navbar-collapse">
diff --git a/src/Maestro/maestro-angular/src/app/widget/side-bar/side-bar.component.html b/src/Maestro/maestro-angular/src/app/widget/side-bar/side-bar.component.html
index 9341e00e5f..cac62e9332 100644
--- a/src/Maestro/maestro-angular/src/app/widget/side-bar/side-bar.component.html
+++ b/src/Maestro/maestro-angular/src/app/widget/side-bar/side-bar.component.html
@@ -1,4 +1,4 @@
-<div style="overflow-y: scroll; width: 280px; height: 100%;" role="navigation">
+<div style="overflow-y: scroll; width: 280px; height: 100%;" role="navigation" aria-label="Channel selection">
   <ng-template #loadingChannels>
     <progress-ring [style]="{ 'width.px': 200, 'height.px': 200, margin: 'auto' }"></progress-ring>
   </ng-template>
diff --git a/src/Microsoft.DotNet.Darc/Darc/Helpers/LocalSettings.cs b/src/Microsoft.DotNet.Darc/Darc/Helpers/LocalSettings.cs
index 7d2b688ea1..b80f68c855 100644
--- a/src/Microsoft.DotNet.Darc/Darc/Helpers/LocalSettings.cs
+++ b/src/Microsoft.DotNet.Darc/Darc/Helpers/LocalSettings.cs
@@ -2,9 +2,7 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using System;
-using System.IO;
 using Microsoft.DotNet.Darc.Options;
-using Microsoft.DotNet.DarcLib;
 using Microsoft.DotNet.Maestro.Client;
 using Microsoft.Extensions.Logging;
 using Newtonsoft.Json;
@@ -42,26 +40,6 @@ public static LocalSettings LoadSettingsFile()
         return JsonConvert.DeserializeObject<LocalSettings>(settings);
     }
 
-    private static LocalSettings LoadSettingsFile(ICommandLineOptions options)
-    {
-        try
-        {
-            return LoadSettingsFile();
-        }
-        catch (Exception exc) when (exc is DirectoryNotFoundException || exc is FileNotFoundException)
-        {
-            if (string.IsNullOrEmpty(options.AzureDevOpsPat) && string.IsNullOrEmpty(options.GitHubPat))
-            {
-                throw new DarcException("Please make sure to run darc authenticate and set" +
-                                        " 'github_token' or 'azure_devops_token' or append" +
-                                        "'-p <bar_token>' [--github-pat <github_token> | " +
-                                        "--azdev-pat <azure_devops_token>] to your command");
-            }
-        }
-
-        return null;
-    }
-
     /// <summary>
     /// Retrieve the settings from the combination of the command line
     /// options and the user's darc settings file.
@@ -75,7 +53,7 @@ public static LocalSettings GetSettings(ICommandLineOptions options, ILogger log
 
         try
         {
-            localSettings = LoadSettingsFile(options);
+            localSettings = LoadSettingsFile();
         }
         catch (Exception e)
         {
diff --git a/src/Microsoft.DotNet.Darc/Darc/Models/PopUps/AuthenticateEditorPopUp.cs b/src/Microsoft.DotNet.Darc/Darc/Models/PopUps/AuthenticateEditorPopUp.cs
index 539474e8d9..8414f3f6c1 100644
--- a/src/Microsoft.DotNet.Darc/Darc/Models/PopUps/AuthenticateEditorPopUp.cs
+++ b/src/Microsoft.DotNet.Darc/Darc/Models/PopUps/AuthenticateEditorPopUp.cs
@@ -6,7 +6,7 @@
 using Microsoft.DotNet.Darc.Helpers;
 using Microsoft.Extensions.Logging;
 
-namespace Microsoft.DotNet.Darc.Models;
+namespace Microsoft.DotNet.Darc.Models.PopUps;
 
 internal class AuthenticateEditorPopUp : EditorPopUp
 {
@@ -21,6 +21,7 @@ public AuthenticateEditorPopUp(string path, ILogger logger)
         : base(path)
     {
         _logger = logger;
+
         try
         {
             // Load current settings
@@ -31,13 +32,15 @@ public AuthenticateEditorPopUp(string path, ILogger logger)
             // Failed to load the settings file.  Quite possible it just doesn't exist.
             // In this case, just initialize the settings to empty
             _logger.LogTrace($"Couldn't load or locate the settings file ({e.Message}). Initializing an empty settings file");
-            settings = new LocalSettings();
         }
 
+        settings ??= new LocalSettings();
+
         // Initialize line contents.
         Contents =
         [
-            new("[DEPRECATED] BAR tokens (formerly created at https://maestro.dot.net/Account/Tokens) are now deprecated.", isComment: true),
+            new("[DEPRECATED]", isComment: true),
+            new("BAR tokens (formerly created at https://maestro.dot.net/Account/Tokens) are now deprecated.", isComment: true),
             new("Interactive sign-in through a security group is now enabled.", isComment: true),
             new("See https://github.com/dotnet/arcade/blob/main/Documentation/Darc.md#setting-up-your-darc-client for more information.", isComment: true),
             new($"{BarPasswordElement}={GetCurrentSettingForDisplay(settings.BuildAssetRegistryToken, string.Empty, true)}"),
@@ -45,8 +48,11 @@ public AuthenticateEditorPopUp(string path, ILogger logger)
             new("Create new GitHub personal access tokens at https://github.com/settings/tokens (no scopes needed but needs SSO enabled on the PAT)", isComment: true),
             new($"{GithubTokenElement}={GetCurrentSettingForDisplay(settings.GitHubToken, string.Empty, true)}"),
             new(string.Empty),
-            new("Create new Azure Dev Ops tokens using the PatGeneratorTool https://dev.azure.com/dnceng/public/_artifacts/feed/dotnet-eng/NuGet/Microsoft.DncEng.PatGeneratorTool", isComment: true),
-            new("with the `dotnet pat-generator --scopes build_execute code --organizations dnceng devdiv --expires-in 180` command", isComment: true),
+            new("[OPTIONAL]", isComment: true),
+            new("Set an Azure DevOps token (or leave empty to use local credentials)", isComment: true),
+            new("Create an AzDO PAT with the Build.Execute and Code.Read scopes at ", isComment: true),
+            new("Or use the PatGeneratorTool https://dev.azure.com/dnceng/public/_artifacts/feed/dotnet-eng/NuGet/Microsoft.DncEng.PatGeneratorTool", isComment: true),
+            new("with the `dotnet pat-generator --scopes build_execute code --organizations dnceng devdiv --expires-in 7` command", isComment: true),
             new($"{AzureDevOpsTokenElement}={GetCurrentSettingForDisplay(settings.AzureDevOpsToken, string.Empty, true)}"),
             new(string.Empty),
             new($"{BarBaseUriElement}={GetCurrentSettingForDisplay(settings.BuildAssetRegistryBaseUri, "<alternate build asset registry uri if needed, otherwise leave as is>", false)}"),
@@ -61,7 +67,7 @@ public override int ProcessContents(IList<Line> contents)
     {
         foreach (Line line in contents)
         {
-            string[] keyValue = line.Text.Split("=");
+            var keyValue = line.Text.Split("=");
 
             switch (keyValue[0])
             {
diff --git a/src/Microsoft.DotNet.Darc/Darc/Operations/AddBuildToChannelOperation.cs b/src/Microsoft.DotNet.Darc/Darc/Operations/AddBuildToChannelOperation.cs
index 5f63fff42b..06d9081768 100644
--- a/src/Microsoft.DotNet.Darc/Darc/Operations/AddBuildToChannelOperation.cs
+++ b/src/Microsoft.DotNet.Darc/Darc/Operations/AddBuildToChannelOperation.cs
@@ -223,7 +223,7 @@ private async Task<int> PromoteBuildAsync(Build build, List<Channel> targetChann
             return Constants.ErrorCode;
         }
 
-        var azdoClient = Provider.GetRequiredService<AzureDevOpsClient>();
+        var azdoClient = Provider.GetRequiredService<IAzureDevOpsClient>();
 
         var targetAzdoBuildStatus = await ValidateAzDOBuildAsync(azdoClient, build.AzureDevOpsAccount, build.AzureDevOpsProject, build.AzureDevOpsBuildId.Value)
             .ConfigureAwait(false);
@@ -321,7 +321,7 @@ private async Task<int> PromoteBuildAsync(Build build, List<Channel> targetChann
         }
     }
 
-    private async Task<bool> ValidateAzDOBuildAsync(AzureDevOpsClient azdoClient, string azureDevOpsAccount, string azureDevOpsProject, int azureDevOpsBuildId)
+    private async Task<bool> ValidateAzDOBuildAsync(IAzureDevOpsClient azdoClient, string azureDevOpsAccount, string azureDevOpsProject, int azureDevOpsBuildId)
     {
         try
         {
diff --git a/src/Microsoft.DotNet.Darc/Darc/Operations/AuthenticateOperation.cs b/src/Microsoft.DotNet.Darc/Darc/Operations/AuthenticateOperation.cs
index e1b1c14fb2..dbe2dc6849 100644
--- a/src/Microsoft.DotNet.Darc/Darc/Operations/AuthenticateOperation.cs
+++ b/src/Microsoft.DotNet.Darc/Darc/Operations/AuthenticateOperation.cs
@@ -1,14 +1,14 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
-using Microsoft.DotNet.Darc.Helpers;
-using Microsoft.DotNet.Darc.Models;
-using Microsoft.DotNet.Darc.Options;
-using Microsoft.Extensions.Logging;
 using System;
 using System.IO;
 using System.Threading.Tasks;
 using Maestro.Common.AppCredentials;
+using Microsoft.DotNet.Darc.Helpers;
+using Microsoft.DotNet.Darc.Models.PopUps;
+using Microsoft.DotNet.Darc.Options;
+using Microsoft.Extensions.Logging;
 
 namespace Microsoft.DotNet.Darc.Operations;
 
diff --git a/src/Microsoft.DotNet.Darc/Darc/Operations/Operation.cs b/src/Microsoft.DotNet.Darc/Darc/Operations/Operation.cs
index ec4b81b84a..dbf00aae9b 100644
--- a/src/Microsoft.DotNet.Darc/Darc/Operations/Operation.cs
+++ b/src/Microsoft.DotNet.Darc/Darc/Operations/Operation.cs
@@ -58,25 +58,10 @@ protected Operation(ICommandLineOptions options, IServiceCollection? services =
         services.TryAddSingleton<IBasicBarClient>(sp => sp.GetRequiredService<IBarApiClient>());
         services.TryAddTransient<ILogger>(sp => sp.GetRequiredService<ILogger<Operation>>());
         services.TryAddTransient<ITelemetryRecorder, NoTelemetryRecorder>();
-        services.Configure<AzureDevOpsTokenProviderOptions>(o =>
-        {
-            o["default"] = new AzureDevOpsCredentialResolverOptions
-            {
-                Token = options.AzureDevOpsPat,
-                FederatedToken = options.FederatedToken,
-                DisableInteractiveAuth = options.IsCi,
-            };
-        });
-        services.TryAddSingleton<IAzureDevOpsTokenProvider, AzureDevOpsTokenProvider>();
-        services.TryAddSingleton(s =>
-            new AzureDevOpsClient(
-                s.GetRequiredService<IAzureDevOpsTokenProvider>(),
-                s.GetRequiredService<IProcessManager>(),
-                s.GetRequiredService<ILogger>())
-        );
-        services.TryAddSingleton<IAzureDevOpsClient>(s =>
-            s.GetRequiredService<AzureDevOpsClient>()
-        );
+        services.TryAddSingleton<IAzureDevOpsClient, AzureDevOpsClient>();
+        services.TryAddSingleton<AzureDevOpsClient>();
+        services.TryAddTransient<ILogger>(sp => sp.GetRequiredService<ILogger<Operation>>());
+        services.AddSingleton<IAzureDevOpsTokenProvider>(_ => options.GetAzdoTokenProvider());
         services.TryAddSingleton<IRemoteTokenProvider>(_ => new RemoteTokenProvider(options.AzureDevOpsPat, options.GitHubPat));
 
         Provider = services.BuildServiceProvider();
diff --git a/src/Microsoft.DotNet.Darc/Darc/Options/CommandLineOptions.cs b/src/Microsoft.DotNet.Darc/Darc/Options/CommandLineOptions.cs
index cfb1f56b3a..c8bd4b10c7 100644
--- a/src/Microsoft.DotNet.Darc/Darc/Options/CommandLineOptions.cs
+++ b/src/Microsoft.DotNet.Darc/Darc/Options/CommandLineOptions.cs
@@ -27,7 +27,7 @@ public abstract class CommandLineOptions : ICommandLineOptions
     [RedactFromLogging]
     public string GitHubPat { get; set; }
 
-    [Option("azdev-pat", HelpText = "Token used to authenticate to Azure DevOps.")]
+    [Option("azdev-pat", HelpText = "Optional token used to authenticate to Azure DevOps. When not provided, local credentials are used.")]
     [RedactFromLogging]
     public string AzureDevOpsPat { get; set; }
 
@@ -67,7 +67,6 @@ public IAzureDevOpsTokenProvider GetAzdoTokenProvider()
             ["default"] = new AzureDevOpsCredentialResolverOptions
             {
                 Token = AzureDevOpsPat,
-                FederatedToken = FederatedToken,
                 DisableInteractiveAuth = IsCi,
             }
         };
diff --git a/src/Microsoft.DotNet.Darc/DarcLib/AzureDevOpsClient.cs b/src/Microsoft.DotNet.Darc/DarcLib/AzureDevOpsClient.cs
index 701e667f04..d154ce7019 100644
--- a/src/Microsoft.DotNet.Darc/DarcLib/AzureDevOpsClient.cs
+++ b/src/Microsoft.DotNet.Darc/DarcLib/AzureDevOpsClient.cs
@@ -59,11 +59,6 @@ public AzureDevOpsClient(IAzureDevOpsTokenProvider tokenProvider, IProcessManage
     {
     }
 
-    public AzureDevOpsClient(IAzureDevOpsTokenProvider tokenProvider, IProcessManager processManager, ILogger<AzureDevOpsClient> logger)
-        : this(tokenProvider, processManager, (ILogger)logger)
-    {
-    }
-
     public AzureDevOpsClient(IAzureDevOpsTokenProvider tokenProvider, IProcessManager processManager, ILogger logger, string temporaryRepositoryPath)
         : base(tokenProvider, processManager, temporaryRepositoryPath, null, logger)
     {
diff --git a/src/Microsoft.DotNet.Darc/DarcLib/IAzureDevOpsClient.cs b/src/Microsoft.DotNet.Darc/DarcLib/IAzureDevOpsClient.cs
index b7d3374c86..03bae3b0d1 100644
--- a/src/Microsoft.DotNet.Darc/DarcLib/IAzureDevOpsClient.cs
+++ b/src/Microsoft.DotNet.Darc/DarcLib/IAzureDevOpsClient.cs
@@ -54,6 +54,15 @@ public interface IAzureDevOpsClient
     /// <returns>AzureDevOpsBuild</returns>
     Task<AzureDevOpsBuild> GetBuildAsync(string accountName, string projectName, long buildId);
 
+    /// <summary>
+    ///   Fetches artifacts belonging to a given AzDO build.
+    /// </summary>
+    /// <param name="accountName">Azure DevOps account name</param>
+    /// <param name="projectName">Project name</param>
+    /// <param name="buildId">Id of the build to be retrieved</param>
+    /// <returns>List of build artifacts</returns>
+    Task<List<AzureDevOpsBuildArtifact>> GetBuildArtifactsAsync(string accountName, string projectName, int buildId, int maxRetries = 15);
+
     /// <summary>
     ///   Gets a specified Artifact feed with their pacckages in an Azure DevOps account.
     /// </summary>
@@ -120,8 +129,27 @@ public interface IAzureDevOpsClient
     Task<AzureDevOpsReleaseDefinition> GetReleaseDefinitionAsync(string accountName, string projectName, long releaseDefinitionId);
 
     /// <summary>
-    ///     Trigger a new release using the release definition informed. No change is performed
-    ///     on the release definition - it is used as is.
+    ///   Queue a new build on the specified build definition with the given queue time variables.
+    /// </summary>
+    /// <param name="accountName">Account where the project is hosted.</param>
+    /// <param name="projectName">Project where the build definition is.</param>
+    /// <param name="buildDefinitionId">ID of the build definition where a build should be queued.</param>
+    /// <param name="queueTimeVariables">Queue time variables as a Dictionary of (variable name, value).</param>
+    /// <param name="templateParameters">Template parameters as a Dictionary of (variable name, value).</param>
+    /// <param name="pipelineResources">Pipeline resources as a Dictionary of (pipeline resource name, build number).</param>
+    Task<int> StartNewBuildAsync(
+        string accountName,
+        string projectName,
+        int buildDefinitionId,
+        string sourceBranch,
+        string sourceVersion,
+        Dictionary<string, string> queueTimeVariables = null,
+        Dictionary<string, string> templateParameters = null,
+        Dictionary<string, string> pipelineResources = null);
+
+    /// <summary>
+    ///   Trigger a new release using the release definition informed. No change is performed
+    ///   on the release definition - it is used as is.
     /// </summary>
     /// <param name="accountName">Azure DevOps account name</param>
     /// <param name="projectName">Project name</param>
diff --git a/src/ProductConstructionService/ProductConstructionService.Api/appsettings.Development.json b/src/ProductConstructionService/ProductConstructionService.Api/appsettings.Development.json
index c73303efd3..d0ba399962 100644
--- a/src/ProductConstructionService/ProductConstructionService.Api/appsettings.Development.json
+++ b/src/ProductConstructionService/ProductConstructionService.Api/appsettings.Development.json
@@ -25,5 +25,8 @@
         "Database": "engineeringdata",
         "KustoClusterUri": "https://engdata.westus2.kusto.windows.net",
         "UseAzCliAuthentication": true
+    },
+    "AzureDevOps": {
+        "default": {}
     }
 }
diff --git a/test/FeedCleaner.Tests/FeedCleanerServiceTests.cs b/test/FeedCleaner.Tests/FeedCleanerServiceTests.cs
index 96d19266a8..fdc7379b31 100644
--- a/test/FeedCleaner.Tests/FeedCleanerServiceTests.cs
+++ b/test/FeedCleaner.Tests/FeedCleanerServiceTests.cs
@@ -63,7 +63,7 @@ public void FeedCleanerServiceTests_SetUp()
                 ];
             }
         );
-        services.AddAzureDevOpsTokenProvider();
+        services.AddSingleton<IAzureDevOpsTokenProvider, AzureDevOpsTokenProvider>();
         services.Configure<AzureDevOpsTokenProviderOptions>(
             (options) =>
             {