From 8f6a1002e9791aa30ac0c0afeab82cfffd795f87 Mon Sep 17 00:00:00 2001
From: Danny van Velzen <dannyvv@microsoft.com>
Date: Tue, 20 Jan 2026 15:24:59 -0800
Subject: [PATCH] SFI ES2.6 Migrate from service accounts to Managed Identities
 (#15559)

---
 .ado/publish.yml                                   |  6 ++----
 .ado/release.yml                                   | 14 ++++----------
 ...uthenticate-office-react-native-windows-bot.yml | 11 +++++++++++
 3 files changed, 17 insertions(+), 14 deletions(-)
 create mode 100644 .ado/templates/authenticate-office-react-native-windows-bot.yml

diff --git a/.ado/publish.yml b/.ado/publish.yml
index d7d5fc3576b..22f0333842a 100644
--- a/.ado/publish.yml
+++ b/.ado/publish.yml
@@ -140,10 +140,6 @@ variables:
     value: false
   - name: EnableCodesign
     value: false
-  - name: ArtifactServices.Symbol.AccountName
-    value: microsoft
-  - name: ArtifactServices.Symbol.PAT
-    value: $(pat-symbols-publish-microsoft)
   - name: SourceBranchWithFolders
     value: $[ replace(variables['Build.SourceBranch'], 'refs/heads/', '') ]
 
@@ -451,6 +447,8 @@ extends:
             # Make symbols available through http://symweb.
             - task: PublishSymbols@2
               displayName: Publish symbols
+              env:
+                ARTIFACTSERVICES_SYMBOL_ACCOUNTNAME: microsoft
               inputs:
                 SearchPattern: vnext/target/**/*.pdb
                 SymbolServerType: TeamServices
diff --git a/.ado/release.yml b/.ado/release.yml
index 1ea74d65666..6312de40138 100644
--- a/.ado/release.yml
+++ b/.ado/release.yml
@@ -43,14 +43,11 @@ extends:
         - checkout: none
         - task: NuGetToolInstaller@1
           displayName: 'Use NuGet '
-        - task: NuGetAuthenticate@1
-          displayName: NuGet Authenticate
-          inputs:
-            nuGetServiceConnections: ms/react-native ADO Feed
+        - template: .ado/templates/authenticate-office-react-native-windows-bot.yml@self
         - task: CmdLine@2
           displayName: NuGet push (react-native)
           inputs:
-            script: nuget.exe push *.nupkg -ApiKey AzureArtifacts -Source https://pkgs.dev.azure.com/ms/_packaging/react-native/nuget/v3/index.json -NonInteractive -Verbosity Detailed -SkipDuplicate -NoSymbols
+            script: nuget.exe push *.nupkg -ApiKey $(oficeReactnativeWindowsBotAadAuthToken) -Source https://pkgs.dev.azure.com/ms/_packaging/react-native/nuget/v3/index.json -NonInteractive -Verbosity Detailed -SkipDuplicate -NoSymbols
             workingDirectory: $(Pipeline.Workspace)/ReactWindows-final-nuget
     - stage: PushToPublicAdoStage
       displayName: ADO - react-native-public
@@ -69,14 +66,11 @@ extends:
         - checkout: none
         - task: NuGetToolInstaller@1
           displayName: 'Use NuGet '
-        - task: NuGetAuthenticate@1
-          displayName: NuGet Authenticate
-          inputs:
-            nuGetServiceConnections: ms/react-native-public ADO Feed
+        - template: .ado/templates/authenticate-office-react-native-windows-bot.yml@self
         - task: CmdLine@2
           displayName: NuGet push (react-native-public)
           inputs:
-            script: nuget.exe push *.nupkg -ApiKey AzureArtifacts -Source https://pkgs.dev.azure.com/ms/react-native/_packaging/react-native-public/nuget/v3/index.json -NonInteractive -Verbosity Detailed -SkipDuplicate -NoSymbols
+            script: nuget.exe push *.nupkg -ApiKey $(oficeReactnativeWindowsBotAadAuthToken) -Source https://pkgs.dev.azure.com/ms/react-native/_packaging/react-native-public/nuget/v3/index.json -NonInteractive -Verbosity Detailed -SkipDuplicate -NoSymbols
             workingDirectory: $(Pipeline.Workspace)/ReactWindows-final-nuget
     - stage: PushToNuGetStage
       displayName: nuget.org - Push nuget packages
diff --git a/.ado/templates/authenticate-office-react-native-windows-bot.yml b/.ado/templates/authenticate-office-react-native-windows-bot.yml
new file mode 100644
index 00000000000..ab43399a15d
--- /dev/null
+++ b/.ado/templates/authenticate-office-react-native-windows-bot.yml
@@ -0,0 +1,11 @@
+steps:
+  - task: AzureCLI@2
+    inputs:
+      azureSubscription: 'Office-React-Native-Windows-Bot'
+      scriptType: 'bash'
+      scriptLocation: 'inlineScript'
+      inlineScript: |
+          # Note that the resource is specified to limit the token to Azure DevOps
+          aadToken=$(az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv)
+          echo "##vso[task.setvariable variable=oficeReactnativeWindowsBotAadAuthToken;issecret=true]$aadToken"
+    displayName: 'Generate oficeReactnativeWindowsBotAadAuthToken AAD token using Azure CLI'
\ No newline at end of file