diff --git a/.exp-insertions.yml b/.exp-insertions.yml
index acee0786cb..40aa1dda37 100644
--- a/.exp-insertions.yml
+++ b/.exp-insertions.yml
@@ -155,6 +155,21 @@ jobs:
       nugetConfigPath: '$(Build.SourcesDirectory)\NuGet.config'
       restoreDirectory: '$(Build.SourcesDirectory)\.packages'
 
+  # https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/1es-security-configuration/configuration-guides/pat-burndown-guidance#authentication-from-pipelines
+  # Requires Azure client 2.x
+  - task: AzureCLI@2
+    displayName: 'Set AzDO.DotnetPerfStarToken'
+    enabled: true
+    inputs:
+      azureSubscription: 'dotnet-perfstar at app.vssps.visualstudio.com'   # Azure DevOps service connection
+      scriptType: 'pscore'
+      scriptLocation: 'inlineScript'
+      inlineScript: |
+        # '499b84ac-1321-427f-aa17-267ca6975798' for Azure DevOps
+        $token = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv
+        Write-Host "Setting AzDO.DotnetPerfStarToken"
+        Write-Host "##vso[task.setvariable variable=AzDO.DotnetPerfStarToken]${token}"
+
   - powershell: |
       mkdir "$(Pipeline.Workspace)/artifacts"
 
@@ -166,7 +181,7 @@ jobs:
       Write-Host "Detected drop.exe path: $dropExePath"
 
       Write-Host "Downloading VS msbuild"
-      $patAuthEnvVar = "SYSTEM_ACCESSTOKEN"
+      $patAuthEnvVar = "patVariable"
       & "$dropExePath" get --patAuthEnvVar $patAuthEnvVar -u "$(MSBuildDropPath)\$(VSVersion)" -d "$(System.ArtifactsDirectory)/VSMSBuildDrop"
       Write-Host "Download of VS msbuild finished"
 
@@ -175,7 +190,7 @@ jobs:
       Write-Host "Copy of VS msbuild finished"
     displayName: Download msbuild vs drop
     env:
-      SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+      patVariable: $(AzDO.DotnetPerfStarToken)
 
   - task: DownloadBuildArtifacts@1
     inputs: