diff --git a/src/AccountDeleter/Configuration/AccountDeleteConfiguration.cs b/src/AccountDeleter/Configuration/AccountDeleteConfiguration.cs
index 32b4f3fa91..ec256101af 100644
--- a/src/AccountDeleter/Configuration/AccountDeleteConfiguration.cs
+++ b/src/AccountDeleter/Configuration/AccountDeleteConfiguration.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System.Collections.Generic;
@@ -27,6 +27,7 @@ public class AccountDeleteConfiguration
         /// </summary>
         public Dictionary<string, string> TemplateReplacements { get; set; }
 
+
         /// <summary>
         /// Storage container connection string where gallery content can be found
         /// </summary>
@@ -50,4 +51,4 @@ public SourceConfiguration GetSourceConfiguration(string source)
             throw new UnknownSourceException();
         }
     }
-}
\ No newline at end of file
+}
diff --git a/src/AccountDeleter/EmptyFeatureFlagService.cs b/src/AccountDeleter/EmptyFeatureFlagService.cs
index 4b1cdb7ad2..db300232c8 100644
--- a/src/AccountDeleter/EmptyFeatureFlagService.cs
+++ b/src/AccountDeleter/EmptyFeatureFlagService.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using NuGet.Services.Entities;
@@ -323,5 +323,10 @@ public bool IsAdvancedFrameworkFilteringEnabled(User user)
         {
             throw new NotImplementedException();
         }
+
+        public bool CanUseFederatedCredentials(User user)
+        {
+            throw new NotImplementedException();
+        }
     }
 }
diff --git a/src/AccountDeleter/Job.cs b/src/AccountDeleter/Job.cs
index fec9f07d6f..a3c2b3d0fa 100644
--- a/src/AccountDeleter/Job.cs
+++ b/src/AccountDeleter/Job.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -27,6 +27,7 @@
 using NuGetGallery.Features;
 using NuGetGallery.Infrastructure.Authentication;
 using NuGetGallery.Security;
+using ConfigConstants = NuGet.Services.Configuration.Constants;
 
 namespace NuGetGallery.AccountDeleter
 {
@@ -104,6 +105,13 @@ protected override void ConfigureJobServices(IServiceCollection services, IConfi
             services.AddScoped<ITelemetryClient, TelemetryClientWrapper>(
                 sp => TelemetryClientWrapper.UseTelemetryConfiguration(ApplicationInsightsConfiguration.TelemetryConfiguration));
 
+            services.AddScoped<ICloudBlobClient>(serviceProvider =>
+            {
+                var options = serviceProvider.GetRequiredService<IOptionsSnapshot<AccountDeleteConfiguration>>();
+                return CloudBlobClientWrapper.UsingMsi(options.Value.GalleryStorageConnectionString,
+                    configurationRoot[ConfigConstants.StorageManagedIdentityClientIdPropertyName]);
+            });
+
             ConfigureGalleryServices(services);
         }
 
@@ -160,14 +168,6 @@ protected void ConfigureGalleryServices(IServiceCollection services)
                     return new SupportRequestDbContext(connection);
                 });
 
-                services.AddScoped<ICloudBlobClient>(sp =>
-                {
-                    var options = sp.GetRequiredService<IOptionsSnapshot<AccountDeleteConfiguration>>();
-                    var optionsSnapshot = options.Value;
-
-                    return new CloudBlobClientWrapper(optionsSnapshot.GalleryStorageConnectionString, readAccessGeoRedundant: true);
-                });
-
                 services.AddScoped<ITelemetryService, TelemetryService>();
                 services.AddScoped<ISecurityPolicyService, SecurityPolicyService>();
                 services.AddScoped<IAppConfiguration, GalleryConfiguration>();
diff --git a/src/Catalog/Dnx/DnxCatalogCollector.cs b/src/Catalog/Dnx/DnxCatalogCollector.cs
index 8bcb042fee..d297ec382b 100644
--- a/src/Catalog/Dnx/DnxCatalogCollector.cs
+++ b/src/Catalog/Dnx/DnxCatalogCollector.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -193,7 +193,7 @@ await catalogEntries.ForEachAsync(_maxConcurrentCommitItemsWithinBatch, async ca
             return processedCatalogEntries;
         }
 
-        private async Task<bool> AreRequiredPropertiesPresentAsync(Storage destinationStorage, Uri destinationUri)
+        private async Task<bool> AreRequiredPropertiesPresentAsync(Persistence.Storage destinationStorage, Uri destinationUri)
         {
             var azureStorage = destinationStorage as IAzureStorage;
 
@@ -561,4 +561,4 @@ internal static CatalogEntry Create(CatalogCommitItem item)
             }
         }
     }
-}
\ No newline at end of file
+}
diff --git a/src/Catalog/Dnx/DnxMaker.cs b/src/Catalog/Dnx/DnxMaker.cs
index 15c317bbcf..faac38d389 100644
--- a/src/Catalog/Dnx/DnxMaker.cs
+++ b/src/Catalog/Dnx/DnxMaker.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -16,6 +16,7 @@
 using NuGet.Versioning;
 
 using ILogger = Microsoft.Extensions.Logging.ILogger;
+using CatalogStorage = NuGet.Services.Metadata.Catalog.Persistence.Storage;
 
 namespace NuGet.Services.Metadata.Catalog.Dnx
 {
@@ -154,7 +155,7 @@ public async Task DeletePackageAsync(string id, string version, CancellationToke
             await DeleteNupkgAsync(storage, id, normalizedVersion, cancellationToken);
         }
 
-        public async Task<bool> HasPackageInIndexAsync(Storage storage, string id, string version, CancellationToken cancellationToken)
+        public async Task<bool> HasPackageInIndexAsync(CatalogStorage storage, string id, string version, CancellationToken cancellationToken)
         {
             if (storage == null)
             {
@@ -179,7 +180,7 @@ public async Task<bool> HasPackageInIndexAsync(Storage storage, string id, strin
             return versionsContext.Versions.Contains(parsedVersion);
         }
 
-        private async Task<Uri> SaveNuspecAsync(Storage storage, string id, string version, string nuspec, CancellationToken cancellationToken)
+        private async Task<Uri> SaveNuspecAsync(CatalogStorage storage, string id, string version, string nuspec, CancellationToken cancellationToken)
         {
             var relativeAddress = GetRelativeAddressNuspec(id, version);
             var nuspecUri = new Uri(storage.BaseAddress, relativeAddress);
@@ -230,7 +231,7 @@ public async Task UpdatePackageVersionIndexAsync(string id, Action<HashSet<NuGet
             }
         }
 
-        private async Task<VersionsResult> GetVersionsAsync(Storage storage, CancellationToken cancellationToken)
+        private async Task<VersionsResult> GetVersionsAsync(CatalogStorage storage, CancellationToken cancellationToken)
         {
             var relativeAddress = "index.json";
             var resourceUri = new Uri(storage.BaseAddress, relativeAddress);
@@ -265,7 +266,7 @@ private StorageContent CreateContent(IEnumerable<string> versions)
             return new StringStorageContent(obj.ToString(), "application/json", Constants.NoStoreCacheControl);
         }
 
-        private async Task<Uri> SaveNupkgAsync(Stream nupkgStream, Storage storage, string id, string version, CancellationToken cancellationToken)
+        private async Task<Uri> SaveNupkgAsync(Stream nupkgStream, CatalogStorage storage, string id, string version, CancellationToken cancellationToken)
         {
             Uri nupkgUri = new Uri(storage.BaseAddress, GetRelativeAddressNupkg(id, version));
             var content = new StreamStorageContent(
@@ -280,7 +281,7 @@ private async Task<Uri> SaveNupkgAsync(Stream nupkgStream, Storage storage, stri
 
         private async Task<Uri> CopyNupkgAsync(
             IStorage sourceStorage,
-            Storage destinationStorage,
+            CatalogStorage destinationStorage,
             string id, string version, CancellationToken cancellationToken)
         {
             var packageFileName = PackageUtility.GetPackageFileName(id, version);
@@ -300,7 +301,7 @@ await sourceStorage.CopyAsync(
 
         private async Task CopyIconFromAzureStorageIfExistAsync(
             IAzureStorage sourceStorage,
-            Storage destinationStorage,
+            CatalogStorage destinationStorage,
             string packageId,
             string normalizedPackageVersion,
             string iconFilename,
@@ -321,7 +322,7 @@ await CopyIconAsync(
         private async Task CopyIconFromNupkgStreamAsync(
             Stream nupkgStream,
             string iconFilename,
-            Storage destinationStorage,
+            CatalogStorage destinationStorage,
             string packageId,
             string normalizedPackageVersion,
             CancellationToken cancellationToken)
@@ -338,7 +339,7 @@ await CopyIconAsync(
         private async Task CopyIconAsync(
             Stream packageStream,
             string iconFilename,
-            Storage destinationStorage,
+            CatalogStorage destinationStorage,
             string packageId,
             string normalizedPackageVersion,
             CancellationToken cancellationToken)
@@ -366,7 +367,7 @@ await ExtractAndStoreIconAsync(
         private async Task ExtractAndStoreIconAsync(
             Stream packageStream,
             string iconPath,
-            Storage destinationStorage,
+            CatalogStorage destinationStorage,
             Uri destinationUri,
             CancellationToken cancellationToken,
             string packageId,
@@ -406,7 +407,7 @@ private async Task<Stream> GetPackageStreamAsync(
             return await packageSourceBlob.GetStreamAsync(cancellationToken);
         }
 
-        private async Task DeleteNuspecAsync(Storage storage, string id, string version, CancellationToken cancellationToken)
+        private async Task DeleteNuspecAsync(CatalogStorage storage, string id, string version, CancellationToken cancellationToken)
         {
             string relativeAddress = GetRelativeAddressNuspec(id, version);
             Uri nuspecUri = new Uri(storage.BaseAddress, relativeAddress);
@@ -416,7 +417,7 @@ private async Task DeleteNuspecAsync(Storage storage, string id, string version,
             }
         }
 
-        private async Task DeleteNupkgAsync(Storage storage, string id, string version, CancellationToken cancellationToken)
+        private async Task DeleteNupkgAsync(CatalogStorage storage, string id, string version, CancellationToken cancellationToken)
         {
             string relativeAddress = GetRelativeAddressNupkg(id, version);
             Uri nupkgUri = new Uri(storage.BaseAddress, relativeAddress);
@@ -426,7 +427,7 @@ private async Task DeleteNupkgAsync(Storage storage, string id, string version,
             }
         }
 
-        private async Task DeleteIconAsync(Storage storage, string id, string version, CancellationToken cancellationToken)
+        private async Task DeleteIconAsync(CatalogStorage storage, string id, string version, CancellationToken cancellationToken)
         {
             string relativeAddress = GetRelativeAddressIcon(id, version);
             Uri iconUri = new Uri(storage.BaseAddress, relativeAddress);
@@ -479,4 +480,4 @@ public VersionsResult(string relativeAddress, Uri resourceUri, HashSet<NuGetVers
             public HashSet<NuGetVersion> Versions { get; }
         }
     }
-}
\ No newline at end of file
+}
diff --git a/src/Catalog/DurableCursor.cs b/src/Catalog/DurableCursor.cs
index 4c3d4f2c9a..ddb881157a 100644
--- a/src/Catalog/DurableCursor.cs
+++ b/src/Catalog/DurableCursor.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -12,10 +12,10 @@ namespace NuGet.Services.Metadata.Catalog
     public class DurableCursor : ReadWriteCursor
     {
         Uri _address;
-        Storage _storage;
+        Persistence.Storage _storage;
         DateTime _defaultValue;
 
-        public DurableCursor(Uri address, Storage storage, DateTime defaultValue)
+        public DurableCursor(Uri address, Persistence.Storage storage, DateTime defaultValue)
         {
             _address = address;
             _storage = storage;
@@ -43,4 +43,4 @@ public override async Task LoadAsync(CancellationToken cancellationToken)
             Value = obj["value"].ToObject<DateTime>();
         }
     }
-}
\ No newline at end of file
+}
diff --git a/src/Catalog/Helpers/DeletionAuditEntry.cs b/src/Catalog/Helpers/DeletionAuditEntry.cs
index 0d70e264e5..b5687c3a00 100644
--- a/src/Catalog/Helpers/DeletionAuditEntry.cs
+++ b/src/Catalog/Helpers/DeletionAuditEntry.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -163,7 +163,7 @@ public static Task<IEnumerable<DeletionAuditEntry>> GetAsync(
             DateTime? maxTime = null,
             ILogger logger = null)
         {
-            Storage storage = auditingStorageFactory.Create(package != null ? GetAuditRecordPrefixFromPackage(package) : null);
+            Persistence.Storage storage = auditingStorageFactory.Create(package != null ? GetAuditRecordPrefixFromPackage(package) : null);
             return GetAsync(storage, cancellationToken, minTime, maxTime, logger);
         }
 
@@ -258,4 +258,4 @@ private static bool IsPackageDelete(StorageListItem auditRecord)
             return FileNameSuffixes.Any(suffix => fileName.EndsWith(suffix));
         }
     }
-}
\ No newline at end of file
+}
diff --git a/src/Catalog/Icons/CatalogLeafDataProcessor.cs b/src/Catalog/Icons/CatalogLeafDataProcessor.cs
index eae467c069..4e99d91c6e 100644
--- a/src/Catalog/Icons/CatalogLeafDataProcessor.cs
+++ b/src/Catalog/Icons/CatalogLeafDataProcessor.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -12,6 +12,8 @@
 using NuGet.Services.Metadata.Catalog.Helpers;
 using NuGet.Services.Metadata.Catalog.Persistence;
 
+using CatalogStorage = NuGet.Services.Metadata.Catalog.Persistence.Storage;
+
 namespace NuGet.Services.Metadata.Catalog.Icons
 {
     public class CatalogLeafDataProcessor : ICatalogLeafDataProcessor
@@ -42,7 +44,7 @@ public CatalogLeafDataProcessor(
             _logger = logger ?? throw new ArgumentNullException(nameof(logger));
         }
 
-        public async Task ProcessPackageDeleteLeafAsync(Storage storage, CatalogCommitItem item, CancellationToken cancellationToken)
+        public async Task ProcessPackageDeleteLeafAsync(CatalogStorage storage, CatalogCommitItem item, CancellationToken cancellationToken)
         {
             var targetStoragePath = GetTargetStorageIconPath(item);
             await _iconProcessor.DeleteIconAsync(storage, targetStoragePath, cancellationToken, item.PackageIdentity.Id, item.PackageIdentity.Version.ToNormalizedString());
diff --git a/src/Catalog/Icons/ICatalogLeafDataProcessor.cs b/src/Catalog/Icons/ICatalogLeafDataProcessor.cs
index 090d5fc6e1..1f340a7399 100644
--- a/src/Catalog/Icons/ICatalogLeafDataProcessor.cs
+++ b/src/Catalog/Icons/ICatalogLeafDataProcessor.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System.Threading;
@@ -9,7 +9,7 @@ namespace NuGet.Services.Metadata.Catalog.Icons
 {
     public interface ICatalogLeafDataProcessor
     {
-        Task ProcessPackageDeleteLeafAsync(Storage storage, CatalogCommitItem item, CancellationToken cancellationToken);
+        Task ProcessPackageDeleteLeafAsync(Persistence.Storage storage, CatalogCommitItem item, CancellationToken cancellationToken);
         Task ProcessPackageDetailsLeafAsync(IStorage destinationStorage, IStorage iconCacheStorage, CatalogCommitItem item, string iconUrlString, string iconFile, CancellationToken cancellationToken);
     }
-}
\ No newline at end of file
+}
diff --git a/src/Catalog/NuGet.Services.Metadata.Catalog.csproj b/src/Catalog/NuGet.Services.Metadata.Catalog.csproj
index 5b3066e319..2032ddb367 100644
--- a/src/Catalog/NuGet.Services.Metadata.Catalog.csproj
+++ b/src/Catalog/NuGet.Services.Metadata.Catalog.csproj
@@ -76,6 +76,7 @@
     <ProjectReference Include="..\NuGet.Services.Configuration\NuGet.Services.Configuration.csproj" />
     <ProjectReference Include="..\NuGet.Services.Logging\NuGet.Services.Logging.csproj" />
     <ProjectReference Include="..\NuGet.Services.Sql\NuGet.Services.Sql.csproj" />
+    <ProjectReference Include="..\NuGet.Services.Storage\NuGet.Services.Storage.csproj" />
     <ProjectReference Include="..\NuGetGallery.Core\NuGetGallery.Core.csproj" />
   </ItemGroup>
 
diff --git a/src/Catalog/Persistence/AzureStorage.cs b/src/Catalog/Persistence/AzureStorage.cs
index 39198cf50b..91bfea2038 100644
--- a/src/Catalog/Persistence/AzureStorage.cs
+++ b/src/Catalog/Persistence/AzureStorage.cs
@@ -11,11 +11,13 @@
 using System.Threading;
 using System.Threading.Tasks;
 using Azure;
+using Azure.Identity;
 using Azure.Storage.Blobs;
 using Azure.Storage.Blobs.Models;
 using Azure.Storage.Blobs.Specialized;
 using NuGet.Protocol;
 using NuGet.Services.Metadata.Catalog.Extensions;
+using NuGet.Services.Storage;
 using NuGetGallery;
 
 namespace NuGet.Services.Metadata.Catalog.Persistence
@@ -33,7 +35,7 @@ public class AzureStorage : Storage, IAzureStorage
         public static readonly TimeSpan DefaultMaxExecutionTime = TimeSpan.FromMinutes(10);
 
         public AzureStorage(
-            BlobServiceClient blobServiceClient,
+            IBlobServiceClientFactory blobServiceClient,
             string containerName,
             string path,
             Uri baseAddress,
@@ -92,7 +94,7 @@ private static ICloudBlobDirectory GetCloudBlobDirectoryUri(Uri storageBaseUri)
 
             var blobEndpoint = new Uri(storageBaseUri.GetComponents(UriComponents.SchemeAndServer, UriFormat.Unescaped));
             // Create BlobServiceClient with anonymous credentials
-            var blobServiceClient = new BlobServiceClient(blobEndpoint);
+            var blobServiceClient = new BlobServiceClientFactory(blobEndpoint);
 
             string containerName = pathSegments[0];
             string pathInContainer = string.Join("/", pathSegments.Skip(1));
diff --git a/src/Catalog/Persistence/AzureStorageFactory.cs b/src/Catalog/Persistence/AzureStorageFactory.cs
index 1c6e68342c..2d9f222338 100644
--- a/src/Catalog/Persistence/AzureStorageFactory.cs
+++ b/src/Catalog/Persistence/AzureStorageFactory.cs
@@ -1,15 +1,16 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
 using Azure.Storage.Blobs;
 using NuGet.Protocol;
+using NuGet.Services.Storage;
 
 namespace NuGet.Services.Metadata.Catalog.Persistence
 {
     public class AzureStorageFactory : StorageFactory
     {
-        private readonly BlobServiceClient _blobServiceClient;
+        private readonly IBlobServiceClientFactory _blobServiceClient;
         private readonly string _containerName;
         private readonly string _path;
         private readonly Uri _differentBaseAddress = null;
@@ -19,7 +20,7 @@ public class AzureStorageFactory : StorageFactory
         private readonly bool _initializeContainer;
 
         public AzureStorageFactory(
-            BlobServiceClient blobServiceClient,
+            IBlobServiceClientFactory blobServiceClient,
             string containerName,
             TimeSpan maxExecutionTime,
             TimeSpan serverTimeout,
@@ -107,4 +108,4 @@ public override Storage Create(string name = null)
                 Throttle);
         }
     }
-}
\ No newline at end of file
+}
diff --git a/src/Catalog/Persistence/CloudBlobDirectoryWrapper.cs b/src/Catalog/Persistence/CloudBlobDirectoryWrapper.cs
index d276306f54..437982c856 100644
--- a/src/Catalog/Persistence/CloudBlobDirectoryWrapper.cs
+++ b/src/Catalog/Persistence/CloudBlobDirectoryWrapper.cs
@@ -5,27 +5,32 @@
 using System.Collections.Generic;
 using System.Threading;
 using System.Threading.Tasks;
+using Azure.Core;
+using Azure.Core.Pipeline;
 using Azure.Storage.Blobs;
 using Azure.Storage.Blobs.Models;
 using Azure.Storage.Blobs.Specialized;
+using NuGet.Services.Storage;
 
 namespace NuGet.Services.Metadata.Catalog.Persistence
 {
     public class CloudBlobDirectoryWrapper : ICloudBlobDirectory
     {
+        private readonly IBlobServiceClientFactory _blobServiceClientFactory;
         private readonly BlobContainerClient _containerClient;
         private readonly string _directoryPrefix;
         private readonly IBlobContainerClientWrapper _blobContainerClientWrapper;
         private readonly BlobClientOptions _defaultClientOptions;
 
-        public BlobServiceClient ServiceClient => _containerClient.GetParentBlobServiceClient();
+        public IBlobServiceClientFactory ServiceClient => new SimpleBlobServiceClientFactory(_containerClient.GetParentBlobServiceClient());
         public Uri Uri { get; }
         public string DirectoryPrefix => _directoryPrefix;
         public BlobClientOptions ContainerOptions => _defaultClientOptions;
         public IBlobContainerClientWrapper ContainerClientWrapper => _blobContainerClientWrapper;
 
-        public CloudBlobDirectoryWrapper(BlobServiceClient serviceClient, string containerName, string directoryPrefix, BlobClientOptions blobClientOptions = null)
+        public CloudBlobDirectoryWrapper(IBlobServiceClientFactory serviceClientFactory, string containerName, string directoryPrefix, BlobClientOptions blobClientOptions = null)
         {
+            _blobServiceClientFactory = serviceClientFactory ?? throw new ArgumentNullException(nameof(serviceClientFactory));
             _directoryPrefix = directoryPrefix ?? throw new ArgumentNullException(nameof(directoryPrefix));
 
             if (string.IsNullOrWhiteSpace(containerName))
@@ -35,19 +40,9 @@ public CloudBlobDirectoryWrapper(BlobServiceClient serviceClient, string contain
 
             _defaultClientOptions = blobClientOptions ?? new BlobClientOptions();
 
-            // Create the container client using the provided or default options
-            if (blobClientOptions != null)
-            {
-                // Extract necessary information
-                Uri serviceUri = serviceClient.Uri;
-                // Create a new BlobServiceClient instance with the new options
-                var newServiceClient = new BlobServiceClient(serviceUri, _defaultClientOptions);
-                _containerClient = newServiceClient.GetBlobContainerClient(containerName);
-            }
-            else
-            {
-                _containerClient = serviceClient.GetBlobContainerClient(containerName);
-            }
+            // Request a new BlobServiceClient instance with the current BlobClientOptions
+            var serviceClient = _blobServiceClientFactory.GetBlobServiceClient(blobClientOptions);
+            _containerClient = serviceClient.GetBlobContainerClient(containerName);
 
             Uri = new Uri(Storage.RemoveQueryString(_containerClient.Uri).TrimEnd('/') + "/" + _directoryPrefix);
 
diff --git a/src/Catalog/Persistence/ICloudBlobDirectory.cs b/src/Catalog/Persistence/ICloudBlobDirectory.cs
index f43cc09a81..8f48f1f657 100644
--- a/src/Catalog/Persistence/ICloudBlobDirectory.cs
+++ b/src/Catalog/Persistence/ICloudBlobDirectory.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -8,12 +8,13 @@
 using Azure.Storage.Blobs;
 using Azure.Storage.Blobs.Models;
 using Azure.Storage.Blobs.Specialized;
+using NuGet.Services.Storage;
 
 namespace NuGet.Services.Metadata.Catalog.Persistence
 {
     public interface ICloudBlobDirectory
     {
-        BlobServiceClient ServiceClient { get; }
+        IBlobServiceClientFactory ServiceClient { get; }
         IBlobContainerClientWrapper ContainerClientWrapper { get; }
         string DirectoryPrefix { get; }
         Uri Uri { get; }
diff --git a/src/Gallery.CredentialExpiration/Job.cs b/src/Gallery.CredentialExpiration/Job.cs
index 7d35a08ffa..5fcd03f6c7 100644
--- a/src/Gallery.CredentialExpiration/Job.cs
+++ b/src/Gallery.CredentialExpiration/Job.cs
@@ -52,7 +52,7 @@ public override void Init(IServiceContainer serviceContainer, IDictionary<string
 
             FromAddress = new MailAddress(InitializationConfiguration.MailFrom);
             
-            var storageAccount = new BlobServiceClient(AzureStorageFactory.PrepareConnectionString(InitializationConfiguration.DataStorageAccount));
+            var storageAccount = new BlobServiceClientFactory(AzureStorageFactory.PrepareConnectionString(InitializationConfiguration.DataStorageAccount));
             var storageFactory = new AzureStorageFactory(
                 storageAccount,
                 InitializationConfiguration.ContainerName,
diff --git a/src/GitHubVulnerabilities2Db/Fakes/FakeFeatureFlagService.cs b/src/GitHubVulnerabilities2Db/Fakes/FakeFeatureFlagService.cs
index 612fe7bac9..776be62af0 100644
--- a/src/GitHubVulnerabilities2Db/Fakes/FakeFeatureFlagService.cs
+++ b/src/GitHubVulnerabilities2Db/Fakes/FakeFeatureFlagService.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -324,5 +324,10 @@ public bool IsAdvancedFrameworkFilteringEnabled(User user)
         {
             throw new NotImplementedException();
         }
+
+        public bool CanUseFederatedCredentials(User user)
+        {
+            throw new NotImplementedException();
+        }
     }
 }
diff --git a/src/GitHubVulnerabilities2Db/Job.cs b/src/GitHubVulnerabilities2Db/Job.cs
index 2059afeecf..793c6e91d0 100644
--- a/src/GitHubVulnerabilities2Db/Job.cs
+++ b/src/GitHubVulnerabilities2Db/Job.cs
@@ -6,6 +6,7 @@
 using System.Threading;
 using System.Threading.Tasks;
 using Autofac;
+using Azure.Identity;
 using Azure.Storage.Blobs;
 using GitHubVulnerabilities2Db.Configuration;
 using GitHubVulnerabilities2Db.Fakes;
@@ -31,13 +32,14 @@ namespace GitHubVulnerabilities2Db
 {
     public class Job : JsonConfigurationJob, IDisposable
     {
+        private const string ManagedIdentityClientIdKey = "UserManagedIdentityClientId";
         private readonly HttpClient _client = new HttpClient();
 
         public override async Task Run()
         {
             var collector = _serviceProvider.GetRequiredService<IAdvisoryCollector>();
-            while (await collector.ProcessAsync(CancellationToken.None));
-            
+            while (await collector.ProcessAsync(CancellationToken.None)) ;
+
         }
 
         protected override void ConfigureJobServices(IServiceCollection services, IConfigurationRoot configurationRoot)
@@ -59,7 +61,7 @@ protected override void ConfigureAutofacServices(ContainerBuilder containerBuild
 
             ConfigureQueryServices(containerBuilder);
             ConfigureIngestionServices(containerBuilder);
-            ConfigureCollectorServices(containerBuilder);
+            ConfigureCollectorServices(containerBuilder, configurationRoot);
         }
 
         protected void ConfigureIngestionServices(ContainerBuilder containerBuilder)
@@ -159,22 +161,22 @@ protected void ConfigureQueryServices(ContainerBuilder containerBuilder)
                 .As<IAdvisoryQueryService>();
         }
 
-        protected void ConfigureCollectorServices(ContainerBuilder containerBuilder)
+        protected void ConfigureCollectorServices(ContainerBuilder containerBuilder, IConfigurationRoot configurationRoot)
         {
             containerBuilder
                 .Register(ctx =>
                 {
                     var config = ctx.Resolve<GitHubVulnerabilities2DbConfiguration>();
-                    var connectionString = AzureStorageFactory.PrepareConnectionString(config.StorageConnectionString);
-                    return new BlobServiceClient(connectionString);
+                    var credential = new ManagedIdentityCredential(configurationRoot[ManagedIdentityClientIdKey]);
+                    return new BlobServiceClientFactory(new Uri(config.StorageConnectionString), credential);
                 })
-                .As<BlobServiceClient>();
+                .As<BlobServiceClientFactory>();
 
             containerBuilder
                 .Register(ctx =>
                 {
                     return new AzureStorageFactory(
-                        ctx.Resolve<BlobServiceClient>(),
+                        ctx.Resolve<BlobServiceClientFactory>(),
                         ctx.Resolve<GitHubVulnerabilities2DbConfiguration>().CursorContainerName,
                         enablePublicAccess: true,
                         ctx.Resolve<ILogger<AzureStorage>>());
diff --git a/src/GitHubVulnerabilities2v3/Job.cs b/src/GitHubVulnerabilities2v3/Job.cs
index d4f5a3d0ec..42ebfdf742 100644
--- a/src/GitHubVulnerabilities2v3/Job.cs
+++ b/src/GitHubVulnerabilities2v3/Job.cs
@@ -7,6 +7,7 @@
 using System.Threading;
 using System.Threading.Tasks;
 using Autofac;
+using Azure.Identity;
 using Azure.Storage.Blobs;
 using GitHubVulnerabilities2v3.Configuration;
 using GitHubVulnerabilities2v3.Extensions;
@@ -16,6 +17,7 @@
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using NuGet.Jobs;
+using NuGet.Services.Configuration;
 using NuGet.Services.Cursor;
 using NuGet.Services.GitHub.Collector;
 using NuGet.Services.GitHub.Configuration;
@@ -68,7 +70,7 @@ protected override void ConfigureAutofacServices(ContainerBuilder containerBuild
 
             ConfigureQueryServices(containerBuilder);
             ConfigureIngestionServices(containerBuilder);
-            ConfigureCollectorServices(containerBuilder);
+            ConfigureCollectorServices(containerBuilder, configurationRoot);
         }
 
         protected void ConfigureIngestionServices(ContainerBuilder containerBuilder)
@@ -111,22 +113,22 @@ protected void ConfigureQueryServices(ContainerBuilder containerBuilder)
                 .As<IAdvisoryQueryService>();
         }
 
-        protected void ConfigureCollectorServices(ContainerBuilder containerBuilder)
+        protected void ConfigureCollectorServices(ContainerBuilder containerBuilder, IConfigurationRoot configurationRoot)
         {
             containerBuilder
                 .Register(ctx =>
                 {
                     var config = ctx.Resolve<GitHubVulnerabilities2v3Configuration>();
-                    var connectionString = AzureStorageFactory.PrepareConnectionString(config.StorageConnectionString);
-                    return new BlobServiceClient(connectionString);
+                    var credential = new ManagedIdentityCredential(configurationRoot[Constants.ManagedIdentityClientIdKey]);
+                    return new BlobServiceClientFactory(new Uri(config.StorageConnectionString), credential);
                 })
-                .As<BlobServiceClient>();
+                .As<BlobServiceClientFactory>();
 
             containerBuilder
                 .Register(ctx =>
                 {
                     return new AzureStorageFactory(
-                        ctx.Resolve<BlobServiceClient>(),
+                        ctx.Resolve<BlobServiceClientFactory>(),
                         ctx.Resolve<GitHubVulnerabilities2v3Configuration>().V3VulnerabilityContainerName,
                         enablePublicAccess: true,
                         ctx.Resolve<ILogger<AzureStorage>>());
diff --git a/src/Ng/Arguments.cs b/src/Ng/Arguments.cs
index 280ffc4561..e9cd3cf944 100644
--- a/src/Ng/Arguments.cs
+++ b/src/Ng/Arguments.cs
@@ -39,6 +39,7 @@ public static class Arguments
         public const string StoragePath = "storagePath";
         public const string StorageQueueName = "storageQueueName";
         public const string StorageType = "storageType";
+        public const string StorageUseManagedIdentity = "storageUseManagedIdentity";
 
         public const string StorageSuffix = "storageSuffix";
         public const string StorageOperationMaxExecutionTimeInSeconds = "storageOperationMaxExecutionTimeInSeconds";
diff --git a/src/Ng/CommandHelpers.cs b/src/Ng/CommandHelpers.cs
index 18390a3db4..298a900d5a 100644
--- a/src/Ng/CommandHelpers.cs
+++ b/src/Ng/CommandHelpers.cs
@@ -11,9 +11,11 @@
 using Azure;
 using Azure.Core;
 using Azure.Identity;
+using Azure.Storage;
 using Azure.Storage.Blobs;
 using Azure.Storage.Queues;
 using Microsoft.Extensions.Logging;
+using NuGet.Jobs;
 using NuGet.Protocol;
 using NuGet.Services.Configuration;
 using NuGet.Services.KeyVault;
@@ -39,6 +41,8 @@ public static class CommandHelpers
         };
         private static readonly IDictionary<string, string> ArgumentNames = new Dictionary<string, string>
         {
+            { Arguments.UseManagedIdentity, Arguments.UseManagedIdentity },
+            { Arguments.ClientId, Arguments.ClientId},
             { Arguments.StorageBaseAddress, Arguments.StorageBaseAddress },
             { Arguments.StorageAccountName, Arguments.StorageAccountName },
             { Arguments.StorageKeyValue, Arguments.StorageKeyValue },
@@ -46,6 +50,7 @@ public static class CommandHelpers
             { Arguments.StorageContainer, Arguments.StorageContainer },
             { Arguments.StoragePath, Arguments.StoragePath },
             { Arguments.StorageSuffix, Arguments.StorageSuffix },
+            { Arguments.StorageUseManagedIdentity, Arguments.StorageUseManagedIdentity },
             { Arguments.StorageUseServerSideCopy, Arguments.StorageUseServerSideCopy },
             { Arguments.StorageOperationMaxExecutionTimeInSeconds, Arguments.StorageOperationMaxExecutionTimeInSeconds },
             { Arguments.StorageServerTimeoutInSeconds, Arguments.StorageServerTimeoutInSeconds },
@@ -115,7 +120,7 @@ private static ICachingSecretInjector GetSecretInjector(IDictionary<string, stri
                     keyVaultConfig = new KeyVaultConfiguration(
                         vaultName,
                         tenantId,
-                        clientId, 
+                        clientId,
                         keyVaultCertificate,
                         sendX5c);
                 }
@@ -161,8 +166,11 @@ public static CatalogStorageFactory CreateSuffixedStorageFactory(
 
             IDictionary<string, string> names = new Dictionary<string, string>
             {
+                { Arguments.UseManagedIdentity, Arguments.UseManagedIdentity },
+                { Arguments.ClientId, Arguments.ClientId},
                 { Arguments.StorageBaseAddress, Arguments.StorageBaseAddress + suffix },
                 { Arguments.StorageAccountName, Arguments.StorageAccountName + suffix },
+                { Arguments.StorageUseManagedIdentity, Arguments.StorageUseManagedIdentity + suffix },
                 { Arguments.StorageKeyValue, Arguments.StorageKeyValue + suffix },
                 { Arguments.StorageSasValue, Arguments.StorageSasValue + suffix },
                 { Arguments.StorageContainer, Arguments.StorageContainer + suffix },
@@ -194,7 +202,6 @@ private static CatalogStorageFactory CreateStorageFactoryImpl(
             if (!string.IsNullOrEmpty(storageBaseAddressStr))
             {
                 storageBaseAddressStr = storageBaseAddressStr.TrimEnd('/') + "/";
-
                 storageBaseAddress = new Uri(storageBaseAddressStr);
             }
 
@@ -222,7 +229,7 @@ private static CatalogStorageFactory CreateStorageFactoryImpl(
                 var storageUseServerSideCopy = arguments.GetOrDefault<bool>(argumentNameMap[Arguments.StorageUseServerSideCopy]);
                 var storageInitializeContainer = arguments.GetOrDefault(argumentNameMap[Arguments.StorageInitializeContainer], defaultValue: true);
 
-                BlobServiceClient account = GetBlobServiceClient(arguments, argumentNameMap);
+                IBlobServiceClientFactory account = GetBlobServiceClient(arguments, argumentNameMap);
 
                 return new CatalogAzureStorageFactory(
                     account,
@@ -418,18 +425,57 @@ public static IStorageQueue<T> CreateStorageQueue<T>(IDictionary<string, string>
             }
         }
 
-        private static BlobServiceClient GetBlobServiceClient(
+        private static IBlobServiceClientFactory GetBlobServiceClient(
             IDictionary<string, string> arguments,
             IDictionary<string, string> argumentNameMap)
         {
+            bool storageUseManagedIdentity = arguments.GetOrDefault(argumentNameMap[Arguments.StorageUseManagedIdentity], defaultValue: false);
+            bool useManagedIdentity = storageUseManagedIdentity || arguments.GetOrDefault(argumentNameMap[Arguments.UseManagedIdentity], defaultValue: false);
+
+            var storageKeyValue = arguments.GetOrDefault<string>(argumentNameMap[Arguments.StorageKeyValue]);
+            var storageSasValue = arguments.GetOrDefault<string>(argumentNameMap[Arguments.StorageSasValue]);
+
+            bool hasStorageKeyOrSas = !string.IsNullOrEmpty(storageKeyValue) || !string.IsNullOrEmpty(storageSasValue);
+
+            // This comparison is due to some jobs using both global and china storages in a single instance.
+            // They require MSI auth for global storage and SAS/SAK auth for china storage.
+            if (useManagedIdentity && !hasStorageKeyOrSas)
+            {
+                var managedIdentityClientId = arguments.GetOrThrow<string>(argumentNameMap[Arguments.ClientId]);
+                var identity = new ManagedIdentityCredential(managedIdentityClientId);
+                var serviceUri = GetServiceUri(arguments, argumentNameMap, "blob");
+                return new BlobServiceClientFactory(serviceUri, identity);
+            }
+
             string connectionString = GetConnectionString(arguments, argumentNameMap, "BlobEndpoint", "blob");
-            return new BlobServiceClient(connectionString);
+            return new BlobServiceClientFactory(connectionString);
         }
 
         private static QueueServiceClient GetQueueServiceClient(
             IDictionary<string, string> arguments,
             IDictionary<string, string> argumentNameMap)
         {
+            bool storageUseManagedIdentity = arguments.GetOrDefault(argumentNameMap[Arguments.StorageUseManagedIdentity], defaultValue: false);
+            bool useManagedIdentity = storageUseManagedIdentity || arguments.GetOrDefault(argumentNameMap[Arguments.UseManagedIdentity], defaultValue: false);
+
+            var storageKeyValue = arguments.GetOrDefault<string>(argumentNameMap[Arguments.StorageKeyValue]);
+            var storageSasValue = arguments.GetOrDefault<string>(argumentNameMap[Arguments.StorageSasValue]);
+
+            bool hasStorageKeyOrSas = !string.IsNullOrEmpty(storageKeyValue) || !string.IsNullOrEmpty(storageSasValue);
+
+            // This comparison is due to some jobs using both global and china storages in a single instance.
+            // They require MSI auth for global storage and SAS/SAK auth for china storage.
+            if (useManagedIdentity && !hasStorageKeyOrSas)
+            {
+                var managedIdentityClientId = arguments.GetOrThrow<string>(argumentNameMap[Arguments.ClientId]);
+                var identity = new ManagedIdentityCredential(managedIdentityClientId);
+                var serviceUri = GetServiceUri(arguments, argumentNameMap, "queue");
+                return new QueueServiceClient(serviceUri, identity, new QueueClientOptions
+                {
+                    MessageEncoding = QueueMessageEncoding.Base64,
+                });
+            }
+
             string connectionString = GetConnectionString(arguments, argumentNameMap, "QueueEndpoint", "queue");
             return new QueueServiceClient(connectionString, new QueueClientOptions
             {
@@ -468,5 +514,17 @@ private static string GetConnectionString(
 
             return connectionString;
         }
+
+        private static Uri GetServiceUri(
+            IDictionary<string, string> arguments,
+            IDictionary<string, string> argumentNameMap,
+            string endpointDomain)
+        {
+            var storageAccountName = arguments.GetOrThrow<string>(argumentNameMap[Arguments.StorageAccountName]);
+            var storageSuffix = arguments.GetOrDefault(argumentNameMap[Arguments.StorageSuffix], DefaultStorageSuffix);
+
+            string serviceUri = $"https://{storageAccountName}.{endpointDomain}.{storageSuffix}/";
+            return new Uri(serviceUri);
+        }
     }
 }
diff --git a/src/Ng/Jobs/Catalog2DnxJob.cs b/src/Ng/Jobs/Catalog2DnxJob.cs
index 30c7c6def8..adc18ea6cb 100644
--- a/src/Ng/Jobs/Catalog2DnxJob.cs
+++ b/src/Ng/Jobs/Catalog2DnxJob.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -45,7 +45,7 @@ public override string GetUsage()
                    + $"-{Arguments.StoragePath} <path> "
                    + $"[-{Arguments.VaultName} <keyvault-name> "
                    + $"-{Arguments.UseManagedIdentity} true|false "
-                   + $"-{Arguments.ClientId} <keyvault-client-id> Should not be set if {Arguments.UseManagedIdentity} is true"
+                   + $"-{Arguments.ClientId} <client-id> If {Arguments.UseManagedIdentity} is true this is used for managed identity authentication, if false, is used for KeyVault certificate authentication"
                    + $"-{Arguments.CertificateThumbprint} <keyvault-certificate-thumbprint> Should not be set if {Arguments.UseManagedIdentity} is true"
                    + $"[-{Arguments.ValidateCertificate} true|false]]] "
                    + $"[-{Arguments.Verbose} true|false] "
@@ -122,4 +122,4 @@ protected override async Task RunInternalAsync(CancellationToken cancellationTok
             }
         }
     }
-}
\ No newline at end of file
+}
diff --git a/src/Ng/Jobs/Db2CatalogJob.cs b/src/Ng/Jobs/Db2CatalogJob.cs
index f4463e8b68..5457a6c0fc 100644
--- a/src/Ng/Jobs/Db2CatalogJob.cs
+++ b/src/Ng/Jobs/Db2CatalogJob.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -63,7 +63,7 @@ public override string GetUsage()
                    + $"-{Arguments.StoragePath} <path> "
                    + $"[-{Arguments.VaultName} <keyvault-name> "
                    + $"-{Arguments.UseManagedIdentity} true|false "
-                   + $"-{Arguments.ClientId} <keyvault-client-id> Should not be set if {Arguments.UseManagedIdentity} is true"
+                   + $"-{Arguments.ClientId} <client-id> If {Arguments.UseManagedIdentity} is true this is used for managed identity authentication, if false, is used for KeyVault certificate authentication"
                    + $"-{Arguments.CertificateThumbprint} <keyvault-certificate-thumbprint> Should not be set if {Arguments.UseManagedIdentity} is true"
                    + $"[-{Arguments.ValidateCertificate} true|false]]] "
                    + $"-{Arguments.StorageTypeAuditing} file|azure "
@@ -413,4 +413,4 @@ private async Task<DateTime> Deletes2Catalog(
             return lastDeleted;
         }
     }
-}
\ No newline at end of file
+}
diff --git a/src/Ng/Jobs/Db2MonitoringJob.cs b/src/Ng/Jobs/Db2MonitoringJob.cs
index 6dbcae7ede..a4cca066da 100644
--- a/src/Ng/Jobs/Db2MonitoringJob.cs
+++ b/src/Ng/Jobs/Db2MonitoringJob.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Ng/Jobs/FixCatalogCachingJob.cs b/src/Ng/Jobs/FixCatalogCachingJob.cs
index 762e23a503..428e39e0e0 100644
--- a/src/Ng/Jobs/FixCatalogCachingJob.cs
+++ b/src/Ng/Jobs/FixCatalogCachingJob.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -52,7 +52,7 @@ public override string GetUsage()
                    + $"-{Arguments.StoragePath} <path> "
                    + $"[-{Arguments.VaultName} <keyvault-name> "
                    + $"-{Arguments.UseManagedIdentity} true|false "
-                   + $"-{Arguments.ClientId} <keyvault-client-id> Should not be set if {Arguments.UseManagedIdentity} is true"
+                   + $"-{Arguments.ClientId} <client-id> If {Arguments.UseManagedIdentity} is true this is used for managed identity authentication, if false, is used for KeyVault certificate authentication"
                    + $"-{Arguments.CertificateThumbprint} <keyvault-certificate-thumbprint> Should not be set if {Arguments.UseManagedIdentity} is true"
                    + $"[-{Arguments.ValidateCertificate} true|false ]]";
         }
diff --git a/src/Ng/Jobs/LightningJob.cs b/src/Ng/Jobs/LightningJob.cs
index f71a259c5b..399ed2f2e7 100644
--- a/src/Ng/Jobs/LightningJob.cs
+++ b/src/Ng/Jobs/LightningJob.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -400,8 +400,10 @@ private void AddStorageCredentialArgument(StringBuilder argument, string sasToke
             {
                 AppendArgument(argument, sasTokenArgument);
             }
-
-            AppendArgument(argument, storageKeyArgument);
+            else if (!string.IsNullOrEmpty(_arguments.GetOrDefault<string>(storageKeyArgument)))
+            {
+                AppendArgument(argument, storageKeyArgument);
+            }
         }
 
         private async Task StrikeAsync()
@@ -504,32 +506,55 @@ private IContainer GetAutofacContainer()
 
             services.Configure<Catalog2RegistrationConfiguration>(config =>
             {
+                config.StorageUseManagedIdentity = _arguments.GetOrDefault<bool>(Arguments.UseManagedIdentity);
+                config.StorageManagedIdentityClientId = _arguments.GetOrDefault<string>(Arguments.ClientId);
+
                 config.LegacyBaseUrl = _arguments.GetOrDefault<string>(Arguments.StorageBaseAddress);
                 config.LegacyStorageContainer = _arguments.GetOrDefault<string>(Arguments.StorageContainer);
-                config.StorageConnectionString = GetConnectionString(
-                    config.StorageConnectionString,
-                    Arguments.StorageAccountName,
-                    Arguments.StorageKeyValue,
-                    Arguments.StorageSasValue,
-                    Arguments.StorageSuffix);
 
                 config.GzippedBaseUrl = _arguments.GetOrDefault<string>(Arguments.CompressedStorageBaseAddress);
                 config.GzippedStorageContainer = _arguments.GetOrDefault<string>(Arguments.CompressedStorageContainer);
-                config.StorageConnectionString = GetConnectionString(
-                   config.StorageConnectionString,
-                   Arguments.CompressedStorageAccountName,
-                   Arguments.CompressedStorageKeyValue,
-                   Arguments.CompressedStorageSasValue,
-                   Arguments.StorageSuffix);
 
                 config.SemVer2BaseUrl = _arguments.GetOrDefault<string>(Arguments.SemVer2StorageBaseAddress);
                 config.SemVer2StorageContainer = _arguments.GetOrDefault<string>(Arguments.SemVer2StorageContainer);
-                config.StorageConnectionString = GetConnectionString(
-                   config.StorageConnectionString,
-                   Arguments.SemVer2StorageAccountName,
-                   Arguments.SemVer2StorageKeyValue,
-                   Arguments.SemVer2StorageSasValue,
-                   Arguments.StorageSuffix);
+
+                config.HasSasToken = new List<string>()
+                {
+                    _arguments.GetOrDefault<string>(Arguments.StorageSasValue),
+                    _arguments.GetOrDefault<string>(Arguments.CompressedStorageSasValue),
+                    _arguments.GetOrDefault<string>(Arguments.SemVer2StorageSasValue)
+                }
+                .All(t => !string.IsNullOrEmpty(t));
+
+                if (config.StorageUseManagedIdentity && !config.HasSasToken)
+                {
+                    var storageAccountName = _arguments.GetOrDefault<string>(Arguments.StorageAccountName);
+                    var storageSuffix = _arguments.GetOrDefault(Arguments.StorageSuffix, "core.windows.net");
+
+                    config.StorageServiceUrl = $"https://{storageAccountName}.blob.{storageSuffix}";
+                    config.StorageConnectionString = $"BlobEndpoint={config.StorageServiceUrl}";
+                }
+                else
+                {
+                    config.StorageConnectionString = GetConnectionString(
+                        config.StorageConnectionString,
+                        Arguments.StorageAccountName,
+                        Arguments.StorageKeyValue,
+                        Arguments.StorageSasValue,
+                        Arguments.StorageSuffix);
+                    config.StorageConnectionString = GetConnectionString(
+                       config.StorageConnectionString,
+                       Arguments.CompressedStorageAccountName,
+                       Arguments.CompressedStorageKeyValue,
+                       Arguments.CompressedStorageSasValue,
+                       Arguments.StorageSuffix);
+                    config.StorageConnectionString = GetConnectionString(
+                       config.StorageConnectionString,
+                       Arguments.SemVer2StorageAccountName,
+                       Arguments.SemVer2StorageKeyValue,
+                       Arguments.SemVer2StorageSasValue,
+                       Arguments.StorageSuffix);
+                }
 
                 config.GalleryBaseUrl = _arguments.GetOrThrow<string>(Arguments.GalleryBaseAddress);
                 var contentBaseAddress = _arguments.GetOrThrow<string>(Arguments.ContentBaseAddress);
@@ -568,7 +593,13 @@ private string GetConnectionString(
             }
             else
             {
-                builder.AppendFormat("SharedAccessSignature={0};", _arguments.GetOrThrow<string>(accountSasArgument));
+                var sasToken = _arguments.GetOrThrow<string>(accountSasArgument);
+                // workaround for https://github.com/Azure/azure-sdk-for-net/issues/44373
+                if (sasToken.StartsWith("?"))
+                {
+                    sasToken = sasToken.Substring(1);
+                }
+                builder.AppendFormat("SharedAccessSignature={0};", sasToken);
             }
 
             builder.AppendFormat("EndpointSuffix={0}", _arguments.GetOrDefault(endpointSuffixArgument, "core.windows.net"));
diff --git a/src/Ng/Jobs/NgJob.cs b/src/Ng/Jobs/NgJob.cs
index 8fd2b7b779..a22e94f7b8 100644
--- a/src/Ng/Jobs/NgJob.cs
+++ b/src/Ng/Jobs/NgJob.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -51,7 +51,7 @@ public static string GetUsageBase()
             return "Usage: ng [" + string.Join("|", NgJobFactory.JobMap.Keys) + "] "
                    + $"[-{Arguments.VaultName} <keyvault-name> "
                    + $"-{Arguments.UseManagedIdentity} true|false "
-                   + $"-{Arguments.ClientId} <keyvault-client-id> Should not be set if {Arguments.UseManagedIdentity} is true"
+                   + $"-{Arguments.ClientId} <client-id> If {Arguments.UseManagedIdentity} is true this is used for managed identity authentication, if false, is used for KeyVault certificate authentication"
                    + $"-{Arguments.CertificateThumbprint} <keyvault-certificate-thumbprint> Should not be set if {Arguments.UseManagedIdentity} is true"
                    + $"[-{Arguments.ValidateCertificate} true|false]]";
         }
@@ -76,4 +76,4 @@ public virtual async Task RunAsync(IDictionary<string, string> arguments, Cancel
             await RunInternalAsync(cancellationToken);
         }
     }
-}
\ No newline at end of file
+}
diff --git a/src/NuGet.Jobs.Catalog2Registration/Catalog2RegistrationConfiguration.cs b/src/NuGet.Jobs.Catalog2Registration/Catalog2RegistrationConfiguration.cs
index a81b458633..1146d96f0a 100644
--- a/src/NuGet.Jobs.Catalog2Registration/Catalog2RegistrationConfiguration.cs
+++ b/src/NuGet.Jobs.Catalog2Registration/Catalog2RegistrationConfiguration.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -11,6 +11,26 @@ public class Catalog2RegistrationConfiguration : ICommitCollectorConfiguration
     {
         private static readonly int DefaultMaxConcurrentHivesPerId = Enum.GetValues(typeof(HiveType)).Length;
 
+        /// <summary>
+        /// Whether or not managed identity will be used as credential.
+        /// </summary>
+        public bool StorageUseManagedIdentity { get; set; }
+
+        /// <summary>
+        /// Specific manage identity client id.
+        /// </summary>
+        public string StorageManagedIdentityClientId { get; set; }
+
+        /// <summary>
+        /// Whether or not any storage contains a sas token.
+        /// </summary>
+        public bool HasSasToken { get; set; }
+
+        /// <summary>
+        /// Azure storage service uri. e.g. https://<storage>.blob.core.windows.net
+        /// </summary>
+        public string StorageServiceUrl { get; set; }
+
         /// <summary>
         /// The connection string used to connect to an Azure Blob Storage account. The connection string specifies
         /// the account name, the endpoint suffix (e.g. Azure vs. Azure China), and authentication credential (e.g. storage
diff --git a/src/NuGet.Jobs.Catalog2Registration/DependencyInjectionExtensions.cs b/src/NuGet.Jobs.Catalog2Registration/DependencyInjectionExtensions.cs
index 5fd54310d9..dbd96ba094 100644
--- a/src/NuGet.Jobs.Catalog2Registration/DependencyInjectionExtensions.cs
+++ b/src/NuGet.Jobs.Catalog2Registration/DependencyInjectionExtensions.cs
@@ -5,6 +5,7 @@
 using System.Collections.Generic;
 using System.Net.Http;
 using Autofac;
+using Azure.Identity;
 using Azure.Storage.Blobs;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
@@ -12,9 +13,14 @@
 using Microsoft.Extensions.Options;
 using NuGet.Protocol;
 using NuGet.Services.Metadata.Catalog.Persistence;
+using NuGet.Services.Storage;
 using NuGet.Services.V3;
 using NuGetGallery;
 
+using AzureStorage = NuGet.Services.Metadata.Catalog.Persistence.AzureStorage;
+using AzureStorageFactory = NuGet.Services.Metadata.Catalog.Persistence.AzureStorageFactory;
+using IStorageFactory = NuGet.Services.Metadata.Catalog.Persistence.IStorageFactory;
+
 namespace NuGet.Jobs.Catalog2Registration
 {
     public static class DependencyInjectionExtensions
@@ -26,10 +32,20 @@ public static ContainerBuilder AddCatalog2Registration(this ContainerBuilder con
             containerBuilder.AddV3();
 
             RegisterCursorStorage(containerBuilder);
-
             containerBuilder
-                .RegisterStorageAccount<Catalog2RegistrationConfiguration>(c => c.StorageConnectionString, requestTimeout: DefaultBlobRequestOptions.ServerTimeout)
-                .As<ICloudBlobClient>();
+                .Register<ICloudBlobClient>(c =>
+                {
+                    var options = c.Resolve<IOptionsSnapshot<Catalog2RegistrationConfiguration>>();
+
+                    if (options.Value.StorageUseManagedIdentity && !options.Value.HasSasToken)
+                    {
+                        return CloudBlobClientWrapper.UsingMsi(options.Value.StorageConnectionString, clientId: options.Value.StorageManagedIdentityClientId, requestTimeout: DefaultBlobRequestOptions.ServerTimeout);
+                    }
+
+                    return new CloudBlobClientWrapper(
+                        options.Value.StorageConnectionString,
+                        requestTimeout: DefaultBlobRequestOptions.ServerTimeout);
+                });
 
             containerBuilder.Register(c => new Catalog2RegistrationCommand(
                 c.Resolve<ICollector>(),
@@ -52,12 +68,17 @@ private static void RegisterCursorStorage(ContainerBuilder containerBuilder)
                 {
                     var options = c.Resolve<IOptionsSnapshot<Catalog2RegistrationConfiguration>>();
 
-                    // workaround for https://github.com/Azure/azure-sdk-for-net/issues/44373
+                    if (options.Value.StorageUseManagedIdentity && !options.Value.HasSasToken)
+                    {
+                        var credential = new ManagedIdentityCredential(options.Value.StorageManagedIdentityClientId);
+
+                        return new BlobServiceClientFactory(new Uri(options.Value.StorageServiceUrl), credential);
+                    }
                     var connectionString = options.Value.StorageConnectionString.Replace("SharedAccessSignature=?", "SharedAccessSignature=");
 
-                    return new BlobServiceClient(connectionString);
+                    return new BlobServiceClientFactory(connectionString);
                 })
-                .Keyed<BlobServiceClient>(CursorBindingKey);
+                .Keyed<IBlobServiceClientFactory>(CursorBindingKey);
 
             containerBuilder
                 .Register<IStorageFactory>(c =>
@@ -65,7 +86,7 @@ private static void RegisterCursorStorage(ContainerBuilder containerBuilder)
                     var options = c.Resolve<IOptionsSnapshot<Catalog2RegistrationConfiguration>>();
 
                     return new AzureStorageFactory(
-                        c.ResolveKeyed<BlobServiceClient>(CursorBindingKey),
+                        c.ResolveKeyed<IBlobServiceClientFactory>(CursorBindingKey),
                         options.Value.LegacyStorageContainer,
                         maxExecutionTime: AzureStorage.DefaultMaxExecutionTime,
                         serverTimeout: AzureStorage.DefaultServerTimeout,
diff --git a/src/NuGet.Jobs.Catalog2Registration/Job.cs b/src/NuGet.Jobs.Catalog2Registration/Job.cs
index 7084f227df..d340d261b4 100644
--- a/src/NuGet.Jobs.Catalog2Registration/Job.cs
+++ b/src/NuGet.Jobs.Catalog2Registration/Job.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System.Net;
@@ -7,6 +7,7 @@
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using NuGet.Jobs.Catalog2Registration;
+using NuGet.Services.Configuration;
 using NuGet.Services.V3;
 
 namespace NuGet.Jobs
@@ -33,6 +34,20 @@ protected override void ConfigureJobServices(IServiceCollection services, IConfi
             services.AddCatalog2Registration(GlobalTelemetryDimensions, configurationRoot);
 
             services.Configure<Catalog2RegistrationConfiguration>(configurationRoot.GetSection(ConfigurationSectionName));
+            services.Configure<Catalog2RegistrationConfiguration>((config) =>
+            {
+                config.StorageUseManagedIdentity = configurationRoot.GetValue(Constants.StorageUseManagedIdentityPropertyName, false);
+                config.StorageManagedIdentityClientId = configurationRoot.GetValue(Constants.ManagedIdentityClientIdKey, string.Empty);
+
+                if(config.StorageConnectionString.Contains("SharedAccessSignature"))
+                {
+                    config.HasSasToken = true;
+                }
+                else
+                {
+                    config.StorageServiceUrl = config.StorageConnectionString.Replace("BlobEndpoint=", "");
+                }
+            });
             services.Configure<CommitCollectorConfiguration>(configurationRoot.GetSection(ConfigurationSectionName));
         }
     }
diff --git a/src/NuGet.Jobs.Common/JsonConfigurationJob.cs b/src/NuGet.Jobs.Common/JsonConfigurationJob.cs
index 0c46143f5b..c24bde77a7 100644
--- a/src/NuGet.Jobs.Common/JsonConfigurationJob.cs
+++ b/src/NuGet.Jobs.Common/JsonConfigurationJob.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -205,7 +205,8 @@ public static void ConfigureFeatureFlagAutofacServices(ContainerBuilder containe
                 .Register(c => new CloudBlobCoreFileStorageService(
                     c.ResolveKeyed<ICloudBlobClient>(FeatureFlagBindingKey),
                     c.Resolve<IDiagnosticsService>(),
-                    c.Resolve<ICloudBlobContainerInformationProvider>()))
+                    c.Resolve<ICloudBlobContainerInformationProvider>(),
+                    initializeContainer: false))
                 .Keyed<ICoreFileStorageService>(FeatureFlagBindingKey);
 
             containerBuilder
diff --git a/src/NuGet.Jobs.Common/StorageAccountExtensions.cs b/src/NuGet.Jobs.Common/StorageAccountExtensions.cs
index 1dc4f08eb0..71d545853e 100644
--- a/src/NuGet.Jobs.Common/StorageAccountExtensions.cs
+++ b/src/NuGet.Jobs.Common/StorageAccountExtensions.cs
@@ -224,6 +224,39 @@ public static BlobServiceClient CreateBlobServiceClient(
             }
         }
 
+        public static BlobServiceClientFactory CreateBlobServiceClientFactory(
+            StorageMsiConfiguration storageMsiConfiguration,
+            string storageConnectionString)
+        {
+            if (storageMsiConfiguration.UseManagedIdentity)
+            {
+                Uri blobEndpointUri = AzureStorage.GetPrimaryServiceUri(storageConnectionString);
+
+                if (string.IsNullOrWhiteSpace(storageMsiConfiguration.ManagedIdentityClientId))
+                {
+                    // 1. Using MSI with DefaultAzureCredential (local debugging)
+                    return new BlobServiceClientFactory(
+                        blobEndpointUri,
+                        new DefaultAzureCredential());
+                }
+                else
+                {
+                    // 2. Using MSI with ClientId
+                    return new BlobServiceClientFactory(
+                        blobEndpointUri,
+                        new ManagedIdentityCredential(storageMsiConfiguration.ManagedIdentityClientId));
+                }
+            }
+            else
+            {
+                // 3. Using SAS token
+                // workaround for https://github.com/Azure/azure-sdk-for-net/issues/44373
+                var connectionString = storageConnectionString.Replace("SharedAccessSignature=?", "SharedAccessSignature=");
+
+                return new BlobServiceClientFactory(connectionString);
+            }
+        }
+
         private static TableServiceClient CreateTableServiceClientClient(
             StorageMsiConfiguration msiConfiguration,
             string tableStorageConnectionString)
diff --git a/src/NuGet.Services.AzureSearch/DependencyInjectionExtensions.cs b/src/NuGet.Services.AzureSearch/DependencyInjectionExtensions.cs
index ad754b8906..16ff1d9d60 100644
--- a/src/NuGet.Services.AzureSearch/DependencyInjectionExtensions.cs
+++ b/src/NuGet.Services.AzureSearch/DependencyInjectionExtensions.cs
@@ -28,8 +28,10 @@
 using NuGet.Services.AzureSearch.SearchService;
 using NuGet.Services.AzureSearch.Wrappers;
 using NuGet.Services.Metadata.Catalog.Persistence;
+using NuGet.Services.Storage;
 using NuGet.Services.V3;
 using NuGetGallery;
+using IStorageFactory = NuGet.Services.Metadata.Catalog.Persistence.IStorageFactory;
 
 namespace NuGet.Services.AzureSearch
 {
@@ -122,25 +124,33 @@ private static void RegisterAzureSearchStorageServices(ContainerBuilder containe
                 .Register(c =>
                 {
                     var options = c.Resolve<IOptionsSnapshot<AzureSearchConfiguration>>();
-                    
-                    // https://github.com/Azure/azure-sdk-for-net/issues/44373
-                    options.Value.StorageConnectionString = options.Value.StorageConnectionString.Replace("SharedAccessSignature=?", "SharedAccessSignature=");
-                    
-                    return new BlobServiceClient(options.Value.StorageConnectionString);
+                    var storageMsiConfiguration = c.Resolve<IOptionsSnapshot<StorageMsiConfiguration>>();
+
+                    return StorageAccountHelper.CreateBlobServiceClient(storageMsiConfiguration.Value, options.Value.StorageConnectionString);
                 })
                 .Keyed<BlobServiceClient>(key);
 
+            containerBuilder
+                .Register(c =>
+                {
+                    var options = c.Resolve<IOptionsSnapshot<AzureSearchConfiguration>>();
+                    var storageMsiConfiguration = c.Resolve<IOptionsSnapshot<StorageMsiConfiguration>>();
+
+                    return StorageAccountHelper.CreateBlobServiceClientFactory(storageMsiConfiguration.Value, options.Value.StorageConnectionString);
+                })
+                .Keyed<BlobServiceClientFactory>(key);
+
 #if NETFRAMEWORK
             containerBuilder
                 .Register<IStorageFactory>(c =>
                 {
                     var options = c.Resolve<IOptionsSnapshot<AzureSearchConfiguration>>();
-                    BlobServiceClient blobServiceClient = c.ResolveKeyed<BlobServiceClient>(key);
-                    return new AzureStorageFactory(
-                        blobServiceClient,
+                    BlobServiceClientFactory blobServiceClientFactory = c.ResolveKeyed<BlobServiceClientFactory>(key);
+                    return new Metadata.Catalog.Persistence.AzureStorageFactory(
+                        blobServiceClientFactory,
                         options.Value.StorageContainer,
-                        maxExecutionTime: AzureStorage.DefaultMaxExecutionTime,
-                        serverTimeout: AzureStorage.DefaultServerTimeout,
+                        maxExecutionTime: Metadata.Catalog.Persistence.AzureStorage.DefaultMaxExecutionTime,
+                        serverTimeout: Metadata.Catalog.Persistence.AzureStorage.DefaultServerTimeout,
                         path: options.Value.NormalizeStoragePath(),
                         baseAddress: null,
                         useServerSideCopy: true,
diff --git a/src/NuGet.Services.Entities/FederatedCredential.cs b/src/NuGet.Services.Entities/FederatedCredential.cs
new file mode 100644
index 0000000000..3f0e141a7e
--- /dev/null
+++ b/src/NuGet.Services.Entities/FederatedCredential.cs
@@ -0,0 +1,51 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.ComponentModel.DataAnnotations;
+using System.ComponentModel.DataAnnotations.Schema;
+
+namespace NuGet.Services.Entities
+{
+    /// <summary>
+    /// The record of a federated credential that was accepted by a federated credential policy.
+    /// </summary>
+    public class FederatedCredential : IEntity
+    {
+        /// <summary>
+        /// The unique key for this federated credential. Generated by the database.
+        /// </summary>
+        public int Key { get; set; }
+
+        /// <summary>
+        /// A type enum of the <see cref="FederatedCredentialPolicy.Type"/> that accepted this federated credential.
+        /// </summary>
+        [Required]
+        [Column("TypeKey")]
+        public FederatedCredentialType Type { get; set; }
+
+        /// <summary>
+        /// The key of the federated credential policy that accepted this federated credential. This does not have a
+        /// foreign key constraint because the policy may be deleted, but the credential record should remain to ensure
+        /// the <see cref="Identity"/> unique constraint is enforced (to prevent replay).
+        /// </summary>
+        public int FederatedCredentialPolicyKey { get; set; }
+
+        /// <summary>
+        /// A unique identifier for the federated credential used to create this credential record. For OIDC tokens,
+        /// this is the "jti" or "uti" claim. This must be unique to ensure tokens are not replayed.
+        /// </summary>
+        [StringLength(maximumLength: 64)]
+        public string Identity { get; set; }
+
+        /// <summary>
+        /// When this record was first created. The timestamp is in UTC.
+        /// </summary>
+        public DateTime Created { get; set; }
+
+        /// <summary>
+        /// When the federated credential expires. For OIDC tokens, this will be the "exp" claim. The timestamp is in UTC.
+        /// </summary>
+        public DateTime Expires { get; set; }
+    }
+}
diff --git a/src/NuGet.Services.Entities/FederatedCredentialPolicy.cs b/src/NuGet.Services.Entities/FederatedCredentialPolicy.cs
new file mode 100644
index 0000000000..51bb35e9e4
--- /dev/null
+++ b/src/NuGet.Services.Entities/FederatedCredentialPolicy.cs
@@ -0,0 +1,86 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.ComponentModel.DataAnnotations;
+using System.ComponentModel.DataAnnotations.Schema;
+
+namespace NuGet.Services.Entities
+{
+    /// <summary>
+    /// This entity defines which federated credentials can operate on behalf of a user. The policy is used to evaluate
+    /// an incoming federated credential and define what actions can be taken on behalf of the user.
+    /// </summary>
+    public class FederatedCredentialPolicy : IEntity
+    {
+        /// <summary>
+        /// The unique key for this federated credential policy. Generated by the database.
+        /// </summary>
+        public int Key { get; set; }
+
+        /// <summary>
+        /// When this entity was first created. The timestamp is in UTC.
+        /// </summary>
+        public DateTime Created { get; set; }
+
+        /// <summary>
+        /// When this policy was last evaluated against an external credential and it matched. The timestamp is in UTC.
+        /// </summary>
+        public DateTime? LastMatched { get; set; }
+
+        /// <summary>
+        /// A type enum to determine how the <see cref="Criteria"/> field should be interpreted.
+        ///
+        /// Think of this field as a category of federated credential, where a given type value is specific to a
+        /// particular identity provider (e.g. Entra ID) and specific type of credential provided by that identity
+        /// provider (e.g. OpenID Connect token for a service principal in the app-only flow).
+        ///
+        /// The type should be one of the values defined in <see cref="FederatedCredentialType"/>.
+        ///
+        /// This column name ends in "Key" to allow a future where this is normalized into its own table, much like
+        /// <see cref="Package.PackageStatusKey"/> and <see cref="Package.SemVerLevelKey"/>.
+        /// </summary>
+        [Required]
+        [Column("TypeKey")]
+        public FederatedCredentialType Type { get; set; }
+
+        /// <summary>
+        /// A JSON object used to evaluate whether a token matches a user-provided pattern. Some criteria may be
+        /// implied by the <see cref="System.Type"/> and may not be explicitly states in this field. Only criteria that varies
+        /// from user to user or between individual cases should be expressed in this JSON object.
+        ///
+        /// The maximum length is defined by the application and has an unbounded length in the database.
+        /// </summary>
+        [Required]
+        public string Criteria { get; set; }
+
+        /// <summary>
+        /// The key of the user that created this policy. If this policy was created by a site admin, this key will
+        /// point to the user record that the site admin was acting on behalf of, not the site admin themselves.
+        /// </summary>
+        public int CreatedByUserKey { get; set; }
+
+        /// <summary>
+        /// The key of the owner user or owner organization that this policy will create API keys scoped for. This is
+        /// the user or organization that the user referred to by <see cref="UserKey"/> is acting on behalf of. This
+        /// value will be used in resulting short-lived API keys in the <see cref="Scope.OwnerKey"/> value.
+        /// </summary>
+        public int PackageOwnerUserKey { get; set; }
+
+        /// <summary>
+        /// The navigation property for the user that created the policy, defined by <see cref="CreatedByUserKey"/>.
+        /// </summary>
+        public virtual User CreatedBy { get; set; }
+
+        /// <summary>
+        /// The navigation property for the package owner user, defined by <see cref="PackageOwnerUserKey"/>.
+        /// </summary>
+        public virtual User PackageOwner { get; set; }
+
+        /// <summary>
+        /// The navigation property for the credentials that were allowed and created by this policy.
+        /// </summary>
+        public virtual ICollection<Credential> Credentials { get; set; }
+    }
+}
diff --git a/src/NuGet.Services.Entities/FederatedCredentialType.cs b/src/NuGet.Services.Entities/FederatedCredentialType.cs
new file mode 100644
index 0000000000..a63b8107cf
--- /dev/null
+++ b/src/NuGet.Services.Entities/FederatedCredentialType.cs
@@ -0,0 +1,23 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+namespace NuGet.Services.Entities
+{
+    /// <summary>
+    /// The types of federated credentials criteria that can be used to validate external credentials. This
+    /// enum is used for the <see cref="FederatedCredentialPolicy.Type"/> property.
+    /// </summary>
+    public enum FederatedCredentialType
+    {
+        /// <summary>
+        /// This credential type applies to Microsoft Entra ID OpenID Connect (OIDC) tokens, issued for a specific
+        /// service principal. The service principal is identified by a tenant (directory ID) and an object ID (object
+        /// ID). The application (client) ID is not used because the object ID uniquely identifies the service principal
+        /// within the tenant. An object ID is required to show the service principal is provisioned within the tenant.
+        ///
+        /// Additional validation is done on the token claims which are the same for all Entra ID tokens, such as
+        /// subject and expiration claims.
+        /// </summary>
+        EntraIdServicePrincipal = 1,
+    }
+}
diff --git a/src/NuGet.Services.KeyVault/NuGet.Services.KeyVault.csproj b/src/NuGet.Services.KeyVault/NuGet.Services.KeyVault.csproj
index ca3ff13de2..3d3dd92b53 100644
--- a/src/NuGet.Services.KeyVault/NuGet.Services.KeyVault.csproj
+++ b/src/NuGet.Services.KeyVault/NuGet.Services.KeyVault.csproj
@@ -7,6 +7,7 @@
   </PropertyGroup>
 
   <ItemGroup>
+    <PackageReference Include="Azure.Core" />
     <PackageReference Include="Azure.Identity" />
     <PackageReference Include="Azure.Security.KeyVault.Secrets" />
     <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" />
diff --git a/src/NuGet.Services.Messaging.Email/NuGet.Services.Messaging.Email.csproj b/src/NuGet.Services.Messaging.Email/NuGet.Services.Messaging.Email.csproj
index 6b01084374..ba94648354 100644
--- a/src/NuGet.Services.Messaging.Email/NuGet.Services.Messaging.Email.csproj
+++ b/src/NuGet.Services.Messaging.Email/NuGet.Services.Messaging.Email.csproj
@@ -11,6 +11,7 @@
   </ItemGroup>  
   
   <ItemGroup>
+    <PackageReference Include="Azure.Core" />
     <PackageReference Include="Markdig.Signed" />
   </ItemGroup>
 
diff --git a/src/NuGet.Services.Messaging/NuGet.Services.Messaging.csproj b/src/NuGet.Services.Messaging/NuGet.Services.Messaging.csproj
index 3fa8f84e4f..7d34dbb6a8 100644
--- a/src/NuGet.Services.Messaging/NuGet.Services.Messaging.csproj
+++ b/src/NuGet.Services.Messaging/NuGet.Services.Messaging.csproj
@@ -7,6 +7,7 @@
   </PropertyGroup>
         
   <ItemGroup>
+    <PackageReference Include="Azure.Core" />
     <PackageReference Include="Microsoft.Extensions.Logging" />
   </ItemGroup>
 
diff --git a/src/NuGet.Services.SearchService.Core/Startup.cs b/src/NuGet.Services.SearchService.Core/Startup.cs
index 08fa185a88..7371c5afff 100644
--- a/src/NuGet.Services.SearchService.Core/Startup.cs
+++ b/src/NuGet.Services.SearchService.Core/Startup.cs
@@ -13,6 +13,7 @@
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.PackageManagement.Search.Web;
+using NuGet.Jobs;
 using NuGet.Services.AzureSearch;
 using NuGet.Services.AzureSearch.SearchService;
 using NuGet.Services.Logging;
@@ -36,6 +37,8 @@ public void ConfigureServices(IServiceCollection services)
         {
             var refreshableConfig = StartupHelper.GetSecretInjectedConfiguration(Configuration);
             Configuration = refreshableConfig.Root;
+
+            services.ConfigureStorageMsi(Configuration);
             services.AddSingleton(refreshableConfig.SecretReaderFactory);
 
             services
diff --git a/src/NuGet.Services.ServiceBus/NuGet.Services.ServiceBus.csproj b/src/NuGet.Services.ServiceBus/NuGet.Services.ServiceBus.csproj
index 266826ef1a..adc5cc629e 100644
--- a/src/NuGet.Services.ServiceBus/NuGet.Services.ServiceBus.csproj
+++ b/src/NuGet.Services.ServiceBus/NuGet.Services.ServiceBus.csproj
@@ -7,6 +7,7 @@
   </PropertyGroup>
 
   <ItemGroup>
+    <PackageReference Include="Azure.Core" />
     <PackageReference Include="Azure.Identity" />
     <PackageReference Include="Azure.Messaging.ServiceBus" />
     <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" />
diff --git a/src/NuGet.Services.Storage/AzureStorage.cs b/src/NuGet.Services.Storage/AzureStorage.cs
index 1e43ca3bde..8e54874625 100644
--- a/src/NuGet.Services.Storage/AzureStorage.cs
+++ b/src/NuGet.Services.Storage/AzureStorage.cs
@@ -23,7 +23,7 @@ public class AzureStorage : Storage
         private readonly string _path;
 
         public AzureStorage(
-            BlobServiceClient account,
+            BlobServiceClientFactory account,
             string containerName,
             string path,
             Uri baseAddress,
@@ -31,7 +31,7 @@ public AzureStorage(
             bool enablePublicAccess,
             ILogger<AzureStorage> logger)
             : this(
-                  account.GetBlobContainerClient(containerName),
+                  account.GetBlobServiceClient().GetBlobContainerClient(containerName),
                   baseAddress,
                   initializeContainer,
                   enablePublicAccess,
diff --git a/src/NuGet.Services.Storage/AzureStorageFactory.cs b/src/NuGet.Services.Storage/AzureStorageFactory.cs
index 78e227c068..4aba8de0a4 100644
--- a/src/NuGet.Services.Storage/AzureStorageFactory.cs
+++ b/src/NuGet.Services.Storage/AzureStorageFactory.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -9,7 +9,7 @@ namespace NuGet.Services.Storage
 {
     public class AzureStorageFactory : StorageFactory
     {
-        BlobServiceClient _account;
+        BlobServiceClientFactory _account;
         string _containerName;
         private readonly bool _enablePublicAccess;
         string _path;
@@ -26,7 +26,7 @@ public static string PrepareConnectionString(string connectionString)
         }
 
         public AzureStorageFactory(
-            BlobServiceClient account,
+            BlobServiceClientFactory account,
             string containerName,
             bool enablePublicAccess,
             ILogger<AzureStorage> azureStorageLogger,
diff --git a/src/NuGet.Services.Storage/BlobServiceClientAuthType.cs b/src/NuGet.Services.Storage/BlobServiceClientAuthType.cs
new file mode 100644
index 0000000000..f4cb3591e2
--- /dev/null
+++ b/src/NuGet.Services.Storage/BlobServiceClientAuthType.cs
@@ -0,0 +1,12 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+namespace NuGet.Services.Storage
+{
+    enum BlobServiceClientAuthType
+    {
+        Anonymous,
+        TokenCredential,
+        ConnectionString
+    }
+}
diff --git a/src/NuGet.Services.Storage/BlobServiceClientFactory.cs b/src/NuGet.Services.Storage/BlobServiceClientFactory.cs
new file mode 100644
index 0000000000..1e8706e031
--- /dev/null
+++ b/src/NuGet.Services.Storage/BlobServiceClientFactory.cs
@@ -0,0 +1,70 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+using Azure.Core;
+using Azure.Identity;
+using Azure.Storage.Blobs;
+
+namespace NuGet.Services.Storage
+{
+    public class BlobServiceClientFactory : IBlobServiceClientFactory
+    {
+        private readonly BlobServiceClientAuthType? _authType;
+        private TokenCredential _credential;
+        private string _connectionString = "";
+
+        public virtual Uri Uri { get; set; }
+
+        protected BlobServiceClientFactory() { }
+
+        public BlobServiceClientFactory(string connectionString)
+        {
+            if (string.IsNullOrEmpty(connectionString))
+            {
+                throw new ArgumentNullException(nameof(connectionString));
+            }
+
+            _connectionString = connectionString;
+            this.Uri = new BlobServiceClient(connectionString).Uri;
+            _authType = BlobServiceClientAuthType.ConnectionString;
+        }
+
+        public BlobServiceClientFactory(Uri serviceUri, TokenCredential credential = null)
+        {
+            this.Uri = serviceUri ?? throw new ArgumentNullException(nameof(serviceUri));
+
+            if (credential != null)
+            {
+                _credential = credential;
+                _authType = BlobServiceClientAuthType.TokenCredential;
+            }
+            else
+            {
+                _authType = BlobServiceClientAuthType.Anonymous;
+            }
+        }
+
+        public virtual BlobServiceClient GetBlobServiceClient(BlobClientOptions blobClientOptions = null)
+        {
+            if (_authType.HasValue)
+            {
+                switch (_authType)
+                {
+                    case BlobServiceClientAuthType.TokenCredential:
+                        return new BlobServiceClient(this.Uri, _credential, blobClientOptions);
+                    case BlobServiceClientAuthType.ConnectionString:
+                        return new BlobServiceClient(_connectionString, blobClientOptions);
+                    case BlobServiceClientAuthType.Anonymous:
+                        return new BlobServiceClient(this.Uri, blobClientOptions);
+                }
+            }
+
+            throw new Exception("No authentication type configured");
+        }
+    }
+}
diff --git a/src/NuGet.Services.Storage/IBlobServiceClientFactory.cs b/src/NuGet.Services.Storage/IBlobServiceClientFactory.cs
new file mode 100644
index 0000000000..a62c6df402
--- /dev/null
+++ b/src/NuGet.Services.Storage/IBlobServiceClientFactory.cs
@@ -0,0 +1,15 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Azure.Storage.Blobs;
+
+namespace NuGet.Services.Storage
+{
+    public interface IBlobServiceClientFactory
+    {
+        public Uri Uri { get; }
+
+        public BlobServiceClient GetBlobServiceClient(BlobClientOptions blobClientOptions);
+    }
+}
diff --git a/src/NuGet.Services.Storage/NuGet.Services.Storage.csproj b/src/NuGet.Services.Storage/NuGet.Services.Storage.csproj
index d37773dfe4..34a7854f54 100644
--- a/src/NuGet.Services.Storage/NuGet.Services.Storage.csproj
+++ b/src/NuGet.Services.Storage/NuGet.Services.Storage.csproj
@@ -7,6 +7,7 @@
   </PropertyGroup>
 
   <ItemGroup>
+    <PackageReference Include="Azure.Identity" />
     <PackageReference Include="Azure.Storage.Blobs" />
     <PackageReference Include="Azure.Storage.Queues" />
     <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" />
diff --git a/src/NuGet.Services.Storage/SimpleBlobServiceClientFactory.cs b/src/NuGet.Services.Storage/SimpleBlobServiceClientFactory.cs
new file mode 100644
index 0000000000..a8f2b30256
--- /dev/null
+++ b/src/NuGet.Services.Storage/SimpleBlobServiceClientFactory.cs
@@ -0,0 +1,31 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+using Azure.Storage.Blobs;
+
+namespace NuGet.Services.Storage
+{
+    // This class is a simple wrapper around a BlobServiceClient to enable backwards compatibility
+    // and avoid use cases where we would create unnecessary instances of BlobServiceClient
+    public class SimpleBlobServiceClientFactory : IBlobServiceClientFactory
+    {
+        private BlobServiceClient _blobServiceClient;
+
+        public Uri Uri => _blobServiceClient.Uri;
+
+        public SimpleBlobServiceClientFactory(BlobServiceClient blobServiceClient)
+        {
+            _blobServiceClient = blobServiceClient ?? throw new ArgumentNullException(nameof(blobServiceClient));
+        }
+
+        public BlobServiceClient GetBlobServiceClient(BlobClientOptions blobClientOptions = null)
+        {
+            return _blobServiceClient;
+        }
+    }
+}
diff --git a/src/NuGet.Services.Validation/NuGet.Services.Validation.csproj b/src/NuGet.Services.Validation/NuGet.Services.Validation.csproj
index c25afd4f4a..b5f07f06a5 100644
--- a/src/NuGet.Services.Validation/NuGet.Services.Validation.csproj
+++ b/src/NuGet.Services.Validation/NuGet.Services.Validation.csproj
@@ -14,6 +14,7 @@
   </PropertyGroup>
 
   <ItemGroup>
+    <PackageReference Include="Azure.Core" />
     <PackageReference Include="EntityFramework" />
     <PackageReference Include="NuGet.Versioning" />
   </ItemGroup>
diff --git a/src/NuGetGallery.Core/Auditing/CredentialAuditRecord.cs b/src/NuGetGallery.Core/Auditing/CredentialAuditRecord.cs
index f2f5f36027..0f9a1e1fd5 100644
--- a/src/NuGetGallery.Core/Auditing/CredentialAuditRecord.cs
+++ b/src/NuGetGallery.Core/Auditing/CredentialAuditRecord.cs
@@ -21,7 +21,7 @@ public class CredentialAuditRecord
         public string TenantId { get; }
         public string RevocationSource { get; }
 
-        public CredentialAuditRecord(Credential credential, bool removedOrRevoked)
+        public CredentialAuditRecord(Credential credential)
         {
             if (credential == null)
             {
@@ -34,23 +34,12 @@ public CredentialAuditRecord(Credential credential, bool removedOrRevoked)
             Identity = credential.Identity;
             TenantId = credential.TenantId;
 
-            // Track the value for credentials that are external (object id) or definitely revocable (API Key, etc.) and have been removed
+            // Track the value for credentials that are external (object id)
+            // Do not track the credential valid for API keys or passwords, even if they are revoked.
             if (credential.IsExternal())
             {
                 Value = credential.Value;
             }
-            else if (removedOrRevoked)
-            {
-                if (Type == null)
-                {
-                    throw new ArgumentNullException(nameof(credential.Type));
-                }
-
-                if (!credential.IsPassword())
-                {
-                    Value = credential.Value;
-                }
-            }
 
             Created = credential.Created;
             Expires = credential.Expires;
@@ -65,10 +54,10 @@ public CredentialAuditRecord(Credential credential, bool removedOrRevoked)
             }
         }
 
-        public CredentialAuditRecord(Credential credential, bool removedOrRevoked, string revocationSource)
-                : this(credential, removedOrRevoked)
+        public CredentialAuditRecord(Credential credential, string revocationSource)
+                : this(credential)
         {
             RevocationSource = revocationSource;
         }
     }
-}
\ No newline at end of file
+}
diff --git a/src/NuGetGallery.Core/Auditing/FailedAuthenticatedOperationAuditRecord.cs b/src/NuGetGallery.Core/Auditing/FailedAuthenticatedOperationAuditRecord.cs
index 5dca831102..d4c3413eae 100644
--- a/src/NuGetGallery.Core/Auditing/FailedAuthenticatedOperationAuditRecord.cs
+++ b/src/NuGetGallery.Core/Auditing/FailedAuthenticatedOperationAuditRecord.cs
@@ -31,7 +31,7 @@ public FailedAuthenticatedOperationAuditRecord(
 
             if (attemptedCredential != null)
             {
-                AttemptedCredential = new CredentialAuditRecord(attemptedCredential, removedOrRevoked: false);
+                AttemptedCredential = new CredentialAuditRecord(attemptedCredential);
             }
         }
 
@@ -40,4 +40,4 @@ public override string GetPath()
             return Path; // store in <auditpath>/failedauthenticatedoperation/all
         }
     }
-}
\ No newline at end of file
+}
diff --git a/src/NuGetGallery.Core/Auditing/UserAuditRecord.cs b/src/NuGetGallery.Core/Auditing/UserAuditRecord.cs
index 1c05d96431..6b679fb534 100644
--- a/src/NuGetGallery.Core/Auditing/UserAuditRecord.cs
+++ b/src/NuGetGallery.Core/Auditing/UserAuditRecord.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -56,7 +56,7 @@ public UserAuditRecord(User user, AuditedUserAction action)
             Roles = user.Roles.Select(r => r.Name).ToArray();
 
             Credentials = user.Credentials.Where(CredentialTypes.IsSupportedCredential)
-                                          .Select(c => new CredentialAuditRecord(c, removedOrRevoked: false)).ToArray();
+                                          .Select(c => new CredentialAuditRecord(c)).ToArray();
 
             AffectedCredential = Array.Empty<CredentialAuditRecord>();
             AffectedPolicies = Array.Empty<AuditedUserSecurityPolicy>();
@@ -70,8 +70,7 @@ public UserAuditRecord(User user, AuditedUserAction action, Credential affected,
         public UserAuditRecord(User user, AuditedUserAction action, IEnumerable<Credential> affected, string revocationSource)
             : this(user, action)
         {
-            AffectedCredential = affected.Select(c => new CredentialAuditRecord(c,
-                removedOrRevoked: action == AuditedUserAction.RemoveCredential || action == AuditedUserAction.RevokeCredential, revocationSource: revocationSource)).ToArray();
+            AffectedCredential = affected.Select(c => new CredentialAuditRecord(c, revocationSource: revocationSource)).ToArray();
         }
 
         public UserAuditRecord(User user, AuditedUserAction action, Credential affected)
@@ -82,8 +81,7 @@ public UserAuditRecord(User user, AuditedUserAction action, Credential affected)
         public UserAuditRecord(User user, AuditedUserAction action, IEnumerable<Credential> affected)
             : this(user, action)
         {
-            AffectedCredential = affected.Select(c => new CredentialAuditRecord(c,
-                removedOrRevoked: action == AuditedUserAction.RemoveCredential || action == AuditedUserAction.RevokeCredential)).ToArray();
+            AffectedCredential = affected.Select(c => new CredentialAuditRecord(c)).ToArray();
         }
 
         public UserAuditRecord(User user, AuditedUserAction action, string affectedEmailAddress)
diff --git a/src/NuGetGallery.Core/Frameworks/SupportedFrameworks.cs b/src/NuGetGallery.Core/Frameworks/SupportedFrameworks.cs
index 523cae8dda..4cb0fc96f8 100644
--- a/src/NuGetGallery.Core/Frameworks/SupportedFrameworks.cs
+++ b/src/NuGetGallery.Core/Frameworks/SupportedFrameworks.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -27,35 +27,51 @@ public static class SupportedFrameworks
         public static readonly NuGetFramework Net3 = new NuGetFramework(FrameworkIdentifiers.Net, new Version(3, 0, 0, 0));
         public static readonly NuGetFramework Net48 = new NuGetFramework(FrameworkIdentifiers.Net, new Version(4, 8, 0, 0));
         public static readonly NuGetFramework Net481 = new NuGetFramework(FrameworkIdentifiers.Net, new Version(4, 8, 1, 0));
+        public static readonly NuGetFramework NetCore = new NuGetFramework(FrameworkIdentifiers.NetCore, EmptyVersion);
+        public static readonly NuGetFramework NetMf = new NuGetFramework(FrameworkIdentifiers.NetMicro, EmptyVersion);
+        public static readonly NuGetFramework UAP = new NuGetFramework(FrameworkIdentifiers.UAP, EmptyVersion);
+        public static readonly NuGetFramework WP = new NuGetFramework(FrameworkIdentifiers.WindowsPhone, EmptyVersion);
+        public static readonly NuGetFramework XamarinIOs = new NuGetFramework(FrameworkIdentifiers.XamarinIOs, EmptyVersion);
+        public static readonly NuGetFramework XamarinMac = new NuGetFramework(FrameworkIdentifiers.XamarinMac, EmptyVersion);
+        public static readonly NuGetFramework XamarinTvOs = new NuGetFramework(FrameworkIdentifiers.XamarinTVOS, EmptyVersion);
+        public static readonly NuGetFramework XamarinWatchOs = new NuGetFramework(FrameworkIdentifiers.XamarinWatchOS, EmptyVersion);
+
         public static readonly NuGetFramework Net50Windows = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version5, "windows", EmptyVersion);
+
         public static readonly NuGetFramework Net60Android = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version6, "android", EmptyVersion);
         public static readonly NuGetFramework Net60Ios = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version6, "ios", EmptyVersion);
-        public static readonly NuGetFramework Net60MacOs = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version6, "macos", EmptyVersion);
         public static readonly NuGetFramework Net60MacCatalyst = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version6, "maccatalyst", EmptyVersion);
+        public static readonly NuGetFramework Net60MacOs = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version6, "macos", EmptyVersion);
         public static readonly NuGetFramework Net60TvOs = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version6, "tvos", EmptyVersion);
         public static readonly NuGetFramework Net60Windows = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version6, "windows", EmptyVersion);
+
         public static readonly NuGetFramework Net70Android = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version7, "android", EmptyVersion);
         public static readonly NuGetFramework Net70Ios = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version7, "ios", EmptyVersion);
-        public static readonly NuGetFramework Net70MacOs = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version7, "macos", EmptyVersion);
         public static readonly NuGetFramework Net70MacCatalyst = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version7, "maccatalyst", EmptyVersion);
+        public static readonly NuGetFramework Net70MacOs = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version7, "macos", EmptyVersion);
         public static readonly NuGetFramework Net70TvOs = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version7, "tvos", EmptyVersion);
         public static readonly NuGetFramework Net70Windows = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version7, "windows", EmptyVersion);
+
         public static readonly NuGetFramework Net80Android = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version8, "android", EmptyVersion);
         public static readonly NuGetFramework Net80Browser = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version8, "browser", EmptyVersion);
         public static readonly NuGetFramework Net80Ios = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version8, "ios", EmptyVersion);
-        public static readonly NuGetFramework Net80MacOs = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version8, "macos", EmptyVersion);
         public static readonly NuGetFramework Net80MacCatalyst = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version8, "maccatalyst", EmptyVersion);
+        public static readonly NuGetFramework Net80MacOs = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version8, "macos", EmptyVersion);
         public static readonly NuGetFramework Net80TvOs = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version8, "tvos", EmptyVersion);
         public static readonly NuGetFramework Net80Windows = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version8, "windows", EmptyVersion);
-        public static readonly NuGetFramework NetCore = new NuGetFramework(FrameworkIdentifiers.NetCore, EmptyVersion);
-        public static readonly NuGetFramework NetMf = new NuGetFramework(FrameworkIdentifiers.NetMicro, EmptyVersion);
-        public static readonly NuGetFramework UAP = new NuGetFramework(FrameworkIdentifiers.UAP, EmptyVersion);
-        public static readonly NuGetFramework WP = new NuGetFramework(FrameworkIdentifiers.WindowsPhone, EmptyVersion);
-        public static readonly NuGetFramework XamarinIOs = new NuGetFramework(FrameworkIdentifiers.XamarinIOs, EmptyVersion);
-        public static readonly NuGetFramework XamarinMac = new NuGetFramework(FrameworkIdentifiers.XamarinMac, EmptyVersion);
-        public static readonly NuGetFramework XamarinTvOs = new NuGetFramework(FrameworkIdentifiers.XamarinTVOS, EmptyVersion);
-        public static readonly NuGetFramework XamarinWatchOs = new NuGetFramework(FrameworkIdentifiers.XamarinWatchOS, EmptyVersion);
-        
+
+        // These 2 constants can be removed once they have been added to NuGet.Frameworks.FrameworkConstants - https://github.com/NuGet/Engineering/issues/5676
+        public static readonly Version Version9 = new Version(9, 0, 0, 0);
+        public static readonly NuGetFramework Net90 = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version9);
+
+        public static readonly NuGetFramework Net90Android = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version9, "android", EmptyVersion);
+        public static readonly NuGetFramework Net90Browser = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version9, "browser", EmptyVersion);
+        public static readonly NuGetFramework Net90Ios = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version9, "ios", EmptyVersion);
+        public static readonly NuGetFramework Net90MacCatalyst = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version9, "maccatalyst", EmptyVersion);
+        public static readonly NuGetFramework Net90MacOs = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version9, "macos", EmptyVersion);
+        public static readonly NuGetFramework Net90TvOs = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version9, "tvos", EmptyVersion);
+        public static readonly NuGetFramework Net90Windows = new NuGetFramework(FrameworkIdentifiers.NetCoreApp, Version9, "windows", EmptyVersion);
+
         public static readonly IReadOnlyList<NuGetFramework> AllSupportedNuGetFrameworks;
 
         static SupportedFrameworks()
@@ -68,7 +84,8 @@ static SupportedFrameworks()
                 Net50, Net50Windows,
                 Net60, Net60Android, Net60Ios, Net60MacCatalyst, Net60MacOs, Net60TvOs, Net60Windows,
                 Net70, Net70Android, Net70Ios, Net70MacCatalyst, Net70MacOs, Net70TvOs, Net70Windows,
-                Net80, Net80Android, Net80Ios, Net80MacCatalyst, Net80MacOs, Net80TvOs, Net80Windows, Net80Browser,
+                Net80, Net80Android, Net80Browser, Net80Ios, Net80MacCatalyst, Net80MacOs, Net80TvOs, Net80Windows,
+                Net90, Net90Android, Net90Browser, Net90Ios, Net90MacCatalyst, Net90MacOs, Net90TvOs, Net90Windows,
                 NetCore, NetCore45, NetCore451,
                 NetCoreApp10, NetCoreApp11, NetCoreApp20, NetCoreApp21, NetCoreApp22, NetCoreApp30, NetCoreApp31,
                 NetMf,
@@ -137,4 +154,4 @@ public static class TfmFilters {
             };
         }
     }
-}
\ No newline at end of file
+}
diff --git a/src/NuGetGallery.Core/Services/CloudBlobCoreFileStorageService.cs b/src/NuGetGallery.Core/Services/CloudBlobCoreFileStorageService.cs
index f3797983e7..1a5c2a1483 100644
--- a/src/NuGetGallery.Core/Services/CloudBlobCoreFileStorageService.cs
+++ b/src/NuGetGallery.Core/Services/CloudBlobCoreFileStorageService.cs
@@ -30,15 +30,18 @@ public class CloudBlobCoreFileStorageService : ICoreFileStorageService
         protected readonly IDiagnosticsSource _trace;
         protected readonly ICloudBlobContainerInformationProvider _cloudBlobFolderInformationProvider;
         protected readonly ConcurrentDictionary<string, ICloudBlobContainer> _containers = new ConcurrentDictionary<string, ICloudBlobContainer>();
+        protected readonly bool _initializeContainer;
 
         public CloudBlobCoreFileStorageService(
             ICloudBlobClient client,
             IDiagnosticsService diagnosticsService,
-            ICloudBlobContainerInformationProvider cloudBlobFolderInformationProvider)
+            ICloudBlobContainerInformationProvider cloudBlobFolderInformationProvider,
+            bool initializeContainer = true)
         {
             _client = client ?? throw new ArgumentNullException(nameof(client));
             _trace = diagnosticsService?.SafeGetSource(nameof(CloudBlobCoreFileStorageService)) ?? throw new ArgumentNullException(nameof(diagnosticsService));
             _cloudBlobFolderInformationProvider = cloudBlobFolderInformationProvider ?? throw new ArgumentNullException(nameof(cloudBlobFolderInformationProvider));
+            _initializeContainer = initializeContainer;
         }
 
         public async Task DeleteFileAsync(string folderName, string fileName)
@@ -598,7 +601,11 @@ private string GetCacheControl(string folderName)
         private async Task<ICloudBlobContainer> PrepareContainer(string folderName, bool isPublic)
         {
             var container = _client.GetContainerReference(folderName);
-            await container.CreateIfNotExistAsync(isPublic);
+
+            if (_initializeContainer)
+            {
+                await container.CreateIfNotExistAsync(isPublic);
+            }
 
             return container;
         }
diff --git a/src/NuGetGallery.Services/Authentication/AuthenticationService.cs b/src/NuGetGallery.Services/Authentication/AuthenticationService.cs
index 2065a465d6..54529a8fab 100644
--- a/src/NuGetGallery.Services/Authentication/AuthenticationService.cs
+++ b/src/NuGetGallery.Services/Authentication/AuthenticationService.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -714,7 +714,7 @@ public virtual async Task RemoveCredential(User user, Credential cred, bool comm
 
         public virtual async Task EditCredentialScopes(User user, Credential cred, ICollection<Scope> newScopes)
         {
-            foreach (var oldScope in cred.Scopes)
+            foreach (var oldScope in cred.Scopes.ToList())
             {
                 Entities.Scopes.Remove(oldScope);
             }
@@ -1053,4 +1053,4 @@ private async Task MigrateCredentials(User user, List<Credential> creds, string
             }
         }
     }
-}
\ No newline at end of file
+}
diff --git a/src/NuGetGallery.Services/Authentication/CredentialBuilder.cs b/src/NuGetGallery.Services/Authentication/CredentialBuilder.cs
index 81c42780e9..ea7f96d542 100644
--- a/src/NuGetGallery.Services/Authentication/CredentialBuilder.cs
+++ b/src/NuGetGallery.Services/Authentication/CredentialBuilder.cs
@@ -6,6 +6,7 @@
 using System.Linq;
 using NuGet.Services.Entities;
 using NuGetGallery.Authentication;
+using NuGetGallery.Services.Authentication;
 
 namespace NuGetGallery.Infrastructure.Authentication
 {
@@ -28,6 +29,28 @@ public Credential CreatePasswordCredential(string plaintextPassword)
                 V3Hasher.GenerateHash(plaintextPassword));
         }
 
+        public Credential CreateShortLivedApiKey(TimeSpan expiration, FederatedCredentialPolicy policy, out string plaintextApiKey)
+        {
+            if (policy.PackageOwner is null)
+            {
+                throw new ArgumentException($"The {nameof(policy.PackageOwner)} property on the policy must not be null.");
+            }
+
+            if (expiration <= TimeSpan.Zero || expiration > TimeSpan.FromHours(1))
+            {
+                throw new ArgumentOutOfRangeException(nameof(expiration));
+            }
+
+            // TODO: introduce a new API key type for short-lived API keys
+            // Tracking: https://github.com/NuGet/NuGetGallery/issues/10212
+            var credential = CreateApiKey(expiration, out plaintextApiKey);
+
+            credential.Description = "Short-lived API key generated via a federated credential";
+            credential.Scopes = [new Scope(policy.PackageOwner, NuGetPackagePattern.AllInclusivePattern, NuGetScopes.All)];
+
+            return credential;
+        }
+
         public Credential CreateApiKey(TimeSpan? expiration, out string plaintextApiKey)
         {
             var apiKey = ApiKeyV4.Create();
diff --git a/src/NuGetGallery.Services/Authentication/Federated/EntraIdTokenValidator.cs b/src/NuGetGallery.Services/Authentication/Federated/EntraIdTokenValidator.cs
new file mode 100644
index 0000000000..3dd6ec2b6b
--- /dev/null
+++ b/src/NuGetGallery.Services/Authentication/Federated/EntraIdTokenValidator.cs
@@ -0,0 +1,73 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Threading.Tasks;
+using Microsoft.IdentityModel.JsonWebTokens;
+using Microsoft.IdentityModel.Protocols.OpenIdConnect;
+using Microsoft.IdentityModel.Protocols;
+using Microsoft.IdentityModel.Tokens;
+using Microsoft.IdentityModel.Validators;
+
+#nullable enable
+
+namespace NuGetGallery.Services.Authentication
+{
+    /// <summary>
+    /// This interface is used to ensure a given token is issued by Entra ID.
+    /// </summary>
+    public interface IEntraIdTokenValidator
+    {
+        /// <summary>
+        /// Perform minimal validation of the token to ensure it was issued by Entra ID. Validations:
+        /// - Expected issuer (Entra ID)
+        /// - Expected audience
+        /// - Valid signature
+        /// - Not expired
+        /// </summary>
+        /// <param name="token">The parsed JWT</param>
+        /// <returns>The token validation result, check the <see cref="TokenValidationResult.IsValid"/> for success or failure.</returns>
+        Task<TokenValidationResult> ValidateAsync(JsonWebToken token);
+    }
+
+    public class EntraIdTokenValidator : IEntraIdTokenValidator
+    {
+        private static string EntraIdAuthority { get; } = "https://login.microsoftonline.com/common/v2.0";
+        public static string MetadataAddress { get; } = $"{EntraIdAuthority}/.well-known/openid-configuration";
+
+        private readonly ConfigurationManager<OpenIdConnectConfiguration> _oidcConfigManager;
+        private readonly JsonWebTokenHandler _jsonWebTokenHandler;
+        private readonly IFederatedCredentialConfiguration _configuration;
+
+        public EntraIdTokenValidator(
+            ConfigurationManager<OpenIdConnectConfiguration> oidcConfigManager,
+            JsonWebTokenHandler jsonWebTokenHandler,
+            IFederatedCredentialConfiguration configuration)
+        {
+            _oidcConfigManager = oidcConfigManager ?? throw new ArgumentNullException(nameof(oidcConfigManager));
+            _jsonWebTokenHandler = jsonWebTokenHandler ?? throw new ArgumentNullException(nameof(jsonWebTokenHandler));
+            _configuration = configuration ?? throw new ArgumentNullException(nameof(configuration));
+        }
+
+        public async Task<TokenValidationResult> ValidateAsync(JsonWebToken token)
+        {
+            if (string.IsNullOrWhiteSpace(_configuration.EntraIdAudience))
+            {
+                throw new InvalidOperationException("Unable to validate Entra ID token. Entra ID audience is not configured.");
+            }
+
+            var tokenValidationParameters = new TokenValidationParameters
+            {
+                IssuerValidator = AadIssuerValidator.GetAadIssuerValidator(EntraIdAuthority).Validate,
+                ValidAudience = _configuration.EntraIdAudience,
+                ConfigurationManager = _oidcConfigManager,
+            };
+
+            tokenValidationParameters.EnableAadSigningKeyIssuerValidation();
+
+            var result = await _jsonWebTokenHandler.ValidateTokenAsync(token, tokenValidationParameters);
+
+            return result;
+        }
+    }
+}
diff --git a/src/NuGetGallery.Services/Authentication/Federated/FederatedCredentialConfiguration.cs b/src/NuGetGallery.Services/Authentication/Federated/FederatedCredentialConfiguration.cs
new file mode 100644
index 0000000000..ab95bf6e5f
--- /dev/null
+++ b/src/NuGetGallery.Services/Authentication/Federated/FederatedCredentialConfiguration.cs
@@ -0,0 +1,21 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+#nullable enable
+
+namespace NuGetGallery.Services.Authentication
+{
+    public interface IFederatedCredentialConfiguration
+    {
+        /// <summary>
+        /// The expected audience for the incoming token. This is the "aud" claim and should be specific to the gallery
+        /// service itself (not shared between multiple services). This is used only for Entra ID token validation.
+        /// </summary>
+        string? EntraIdAudience { get; }
+    }
+
+    public class FederatedCredentialConfiguration : IFederatedCredentialConfiguration
+    {
+        public string? EntraIdAudience { get; set; }
+    }
+}
diff --git a/src/NuGetGallery.Services/Authentication/Federated/FederatedCredentialRepository.cs b/src/NuGetGallery.Services/Authentication/Federated/FederatedCredentialRepository.cs
new file mode 100644
index 0000000000..45e9dfd403
--- /dev/null
+++ b/src/NuGetGallery.Services/Authentication/Federated/FederatedCredentialRepository.cs
@@ -0,0 +1,84 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Threading.Tasks;
+using System.Linq;
+using System.Data;
+using System.Collections.Generic;
+using System.Data.Entity;
+using NuGet.Services.Entities;
+
+#nullable enable
+
+namespace NuGetGallery.Services.Authentication
+{
+    public interface IFederatedCredentialRepository
+    {
+        Task AddPolicyAsync(FederatedCredentialPolicy policy, bool saveChanges);
+        Task SaveFederatedCredentialAsync(FederatedCredential federatedCredential, bool saveChanges);
+        IReadOnlyList<FederatedCredentialPolicy> GetPoliciesCreatedByUser(int userKey);
+        FederatedCredentialPolicy? GetPolicyByKey(int policyKey);
+        Task DeletePolicyAsync(FederatedCredentialPolicy policy, bool saveChanges);
+    }
+
+    public class FederatedCredentialRepository : IFederatedCredentialRepository
+    {
+        private readonly IEntityRepository<FederatedCredentialPolicy> _policyRepository;
+        private readonly IEntityRepository<FederatedCredential> _federatedCredentialRepository;
+
+        public FederatedCredentialRepository(
+            IEntityRepository<FederatedCredentialPolicy> policyRepository,
+            IEntityRepository<FederatedCredential> federatedCredentialRepository)
+        {
+            _policyRepository = policyRepository;
+            _federatedCredentialRepository = federatedCredentialRepository;
+        }
+
+        public IReadOnlyList<FederatedCredentialPolicy> GetPoliciesCreatedByUser(int userKey)
+        {
+            return _policyRepository
+                .GetAll()
+                .Where(p => p.CreatedByUserKey == userKey)
+                .ToList();
+        }
+
+        public FederatedCredentialPolicy? GetPolicyByKey(int policyKey)
+        {
+            return _policyRepository
+                .GetAll()
+                .Where(p => p.Key == policyKey)
+                .Include(p => p.CreatedBy)
+                .FirstOrDefault();
+        }
+
+        public async Task SaveFederatedCredentialAsync(FederatedCredential federatedCredential, bool saveChanges)
+        {
+            _federatedCredentialRepository.InsertOnCommit(federatedCredential);
+
+            if (saveChanges)
+            {
+                await _federatedCredentialRepository.CommitChangesAsync();
+            }
+        }
+
+        public async Task AddPolicyAsync(FederatedCredentialPolicy policy, bool saveChanges)
+        {
+            _policyRepository.InsertOnCommit(policy);
+
+            if (saveChanges)
+            {
+                await _policyRepository.CommitChangesAsync();
+            }
+        }
+
+        public async Task DeletePolicyAsync(FederatedCredentialPolicy policy, bool saveChanges)
+        {
+            _policyRepository.DeleteOnCommit(policy);
+
+            if (saveChanges)
+            {
+                await _policyRepository.CommitChangesAsync();
+            }
+        }
+    }
+}
diff --git a/src/NuGetGallery.Services/Authentication/ICredentialBuilder.cs b/src/NuGetGallery.Services/Authentication/ICredentialBuilder.cs
index 9da4eb84cd..9c5e9dea1a 100644
--- a/src/NuGetGallery.Services/Authentication/ICredentialBuilder.cs
+++ b/src/NuGetGallery.Services/Authentication/ICredentialBuilder.cs
@@ -20,5 +20,7 @@ public interface ICredentialBuilder
         IList<Scope> BuildScopes(User scopeOwner, string[] scopes, string[] subjects);
 
         bool VerifyScopes(User currentUser, IEnumerable<Scope> scopes);
+
+        Credential CreateShortLivedApiKey(TimeSpan expiration, FederatedCredentialPolicy policy, out string plaintextApiKey);
     }
 }
diff --git a/src/NuGetGallery.Services/Configuration/ConfigurationService.cs b/src/NuGetGallery.Services/Configuration/ConfigurationService.cs
index fba91fe698..65a0bfc18a 100644
--- a/src/NuGetGallery.Services/Configuration/ConfigurationService.cs
+++ b/src/NuGetGallery.Services/Configuration/ConfigurationService.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -14,6 +14,7 @@
 using NuGet.Services.Configuration;
 using NuGet.Services.KeyVault;
 using NuGetGallery.Configuration.SecretReader;
+using NuGetGallery.Services.Authentication;
 
 namespace NuGetGallery.Configuration
 {
@@ -23,6 +24,7 @@ public class ConfigurationService : IGalleryConfigurationService, IConfiguration
         protected const string FeaturePrefix = "Feature.";
         protected const string ServiceBusPrefix = "AzureServiceBus.";
         protected const string PackageDeletePrefix = "PackageDelete.";
+        protected const string FederatedCredentialPrefix = "FederatedCredential.";
 
         private readonly Lazy<string> _httpSiteRootThunk;
         private readonly Lazy<string> _httpsSiteRootThunk;
@@ -31,6 +33,7 @@ public class ConfigurationService : IGalleryConfigurationService, IConfiguration
         private readonly Lazy<FeatureConfiguration> _lazyFeatureConfiguration;
         private readonly Lazy<IServiceBusConfiguration> _lazyServiceBusConfiguration;
         private readonly Lazy<IPackageDeleteConfiguration> _lazyPackageDeleteConfiguration;
+        private readonly Lazy<FederatedCredentialConfiguration> _lazyFederatedCredentialConfiguration;
 
         private static readonly HashSet<string> NotInjectedSettingNames = new HashSet<string>(StringComparer.OrdinalIgnoreCase) {
             SettingPrefix + "SqlServer",
@@ -66,6 +69,7 @@ public ConfigurationService()
             _lazyFeatureConfiguration = new Lazy<FeatureConfiguration>(() => ResolveFeatures().Result);
             _lazyServiceBusConfiguration = new Lazy<IServiceBusConfiguration>(() => ResolveServiceBus().Result);
             _lazyPackageDeleteConfiguration = new Lazy<IPackageDeleteConfiguration>(() => ResolvePackageDelete().Result);
+            _lazyFederatedCredentialConfiguration = new Lazy<FederatedCredentialConfiguration>(() => ResolveFederatedCredential().Result);
         }
 
         public static IEnumerable<PropertyDescriptor> GetConfigProperties<T>(T instance)
@@ -81,6 +85,8 @@ public static IEnumerable<PropertyDescriptor> GetConfigProperties<T>(T instance)
 
         public IPackageDeleteConfiguration PackageDelete => _lazyPackageDeleteConfiguration.Value;
 
+        public FederatedCredentialConfiguration FederatedCredential => _lazyFederatedCredentialConfiguration.Value;
+
         /// <summary>
         /// Gets the site root using the specified protocol
         /// </summary>
@@ -206,6 +212,11 @@ private async Task<IPackageDeleteConfiguration> ResolvePackageDelete()
             return await ResolveConfigObject(new PackageDeleteConfiguration(), PackageDeletePrefix);
         }
 
+        private async Task<FederatedCredentialConfiguration> ResolveFederatedCredential()
+        {
+            return await ResolveConfigObject(new FederatedCredentialConfiguration(), FederatedCredentialPrefix);
+        }
+
         protected virtual string GetAppSetting(string settingName)
         {
             return WebConfigurationManager.AppSettings[settingName];
@@ -273,4 +284,4 @@ private void CheckValidSiteRoot(string siteRoot)
             }
         }
     }
-}
\ No newline at end of file
+}
diff --git a/src/NuGetGallery.Services/Configuration/FeatureFlagService.cs b/src/NuGetGallery.Services/Configuration/FeatureFlagService.cs
index c5b3cbfca1..3ae66e189b 100644
--- a/src/NuGetGallery.Services/Configuration/FeatureFlagService.cs
+++ b/src/NuGetGallery.Services/Configuration/FeatureFlagService.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -63,6 +63,7 @@ public class FeatureFlagService : IFeatureFlagService
         private const string FrameworkFilteringFeatureName = GalleryPrefix + "FrameworkFiltering";
         private const string DisplayTfmBadgesFeatureName = GalleryPrefix + "DisplayTfmBadges";
         private const string AdvancedFrameworkFilteringFeatureName = GalleryPrefix + "AdvancedFrameworkFiltering";
+        private const string FederatedCredentialsFeatureName = GalleryPrefix + "FederatedCredentials";
 
         private const string ODataV1GetAllNonHijackedFeatureName = GalleryPrefix + "ODataV1GetAllNonHijacked";
         private const string ODataV1GetAllCountNonHijackedFeatureName = GalleryPrefix + "ODataV1GetAllCountNonHijacked";
@@ -120,7 +121,7 @@ public bool IsPackagesAtomFeedEnabled()
         /// <summary>
         /// The number of versions a package needs to have before it should be flighted using <see cref="ManageDeprecationForManyVersionsFeatureName"/> instead of <see cref="ManageDeprecationFeatureName"/>.
         /// </summary>
-        private const int _manageDeprecationForManyVersionsThreshold = 500;
+        private const int ManageDeprecationForManyVersionsThreshold = 500;
 
         public bool IsManageDeprecationEnabled(User user, PackageRegistration registration)
         {
@@ -144,7 +145,7 @@ public bool IsManageDeprecationEnabled(User user, IEnumerable<Package> allVersio
                 return false;
             }
 
-            return allVersions.Count() < _manageDeprecationForManyVersionsThreshold
+            return allVersions.Count() < ManageDeprecationForManyVersionsThreshold
                 || _client.IsEnabled(ManageDeprecationForManyVersionsFeatureName, user, defaultValue: true);
         }
 
@@ -421,5 +422,10 @@ public bool IsAdvancedFrameworkFilteringEnabled(User user)
         {
             return _client.IsEnabled(AdvancedFrameworkFilteringFeatureName, user, defaultValue: false);
         }
+
+        public bool CanUseFederatedCredentials(User user)
+        {
+            return _client.IsEnabled(FederatedCredentialsFeatureName, user, defaultValue: false);
+        }
     }
 }
diff --git a/src/NuGetGallery.Services/Configuration/IFeatureFlagService.cs b/src/NuGetGallery.Services/Configuration/IFeatureFlagService.cs
index 68bbf227ec..c58a19b0a9 100644
--- a/src/NuGetGallery.Services/Configuration/IFeatureFlagService.cs
+++ b/src/NuGetGallery.Services/Configuration/IFeatureFlagService.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System.Collections.Generic;
@@ -342,5 +342,10 @@ public interface IFeatureFlagService
         /// Whether or not to allow filtering by frameworks on NuGet.org search
         /// </summary>
         bool IsAdvancedFrameworkFilteringEnabled(User user);
+
+        /// <summary>
+        /// Whether or not the user specified in a package owner scope can use federated credentials.
+        /// </summary>
+        bool CanUseFederatedCredentials(User user);
     }
 }
diff --git a/src/NuGetGallery/App_Data/Files/Content/flags.json b/src/NuGetGallery/App_Data/Files/Content/flags.json
index 8d9a69ec0a..b702e453c6 100644
--- a/src/NuGetGallery/App_Data/Files/Content/flags.json
+++ b/src/NuGetGallery/App_Data/Files/Content/flags.json
@@ -145,6 +145,12 @@
       "SiteAdmins": false,
       "Accounts": [],
       "Domains": []
+    },
+    "NuGetGallery.FederatedCredentials": {
+      "All": true,
+      "SiteAdmins": false,
+      "Accounts": [],
+      "Domains": []
     }
   }
-}
+}
\ No newline at end of file
diff --git a/src/NuGetGallery/App_Start/DefaultDependenciesModule.cs b/src/NuGetGallery/App_Start/DefaultDependenciesModule.cs
index 9a2051dbf4..6b138f24c7 100644
--- a/src/NuGetGallery/App_Start/DefaultDependenciesModule.cs
+++ b/src/NuGetGallery/App_Start/DefaultDependenciesModule.cs
@@ -25,6 +25,9 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Http;
 using Microsoft.Extensions.Logging;
+using Microsoft.IdentityModel.JsonWebTokens;
+using Microsoft.IdentityModel.Protocols.OpenIdConnect;
+using Microsoft.IdentityModel.Protocols;
 using Microsoft.WindowsAzure.ServiceRuntime;
 using NuGet.Services.Configuration;
 using NuGet.Services.Entities;
@@ -55,6 +58,7 @@
 using NuGetGallery.Infrastructure.Search.Correlation;
 using NuGetGallery.Security;
 using NuGetGallery.Services;
+using NuGetGallery.Services.Authentication;
 using Role = NuGet.Services.Entities.Role;
 
 namespace NuGetGallery
@@ -151,6 +155,8 @@ protected override void Load(ContainerBuilder builder)
             builder.Register(c => configuration.PackageDelete)
                 .As<IPackageDeleteConfiguration>();
 
+            ConfigureFederatedCredentials(builder, configuration);
+
             var telemetryService = new TelemetryService(
                 new TraceDiagnosticsSource(nameof(TelemetryService), telemetryClient),
                 telemetryClient);
@@ -276,6 +282,16 @@ protected override void Load(ContainerBuilder builder)
                 .As<IEntityRepository<PackageRename>>()
                 .InstancePerLifetimeScope();
 
+            builder.RegisterType<EntityRepository<FederatedCredentialPolicy>>()
+                .AsSelf()
+                .As<IEntityRepository<FederatedCredentialPolicy>>()
+                .InstancePerLifetimeScope();
+
+            builder.RegisterType<EntityRepository<FederatedCredential>>()
+                .AsSelf()
+                .As<IEntityRepository<FederatedCredential>>()
+                .InstancePerLifetimeScope();
+
             ConfigureGalleryReadOnlyReplicaEntitiesContext(builder, loggerFactory, configuration, secretInjector, telemetryService);
 
             var supportDbConnectionFactory = CreateDbConnectionFactory(
@@ -531,6 +547,44 @@ protected override void Load(ContainerBuilder builder)
             builder.Populate(services);
         }
 
+        private static void ConfigureFederatedCredentials(ContainerBuilder builder, ConfigurationService configuration)
+        {
+            builder
+                .RegisterType<FederatedCredentialRepository>()
+                .As<IFederatedCredentialRepository>()
+                .InstancePerLifetimeScope();
+
+            builder
+                .Register(c => configuration.FederatedCredential)
+                .As<IFederatedCredentialConfiguration>();
+
+            builder
+                .Register(_ => new OpenIdConnectConfigurationRetriever())
+                .As<IConfigurationRetriever<OpenIdConnectConfiguration>>();
+
+            const string EntraIdKey = "EntraId";
+
+            // this is a singleton to provide caching of the OIDC metadata
+            builder
+                .Register(p => new ConfigurationManager<OpenIdConnectConfiguration>(
+                    metadataAddress: EntraIdTokenValidator.MetadataAddress,
+                    p.Resolve<IConfigurationRetriever<OpenIdConnectConfiguration>>()))
+                .SingleInstance()
+                .Keyed<ConfigurationManager<OpenIdConnectConfiguration>>(EntraIdKey);
+
+            builder
+                .RegisterType<JsonWebTokenHandler>()
+                .InstancePerLifetimeScope();
+
+            builder
+                .Register(p => new EntraIdTokenValidator(
+                    p.ResolveKeyed<ConfigurationManager<OpenIdConnectConfiguration>>(EntraIdKey),
+                    p.Resolve<JsonWebTokenHandler>(),
+                    p.Resolve<IFederatedCredentialConfiguration>()))
+                .As<IEntraIdTokenValidator>()
+                .InstancePerLifetimeScope();
+        }
+
         // Internal for testing purposes
         internal static ApplicationInsightsConfiguration ConfigureApplicationInsights(
             IAppConfiguration configuration,
diff --git a/src/NuGetGallery/Services/PackageDeprecationManagementService.cs b/src/NuGetGallery/Services/PackageDeprecationManagementService.cs
index c24a9c9456..53e2e9ec38 100644
--- a/src/NuGetGallery/Services/PackageDeprecationManagementService.cs
+++ b/src/NuGetGallery/Services/PackageDeprecationManagementService.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -148,7 +148,7 @@ public async Task<UpdateDeprecationError> UpdateDeprecation(
             foreach (var version in versions)
             {
                 var normalizedVersion = NuGetVersionFormatter.Normalize(version);
-                var package = packages.SingleOrDefault(v => v.NormalizedVersion == normalizedVersion);
+                var package = packages.SingleOrDefault(v => StringComparer.OrdinalIgnoreCase.Equals(v.NormalizedVersion, normalizedVersion));
                 if (package == null)
                 {
                     return new UpdateDeprecationError(
@@ -181,4 +181,4 @@ await _deprecationService.UpdateDeprecation(
             return null;
         }
     }
-}
\ No newline at end of file
+}
diff --git a/src/NuGetGallery/Views/Packages/DisplayPackage.cshtml b/src/NuGetGallery/Views/Packages/DisplayPackage.cshtml
index d7b757974a..166f92b450 100644
--- a/src/NuGetGallery/Views/Packages/DisplayPackage.cshtml
+++ b/src/NuGetGallery/Views/Packages/DisplayPackage.cshtml
@@ -256,8 +256,8 @@
 
 @* The following two helpers must be on a single line each so no extra whitespace is introduced in the expression when rendered. *@
 @* Helpers themselves are needed not to introduce that extra whitespce, which happens if they are inlined. *@
-@helper MakeLicenseLink(CompositeLicenseExpressionSegment segment) {<a href="@LicenseExpressionRedirectUrlHelper.GetLicenseExpressionRedirectUrl(segment.Value)" aria-label="License @segment.Value">@segment.Value</a>}
-@helper MakeLicenseSpan(CompositeLicenseExpressionSegment segment) {<span>@segment.Value</span>}
+@helper MakeLicenseLink(CompositeLicenseExpressionSegment segment) {<a href="@LicenseExpressionRedirectUrlHelper.GetLicenseExpressionRedirectUrl(segment.Value)" aria-label="License @segment.Value">@segment.Value license</a>}
+@helper MakeLicenseSpan(CompositeLicenseExpressionSegment segment) {<span>@segment.Value license</span>}
 
 <section role="main" class="container main-container page-package-details">
     <div class="row">
@@ -1107,7 +1107,6 @@
                                             @MakeLicenseSpan(segment);
                                         }
                                     }
-                                    @:license
                                 }
                                 else
                                 {
diff --git a/src/NuGetGallery/Web.config b/src/NuGetGallery/Web.config
index 36d12beba9..dd5d2bdfbd 100644
--- a/src/NuGetGallery/Web.config
+++ b/src/NuGetGallery/Web.config
@@ -203,6 +203,7 @@
     <add key="PackageDelete.MaximumDownloadsForPackageVersion" value=""/>
     <add key="Gallery.BlockLegacyLicenseUrl" value="false"/>
     <add key="Gallery.AllowLicenselessPackages" value="true"/>
+    <add key="FederatedCredential.EntraIdAudience" value=""/>
   </appSettings>
   <connectionStrings>
     <add name="Gallery.SqlServer" connectionString="Data Source=(localdb)\mssqllocaldb; Initial Catalog=NuGetGallery; Integrated Security=True; MultipleActiveResultSets=True" providerName="System.Data.SqlClient"/>
diff --git a/src/Stats.AzureCdnLogs.Common/Collect/Collector.cs b/src/Stats.AzureCdnLogs.Common/Collect/Collector.cs
index e54ecc01fe..b1f81f8d65 100644
--- a/src/Stats.AzureCdnLogs.Common/Collect/Collector.cs
+++ b/src/Stats.AzureCdnLogs.Common/Collect/Collector.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -25,6 +25,8 @@ public abstract class Collector
         protected ILogSource _source;
         protected ILogDestination _destination;
         protected readonly ILogger<Collector> _logger;
+        protected readonly bool _writeHeader;
+        protected readonly bool _addSourceFilenameColumn;
 
         /// <summary>
         /// Used by UnitTests
@@ -38,11 +40,18 @@ public Collector()
         /// <param name="source">The source of the Collector.</param>
         /// <param name="destination">The destination for the collector.</param>
         /// <param name="logger">The logger.</param>
-        public Collector(ILogSource source, ILogDestination destination, ILogger<Collector> logger)
+        public Collector(
+            ILogSource source,
+            ILogDestination destination,
+            ILogger<Collector> logger,
+            bool writeHeader,
+            bool addSourceFilenameColumn)
         {
             _source = source;
             _destination = destination;
             _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+            _writeHeader = writeHeader;
+            _addSourceFilenameColumn = addSourceFilenameColumn;
         }
 
         /// <summary>
@@ -126,9 +135,25 @@ private void AddException(ConcurrentBag<Exception> exceptions, Exception e, stri
         /// A method to transform each line from the input stream before writing it to the output stream. It is useful for example to modify the schema of each line.
         /// </summary>
         /// <param name="line">A line from the input stream.</param>
+        /// <param name="sourceFilename">The name of the file the <paramref name="line"/> was read from.</param>
         /// <returns>The transformed line.</returns>
         public abstract OutputLogLine TransformRawLogLine(string line);
 
+        /// <summary>
+        /// A method that returns the file header to put into the output file (if enabled).
+        /// </summary>
+        /// <returns>The header line.</returns>
+        public string GetOutputFileHeader()
+        {
+            if (!_addSourceFilenameColumn)
+            {
+                return OutputLogLine.Header;
+            }
+
+            return $"{OutputLogLine.Header} sourceFilename";
+        }
+
+
         /// <summary>
         /// A method to validate the stream integrity before data transfer.
         /// </summary>
@@ -151,7 +176,10 @@ protected void ProcessLogStream(Stream sourceStream, Stream targetStream, string
                 using (var sourceStreamReader = new StreamReader(sourceStream))
                 using (var targetStreamWriter = new StreamWriter(targetStream))
                 {
-                    targetStreamWriter.WriteLine(OutputLogLine.Header);
+                    if (_writeHeader)
+                    {
+                        targetStreamWriter.WriteLine(GetOutputFileHeader());
+                    }
 
                     while (!sourceStreamReader.EndOfStream)
                     {
@@ -279,7 +307,15 @@ private string GetParsedModifiedLogEntry(int lineNumber, string rawLogEntry, str
             stringBuilder.Append(spaceCharacter);
 
             // x-ec_custom-1
-            stringBuilder.AppendLine((parsedEntry.CustomField ?? dashCharacter));
+            stringBuilder.Append((parsedEntry.CustomField ?? dashCharacter));
+
+            if (_addSourceFilenameColumn)
+            {
+                stringBuilder.Append(spaceCharacter);
+                stringBuilder.Append(OutputLogLine.Quote(filename));
+            }
+
+            stringBuilder.AppendLine();
 
             return stringBuilder.ToString();
         }
diff --git a/src/Stats.AzureCdnLogs.Common/Collect/OutputLogLine.cs b/src/Stats.AzureCdnLogs.Common/Collect/OutputLogLine.cs
index bcc68454ce..6435cccc7a 100644
--- a/src/Stats.AzureCdnLogs.Common/Collect/OutputLogLine.cs
+++ b/src/Stats.AzureCdnLogs.Common/Collect/OutputLogLine.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 namespace Stats.AzureCdnLogs.Common.Collect
@@ -79,7 +79,7 @@ public OutputLogLine(string timestamp,
 
         public static string Header
         {
-            get { return "#Fields: timestamp time-taken c-ip filesize s-ip s-port sc-status sc-bytes cs-method cs-uri-stem - rs-duration rs-bytes c-referrer c-user-agent customer-id x-ec_custom-1\n"; }
+            get { return "#Fields: timestamp time-taken c-ip filesize s-ip s-port sc-status sc-bytes cs-method cs-uri-stem - rs-duration rs-bytes c-referrer c-user-agent customer-id x-ec_custom-1"; }
         }
 
         public override string ToString()
@@ -87,7 +87,7 @@ public override string ToString()
             return $"{TimeStamp} {TimeTaken} {CIp} {FileSize} {SIp} {SPort} {ScStatus} {ScBytes} {CsMethod} {CsUriStem} - {RsDuration} {RsBytes} {CReferrer} {Quote(CUserAgent)} {CustomerId} {Quote(XEc_Custom_1)}";
         }
 
-        private static string Quote(string input)
+        public static string Quote(string input)
         {
             if (input.StartsWith("\"") && input.EndsWith("\""))
             {
diff --git a/src/Stats.CollectAzureChinaCDNLogs/ChinaStatsCollector.cs b/src/Stats.CollectAzureChinaCDNLogs/ChinaStatsCollector.cs
index 75333be1d8..efa535c475 100644
--- a/src/Stats.CollectAzureChinaCDNLogs/ChinaStatsCollector.cs
+++ b/src/Stats.CollectAzureChinaCDNLogs/ChinaStatsCollector.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -35,7 +35,13 @@ private enum ChinaLogHeaderFields
             sip = 11
         }
 
-        public ChinaStatsCollector(ILogSource source, ILogDestination destination, ILogger<ChinaStatsCollector> logger) : base(source, destination, logger)
+        public ChinaStatsCollector(
+            ILogSource source,
+            ILogDestination destination,
+            ILogger<ChinaStatsCollector> logger,
+            bool writeHeader,
+            bool addSourceFilenameColumn)
+            : base(source, destination, logger, writeHeader, addSourceFilenameColumn)
         {}
 
         public override OutputLogLine TransformRawLogLine(string line)
diff --git a/src/Stats.CollectAzureChinaCDNLogs/Configuration/CollectAzureChinaCdnLogsConfiguration.cs b/src/Stats.CollectAzureChinaCDNLogs/Configuration/CollectAzureChinaCdnLogsConfiguration.cs
index 2674642093..5d602eaa35 100644
--- a/src/Stats.CollectAzureChinaCDNLogs/Configuration/CollectAzureChinaCdnLogsConfiguration.cs
+++ b/src/Stats.CollectAzureChinaCDNLogs/Configuration/CollectAzureChinaCdnLogsConfiguration.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 namespace Stats.CollectAzureChinaCDNLogs
@@ -16,5 +16,8 @@ public class CollectAzureChinaCdnLogsConfiguration
         public string DestinationFilePrefix { get; set; }
 
         public int? ExecutionTimeoutInSeconds { get; set; }
+
+        public bool WriteOutputHeader { get; set; } = true;
+        public bool AddSourceFilenameColumn { get; set; } = false;
     }
 }
diff --git a/src/Stats.CollectAzureChinaCDNLogs/Job.cs b/src/Stats.CollectAzureChinaCDNLogs/Job.cs
index 92d45d626d..78c4c3fef8 100644
--- a/src/Stats.CollectAzureChinaCDNLogs/Job.cs
+++ b/src/Stats.CollectAzureChinaCDNLogs/Job.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -53,7 +53,12 @@ public void InitializeJobConfiguration(IServiceProvider serviceProvider)
                 _configuration.AzureContainerNameDestination,
                 serviceProvider.GetRequiredService<ILogger<AzureStatsLogDestination>>());
 
-            _chinaCollector = new ChinaStatsCollector(source, dest, serviceProvider.GetRequiredService<ILogger<ChinaStatsCollector>>());
+            _chinaCollector = new ChinaStatsCollector(
+                source,
+                dest,
+                serviceProvider.GetRequiredService<ILogger<ChinaStatsCollector>>(),
+                _configuration.WriteOutputHeader,
+                _configuration.AddSourceFilenameColumn);
         }
 
         public override async Task Run()
diff --git a/src/Stats.PostProcessReports/Job.cs b/src/Stats.PostProcessReports/Job.cs
index 0387e3ed88..df6f87a51b 100644
--- a/src/Stats.PostProcessReports/Job.cs
+++ b/src/Stats.PostProcessReports/Job.cs
@@ -39,7 +39,7 @@ protected override void ConfigureAutofacServices(ContainerBuilder containerBuild
                 .Register(c =>
                 {
                     var cfg = c.Resolve<IOptionsSnapshot<PostProcessReportsConfiguration>>().Value;
-                    return new BlobServiceClient(AzureStorageFactory.PrepareConnectionString(cfg.StorageAccount));
+                    return new BlobServiceClientFactory(AzureStorageFactory.PrepareConnectionString(cfg.StorageAccount));
                 })
                 .AsSelf();
 
@@ -48,7 +48,7 @@ protected override void ConfigureAutofacServices(ContainerBuilder containerBuild
                 {
                     var cfg = c.Resolve<IOptionsSnapshot<PostProcessReportsConfiguration>>().Value;
                     var factory = new AzureStorageFactory(
-                        c.Resolve<BlobServiceClient>(),
+                        c.Resolve<BlobServiceClientFactory>(),
                         cfg.SourceContainerName,
                         enablePublicAccess: false,
                         c.Resolve<ILogger<AzureStorage>>(),
@@ -65,7 +65,7 @@ protected override void ConfigureAutofacServices(ContainerBuilder containerBuild
                 {
                     var cfg = c.Resolve<IOptionsSnapshot<PostProcessReportsConfiguration>>().Value;
                     var factory = new AzureStorageFactory(
-                        c.Resolve<BlobServiceClient>(),
+                        c.Resolve<BlobServiceClientFactory>(),
                         cfg.WorkContainerName,
                         enablePublicAccess: false,
                         c.Resolve<ILogger<AzureStorage>>(),
@@ -82,7 +82,7 @@ protected override void ConfigureAutofacServices(ContainerBuilder containerBuild
                 {
                     var cfg = c.Resolve<IOptionsSnapshot<PostProcessReportsConfiguration>>().Value;
                     var factory = new AzureStorageFactory(
-                        c.Resolve<BlobServiceClient>(),
+                        c.Resolve<BlobServiceClientFactory>(),
                         cfg.DestinationContainerName,
                         enablePublicAccess: true,
                         c.Resolve<ILogger<AzureStorage>>(),
diff --git a/src/Validation.PackageSigning.ProcessSignature/Job.cs b/src/Validation.PackageSigning.ProcessSignature/Job.cs
index 2716a2c754..392023f397 100644
--- a/src/Validation.PackageSigning.ProcessSignature/Job.cs
+++ b/src/Validation.PackageSigning.ProcessSignature/Job.cs
@@ -55,7 +55,7 @@ protected override void ConfigureJobServices(IServiceCollection services, IConfi
                 var useStorageManagedIdentity = bool.Parse(configurationRoot[Constants.StorageUseManagedIdentityPropertyName]);
                 var config = p.GetRequiredService<IOptionsSnapshot<CertificateStoreConfiguration>>().Value;
 
-                BlobServiceClient targetStorageAccount;
+                BlobServiceClientFactory targetStorageAccount;
                 if (useStorageManagedIdentity)
                 {
                     var managedIdentityClientId =
@@ -63,12 +63,12 @@ protected override void ConfigureJobServices(IServiceCollection services, IConfi
                         configurationRoot[Constants.ManagedIdentityClientIdKey] :
                         configurationRoot[Constants.StorageManagedIdentityClientIdPropertyName];
                     var storageAccountUri = AzureStorage.GetPrimaryServiceUri(config.DataStorageAccount);
-                    var managedIdentity = new ManagedIdentityCredential(managedIdentityClientId);
-                    targetStorageAccount = new BlobServiceClient(storageAccountUri, managedIdentity);
+                    var managedIdentityCredential = new ManagedIdentityCredential(managedIdentityClientId);
+                    targetStorageAccount = new BlobServiceClientFactory(storageAccountUri, managedIdentityCredential);
                 }
                 else
                 {
-                    targetStorageAccount = new BlobServiceClient(AzureStorageFactory.PrepareConnectionString(config.DataStorageAccount));
+                    targetStorageAccount = new BlobServiceClientFactory(AzureStorageFactory.PrepareConnectionString(config.DataStorageAccount));
                 }
 
                 var storageFactory = new AzureStorageFactory(
diff --git a/src/Validation.PackageSigning.ValidateCertificate/Job.cs b/src/Validation.PackageSigning.ValidateCertificate/Job.cs
index 883ede5a1f..965faf991f 100644
--- a/src/Validation.PackageSigning.ValidateCertificate/Job.cs
+++ b/src/Validation.PackageSigning.ValidateCertificate/Job.cs
@@ -37,7 +37,7 @@ protected override void ConfigureJobServices(IServiceCollection services, IConfi
                 var useStorageManagedIdentity = bool.Parse(configurationRoot[Constants.StorageUseManagedIdentityPropertyName]);
                 var config = p.GetRequiredService<IOptionsSnapshot<CertificateStoreConfiguration>>().Value;
 
-                BlobServiceClient targetStorageAccount;
+                BlobServiceClientFactory targetStorageAccount;
                 if (useStorageManagedIdentity)
                 {
                     var managedIdentityClientId =
@@ -45,12 +45,12 @@ protected override void ConfigureJobServices(IServiceCollection services, IConfi
                         configurationRoot[Constants.ManagedIdentityClientIdKey] :
                         configurationRoot[Constants.StorageManagedIdentityClientIdPropertyName];
                     var storageAccountUri = AzureStorage.GetPrimaryServiceUri(config.DataStorageAccount);
-                    var managedIdentity = new ManagedIdentityCredential(managedIdentityClientId);
-                    targetStorageAccount = new BlobServiceClient(storageAccountUri, managedIdentity);
+                    var managedIdentityCredential = new ManagedIdentityCredential(managedIdentityClientId);
+                    targetStorageAccount = new BlobServiceClientFactory(storageAccountUri, managedIdentityCredential);
                 }
                 else
                 {
-                    targetStorageAccount = new BlobServiceClient(AzureStorageFactory.PrepareConnectionString(config.DataStorageAccount));
+                    targetStorageAccount = new BlobServiceClientFactory(AzureStorageFactory.PrepareConnectionString(config.DataStorageAccount));
                 }
 
                 var storageFactory = new AzureStorageFactory(
diff --git a/src/VerifyMicrosoftPackage/Fakes/FakeFeatureFlagService.cs b/src/VerifyMicrosoftPackage/Fakes/FakeFeatureFlagService.cs
index 4d89d4fb4a..7b3ab36c67 100644
--- a/src/VerifyMicrosoftPackage/Fakes/FakeFeatureFlagService.cs
+++ b/src/VerifyMicrosoftPackage/Fakes/FakeFeatureFlagService.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -135,5 +135,7 @@ public class FakeFeatureFlagService : IFeatureFlagService
         public bool IsDisplayTfmBadgesEnabled(User user) => throw new NotImplementedException();
 
         public bool IsAdvancedFrameworkFilteringEnabled(User user) => throw new NotImplementedException();
+
+        public bool CanUseFederatedCredentials(User user) => throw new NotImplementedException();
     }
 }
diff --git a/tests/CatalogMetadataTests/AzureStorageFacts.cs b/tests/CatalogMetadataTests/AzureStorageFacts.cs
index 349843be1b..9089afed9b 100644
--- a/tests/CatalogMetadataTests/AzureStorageFacts.cs
+++ b/tests/CatalogMetadataTests/AzureStorageFacts.cs
@@ -10,6 +10,8 @@
 using NuGet.Services.Metadata.Catalog.Persistence;
 using Azure.Storage.Blobs;
 using Azure.Storage.Blobs.Models;
+using NuGet.Services.Storage;
+using AzureStorage = NuGet.Services.Metadata.Catalog.Persistence.AzureStorage;
 
 namespace CatalogMetadataTests
 {
@@ -138,14 +140,12 @@ private ICloudBlockBlob GetMockedBlockBlobWithNullMetadata(bool isBlobMetadataEx
 
     public abstract class AzureStorageBaseFacts
     {
+        protected readonly string _baseAddressString = "DefaultEndpointsProtocol=https;AccountName=devstoreaccount1;AccountKey=fake";
         protected readonly Uri _baseAddress = new Uri("https://test");
         protected readonly AzureStorage _storage;
 
         public AzureStorageBaseFacts()
         {
-            // Mock the BlobServiceClient
-            var mockBlobServiceClient = new Mock<BlobServiceClient>(_baseAddress, null);
-            mockBlobServiceClient.Setup(x => x.Uri).Returns(_baseAddress);
 
             // Mock the BlobContainerClient
             string containerName = "azuresearch";
@@ -159,12 +159,24 @@ public AzureStorageBaseFacts()
 
             mockBlobContainerClient.Setup(client => client.Name)
                 .Returns(containerName);
+            
+            // Mock the BlobServiceClient
+            var mockBlobServiceClient = new Mock<BlobServiceClient>(_baseAddressString);
+            mockBlobServiceClient.Setup(x => x.Uri).Returns(_baseAddress);
+            mockBlobServiceClient.Setup(x => x.GetBlobContainerClient(It.IsAny<string>()))
+                .Returns(mockBlobContainerClient.Object);
+
+            // Mock the BlobServiceClientFactory
+            var mockBlobServiceFactoryClient = new Mock<BlobServiceClientFactory>(_baseAddressString);
+            mockBlobServiceFactoryClient.Setup(x => x.Uri).Returns(_baseAddress);
+            mockBlobServiceFactoryClient.Setup(x => x.GetBlobServiceClient(It.IsAny<BlobClientOptions>()))
+                .Returns(mockBlobServiceClient.Object);
 
             // Mock ICloudBlobDirectory
             var directory = new Mock<ICloudBlobDirectory>();
 
             // Setup the ServiceClient to return the mocked BlobServiceClient
-            directory.Setup(x => x.ServiceClient).Returns(mockBlobServiceClient.Object);
+            directory.Setup(x => x.ServiceClient).Returns(mockBlobServiceFactoryClient.Object);
             directory.Setup(x => x.DirectoryPrefix).Returns("");
             directory.Setup(x => x.ContainerClientWrapper).Returns(new BlobContainerClientWrapper(mockBlobContainerClient.Object));
 
diff --git a/tests/CatalogMetadataTests/CloudBlobDirectoryWrapperFacts.cs b/tests/CatalogMetadataTests/CloudBlobDirectoryWrapperFacts.cs
index bdc9355310..8510d2f8d9 100644
--- a/tests/CatalogMetadataTests/CloudBlobDirectoryWrapperFacts.cs
+++ b/tests/CatalogMetadataTests/CloudBlobDirectoryWrapperFacts.cs
@@ -1,10 +1,10 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
-using Xunit;
 using NuGet.Services.Metadata.Catalog.Persistence;
-using Azure.Storage.Blobs;
+using NuGet.Services.Storage;
+using Xunit;
 
 namespace CatalogMetadataTests
 {
@@ -13,13 +13,13 @@ public class CloudBlobDirectoryWrapperFacts
         public class TheUriProperty
         {
             [Theory]
-            [InlineData("", "https://test/containerName/")]
-            [InlineData("directoryPrefix", "https://test/containerName/directoryPrefix")]
-            [InlineData("directoryPrefix/foo", "https://test/containerName/directoryPrefix/foo")]
+            [InlineData("", "https://devstoreaccount1.blob.core.windows.net/containerName/")]
+            [InlineData("directoryPrefix", "https://devstoreaccount1.blob.core.windows.net/containerName/directoryPrefix")]
+            [InlineData("directoryPrefix/foo", "https://devstoreaccount1.blob.core.windows.net/containerName/directoryPrefix/foo")]
             public void ReturnsTheUriWithVariousPrefixes(string directoryPrefix, string expectedUri)
             {
                 // Arrange
-                var serviceClient = new BlobServiceClient(new Uri("https://test"));
+                var serviceClient = new BlobServiceClientFactory("DefaultEndpointsProtocol=https;AccountName=devstoreaccount1;AccountKey=fake");
                 var directory = new CloudBlobDirectoryWrapper(serviceClient, "containerName", directoryPrefix);
 
                 // Act
diff --git a/tests/NgTests/CommandHelpersTests.cs b/tests/NgTests/CommandHelpersTests.cs
index 370768351b..7afd1e247d 100644
--- a/tests/NgTests/CommandHelpersTests.cs
+++ b/tests/NgTests/CommandHelpersTests.cs
@@ -202,6 +202,7 @@ public void DefaultsToAzurePublicWithNoCompression()
                     { Arguments.StorageKeyValue, DummyKey },
                     { Arguments.StorageContainer, "testContainer" },
                     { Arguments.StoragePath, "testStoragePath" },
+                    { Arguments.StorageUseManagedIdentity, "false" },
                 };
 
                 // Act
@@ -226,6 +227,7 @@ public void AllowsCustomStorageSuffix()
                     { Arguments.StorageContainer, "testContainer" },
                     { Arguments.StoragePath, "testStoragePath" },
                     { Arguments.StorageSuffix, "core.chinacloudapi.cn" },
+                    { Arguments.StorageUseManagedIdentity, "false" }
                 };
 
                 // Act
diff --git a/tests/NuGet.Services.Storage.Tests/AzureStorageNewFacts.cs b/tests/NuGet.Services.Storage.Tests/AzureStorageNewFacts.cs
index cd05baea83..3f5141d029 100644
--- a/tests/NuGet.Services.Storage.Tests/AzureStorageNewFacts.cs
+++ b/tests/NuGet.Services.Storage.Tests/AzureStorageNewFacts.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -21,6 +21,7 @@ public class AzureStorageNewFacts
     {
         private Mock<BlockBlobClient> _blobClientMock = new Mock<BlockBlobClient>();
         private Mock<BlobServiceClient> _blobServiceClientMock = new Mock<BlobServiceClient>();
+        private Mock<BlobServiceClientFactory> _blobServiceClientFactoryMock = new Mock<BlobServiceClientFactory>();
         private Mock<BlobContainerClient> _blobContainerClientMock = new Mock<BlobContainerClient>();
         private Mock<ILogger<AzureStorage>> _loggerMock = new Mock<ILogger<AzureStorage>>();
 
@@ -34,13 +35,16 @@ public AzureStorageNewFacts()
             _blobServiceClientMock
                 .Setup(x => x.GetBlobContainerClient(It.IsAny<string>()))
                 .Returns(_blobContainerClientMock.Object);
+            _blobServiceClientFactoryMock
+                .Setup(x => x.GetBlobServiceClient(It.IsAny<BlobClientOptions>()))
+                .Returns(_blobServiceClientMock.Object);
         }
 
         [Fact]
         public void Constructor_DoNotInitialize()
         {
             var azureStorage = new AzureStorage(
-                _blobServiceClientMock.Object,
+                _blobServiceClientFactoryMock.Object,
                 "containerName",
                 "path",
                 new Uri("http://baseAddress"),
@@ -75,7 +79,7 @@ public void Constructor_Initialize_ContainerDoesNotExist(bool enablePublicAccess
                 .Throws(new RequestFailedException(404, "Not found"));
 
             var azureStorage = new AzureStorage(
-                _blobServiceClientMock.Object,
+                _blobServiceClientFactoryMock.Object,
                 "containerName",
                 "path",
                 new Uri("http://baseAddress"),
@@ -109,7 +113,7 @@ public void Constructor_Initialize_ContainerExists_AccessMatches(bool enablePubl
                     Mock.Of<Response>()));
 
             var azureStorage = new AzureStorage(
-                _blobServiceClientMock.Object,
+                _blobServiceClientFactoryMock.Object,
                 "containerName",
                 "path",
                 new Uri("http://baseAddress"),
@@ -143,7 +147,7 @@ public void Constructor_Initialize_ContainerExists_AccessDoesNotMatch(bool enabl
                     Mock.Of<Response>()));
 
             var azureStorage = new AzureStorage(
-                _blobServiceClientMock.Object,
+                _blobServiceClientFactoryMock.Object,
                 "containerName",
                 "path",
                 new Uri("http://baseAddress"),
@@ -172,7 +176,7 @@ public void Exists(bool expected)
             _blobClientMock.Setup(c => c.Exists(It.IsAny<CancellationToken>())).Returns(Response.FromValue(expected, azureResponse.Object));
             _blobContainerClientMock.Protected().Setup<BlockBlobClient>("GetBlockBlobClientCore",ItExpr.IsAny<string>())
                 .Returns(_blobClientMock.Object);
-            var azureStorage = new AzureStorage(_blobServiceClientMock.Object, "containerName", "path", new Uri("http://baseAddress"), initializeContainer: true, enablePublicAccess: false, _loggerMock.Object);
+            var azureStorage = new AzureStorage(_blobServiceClientFactoryMock.Object, "containerName", "path", new Uri("http://baseAddress"), initializeContainer: true, enablePublicAccess: false, _loggerMock.Object);
 
             Assert.Equal(azureStorage.Exists("file"), expected);
         }
@@ -186,7 +190,7 @@ public async Task ExistsAsync(bool expected)
             _blobClientMock.Setup(c => c.ExistsAsync(It.IsAny<CancellationToken>())).Returns(Task.FromResult(Response.FromValue(expected, azureResponse.Object)));
             _blobContainerClientMock.Protected().Setup<BlockBlobClient>("GetBlockBlobClientCore", ItExpr.IsAny<string>())
                 .Returns(_blobClientMock.Object);
-            var azureStorage = new AzureStorage(_blobServiceClientMock.Object, "containerName", "path", new Uri("http://baseAddress"), initializeContainer: true, enablePublicAccess: false, _loggerMock.Object);
+            var azureStorage = new AzureStorage(_blobServiceClientFactoryMock.Object, "containerName", "path", new Uri("http://baseAddress"), initializeContainer: true, enablePublicAccess: false, _loggerMock.Object);
 
             Assert.Equal(await azureStorage.ExistsAsync("file", CancellationToken.None), expected);
         }
@@ -211,7 +215,7 @@ public async Task Save(bool overwrite, bool exists, int calledTimes)
 
             _blobContainerClientMock.Protected().Setup<BlockBlobClient>("GetBlockBlobClientCore", ItExpr.IsAny<string>())
                 .Returns(_blobClientMock.Object);
-            var azureStorage = new AzureStorage(_blobServiceClientMock.Object, "containerName", "path", new Uri("http://baseAddress"), initializeContainer: true, enablePublicAccess: false, _loggerMock.Object);
+            var azureStorage = new AzureStorage(_blobServiceClientFactoryMock.Object, "containerName", "path", new Uri("http://baseAddress"), initializeContainer: true, enablePublicAccess: false, _loggerMock.Object);
 
             await azureStorage.Save(new Uri("http://testUri.com/blob.json"), new StringStorageContent("content"), overwrite: overwrite, CancellationToken.None);
 
diff --git a/tests/NuGetGallery.Core.Facts/Auditing/CredentialAuditRecordTests.cs b/tests/NuGetGallery.Core.Facts/Auditing/CredentialAuditRecordTests.cs
index 3d21a1cbd9..e1828b7e03 100644
--- a/tests/NuGetGallery.Core.Facts/Auditing/CredentialAuditRecordTests.cs
+++ b/tests/NuGetGallery.Core.Facts/Auditing/CredentialAuditRecordTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -13,31 +13,23 @@ public class CredentialAuditRecordTests
         [Fact]
         public void Constructor_ThrowsForNullCredential()
         {
-            Assert.Throws<ArgumentNullException>(() => new CredentialAuditRecord(credential: null, removedOrRevoked: true));
+            Assert.Throws<ArgumentNullException>(() => new CredentialAuditRecord(credential: null));
         }
 
         [Fact]
-        public void Constructor_ThrowsForRemovalWithNullType()
-        {
-            var credential = new Credential();
-
-            Assert.Throws<ArgumentNullException>(() => new CredentialAuditRecord(credential, removedOrRevoked: true));
-        }
-
-        [Fact]
-        public void Constructor_RemovalOfNonPasswordSetsValue()
+        public void Constructor_RemovalOfNonPasswordDoesNotSetValue()
         {
             var credential = new Credential(type: "a", value: "b");
-            var record = new CredentialAuditRecord(credential, removedOrRevoked: true);
+            var record = new CredentialAuditRecord(credential);
 
-            Assert.Equal("b", record.Value);
+            Assert.Null(record.Value);
         }
 
         [Fact]
         public void Constructor_RemovalOfPasswordDoesNotSetValue()
         {
             var credential = new Credential(type: CredentialTypes.Password.V3, value: "a");
-            var record = new CredentialAuditRecord(credential, removedOrRevoked: true);
+            var record = new CredentialAuditRecord(credential);
 
             Assert.Null(record.Value);
         }
@@ -46,7 +38,7 @@ public void Constructor_RemovalOfPasswordDoesNotSetValue()
         public void Constructor_NonRemovalOfNonPasswordDoesNotSetsValue()
         {
             var credential = new Credential(type: "a", value: "b");
-            var record = new CredentialAuditRecord(credential, removedOrRevoked: false);
+            var record = new CredentialAuditRecord(credential);
 
             Assert.Null(record.Value);
         }
@@ -57,7 +49,7 @@ public void Constructor_NonRemovalOfNonPasswordDoesNotSetsValue()
         public void Constructor_ExternalCredentialSetsValue(string externalType)
         {
             var credential = new Credential(type: externalType, value: "b");
-            var record = new CredentialAuditRecord(credential, removedOrRevoked: false);
+            var record = new CredentialAuditRecord(credential);
 
             Assert.Equal("b", record.Value);
         }
@@ -66,7 +58,7 @@ public void Constructor_ExternalCredentialSetsValue(string externalType)
         public void Constructor_NonRemovalOfPasswordDoesNotSetValue()
         {
             var credential = new Credential(type: CredentialTypes.Password.V3, value: "a");
-            var record = new CredentialAuditRecord(credential, removedOrRevoked: false);
+            var record = new CredentialAuditRecord(credential);
 
             Assert.Null(record.Value);
         }
@@ -90,7 +82,7 @@ public void Constructor_SetsProperties()
                 Type = "e",
                 Value = "f"
             };
-            var record = new CredentialAuditRecord(credential, removedOrRevoked: true);
+            var record = new CredentialAuditRecord(credential);
 
             Assert.Equal(created, record.Created);
             Assert.Equal("a", record.Description);
@@ -104,7 +96,7 @@ public void Constructor_SetsProperties()
             Assert.Equal("c", scope.Subject);
             Assert.Equal("d", scope.AllowedAction);
             Assert.Equal("e", record.Type);
-            Assert.Equal("f", record.Value);
+            Assert.Null(record.Value);
         }
 
         [Fact]
@@ -112,11 +104,11 @@ public void Constructor_WithRevocationSource_Properties()
         {
             var testRevocationSource = "TestRevocationSource";
             var credential = new Credential(type: "a", value: "b");
-            var record = new CredentialAuditRecord(credential, removedOrRevoked: true, revocationSource: testRevocationSource);
+            var record = new CredentialAuditRecord(credential, revocationSource: testRevocationSource);
 
             Assert.Equal(testRevocationSource, record.RevocationSource);
             Assert.Equal("a", record.Type);
-            Assert.Equal("b", record.Value);
+            Assert.Null(record.Value);
         }
     }
-}
\ No newline at end of file
+}
diff --git a/tests/NuGetGallery.Core.Facts/Auditing/UserAuditRecordTests.cs b/tests/NuGetGallery.Core.Facts/Auditing/UserAuditRecordTests.cs
index 6760589e61..ca42318626 100644
--- a/tests/NuGetGallery.Core.Facts/Auditing/UserAuditRecordTests.cs
+++ b/tests/NuGetGallery.Core.Facts/Auditing/UserAuditRecordTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -108,7 +108,7 @@ public void Constructor_WithRevocationSource_SetsProperties()
             Assert.Single(record.AffectedCredential);
             Assert.Equal(testRevocationSource, record.AffectedCredential[0].RevocationSource);
             Assert.Equal("b", record.AffectedCredential[0].Type);
-            Assert.Equal("c", record.AffectedCredential[0].Value);
+            Assert.Null(record.AffectedCredential[0].Value);
         }
 
         [Fact]
@@ -127,4 +127,4 @@ public void GetPath_ReturnsLowerCasedUserName()
             Assert.Equal("a", actualPath);
         }
     }
-}
\ No newline at end of file
+}
diff --git a/tests/NuGetGallery.Core.Facts/Frameworks/FrameworkCompatibilityServiceFacts.cs b/tests/NuGetGallery.Core.Facts/Frameworks/FrameworkCompatibilityServiceFacts.cs
index d279bd8cef..cdd0af9eab 100644
--- a/tests/NuGetGallery.Core.Facts/Frameworks/FrameworkCompatibilityServiceFacts.cs
+++ b/tests/NuGetGallery.Core.Facts/Frameworks/FrameworkCompatibilityServiceFacts.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -155,9 +155,7 @@ public void PlatformVersionsShouldContainAllSpecifiedFrameworks(string platformV
             var compatibleFrameworks = FrameworkCompatibilityService.GetCompatibleFrameworks(new HashSet<NuGetFramework>() { packageFramework });
 
             // Assert
-            Assert.Equal(expectedFrameworks.Length, compatibleFrameworks.Count);
-
-            var containsAllCompatibleFrameworks = compatibleFrameworks.All(cf => projectFrameworks.Contains(cf));
+            var containsAllCompatibleFrameworks = projectFrameworks.All(cf => compatibleFrameworks.Contains(cf));
             Assert.True(containsAllCompatibleFrameworks);
         }
 
@@ -189,9 +187,7 @@ public void MultiplePlatformVersionCasesShouldContainAllSpecifiedFrameworks(stri
             var compatibleFrameworks = FrameworkCompatibilityService.GetCompatibleFrameworks(packageFrameworks);
 
             // Assert
-            Assert.Equal(expectedFrameworks.Length, compatibleFrameworks.Count);
-
-            var containsAllCompatibleFrameworks = compatibleFrameworks.All(cf => expectedComputedFrameworks.Contains(cf));
+            var containsAllCompatibleFrameworks = expectedComputedFrameworks.All(cf => compatibleFrameworks.Contains(cf));
             Assert.True(containsAllCompatibleFrameworks);
         }
     }
diff --git a/tests/NuGetGallery.Facts/Authentication/AuthenticationServiceFacts.cs b/tests/NuGetGallery.Facts/Authentication/AuthenticationServiceFacts.cs
index ee1a26eb7e..01466c530a 100644
--- a/tests/NuGetGallery.Facts/Authentication/AuthenticationServiceFacts.cs
+++ b/tests/NuGetGallery.Facts/Authentication/AuthenticationServiceFacts.cs
@@ -1,8 +1,9 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
 using System.Collections.Generic;
+using System.Data.Entity;
 using System.Globalization;
 using System.Linq;
 using System.Security.Claims;
@@ -1605,7 +1606,7 @@ public async Task WritesAuditRecordRemovingTheOldCredential()
                     ar.AffectedCredential.Length == 1 &&
                     ar.AffectedCredential[0].Type == existingCred.Type &&
                     ar.AffectedCredential[0].Identity == existingCred.Identity &&
-                    ar.AffectedCredential[0].Value == existingCred.Value &&
+                    ar.AffectedCredential[0].Value is null &&
                     ar.AffectedCredential[0].Created == existingCred.Created &&
                     ar.AffectedCredential[0].Expires == existingCred.Expires));
             }
@@ -2382,6 +2383,44 @@ public async Task SavesChangesInTheDataStore()
                 authService.Entities.VerifyCommitChanges();
             }
 
+            /// <summary>
+            /// Needed to avoid collection modified exception caused by the entity context.
+            /// </summary>
+            [Fact]
+            public async Task CopiesScopeCollectionForDeletion()
+            {
+                // Arrange
+                var credentialBuilder = new CredentialBuilder();
+
+                var credScopes =
+                    Enumerable.Range(0, 5)
+                        .Select(
+                            i => new Scope { AllowedAction = NuGetScopes.PackagePush, Key = i, Subject = "package" + i }).ToList();
+
+                var mockScopes = new Mock<DbSet<Scope>>();
+                var dbContext = GetMock<IEntitiesContext>();
+                dbContext.Setup(x => x.Scopes).Returns(mockScopes.Object);
+                mockScopes.Setup(x => x.Remove(It.IsAny<Scope>())).Callback<Scope>(x => credScopes.Remove(x));
+
+                var fakes = Get<Fakes>();
+                var cred = credentialBuilder.CreateApiKey(null, out string plaintextApiKey);
+                var user = fakes.CreateUser("test", credentialBuilder.CreatePasswordCredential(Fakes.Password), cred);
+                var authService = Get<AuthenticationService>();
+
+                var newScopes =
+                    Enumerable.Range(1, 2)
+                        .Select(
+                            i => new Scope { AllowedAction = NuGetScopes.PackageUnlist, Key = i * 10, Subject = "otherpackage" + i }).ToList();
+
+                cred.Scopes = credScopes;
+
+                // Act
+                await authService.EditCredentialScopes(user, cred, newScopes);
+
+                // Act
+                Assert.Empty(credScopes);
+            }
+
             [Fact]
             public async Task WritesAuditRecordForTheEditedCredential()
             {
@@ -2633,4 +2672,4 @@ public static bool VerifyPasswordHash(string hash, string algorithm, string pass
             return canAuthenticate && !confidenceCheck;
         }
     }
-}
\ No newline at end of file
+}
diff --git a/tests/NuGetGallery.Facts/Authentication/CredentialBuilderFacts.cs b/tests/NuGetGallery.Facts/Authentication/CredentialBuilderFacts.cs
new file mode 100644
index 0000000000..24f273a6cb
--- /dev/null
+++ b/tests/NuGetGallery.Facts/Authentication/CredentialBuilderFacts.cs
@@ -0,0 +1,83 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using NuGet.Services.Entities;
+using NuGetGallery.Authentication;
+using Xunit;
+
+namespace NuGetGallery.Infrastructure.Authentication
+{
+    public class CredentialBuilderFacts
+    {
+        public class TheCreateShortLivedApiKeyMethod : CredentialBuilderFacts
+        {
+            [Fact]
+            public void CreatesShortLivedApiKey()
+            {
+                // Act
+                var credential = Target.CreateShortLivedApiKey(Expiration, Policy, out var plaintextApiKey);
+
+                // Assert
+                Assert.Null(credential.User);
+                Assert.Equal(default, credential.UserKey);
+                Assert.StartsWith("oy2", plaintextApiKey, StringComparison.Ordinal);
+                Assert.Equal(CredentialTypes.ApiKey.V4, credential.Type);
+                Assert.Equal("Short-lived API key generated via a federated credential", credential.Description);
+                Assert.Equal(Expiration.Ticks, credential.ExpirationTicks);
+                Assert.Null(credential.User);
+
+                var scope = Assert.Single(credential.Scopes);
+                Assert.Equal(NuGetScopes.All, scope.AllowedAction);
+                Assert.Equal(NuGetPackagePattern.AllInclusivePattern, scope.Subject);
+                Assert.Same(Policy.PackageOwner, scope.Owner);
+            }
+
+            [Fact]
+            public void RejectsMissingPackageOwner()
+            {
+                // Arrange
+                Policy.PackageOwner = null;
+
+                // Act
+                Assert.Throws<ArgumentException>(() => Target.CreateShortLivedApiKey(Expiration, Policy, out var plaintextApiKey));
+            }
+
+            [Theory]
+            [InlineData(-1)]
+            [InlineData(0)]
+            [InlineData(61)]
+            public void RejectsOutOfRangeExpiration(int expirationMinutes)
+            {
+                // Arrange
+                Expiration = TimeSpan.FromMinutes(expirationMinutes);
+
+                // Act
+                Assert.Throws<ArgumentOutOfRangeException>(() => Target.CreateShortLivedApiKey(Expiration, Policy, out var plaintextApiKey));
+            }
+
+            public FederatedCredentialPolicy Policy { get; }
+
+            public TheCreateShortLivedApiKeyMethod()
+            {
+                Policy = new FederatedCredentialPolicy
+                {
+                    Key = 23,
+                    PackageOwner = new User { Key = 42 },
+                    CreatedBy = new User { Key = 43 },
+                };
+            }
+        }
+
+        public TimeSpan Expiration { get; set; }
+
+        public CredentialBuilder Target { get; }
+
+        public CredentialBuilderFacts()
+        {
+            Expiration = TimeSpan.FromMinutes(13);
+
+            Target = new CredentialBuilder();
+        }
+    }
+}
diff --git a/tests/NuGetGallery.Facts/Authentication/Federated/EntraIdTokenValidatorFacts.cs b/tests/NuGetGallery.Facts/Authentication/Federated/EntraIdTokenValidatorFacts.cs
new file mode 100644
index 0000000000..71797bc3de
--- /dev/null
+++ b/tests/NuGetGallery.Facts/Authentication/Federated/EntraIdTokenValidatorFacts.cs
@@ -0,0 +1,177 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using Microsoft.IdentityModel.JsonWebTokens;
+using Microsoft.IdentityModel.Protocols;
+using Microsoft.IdentityModel.Protocols.OpenIdConnect;
+using Microsoft.IdentityModel.Tokens;
+using Moq;
+using Xunit;
+
+#nullable enable
+
+namespace NuGetGallery.Services.Authentication
+{
+    public class EntraIdTokenValidatorFacts
+    {
+        public class TheValidateAsyncMethod : EntraIdTokenValidatorFacts
+        {
+            [Fact]
+            public async Task RejectsMissingAudience()
+            {
+                // Arrange
+                Configuration.Setup(x => x.EntraIdAudience).Returns((string?)null);
+
+                // Act & Assert
+                await Assert.ThrowsAsync<InvalidOperationException>(() => Target.ValidateAsync(Token));
+            }
+
+            [Fact]
+            public async Task ReturnsTokenValidationResultDirectly()
+            {
+                // Arrange
+                var result = new TokenValidationResult();
+                JsonWebTokenHandler
+                    .Setup(x => x.ValidateTokenAsync(It.IsAny<JsonWebToken>(), It.IsAny<TokenValidationParameters>()))
+                    .ReturnsAsync(result);
+
+                // Act
+                var actual = await Target.ValidateAsync(Token);
+
+                // Assert
+                Assert.Same(result, actual);
+            }
+
+            [Fact]
+            public async Task ConfiguresTokenValidationParameters()
+            {
+                // Arrange
+                var token = Token;
+
+                // Act
+                await Target.ValidateAsync(token);
+
+                // Assert
+                JsonWebTokenHandler.Verify(x => x.ValidateTokenAsync(token, It.IsAny<TokenValidationParameters>()), Times.Once);
+                var invocation = Assert.Single(JsonWebTokenHandler.Invocations);
+                var tokenValidationParameters = (TokenValidationParameters)invocation.Arguments[1];
+                Assert.Equal("nuget-audience", tokenValidationParameters.ValidAudience);
+                Assert.NotNull(tokenValidationParameters.IssuerValidator);
+                Assert.NotNull(tokenValidationParameters.IssuerSigningKeyValidatorUsingConfiguration);
+                Assert.Same(OidcConfigManager.Object, tokenValidationParameters.ConfigurationManager);
+            }
+
+            [Fact]
+            public async Task AcceptsEntraIdIssuer()
+            {
+                // Arrange
+                await Target.ValidateAsync(Token);
+                JsonWebTokenHandler.Verify(x => x.ValidateTokenAsync(It.IsAny<JsonWebToken>(), It.IsAny<TokenValidationParameters>()), Times.Once);
+                var invocation = Assert.Single(JsonWebTokenHandler.Invocations);
+                var tokenValidationParameters = (TokenValidationParameters)invocation.Arguments[1];
+
+                // Act
+                var issuer = tokenValidationParameters.IssuerValidator(Issuer, Token, tokenValidationParameters);
+
+                // Assert
+                Assert.Equal(Issuer, issuer);
+            }
+
+            [Fact]
+            public async Task RejectsOtherIssuer()
+            {
+                // Arrange
+                Issuer = "https://localhost/my-issuer";
+                await Target.ValidateAsync(Token);
+                JsonWebTokenHandler.Verify(x => x.ValidateTokenAsync(It.IsAny<JsonWebToken>(), It.IsAny<TokenValidationParameters>()), Times.Once);
+                var invocation = Assert.Single(JsonWebTokenHandler.Invocations);
+                var tokenValidationParameters = (TokenValidationParameters)invocation.Arguments[1];
+
+                // Act & Assert
+                Assert.Throws<SecurityTokenInvalidIssuerException>(
+                    () => tokenValidationParameters.IssuerValidator(Issuer, Token, tokenValidationParameters));
+            }
+
+            [Fact]
+            public async Task AcceptsSigningKeyWithMatchingIssuer()
+            {
+                // Arrange
+                await Target.ValidateAsync(Token);
+                JsonWebTokenHandler.Verify(x => x.ValidateTokenAsync(It.IsAny<JsonWebToken>(), It.IsAny<TokenValidationParameters>()), Times.Once);
+                var invocation = Assert.Single(JsonWebTokenHandler.Invocations);
+                var tokenValidationParameters = (TokenValidationParameters)invocation.Arguments[1];
+
+                // Act
+                var valid = tokenValidationParameters.IssuerSigningKeyValidatorUsingConfiguration(JsonWebKey, Token, tokenValidationParameters, OpenIdConnectConfiguration);
+
+                // Assert
+                Assert.True(valid);
+            }
+
+            [Fact]
+            public async Task RejectsSigningKeyWithDifferentIssuer()
+            {
+                // Arrange
+                await Target.ValidateAsync(Token);
+                JsonWebTokenHandler.Verify(x => x.ValidateTokenAsync(It.IsAny<JsonWebToken>(), It.IsAny<TokenValidationParameters>()), Times.Once);
+                var invocation = Assert.Single(JsonWebTokenHandler.Invocations);
+                var tokenValidationParameters = (TokenValidationParameters)invocation.Arguments[1];
+                var key = new JsonWebKey { Kid = "key-id", AdditionalData = { { "issuer", "https://localhost/my-issuer" } } };
+                var config = new OpenIdConnectConfiguration { JsonWebKeySet = new JsonWebKeySet { Keys = { key } } };
+
+                // Act & Assert
+                Assert.Throws<SecurityTokenInvalidIssuerException>(
+                    () => tokenValidationParameters.IssuerSigningKeyValidatorUsingConfiguration(key, Token, tokenValidationParameters, config));
+            }
+        }
+
+        public EntraIdTokenValidatorFacts()
+        {
+            ConfigurationRetriever = new Mock<IConfigurationRetriever<OpenIdConnectConfiguration>>();
+            OidcConfigManager = new Mock<ConfigurationManager<OpenIdConnectConfiguration>>(
+                EntraIdTokenValidator.MetadataAddress,
+                ConfigurationRetriever.Object);
+            JsonWebTokenHandler = new Mock<JsonWebTokenHandler>();
+            Configuration = new Mock<IFederatedCredentialConfiguration>();
+            Configuration.Setup(x => x.EntraIdAudience).Returns("nuget-audience");
+
+            TenantId = "c311b905-19a2-483e-a014-41d0fcdc99cf";
+            Issuer = $"https://login.microsoftonline.com/{TenantId}/v2.0";
+
+            Target = new EntraIdTokenValidator(
+                OidcConfigManager.Object,
+                JsonWebTokenHandler.Object,
+                Configuration.Object);
+        }
+
+        public EntraIdTokenValidator Target { get; }
+        public Mock<IConfigurationRetriever<OpenIdConnectConfiguration>> ConfigurationRetriever { get; }
+        public Mock<ConfigurationManager<OpenIdConnectConfiguration>> OidcConfigManager { get; }
+        public Mock<JsonWebTokenHandler> JsonWebTokenHandler { get; }
+        public Mock<IFederatedCredentialConfiguration> Configuration { get; }
+        public string TenantId { get; }
+        public string Issuer { get; set; }
+
+        public JsonWebToken Token
+        {
+            get
+            {
+                var handler = new JsonWebTokenHandler();
+                return handler.ReadJsonWebToken(handler.CreateToken(new SecurityTokenDescriptor
+                {
+                    Claims = new Dictionary<string, object>
+                    {
+                        { "tid", TenantId },
+                        { "iss", Issuer },
+                    }
+                }));
+            }
+        }
+
+        public JsonWebKey JsonWebKey => new() { Kid = "key-id", AdditionalData = { { "issuer", Issuer } } };
+        public OpenIdConnectConfiguration OpenIdConnectConfiguration => new() { JsonWebKeySet = new JsonWebKeySet { Keys = { JsonWebKey } } };
+    }
+}
diff --git a/tests/NuGetGallery.Facts/Authentication/Federated/FederatedCredentialRepositoryFacts.cs b/tests/NuGetGallery.Facts/Authentication/Federated/FederatedCredentialRepositoryFacts.cs
new file mode 100644
index 0000000000..426c44d219
--- /dev/null
+++ b/tests/NuGetGallery.Facts/Authentication/Federated/FederatedCredentialRepositoryFacts.cs
@@ -0,0 +1,159 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using Moq;
+using NuGet.Services.Entities;
+using Xunit;
+
+#nullable enable
+
+namespace NuGetGallery.Services.Authentication
+{
+    public class FederatedCredentialRepositoryFacts
+    {
+        public class TheGetPoliciesCreatedByUserMethod : FederatedCredentialRepositoryFacts
+        {
+            [Fact]
+            public void FiltersByUserKey()
+            {
+                // Act
+                var policies = Target.GetPoliciesCreatedByUser(userKey: 4);
+
+                // Assert
+                Assert.Equal(2, policies.Count);
+                Assert.Equal(1, policies[0].Key);
+                Assert.Equal(2, policies[1].Key);
+            }
+        }
+
+        public class TheGetPolicyByKeyMethod : FederatedCredentialRepositoryFacts
+        {
+            [Fact]
+            public void ReturnsPolicyByKey()
+            {
+                // Act
+                var policy = Target.GetPolicyByKey(2);
+
+                // Assert
+                Assert.Equal(2, policy!.Key);
+            }
+
+            [Fact]
+            public void ReturnsNullIfDoesNotExist()
+            {
+                // Act
+                var policy = Target.GetPolicyByKey(23);
+
+                // Assert
+                Assert.Null(policy);
+            }
+        }
+
+        public class TheSaveFederatedCredentialAsyncMethod : FederatedCredentialRepositoryFacts
+        {
+            [Fact]
+            public async Task InsertsCredential()
+            {
+                // Arrange
+                var credential = new FederatedCredential();
+
+                // Act
+                await Target.SaveFederatedCredentialAsync(credential, saveChanges: false);
+
+                // Assert
+                CredentialRepository.Verify(x => x.InsertOnCommit(credential), Times.Once);
+                CredentialRepository.Verify(x => x.CommitChangesAsync(), Times.Never);
+            }
+
+            [Fact]
+            public async Task CommitsChangesIfRequested()
+            {
+                // Arrange
+                var credential = new FederatedCredential();
+
+                // Act
+                await Target.SaveFederatedCredentialAsync(credential, saveChanges: true);
+
+                // Assert
+                CredentialRepository.Verify(x => x.InsertOnCommit(credential), Times.Once);
+                CredentialRepository.Verify(x => x.CommitChangesAsync(), Times.Once);
+            }
+        }
+
+        public class TheAddPolicyAsyncMethod : FederatedCredentialRepositoryFacts
+        {
+            [Fact]
+            public async Task InsertsPolicy()
+            {
+                // Act
+                await Target.AddPolicyAsync(Policies[0], saveChanges: false);
+
+                // Assert
+                PolicyRepository.Verify(x => x.InsertOnCommit(Policies[0]), Times.Once);
+                PolicyRepository.Verify(x => x.CommitChangesAsync(), Times.Never);
+            }
+
+            [Fact]
+            public async Task CommitsChangesIfRequested()
+            {
+                // Act
+                await Target.AddPolicyAsync(Policies[0], saveChanges: true);
+
+                // Assert
+                PolicyRepository.Verify(x => x.InsertOnCommit(Policies[0]), Times.Once);
+                PolicyRepository.Verify(x => x.CommitChangesAsync(), Times.Once);
+            }
+        }
+
+        public class TheDeletePolicyAsyncMethod : FederatedCredentialRepositoryFacts
+        {
+            [Fact]
+            public async Task DeletesPolicy()
+            {
+                // Act
+                await Target.DeletePolicyAsync(Policies[0], saveChanges: false);
+
+                // Assert
+                PolicyRepository.Verify(x => x.DeleteOnCommit(Policies[0]), Times.Once);
+                PolicyRepository.Verify(x => x.CommitChangesAsync(), Times.Never);
+            }
+
+            [Fact]
+            public async Task CommitsChangesIfRequested()
+            {
+                // Act
+                await Target.DeletePolicyAsync(Policies[0], saveChanges: true);
+
+                // Assert
+                PolicyRepository.Verify(x => x.DeleteOnCommit(Policies[0]), Times.Once);
+                PolicyRepository.Verify(x => x.CommitChangesAsync(), Times.Once);
+            }
+        }
+
+        public FederatedCredentialRepositoryFacts()
+        {
+            CredentialRepository = new Mock<IEntityRepository<FederatedCredential>>();
+            PolicyRepository = new Mock<IEntityRepository<FederatedCredentialPolicy>>();
+
+            Policies = new List<FederatedCredentialPolicy>
+            {
+                new() { Key = 1, CreatedByUserKey = 4 },
+                new() { Key = 2, CreatedByUserKey = 4 },
+                new() { Key = 3, CreatedByUserKey = 5 },
+            };
+            PolicyRepository.Setup(x => x.GetAll()).Returns(() => Policies.AsQueryable());
+
+            Target = new FederatedCredentialRepository(
+                PolicyRepository.Object,
+                CredentialRepository.Object);
+        }
+
+        public Mock<IEntityRepository<FederatedCredential>> CredentialRepository { get; }
+        public Mock<IEntityRepository<FederatedCredentialPolicy>> PolicyRepository { get; }
+        public List<FederatedCredentialPolicy> Policies { get; }
+        public FederatedCredentialRepository Target { get; }
+    }
+}
diff --git a/tests/NuGetGallery.Facts/Services/PackageDeprecationManagementServiceFacts.cs b/tests/NuGetGallery.Facts/Services/PackageDeprecationManagementServiceFacts.cs
index 20b424c8f7..4170717547 100644
--- a/tests/NuGetGallery.Facts/Services/PackageDeprecationManagementServiceFacts.cs
+++ b/tests/NuGetGallery.Facts/Services/PackageDeprecationManagementServiceFacts.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -856,7 +856,7 @@ private async Task AssertSuccessful(
 
                 var package2 = new Package
                 {
-                    NormalizedVersion = "1.0.0",
+                    NormalizedVersion = "1.0.0-RC1",
                     PackageRegistration = registration
                 };
 
@@ -932,7 +932,7 @@ private async Task AssertSuccessful(
 
                 var service = GetService<PackageDeprecationManagementService>();
 
-                var packageNormalizedVersions = new[] { package.NormalizedVersion, package2.NormalizedVersion };
+                var packageNormalizedVersions = new[] { package.NormalizedVersion, package2.NormalizedVersion.ToLowerInvariant() };
 
                 // Act
                 var result = await InvokeUpdateDeprecation(
@@ -981,4 +981,4 @@ private static Task<UpdateDeprecationError> InvokeUpdateDeprecation(
             }
         }
     }
-}
\ No newline at end of file
+}
diff --git a/tests/Tests.Stats.CollectAzureChinaCDNLogs/ChinaCollectorTests.cs b/tests/Tests.Stats.CollectAzureChinaCDNLogs/ChinaCollectorTests.cs
index af0a6ae6ff..afe299e6e3 100644
--- a/tests/Tests.Stats.CollectAzureChinaCDNLogs/ChinaCollectorTests.cs
+++ b/tests/Tests.Stats.CollectAzureChinaCDNLogs/ChinaCollectorTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -35,7 +35,9 @@ public void TransformRawLogLine(string input, string expectedOutput)
             var collector = new ChinaStatsCollector(
                 Mock.Of<ILogSource>(),
                 Mock.Of<ILogDestination>(),
-                Mock.Of<ILogger<ChinaStatsCollector>>());
+                Mock.Of<ILogger<ChinaStatsCollector>>(),
+                writeHeader: true,
+                addSourceFilenameColumn: false);
 
             var transformedInput = collector.TransformRawLogLine(input);
             string output = transformedInput == null ? null : transformedInput.ToString();
@@ -51,7 +53,9 @@ public void CdnLogEntryParserIntegration(string input)
             var collector = new ChinaStatsCollector(
                 Mock.Of<ILogSource>(),
                 Mock.Of<ILogDestination>(),
-                Mock.Of<ILogger<ChinaStatsCollector>>());
+                Mock.Of<ILogger<ChinaStatsCollector>>(),
+                writeHeader: true,
+                addSourceFilenameColumn: false);
 
             var transformedInput = collector.TransformRawLogLine(input);
             if (transformedInput == null)
@@ -74,7 +78,9 @@ public void SkipsMalformedTimestamps()
             var collector = new ChinaStatsCollector(
                 Mock.Of<ILogSource>(),
                 Mock.Of<ILogDestination>(),
-                Mock.Of<ILogger<ChinaStatsCollector>>());
+                Mock.Of<ILogger<ChinaStatsCollector>>(),
+                writeHeader: true,
+                addSourceFilenameColumn: false);
 
             OutputLogLine transformedInput = null;
 
@@ -121,24 +127,106 @@ public void SkipsMalformedTimestamps()
         public async Task SkipsLinesWithMalformedColumns(string data, int expectedOutputLines)
         {
             const string header = "c-ip, timestamp, cs-method, cs-uri-stem, http-ver, sc-status, sc-bytes, c-referer, c-user-agent, rs-duration(ms), hit-miss, s-ip\n";
-            var sourceUri = new Uri("https://example.com/log1");
+            Mock<ILogSource> sourceMock = SetupSource(header + data);
 
-            var sourceMock = new Mock<ILogSource>();
-            sourceMock
-                .Setup(s => s.GetFilesAsync(It.IsAny<int>(), It.IsAny<CancellationToken>(), It.IsAny<string>()))
-                .ReturnsAsync((IEnumerable<Uri>)new List<Uri> { sourceUri });
+            var writeSucceeded = false;
+            var outputStream = new MemoryStream();
+            Mock<ILogDestination> destinationMock = SetupDestination(outputStream, () => writeSucceeded = true);
 
-            sourceMock
-                .Setup(s => s.TakeLockAsync(sourceUri, It.IsAny<CancellationToken>()))
-                .ReturnsAsync(new AzureBlobLockResult(new Microsoft.WindowsAzure.Storage.Blob.CloudBlob(sourceUri), true, "foo", CancellationToken.None));
+            var collector = new ChinaStatsCollector(
+                sourceMock.Object,
+                destinationMock.Object,
+                Mock.Of<ILogger<ChinaStatsCollector>>(),
+                writeHeader: true,
+                addSourceFilenameColumn: false);
 
-            sourceMock
-                .Setup(s => s.OpenReadAsync(sourceUri, It.IsAny<ContentType>(), It.IsAny<CancellationToken>()))
-                .ReturnsAsync(() => new MemoryStream(Encoding.UTF8.GetBytes(header + data)));
+            await collector.TryProcessAsync(
+                maxFileCount: 10,
+                fileNameTransform: s => s,
+                sourceContentType: ContentType.Text,
+                destinationContentType: ContentType.Text,
+                CancellationToken.None);
 
-            var destinationMock = new Mock<ILogDestination>();
+            string[] outputLines = null;
+
+            outputLines = GetStreamLines(outputStream);
+
+            Assert.True(writeSucceeded);
+            Assert.NotEmpty(outputLines);
+            Assert.Equal("#Fields: timestamp time-taken c-ip filesize s-ip s-port sc-status sc-bytes cs-method cs-uri-stem - rs-duration rs-bytes c-referrer c-user-agent customer-id x-ec_custom-1", outputLines[0]);
+            Assert.True(expectedOutputLines <= outputLines.Length - 1); // excluding header
+        }
+
+        [Fact]
+        public async Task DoesNotWriteHeaderIfConfigured()
+        {
+            const string header = "c-ip, timestamp, cs-method, cs-uri-stem, http-ver, sc-status, sc-bytes, c-referer, c-user-agent, rs-duration(ms), hit-miss, s-ip\n";
+            const string data = "1.2.3.4,4/6/2019 4:00:20 PM +00:00,GET,\"/v3-flatcontainer/microsoft.codeanalysis.common/1.2.2/microsoft.codeanalysis.common.1.2.2.nupkg\",HTTPS,200,2044843,\"NULL\",\"NuGet VS VSIX/4.7.0 (Microsoft Windows NT 10.0.17134.0, VS Enterprise/15.0)\",796,MISS,4.3.2.1";
+
+            Mock<ILogSource> sourceMock = SetupSource(header + data);
+            var writeSucceeded = false;
             var outputStream = new MemoryStream();
+            Mock<ILogDestination> destinationMock = SetupDestination(outputStream, () => writeSucceeded = true);
+
+            var collector = new ChinaStatsCollector(
+                sourceMock.Object,
+                destinationMock.Object,
+                Mock.Of<ILogger<ChinaStatsCollector>>(),
+                writeHeader: false,
+                addSourceFilenameColumn: false);
+
+            await collector.TryProcessAsync(
+                maxFileCount: 10,
+                fileNameTransform: s => s,
+                sourceContentType: ContentType.Text,
+                destinationContentType: ContentType.Text,
+                CancellationToken.None);
+
+            string[] outputLines = null;
+
+            outputLines = GetStreamLines(outputStream);
+            Assert.True(writeSucceeded);
+            Assert.Single(outputLines);
+            Assert.False(outputLines[0].StartsWith("#Fields"));
+        }
+
+        [Fact]
+        public async Task WritesSourceFilenameColumn()
+        {
+            const string header = "c-ip, timestamp, cs-method, cs-uri-stem, http-ver, sc-status, sc-bytes, c-referer, c-user-agent, rs-duration(ms), hit-miss, s-ip\n";
+            const string data = "1.2.3.4,4/6/2019 4:00:20 PM +00:00,GET,\"/v3-flatcontainer/microsoft.codeanalysis.common/1.2.2/microsoft.codeanalysis.common.1.2.2.nupkg\",HTTPS,200,2044843,\"NULL\",\"NuGet VS VSIX/4.7.0 (Microsoft Windows NT 10.0.17134.0, VS Enterprise/15.0)\",796,MISS,4.3.2.1";
+
+            Mock<ILogSource> sourceMock = SetupSource(header + data);
             var writeSucceeded = false;
+            var outputStream = new MemoryStream();
+            Mock<ILogDestination> destinationMock = SetupDestination(outputStream, () => writeSucceeded = true);
+
+            var collector = new ChinaStatsCollector(
+                sourceMock.Object,
+                destinationMock.Object,
+                Mock.Of<ILogger<ChinaStatsCollector>>(),
+                writeHeader: true,
+                addSourceFilenameColumn: true);
+
+            await collector.TryProcessAsync(
+                maxFileCount: 10,
+                fileNameTransform: s => s,
+                sourceContentType: ContentType.Text,
+                destinationContentType: ContentType.Text,
+                CancellationToken.None);
+
+            string[] outputLines = null;
+
+            outputLines = GetStreamLines(outputStream);
+            Assert.True(writeSucceeded);
+            Assert.Equal(2, outputLines.Length);
+            Assert.EndsWith("sourceFilename", outputLines[0]);
+            Assert.EndsWith("log1", outputLines[1]);
+        }
+
+        private static Mock<ILogDestination> SetupDestination(MemoryStream outputStream, Action onSuccess)
+        {
+            var destinationMock = new Mock<ILogDestination>();
             destinationMock
                 .Setup(d => d.TryWriteAsync(It.IsAny<Stream>(), It.IsAny<Action<Stream, Stream>>(), It.IsAny<string>(), It.IsAny<ContentType>(), It.IsAny<CancellationToken>()))
                 .ReturnsAsync((Stream inputStream, Action<Stream, Stream> writeAction, string destinationFileName, ContentType destinationContentType, CancellationToken token) =>
@@ -146,7 +234,7 @@ public async Task SkipsLinesWithMalformedColumns(string data, int expectedOutput
                     try
                     {
                         writeAction(inputStream, outputStream);
-                        writeSucceeded = true;
+                        onSuccess();
                     }
                     catch (Exception ex)
                     {
@@ -154,21 +242,31 @@ public async Task SkipsLinesWithMalformedColumns(string data, int expectedOutput
                     }
                     return new AsyncOperationResult(true, null);
                 });
+            return destinationMock;
+        }
 
-            var collector = new ChinaStatsCollector(
-                sourceMock.Object,
-                destinationMock.Object,
-                Mock.Of<ILogger<ChinaStatsCollector>>());
+        private static Mock<ILogSource> SetupSource(string content)
+        {
+            var sourceUri = new Uri("https://example.com/log1");
 
-            await collector.TryProcessAsync(
-                maxFileCount: 10,
-                fileNameTransform: s => s,
-                sourceContentType: ContentType.Text,
-                destinationContentType: ContentType.Text,
-                CancellationToken.None);
+            var sourceMock = new Mock<ILogSource>();
+            sourceMock
+                .Setup(s => s.GetFilesAsync(It.IsAny<int>(), It.IsAny<CancellationToken>(), It.IsAny<string>()))
+                .ReturnsAsync((IEnumerable<Uri>)new List<Uri> { sourceUri });
 
-            string[] outputLines = null;
+            sourceMock
+                .Setup(s => s.TakeLockAsync(sourceUri, It.IsAny<CancellationToken>()))
+                .ReturnsAsync(new AzureBlobLockResult(new Microsoft.WindowsAzure.Storage.Blob.CloudBlob(sourceUri), true, "foo", CancellationToken.None));
 
+            sourceMock
+                .Setup(s => s.OpenReadAsync(sourceUri, It.IsAny<ContentType>(), It.IsAny<CancellationToken>()))
+                .ReturnsAsync(() => new MemoryStream(Encoding.UTF8.GetBytes(content)));
+            return sourceMock;
+        }
+
+        private static string[] GetStreamLines(MemoryStream outputStream)
+        {
+            string[] outputLines;
             // need to reopen closed stream
             var outputBuffer = outputStream.ToArray();
             outputStream = new MemoryStream(outputBuffer);
@@ -177,11 +275,7 @@ await collector.TryProcessAsync(
                 outputLines = streamReader.ReadToEnd().Split(new[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries);
             }
 
-            Assert.True(writeSucceeded);
-            Assert.NotEmpty(outputLines);
-            Assert.Equal("#Fields: timestamp time-taken c-ip filesize s-ip s-port sc-status sc-bytes cs-method cs-uri-stem - rs-duration rs-bytes c-referrer c-user-agent customer-id x-ec_custom-1", outputLines[0]);
-            Assert.True(expectedOutputLines <= outputLines.Length - 1); // excluding header
+            return outputLines;
         }
     }
 }
- 
\ No newline at end of file