diff --git a/.azure/pipelines/azure-pipelines-mirror-within-azdo.yml b/.azure/pipelines/azure-pipelines-mirror-within-azdo.yml
index 4725ab9fba1c..82b2e48f3efd 100644
--- a/.azure/pipelines/azure-pipelines-mirror-within-azdo.yml
+++ b/.azure/pipelines/azure-pipelines-mirror-within-azdo.yml
@@ -13,7 +13,6 @@ parameters:
 type: boolean
 variables:
-- group: Mirror-Credentials
 - template: /eng/common/templates/variables/pool-providers.yml
 # Merges code from one AzDO branch into another
@@ -41,15 +40,35 @@ jobs:
 Write-Host "##vso[task.setvariable variable=BranchToMirror]$branch"
 Write-Host "##vso[task.setvariable variable=TargetBranchName]$branch$suffix"
 displayName: Calculate Mirrored Branch Names
+ - task: AzureCLI@2
+ displayName: Mint AzDO token (WIF)
+ inputs:
+ azureSubscription: dnceng-build-rw-code-rw-wif
+ scriptType: pscore
+ scriptLocation: inlineScript
+ inlineScript: |
+ # Azure DevOps AAD resource ID
+ $azureDevOpsResourceId = "499b84ac-1321-427f-aa17-267ca6975798"
+ $token = az account get-access-token --resource $azureDevOpsResourceId --query accessToken -o tsv
+ if ($LASTEXITCODE -ne 0) {
+ Write-Error "Failed to acquire Azure DevOps token via 'az account get-access-token'. Exit code: $LASTEXITCODE"
+ exit 1
+ }
+ $token = $token.Trim()
+ if ([string]::IsNullOrWhiteSpace($token)) {
+ Write-Error "Received an empty Azure DevOps token from 'az account get-access-token'."
+ exit 1
+ }
+ Write-Host "##vso[task.setvariable variable=WifAzdoToken;issecret=true]$token"
 - script: |
- git clone https://dn-bot:$(dn-bot-dnceng-build-rw-code-rw)@dev.azure.com/dnceng/internal/_git/$(AzdoRepo) $(WorkingDirectoryName) --recursive --no-tags --branch $(TargetBranchName)
+ git -c http.https://dev.azure.com/.extraheader="Authorization: Bearer $(WifAzdoToken)" clone https://dev.azure.com/dnceng/internal/_git/$(AzdoRepo) $(WorkingDirectoryName) --recursive --no-tags --branch $(TargetBranchName)
 displayName: Clone AzDO repo
 - script: |
 git -c user.email="dotnet-bot@microsoft.com" -c user.name="dotnet-bot" merge origin/$(BranchToMirror) -m "Merge in '$(BranchToMirror)' changes"
 displayName: Merge head branch to target branch
 workingDirectory: $(WorkingDirectoryName)
 - script: |
- git push origin $(TargetBranchName)
+ git -c http.https://dev.azure.com/.extraheader="Authorization: Bearer $(WifAzdoToken)" push origin $(TargetBranchName)
 displayName: Push changes to Azure DevOps repo
 workingDirectory: $(WorkingDirectoryName)
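Review bot: The new clone and push steps place the bearer token in git's argument list through `-c http.https://dev.azure.com/.extraheader="Authorization: Bearer $(WifAzdoToken)"`. After macro expansion the token is part of the script text and of the git process command line, and log masking from `issecret=true` does not cover either. Supplying the same URL-scoped key through the step's `env:` with `GIT_CONFIG_COUNT`, `GIT_CONFIG_KEY_0` and `GIT_CONFIG_VALUE_0` keeps it out of argv while child git processes still inherit it. This needs Git 2.31 or newer on the agent, which the hunk does not show. The push step would take the same `env:` block as the clone step sketched below.

```yaml
- script: |
    git clone https://dev.azure.com/dnceng/internal/_git/$(AzdoRepo) $(WorkingDirectoryName) --recursive --no-tags --branch $(TargetBranchName)
  displayName: Clone AzDO repo
  env:
    GIT_CONFIG_COUNT: "1"
    GIT_CONFIG_KEY_0: http.https://dev.azure.com/.extraheader
    GIT_CONFIG_VALUE_0: "Authorization: Bearer $(WifAzdoToken)"
# … unchanged: merge step; push step gets the same env block …
```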