diff --git a/eng/common/pipelines/templates/steps/create-pull-request.yml b/eng/common/pipelines/templates/steps/create-pull-request.yml
index 57e413c2db78..397856dd6032 100644
--- a/eng/common/pipelines/templates/steps/create-pull-request.yml
+++ b/eng/common/pipelines/templates/steps/create-pull-request.yml
@@ -1,5 +1,6 @@
-# Expects azuresdk-github-pat is set to the PAT for azure-sdk
-# Expects the buildtools to be cloned
+# Expects AuthToken to be a valid GitHub token.
+# Defaults to azuresdk-github-pat for backwards compatibility.
+# New callers should pass AuthToken: '' to auto-login via login-to-github.yml.
 
 parameters:
   BaseBranchName: $(Build.SourceBranch)
@@ -21,8 +22,19 @@ parameters:
   SkipCheckingForChanges: false
   CloseAfterOpenForTesting: false
   OpenAsDraft: false
+  AuthToken: $(azuresdk-github-pat)
+  # PushAuthToken: for cross-org pushes (pushing to PROwner's fork in a different org).
+  # Defaults to AuthToken when not specified.
+  PushAuthToken: ''
 
 steps:
+- ${{ if eq(parameters.AuthToken, '') }}:
+  - template: /eng/common/pipelines/templates/steps/login-to-github.yml
+    parameters:
+      TokenOwners:
+        - ${{ parameters.RepoOwner }}
+      ScriptDirectory: ${{ parameters.ScriptDirectory }}
+
 - template: /eng/common/pipelines/templates/steps/git-push-changes.yml
   parameters:
     BaseRepoBranch: ${{ parameters.PRBranchName }}
@@ -34,6 +46,7 @@ steps:
     WorkingDirectory: ${{ parameters.WorkingDirectory }}
     ScriptDirectory: ${{ parameters.ScriptDirectory }}
     SkipCheckingForChanges: ${{ parameters.SkipCheckingForChanges }}
+    AuthToken: ${{ coalesce(parameters.PushAuthToken, parameters.AuthToken, '$(GH_TOKEN)') }}
 
 - task: PowerShell@2
   displayName: Create pull request
@@ -48,7 +61,7 @@ steps:
       -BaseBranch "${{ parameters.BaseBranchName }}"
       -PROwner "${{ parameters.PROwner }}"
       -PRBranch "${{ parameters.PRBranchName }}"
-      -AuthToken "$(azuresdk-github-pat)"
+      -AuthToken "${{ coalesce(parameters.AuthToken, '$(GH_TOKEN)') }}"
       -PRTitle "${{ parameters.PRTitle }}"
       -PRBody "${{ coalesce(parameters.PRBody, parameters.CommitMsg, parameters.PRTitle) }}"
       -PRLabels "${{ parameters.PRLabels }}"
diff --git a/eng/common/pipelines/templates/steps/create-tags-and-git-release.yml b/eng/common/pipelines/templates/steps/create-tags-and-git-release.yml
index 3981dc1b2c52..35df366c2322 100644
--- a/eng/common/pipelines/templates/steps/create-tags-and-git-release.yml
+++ b/eng/common/pipelines/templates/steps/create-tags-and-git-release.yml
@@ -8,8 +8,16 @@ parameters:
   ScriptDirectory: eng/common/scripts
   NpmConfigUserConfig: ''
   NpmConfigRegistry: ''
+  AuthToken: $(azuresdk-github-pat)
 
 steps:
+- ${{ if eq(parameters.AuthToken, '') }}:
+  - template: /eng/common/pipelines/templates/steps/login-to-github.yml
+    parameters:
+      TokenOwners:
+        - ${{ split(parameters.RepoId, '/')[0] }}
+      ScriptDirectory: ${{ parameters.ScriptDirectory }}
+
 - task: PowerShell@2
   displayName: 'Verify Package Tags and Create Git Releases'
   inputs:
@@ -24,7 +32,7 @@ steps:
     pwsh: true
   timeoutInMinutes: 5
   env:
-    GH_TOKEN: $(azuresdk-github-pat)
+    GH_TOKEN: ${{ coalesce(parameters.AuthToken, '$(GH_TOKEN)') }}
     SYSTEM_ACCESSTOKEN: $(System.AccessToken)
     ${{ if ne(parameters.NpmConfigUserConfig, '') }}:
       npm_config_userconfig: ${{ parameters.NpmConfigUserConfig }}
diff --git a/eng/common/pipelines/templates/steps/git-push-changes.yml b/eng/common/pipelines/templates/steps/git-push-changes.yml
index 53d70fac45be..7df62145b980 100644
--- a/eng/common/pipelines/templates/steps/git-push-changes.yml
+++ b/eng/common/pipelines/templates/steps/git-push-changes.yml
@@ -5,11 +5,19 @@ parameters:
   TargetRepoOwner: Azure
   TargetRepoName: $(Build.Repository.Name)
   PushArgs:
-  WorkingDirectory: $(System.DefaultWorkingDirectory)'
+  WorkingDirectory: $(System.DefaultWorkingDirectory)
   ScriptDirectory: eng/common/scripts
   SkipCheckingForChanges: false
+  AuthToken: $(azuresdk-github-pat)
 
 steps:
+- ${{ if eq(parameters.AuthToken, '') }}:
+  - template: /eng/common/pipelines/templates/steps/login-to-github.yml
+    parameters:
+      TokenOwners:
+        - ${{ parameters.TargetRepoOwner }}
+      ScriptDirectory: ${{ parameters.ScriptDirectory }}
+
 - task: PowerShell@2
   displayName: Check for changes
   condition: and(succeeded(), eq(${{ parameters.SkipCheckingForChanges }}, false))
@@ -31,7 +39,7 @@ steps:
 - template: /eng/common/pipelines/templates/steps/emit-rate-limit-metrics.yml
   parameters:
     GitHubUser: azure-sdk
-    GitHubToken: $(azuresdk-github-pat)
+    GitHubToken: ${{ coalesce(parameters.AuthToken, '$(GH_TOKEN)') }}
 
 - task: PowerShell@2
   displayName: Push changes
@@ -43,6 +51,6 @@ steps:
     arguments: >
       -PRBranchName "${{ parameters.BaseRepoBranch }}"
       -CommitMsg "${{ parameters.CommitMsg }}"
-      -GitUrl "https://$(azuresdk-github-pat)@github.com/${{ parameters.BaseRepoOwner }}/$(RepoNameWithoutOwner).git"
+      -GitUrl "https://x-access-token:${{ coalesce(parameters.AuthToken, '$(GH_TOKEN)') }}@github.com/${{ parameters.BaseRepoOwner }}/$(RepoNameWithoutOwner).git"
       -PushArgs "${{ parameters.PushArgs }}"
       -SkipCommit $${{ parameters.SkipCheckingForChanges }}