diff --git a/.azure/pipelines/ci.yml b/.azure/pipelines/ci.yml
index 300305948a..835b8bf0ef 100644
--- a/.azure/pipelines/ci.yml
+++ b/.azure/pipelines/ci.yml
@@ -65,7 +65,10 @@ variables:
       valule: test
     - name: _PublishArgs
       value: ''
-
+  # used for post-build phases, internal builds only
+  - ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
+    - group: DotNet-AspNet-SDLValidation-Params
+    
 stages:
 - stage: build
   displayName: Build
@@ -634,3 +637,17 @@ stages:
       enableSymbolValidation: false
       enableSigningValidation: false
       publishInstallersAndChecksums: true
+      # This is to enable SDL runs part of Post-Build Validation Stage
+      SDLValidationParameters:
+        enable: true
+        continueOnError: false
+        params: ' -SourceToolsList @("policheck","credscan")
+        -TsaInstanceURL $(_TsaInstanceURL)
+        -TsaProjectName $(_TsaProjectName)
+        -TsaNotificationEmail $(_TsaNotificationEmail)
+        -TsaCodebaseAdmin $(_TsaCodebaseAdmin)
+        -TsaBugAreaPath $(_TsaBugAreaPath)
+        -TsaIterationPath $(_TsaIterationPath)
+        -TsaRepositoryName "AspNetCore"
+        -TsaCodebaseName "AspNetCore"
+        -TsaPublish $True'