diff --git a/eng/common/pipelines/templates/steps/retain-run.yml b/eng/common/pipelines/templates/steps/retain-run.yml index c2ac61866..f7d854143 100644 --- a/eng/common/pipelines/templates/steps/retain-run.yml +++ b/eng/common/pipelines/templates/steps/retain-run.yml @@ -1,6 +1,6 @@ parameters: - name: DaysValid - default: 365 + default: 731 type: number steps: @@ -16,7 +16,6 @@ steps: -Project $(System.TeamProject) -DefinitionId $(System.DefinitionId) -RunId $(Build.BuildId) - -OwnerId Pipeline - -DaysValid ${{parameters.DaysValid}} + -DaysValid ${{ parameters.DaysValid }} -AccessToken $env:SYSTEM_ACCESSTOKEN -Debug \ No newline at end of file diff --git a/eng/common/scripts/Add-RetentionLease.ps1 b/eng/common/scripts/Add-RetentionLease.ps1 index dd56c20a5..cbc677730 100644 --- a/eng/common/scripts/Add-RetentionLease.ps1 +++ b/eng/common/scripts/Add-RetentionLease.ps1 
@@ -12,28 +12,33 @@ param( [Parameter(Mandatory = $true)] [int]$RunId, - [Parameter(Mandatory = $true)] - [string]$OwnerId, - [Parameter(Mandatory = $true)] [int]$DaysValid, - [Parameter(Mandatory = $true)] - [string]$AccessToken + [Parameter(Mandatory = $false)] + [string]$OwnerId = "azure-sdk-pipeline-automation", + + [Parameter(Mandatory = $false)] + [string]$AccessToken = $env:DEVOPS_PAT ) +Set-StrictMode -Version 3 + +. (Join-Path $PSScriptRoot common.ps1) + $unencodedAuthToken = "nobody:$AccessToken" $unencodedAuthTokenBytes = [System.Text.Encoding]::UTF8.GetBytes($unencodedAuthToken) $encodedAuthToken = [System.Convert]::ToBase64String($unencodedAuthTokenBytes) -# We are doing this here so that there is zero chance that this token is emitted in Azure Pipelines -# build logs. Azure Pipelines will see this text and register the secret as a value it should *** out -# before being transmitted to the server (and shown in logs). It means if the value is accidentally -# leaked anywhere else that it won't be visible. The downside is that when the script is executed -# on a local development box, it will be visible. -Write-Host "##vso[task.setvariable variable=_throwawayencodedaccesstoken;issecret=true;]$($encodedAuthToken)" +if ($isDevOpsRun) { + # We are doing this here so that there is zero chance that this token is emitted in Azure Pipelines + # build logs. Azure Pipelines will see this text and register the secret as a value it should *** out + # before being transmitted to the server (and shown in logs). It means if the value is accidentally + # leaked anywhere else that it won't be visible. The downside is that when the script is executed + # on a local development box, it will be visible. + Write-Host "##vso[task.setvariable variable=_throwawayencodedaccesstoken;issecret=true;]$($encodedAuthToken)" +} -. 
(Join-Path $PSScriptRoot common.ps1) LogDebug "Checking for existing leases on run: $RunId" $existingLeases = Get-RetentionLeases -Organization $Organization -Project $Project -DefinitionId $DefinitionId -RunId $RunId -OwnerId $OwnerId -Base64EncodedAuthToken $encodedAuthToken diff --git a/eng/common/scripts/Invoke-DevOpsAPI.ps1 b/eng/common/scripts/Invoke-DevOpsAPI.ps1 index 41f4796d4..bc89aa88b 100644 --- a/eng/common/scripts/Invoke-DevOpsAPI.ps1 +++ b/eng/common/scripts/Invoke-DevOpsAPI.ps1 @@ -137,7 +137,7 @@ function Add-RetentionLease { $RunId, $OwnerId, $DaysValid, - $Base64AuthToken + $Base64EncodedAuthToken ) $parameter = @{}
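Review bot: With `-AccessToken` now optional and defaulting to `$env:DEVOPS_PAT`, a run where neither is supplied reaches the `"nobody:$AccessToken"` line with an empty token and goes on to query and create leases with credentials that carry no secret; an unset environment variable evaluates to `$null` without tripping `Set-StrictMode`, so nothing stops it early. A guard directly after the `param(...)` block would fail fast with a clear message, for example `if ([string]::IsNullOrWhiteSpace($AccessToken)) { throw "AccessToken was not supplied and DEVOPS_PAT is not set." }`. The `##vso[task.setvariable ... issecret=true]` masking line is now skipped whenever `$isDevOpsRun` is false; that variable is not defined in this hunk (presumably it comes from common.ps1, which is now dot-sourced earlier), so it is worth confirming it is true on every agent that runs this script. The comment kept inside the `if` still says the token will be visible on a local development box, which no longer describes this branch and should be reworded.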