diff --git a/build-tools/automation/azure-pipelines.yaml b/build-tools/automation/azure-pipelines.yaml
index 98584c0d217..15020124ea2 100644
--- a/build-tools/automation/azure-pipelines.yaml
+++ b/build-tools/automation/azure-pipelines.yaml
@@ -60,8 +60,12 @@ extends:
 enableAllTools: false
 binskim:
 scanOutputDirectoryOnly: true
- # Only scan actual build output, not test assemblies under bin/Test*
- analyzeTargetGlob: bin\Build*\**
+ # Scan build output and MSI conversion output, but not test assemblies
+ # under bin/Test* which produce BA2021 false positives.
+ # Both patterns are needed because the 1ES template applies sdl config
+ # globally: build/test jobs produce bin\Build*\ output, while the
+ # "Convert NuGet to MSI" job only produces bin\msi-nupkgs\ output.
+ analyzeTargetGlob: bin\Build*\**;bin\msi-nupkgs\**
 codeql:
 compiled:
 enabled: false
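Review bot: `analyzeTargetGlob` is still an allowlist, so any job that later writes binaries to another directory under `bin\` will be skipped by BinSkim with no warning, which appears to be the same kind of gap this change patches for `bin\msi-nupkgs\`. The new comment explains why both patterns exist but not that the list has to be maintained; I would add a line such as `# Allowlist: add every new output directory here, otherwise BinSkim will not scan it.` If the 1ES template's glob syntax supports exclusion patterns (not visible here, to be confirmed), excluding `bin\Test*` instead would make unscanned output the exception rather than the default. The enclosing `sdl`/`binskim` block starts and ends outside the hunk, so other settings that affect scan scope are not visible.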