DRAG DROP
You have a project in Azure DevOps named Project1 that contains two Azure DevOps pipelines named Pipeline1 and Pipeline2.
You need to ensure that Pipeline1 can deploy code successfully to an Azure web app named webapp1. The solution must ensure that Pipeline2 does not have permission to webapp1.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Answer(s): A
Step 1: Create a service principal in Microsoft Entra ID
We need it in step 3.
Step 2: In Project1, create a service connection
You can create a connection from Azure Pipelines to external and remote services for executing tasks in a job. Once you establish a connection, you can view, edit, and add security to the service connection.
Step 3: In Project, configure permissions.
To authorize a service connection for a specific pipeline, open the pipeline by selecting Edit and queue a build manually. You see a resource authorization error and an "Authorize resources" action on the error. Choose this action to explicitly add the pipeline as an authorized user of the service connection.
Azure Resource Manager service connection
Use the following parameters to define and secure a connection to a Microsoft Azure subscription using Service Principal Authentication (SPA) or an Azure managed Service Identity. The dialog offers two main modes:
* Automated subscription detection. In this mode, Azure Pipelines queries Azure for all of the subscriptions and instances to which you have access. They use the credentials you're currently signed in with in Azure Pipelines (including Microsoft accounts and School or Work accounts).
If you don't see the subscription you want to use, sign out of Azure Pipelines and sign in again using the appropriate account credentials.
* Manual subscription pipeline. In this mode, you must specify the service principal you want to use to connect to Azure. The service principal specifies the resources and the access levels that are available over the connection.
Use this approach when you need to connect to an Azure account using different credentials from the credentials you're currently signed in with in Azure Pipelines. It's a useful way to maximize security and limit access. Service principals are valid for two years.
https://docs.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure
https://docs.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints
DRAG DROP
You need to increase the security of your team's development process.
Which type of security tool should you recommend for each stage of the development process? To answer, drag the appropriate security tools to the correct stages. Each security tool may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Note: Each correct selection is worth one point.
Select and Place:
Box 1: Threat modeling
Threat modeling's motto should be, "The earlier the better, but not too late and never ignore."
Box 2: Static code analysis
Validation in the CI/CD begins before the developer commits his or her code. Static code analysis tools in the IDE provide the first line of defense to help ensure that security vulnerabilities are not introduced into the CI/CD process.
Box 3: Penetration testing
Once your code quality is verified, and the application is deployed to a lower environment like development or QA, the process should verify that there are not any security vulnerabilities in the running application. This can be accomplished by executing an automated penetration test against the running application to scan it for vulnerabilities.
https://docs.microsoft.com/en-us/azure/devops/articles/security-validation-cicd-pipeline?view=vsts
You plan to use a NuGet package in a project in Azure DevOps. The NuGet package is in a feed that requires authentication.
You need to ensure that the project can restore the NuGet package automatically.
What should the project use to automate the authentication?
Answer(s): B
The Azure Artifacts Credential Provider automates the acquisition of credentials needed to restore NuGet packages as part of your .NET development workflow. It integrates with MSBuild, dotnet, and NuGet(.exe) and works on Windows, Mac, and Linux. Any time you want to use packages from an Azure Artifacts feed, the Credential Provider will automatically acquire and securely store a token on behalf of the NuGet client you're using.
https://github.com/Microsoft/artifacts-credprovider
You use Azure Pipelines to manage project builds and deployments.
You plan to use Azure Pipelines for Microsoft Teams to notify the legal team when a new build is ready for release.
You need to configure the Organization Settings in Azure DevOps to support Azure Pipelines for Microsoft Teams.
What should you turn on?
The Azure Pipelines app uses the OAuth authentication protocol, and requires Third-party application access via OAuth for the organization to be enabled. To enable this setting, navigate to Organization Settings > Security > Policies, and set the Third-party application access via OAuth for the organization setting to On.
https://docs.microsoft.com/en-us/azure/devops/pipelines/integrations/microsoft-teams
DRAG DROP
You have an Azure subscription that uses Azure Monitor and contains a Log Analytics workspace.
You have an encryption key.
You need to configure Azure Monitor to use the key to encrypt log data.
Which five actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Note: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.
Select and Place:
Customer-Managed key provisioning steps:
Step 1: Create an Azure Key vault and store the key.
Creating Azure Key Vault and storing key. Create or use an existing Azure Key Vault in the region where the cluster is planned, and generate or import a key to be used for logs encryption.
Step 2: Create an Azure Monitor Logs dedicated cluster that has a system-assigned managed identity
Clusters use managed identity for data encryption with your Key Vault. Configure the identity type property to SystemAssigned when creating your cluster to allow access to your Key Vault for "wrap" and "unwrap" operations.
Step 3: Grant the system-assigned managed identity Key permissions for the key vault.
Grant Key Vault permissions.
Create an Access Policy in Key Vault to grant permissions to your cluster. These permissions are used by the underlying cluster storage. Open your Key Vault in Azure portal and click Access Policies then + Add Access Policy to create a policy with these settings:
Key permissions: select Get, Wrap Key and Unwrap Key.
Etc.
1. Creating cluster
2. Granting permissions to your Key Vault
3. Updating cluster with key identifier details
4. Linking workspaces
Step 4: Configure the key vault properties for the cluster.
Update cluster with key identifier details.
Step 5: Link the Log Analytics workspace to the cluster
Link workspace to cluster.
This step should be performed only after the cluster provisioning. If you link workspaces and ingest data prior to the provisioning, ingested data will be dropped and won't be recoverable.
https://docs.microsoft.com/en-us/azure/azure-monitor/logs/customer-managed-keys
DRAG DROP
You need to deploy a new project in Azure DevOps that has the following requirements:
· The lead developer must be able to create repositories, manage permissions, manage policies, and contribute to the repository.
· Developers must be able to contribute to the repository and create branches, but NOT bypass policies when pushing builds.
· Project managers must only be able to view the repository.
· The principle of least privilege must be used.
You create a new Azure DevOps project team for each role.
To which Azure DevOps groups should you add each team? To answer, drag the appropriate groups to the correct teams. Each group may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Note: Each correct selection is worth one point.
Select and Place:
Box 1: Readers
Project managers must only be able to view the repository.
Only read permission necessary.
Box 2: Project Administrators
The lead developer must be able to create repositories, manage permissions, manage policies, and contribute to the repository.
Add to the Project Collection Administrators security group users tasked with managing organization or collection resources.
Box 3: Contributors
Developers must be able to contribute to the repository and create branches, but NOT bypass policies when pushing builds.
Add to the Contributors security group full-time workers who contribute to the code base or manage projects.
https://docs.microsoft.com/en-us/azure/devops/organizations/security/look-up-project-collection-administrators
You plan to provision a self-hosted Linux agent.
Which authentication mechanism should you use to register the self-hosted agent?
Note: PAT Supported only on Azure Pipelines and TFS 2017 and newer. After you choose PAT, paste the PAT token you created into the command prompt window. Use a personal access token (PAT) if your Azure DevOps Server or TFS instance and the agent machine are not in a trusted domain. PAT authentication is handled by your Azure DevOps Server or TFS instance instead of the domain controller.
https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/v2-linux
DRAG DROP
You have an Azure subscription that contains a project in Azure DevOps named Project1. In Microsoft Entra ID, you have three users that require access to Project1 as shown in the following table.
You need to ensure that the users have the appropriate permissions. The solution must use the principle of least privilege.
To which permission group in Azure DevOps should you add each user? To answer, drag the appropriate permission groups to the correct users. Each permission group may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Note: Each correct selection is worth one point.
Select and Place:
Box 1: Readers
Default repository permissions
By default, members of the project Contributors group have permissions to contribute to a repository. This includes the ability to create branches, create tags, and manage notes.
https://docs.microsoft.com/en-us/azure/devops/repos/git/set-git-repository-permissions?view=azure-devops
Share your comments for Microsoft AZ-400 exam with other users:
Question 2:
This is very good and accurate. Explanation is very helpful even though some are not 100% right but good enough to pass.