Microsoft Role-based AZ-400 Questions & Answers

• Question 1:

  DRAG DROP

  You have a tenant in Microsoft Azure Active Directory (Azure AD), part of Microsoft Entra. The tenant contains three groups named Group1, Group2, and Group3.

  You create a new project in Azure DevOps named Project1.

  You need to secure the service connections for Project1. The solution must meet the following requirements:

  1.

  The members of Group1 must be able to share and unshare a service connection with other projects.

  2.

  The members of Group2 must be able to rename a service connection and update the description.

  3.

  The members of Group3 must be able to use the service connection within build or release pipelines.

  4.

  The principle of least privilege must be followed.

  Which permission should you grant to each group? To answer, drag the appropriate permissions to the correct groups. Each permission may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

  NOTE: Each correct selection is worth one point.

  Select and Place:

  

  Correct Answer:

  

  Box 1: Organization-level Administrator

  The members of Group1 must be able to share and unshare a service connection with other projects.

  Add members to the Project Collection Administrators group

  When you create an organization, you become a member of the Project Collection Administrators group. This group has the authority to manage the organization's settings, policies, and processes. It can also create and manage all the

  projects and extensions in the organization.

  Incorrect:

  * Project-level Administrators Add members to the Project Administrators group The person who creates a project is automatically added as a member to the Project Administrators group. Members of this group have permissions to manage project configuration, repositories, pipeline resources, teams, and all project-level permissions.

  It's always a good idea to have more than one person who has administrative privileges. To add a user to this group, see Change permissions at the project level, Add members to the Project Administrators group.

  Grant or restrict permissions

  Permissions are managed at the following three levels and through role-based assignments.

  object

  project

  organization or collection

  As a member of the Project Administrators group, you can grant or restrict permissions for all objects and at the project-level. To delegate specific tasks to others, we recommend that you add them to a built-in or custom security group, or add

  them to a specific role.

  Box 2: Creator

  The members of Group2 must be able to rename a service connection and update the description.

  You can create, view, use, and manage a service connection based on your assigned user roles.

  Role Creator

  Members of this role can create the service connection in the project. Contributors are added as members by default

  Box 3: User

  The members of Group3 must be able to use the service connection within build or release pipelines.

  Role User

  Members of this role can use the service connection when authoring build or release pipelines or authorize yaml pipelines.

  Note: User permissions on service connections

  Reference:

  https://learn.microsoft.com/en-us/azure/devops/user-guide/manage-organization-collection

  https://learn.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints

  https://learn.microsoft.com/en-us/azure/devops/user-guide/project-admin-tutorial

• Question 2:

  DRAG DROP

  You plan to use Azure DevOps in development processes.

  You identify the following issues with the existing development processes:

  1.

  Frequent discovery of bugs in production

  2.

  Increasing detection of bugs by customers

  3.

  Slow resolution of bugs and slow resumption of production

  You need to implement Key Performance Indicators (KPIs) to track each issue.

  Which KPI should you implement for each issue? To answer, drag the appropriate KPIs to the correct issues. Each KPI may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

  NOTE: Each correct selection is worth one point.

  Select and Place:

  

  Correct Answer:

  

  Box 1: Defect Escape Rate Defect Escape Rate

  -What percentage of defects are being found in production?

  Box 2: Bug Report Rates Bug Report Rates

  -You don't want customers finding bugs in your code.

  -Is the amount they are finding increasing or decreasing?

  Box 3: Application Failure Rates

  Application Failure Rates

  How often do application failures occur, such as configuration failures, performance timeouts, etc?

  Incorrect:

  * Deployment Failure Rates

  -How often do deployments (and/or applications) fail?

• Question 3:

  DRAG DROP

  You use Semantic Versioning (SemVer) as a dependency versioning strategy.

  You perform changes to code as shown in the following table.

  

  Which part of the version should you increment for each change? To answer, drag the appropriate parts to the correct changes. Each part may be used once, more than once, or not at all. You may need to drag the split bar between panes or

  scroll to view content.

  NOTE: Each correct selection is worth one point.

  Select and Place:

  

  Correct Answer:

  

  Box 1: Minor New functionality: Yes Change: Minor

  Minor version Y (x.Y.z | x > 0) MUST be incremented if new, backward compatible functionality is introduced to the public API.

  Note: Given a version number MAJOR.MINOR.PATCH, increment the:

  MAJOR version when you make incompatible API changes MINOR version when you add functionality in a backward compatible manner PATCH version when you make backward compatible bug fixes Additional labels for pre-release and build metadata are available as extensions to the MAJOR.MINOR.PATCH format.

  Box 2: Major New functionality: Yes Change: Significant

  Major version zero (0.y.z) is for initial development. Anything MAY change at any time. The public API SHOULD NOT be considered stable.

  Box 3: Patch New functionality: No Change: Minor

  Patch version Z (x.y.Z | x > 0) MUST be incremented if only backward compatible bug fixes are introduced. A bug fix is defined as an internal change that fixes incorrect behavior.

• Question 4:

  DRAG DROP

  You have a GitHub repository named repo1 that stores the code of an app named App1. You need deploy a workflow for repo1 by using GitHub Actions. The solution must meet the following requirements:

  1.

  Scan on pushes to the main branch.

  2.

  Scan on pull requests to the main branch.

  3.

  Scan on pull requests to any branch that has a prefix of releases/.

  4.

  Scan all the files in the subdirectories of the src directory.

  How should you complete the code? To answer, drag he appropriate values to the correct targets. Each value may be used once, more than once, or not at all.

  Select and Place:

  

  Correct Answer:

  

  Box 1: -'releases/**'

  Scan on pull requests to any branch that has a prefix of releases/.

  Scan on pull requests to the main branch.

  For example, a workflow with the following trigger will only run when the workflow named Build runs on a branch whose name starts with releases/:

  on: workflow_run: workflows: ["Build"] types: [requested] branches:

  -'releases/**'

  Box 2: -'src/**'

  Scan all the files in the subdirectories of the src directory.

  Box 3: '*.md'

  Use the paths-ignore filter when you only want to exclude file path patterns. You cannot use both the paths and paths-ignore filters for the same event in a workflow.

• Question 5:

  DRAG DROP

  You have a project in Azure DevOps named Project that has a release pipeline in Azure Pipeline named ReleaseP1.

  You need to ensure that when a new release is generated for ReleaseP1, a new release note document is created. The release notes must contain new features and bug fixes.

  Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

  NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.

  Select and Place:

  

  Correct Answer:

  

  Step 1: Create a personal access token (PAT)

  1.

  Setup a PAT Token

  2.

  Secure Access to Tokens

  3.

  Create Pipeline

  4.

  Combining with the Azure CLI

  To support this, we’ll also need:

  A service-connection from Azure DevOps to Azure (a Service Principal with access to our Azure Subscription) (Step 2)

  Step 2: Create a service principal

  Step 3: Create a PowerShell task in ReleaseP1 that writes the retrieved data to a markdown file.

• Question 6:

  DRAG DROP

  You use an Azure pipeline to build a .NET app that has NuGet dependencies.

  You need to ensure that the pipeline caches required NuGet packages.

  How should you configure the pipeline? To answer, drag the appropriate values to the correct targets. Each value may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

  NOTE: Each correct selection is worth one point.

  Select and Place:

  

  Correct Answer:

  

  Box 1: $(Build.SourcesDirectory)/**/packages.lock.json'

  Cache NuGet packages

  We'll need to create a pipeline variable to point to the location of our packages on the agent running the pipeline.

  In this example, the content of the packages.lock.json will be hashed to produce a dynamic cache key. This ensures that every time the file is modified, a new cache key is generated.

  variables:

  NUGET_PACKAGES: $(Pipeline.Workspace)/.nuget/packages

  -task: Cache@2 displayName: Cache inputs:

  key: 'nuget | "$(Agent.OS)" | **/packages.lock.json,!**/bin/**,!**/obj/**'

  restoreKeys: |

  nuget | "$(Agent.OS)"

  nuget

  path: '$(NUGET_PACKAGES)'

  cacheHitVar: 'CACHE_RESTORED'

  Box 2: "$(Agent.OS

  Box 3: $(NUGET_PACKAGES)

  Reference: https://learn.microsoft.com/en-us/azure/devops/pipelines/artifacts/caching-nuget

• Question 7:

  DRAG DROP

  You have a web app named App1 that uses Application Insights in Azure Monitor.

  You need to compare the hourly CPU usage of App1 from the last 24 hours. The solution must include a graph that has a threshold line at 75 percent.

  How should you complete the query? To answer, drag the appropriate values to the correct targets. Each value may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

  NOTE: Each correct selection is worth one point.

  Select and Place:

  

  Correct Answer:

  

  Box 1: bin(TimeGenerated, 1h)

  Reference line

  A reference line can help you easily identify whether the metric exceeded a specific threshold. To add a line to a chart, extend the dataset by adding a constant column:

  Perf

  | where TimeGenerated > ago(1d)

  | where CounterName == "% Processor Time"

  | summarize avg(CounterValue), percentiles(CounterValue, 50, 95) by bin(TimeGenerated, 1h)

  | extend Threshold = 20

  Box 2: extend

  Reference:

  https://github.com/microsoft/Kusto-Query-Language/blob/master/doc/samples.md

• Question 8:

  DRAG DROP

  You have an Azure Pipelines application CI/CD pipeline named Pipeline1.

  You need to add OWASP ZAP testing to Pipeline1.

  Which four actions should you add to Pipeline1 in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

  Select and Place:

  

  Correct Answer:

  

  Step 1: Start the container How will you be able to test your app? First, you need to run your application which was containerized before in detached mode on a specific port so that the Owasp Zap scanner can perform attacks on that port and scan your app

  

  Step 2: Run the baseline Then run Owasp Zap container. Be careful NOT to run it in detached mode

  

  - bash: | chmod -R 777 ./ docker run --rm -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-full-scan.py -t http://$(ip -f inet -o addr show docker0 | awk '{print $4}' | cut -d '/' -f 1): -x xml_report.xml true displayName: 'Owasp Container Scan'

  Here, as can be seen it runs a Full Scan which runs the ZAP spider against the target. This means that the script performs “real attacks” and can run for a long period of time. Not ideally suited for CI, but is a useful tool for release-gates.

  You can change the scan type to Baseline Scan by changing zap-full-scan.py to zap-baseline.py in the code above. Baseline Scan runs the ZAP spider against the target for 1 minute, meaning that the script doesn't perform any “real attacks”.

  This scan runs on the pool agent. That is why you needed to run your application on this host in order for Owasp to scan it via the container port.

  Step 3: Run an active scan

  Step 4: Report the results

  We need a PowerShell script to convert the report file

  The ZAP scanner includes several reporting options. None of which are useful to teams. With the help of powershell script below, we will be able to obtain a much more useful report.

  

  -powershell: | $XslPath = "/xml_to_nunit.xslt" $XmlInputPath = "xml_report.xml" $XmlOutputPath = "converted_report.xml" $XslTransform = New-Object System.Xml.Xsl.XslCompiledTransform $XslTransform.Load($XslPath)

  $XslTransform.Transform($XmlInputPath, $XmlOutputPath)

  displayName: 'PowerShell Script'

  Last but not least, add a Publish Test Results task to convert the report file into Nunit format

  -task: PublishTestResults@2 displayName: 'Publish Test Results' inputs:

  testResultsFormat: 'NUnit'

  testResultsFiles: 'converted_report.xml'

  Reference:

• Question 9:

  DRAG DROP

  You are implementing a new project in Azure DevOps.

  You need to assess the performance of the project. The solution must identify the following metrics:

  How long it takes to complete a work item

  The percentage of defects found in production

  Which DevOps KPI should you review for each metric? To answer, drag the appropriate KPIs to the correct metrics. Each KPI may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to

  view content.

  NOTE: Each correct selection is worth one point.

  Select and Place:

  

  Correct Answer:

  

• Question 10:

  DRAG DROP

  You have a web app named App1 that uses Application Insights in Azure Monitor.

  You need to compare the hourly CPU usage of App1 from the last 24 hours. The solution must include a graph that has a threshold line at 75 percent.

  How should you complete the query? To answer, drag the appropriate values to the correct targets. Each value may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

  NOTE: Each correct selection is worth one point.

  Select and Place:

  Correct Answer:

  Box 1: bin(TimeGenerated, 1h)

  Reference line

  A reference line can help you easily identify whether the metric exceeded a specific threshold. To add a line to a chart, extend the dataset by adding a constant column:

  Perf

  | where TimeGenerated > ago(1d)

  | where CounterName == "% Processor Time"

  | summarize avg(CounterValue), percentiles(CounterValue, 50, 95) by bin(TimeGenerated, 1h)

  | extend Threshold = 20

  Box 2: extend

  Reference: https://github.com/microsoft/Kusto-Query-Language/blob/master/doc/samples.md