Microsoft Microsoft Certifications AZ-400 Questions & Answers

• Question 141:

  HOTSPOT

  You manage build and release pipelines by using Azure DevOps. Your entire managed environment resides in Azure.

  You need to configure a service endpoint for accessing Azure Key Vault secrets. The solution must meet the following requirements:

  1.

  Ensure that the secrets are retrieved by Azure DevOps.

  2.

  Avoid persisting credentials and tokens in Azure DevOps.

  How should you configure the service endpoint? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Azure Pipelines service connection

  Box 2: Managed Service Identity Authentication The managed identities for Azure resources feature in Azure Active Directory (Azure AD) provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.

  Reference: https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-key-vault

  https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

• Question 142:

  HOTSPOT

  You need to deploy Azure Kubernetes Service (AKS) to host an application. The solution must meet the following requirements:

  1.

  Containers must only be published internally.

  2.

  AKS clusters must be able to create and manage containers in Azure.

  What should you use for each requirement? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Azure Container Registry Azure services like Azure Container Registry (ACR) and Azure Container Instances (ACI) can be used and connected from independent container orchestrators like kubernetes (k8s). You can set up a custom ACR and connect it to an existing k8s cluster to ensure images will be pulled from the private container registry instead of the public docker hub.

  Box 2: An Azure service principal When you're using Azure Container Registry (ACR) with Azure Kubernetes Service (AKS), an authentication mechanism needs to be established. You can set up AKS and ACR integration during the initial creation of your AKS cluster. To allow an AKS cluster to interact with ACR, an Azure Active Directory service principal is used.

  References: https://thorsten-hans.com/how-to-use-private-azure-container-registry-with-kubernetes

  https://docs.microsoft.com/en-us/azure/aks/cluster-container-registry-integration

• Question 143:

  HOTSPOT

  You need to create deployment files for an Azure Kubernetes Service (AKS) cluster. The deployments must meet the provisioning storage requirements shown in the following table.

  

  Which resource type should you use for each deployment? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Deployment 1: Kubernetes.io/azure-file

  You can use Azure Files to connect using the Server Message Block (SMB) protocol.

  Deployment 2: Kubernetes.io/azure-disk

  Deployment 3: azurekeyvault-flexvolume

  azurekeyvault-flexvolume: Key Vault FlexVolume: Seamlessly integrate your key management systems with Kubernetes.

  Secrets, keys, and certificates in a key management system become a volume accessible to pods. Once the volume is mounted, its data is available directly in the container filesystem for your application.

  Incorrect Answers:

  blobfuse-flexvolume: This driver allows Kubernetes to access virtual filesystem backed by the Azure Blob storage.

  References:

  https://docs.microsoft.com/bs-cyrl-ba/azure/aks/azure-files-dynamic-pv

  https://docs.microsoft.com/en-us/azure/aks/azure-disks-dynamic-pv

• Question 144:

  HOTSPOT

  Your company is creating a suite of three mobile applications.

  You need to control access to the application builds. The solution must be managed at the organization level.

  What should you use? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Microsoft Visual Studio App Center distribution Groups Distribution Groups are used to control access to releases. A Distribution Group represents a set of users that can be managed jointly and can have common access to releases. Example of Distribution Groups can be teams of users, like the QA Team or External Beta Testers or can represent stages or rings of releases, such as Staging.

  Box 2: Shared

  Shared distribution groups are private or public distribution groups that are shared across multiple apps in a single organization. Shared distribution groups eliminate the need to replicate distribution groups across multiple apps.

  Note: With the Deploy with App Center Task in Visual Studio Team Services, you can deploy your apps from Azure DevOps (formerly known as VSTS) to App Center. By deploying to App Center, you will be able to distribute your builds to

  your users.

  References: https://docs.microsoft.com/en-us/appcenter/distribution/groups

• Question 145:

  HOTSPOT

  You currently use JIRA, Jenkins, and Octopus as part of your DevOps processes.

  You plan to use Azure DevOps to replace these tools.

  Which Azure DevOps service should you use to replace each tool? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  JIRA: Release pipelines Atlassian's Jira Software is a popular application that helps teams to plan, track, and manage software releases, whereas Octopus Deploy helps teams automate their development and operations processes in a fast, repeatable, and reliable manner. Together, they enable teams to get better end-to-end visibility into their software pipelines from idea to production.

  Jenkins: Repos One way to integrate Jenkins with Azure Pipelines is to run CI jobs in Jenkins separately. This involves configuration of a CI pipeline in Jenkins and a web hook in Azure DevOps that invokes the CI process when source code is pushed to a repository or a branch.

  Octopus: Build pipelines

  References: https://octopus.com/blog/octopus-jira-integration

  https://www.azuredevopslabs.com/labs/vstsextend/jenkins/

• Question 146:

  HOTSPOT

  Your company has an Azure subscription.

  The company requires that all resource group in the subscription have a tag named organization set to a value of Contoso.

  You need to implement a policy to meet the tagging requirement.

  How should you complete the policy? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: " Microsoft.Resources/subscriptions/resourceGroups"

  Box 2: "Deny",

  Sample - Enforce tag and its value on resource groups

  }, "policyRule": { "if": { "allOf": [

  {

  "field": "type",

  "equals": "Microsoft.Resources/subscriptions/resourceGroups"

  },

  {

  "not": {

  "field": "[concat('tags[',parameters('tagName'), ']')]",

  "equals": "[parameters('tagValue')]"

  }

  }

  ]

  },

  "then": {

  "effect": "deny" } } } }

  References: https://docs.microsoft.com/en-us/azure/governance/policy/samples/enforce-tag-on-resource-groups

• Question 147:

  HOTSPOT

  You are configuring a release pipeline in Azure DevOps as shown in the exhibit.

  

  Use the drop-down menus to select the answer choice that answers each question based on the information presented in the graphic.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: 5 There are five stages: Development, QA, Pre-production, Load Test and Production. They all have triggers. Box 2: The Internal Review stage References: https://docs.microsoft.com/en-us/azure/devops/pipelines/release/triggers

• Question 148:

  HOTSPOT

  You have an Azure DevOps project that contains a build pipeline. The build pipeline uses approximately 50 open source libraries.

  You need to ensure that the project can be scanned for known security vulnerabilities in the open source libraries.

  What should you do? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: A Build task Trigger a build You have a Java code provisioned by the Azure DevOps demo generator. You will use WhiteSource Bolt extension to check the vulnerable components present in this code.

  1.

  Go to Builds section under Pipelines tab, select the build definition WhiteSourceBolt and click on Queue to trigger a build.

  2.

  To view the build in progress status, click on ellipsis and select View build results.

  Box 2: WhiteSource Bolt WhiteSource is the leader in continuous open source software security and compliance management. WhiteSource integrates into your build process, irrespective of your programming languages, build tools, or development environments. It works automatically, continuously, and silently in the background, checking the security, licensing, and quality of your open source components against WhiteSource constantly-updated definitive database of open source repositories.

  References: https://www.azuredevopslabs.com/labs/vstsextend/whitesource/

• Question 149:

  HOTSPOT

  You have a project in Azure DevOps.

  You plan to create a build pipeline that will deploy resources by using Azure Resource Manager templates. The templates will reference secrets stored in Azure Key Vault.

  You need to ensure that you can dynamically generate the resource ID of the key vault during template deployment.

  What should you include in the template? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: "Microsoft.Resources/deployments"

  Reference a secret with dynamic ID. You need to reference a key vault secret that varies based on the current deployment.

  Example:

  "resources": [

  {

  "apiVersion": "2018-05-01",

  "name": "dynamicSecret",

  "type": "Microsoft.Resources/deployments",

  "properties": {

  "mode": "Incremental",

  "templateLink": {

  Box 2: "templateLink"

  In your parent template, you add the linked template and pass in a parameter that contains the dynamically generated resource ID.

  References: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-keyvault-parameter

• Question 150:

  HOTSPOT

  Your company uses Team Foundation Server 2013 (TFS 2013).

  You plan to migrate to Azure DevOps.

  You need to recommend a migration strategy that meets the following requirements:

  1.

  Preserves the dates of Team Foundation Version Control changesets

  2.

  Preserves the changes dates of work items revisions

  3.

  Minimizes migration effort

  4.

  Migrates all TFS artifacts

  What should you recommend? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Upgrade TFS to the most recent RTM release.

  One of the major prerequisites for migrating your Team Foundation Server database is to get your database schema version as close as possible to what is currently deployed in Azure Devops Services.

  Box 2: Use the TFS Database Import Service

  In Phase 3 of your migration project, you will work on upgrading your Team Foundation Server to one of the supported versions for the Database Import Service in Azure Devops Services.