Microsoft Microsoft Certifications AZ-400 Questions & Answers

• Question 221:

  You have a 1-TB Azure Repos repository named repo1.

  You need to clone repo1. The solution must meet the following requirements:

  1.

  You must be able to search the commit history of the /src directory

  2.

  The amount of time it takes to clone the repository must be minimized Which command should you run?

  A. git clone –-depth-1 [email protected]:v3/org/Project1/repo1

  B. git clone –-filter=blob:none [email protected]:v3/org/Project1/repo1

  C. git clone [email protected]:v3/org/Project1/repo1

  D. git clone –-filter=true:0 [email protected]:v3/org/Project1/repo1

  Correct Answer: B

  Partial clone

  As Git repositories grow in size, they can become cumbersome to work with because of:

  The large amount of history that must be downloaded.

  The large amount of disk space they require.

  Partial clone is a performance optimization that “allows Git to function without having a complete copy of the repository. The goal of this work is to allow Git better handle extremely large repositories.”

  Git 2.22.0 or later is required

  Filter by object type

  Introduced in GitLab 12.10.

  For repositories with millions of files and a long history, you can exclude all files and use git sparse-checkout to reduce the size of your working copy.

  # Clone the repo excluding all files

  $ git clone --filter=blob:none --sparse [email protected]:gitlab-com/www-gitlab-com.git

  Incorrect:

  Not A: "Clone depth" is a feature of git to reduce server load: Instead of cloning the complete repository (as usually done with git), using clone depth just clones the last clone-depth-number revisions of your repository.

  In literature this is also called "shallow clone"

  Git shallow clone lets you pull down just the latest commits, not the entire repo history. So if your project has years of history, or history from thousands of commits, you can select a particular depth to pull.

  Reference:

  https://docs.gitlab.com/ee/topics/git/partial_clone.html https://www.perforce.com/blog/vcs/git-beyond-basics-using-shallow-clones

• Question 222:

  You use GitHub to host container packages that use Semantic Versioning (SemVer).

  You have an app named App1. The current version of App1 is 11.2.0.

  You change the code of App1 to fix a bug that was introduced in version 10.5.1.

  Which version number should you assign to the release?

  A. 10.5.1-PATCH

  B. 11.2.1

  C. 10.5.2

  D. 10.6.0

  Correct Answer: B

  Semantic Versioning 2.0.0 Summary Given a version number MAJOR.MINOR.PATCH, increment the:

  MAJOR version when you make incompatible API changes MINOR version when you add functionality in a backward compatible manner PATCH version when you make backward compatible bug fixes Additional labels for pre-release and build metadata are available as extensions to the MAJOR.MINOR.PATCH format.

  Patch version Z (x.y.Z | x > 0) MUST be incremented if only backward compatible bug fixes are introduced. A bug fix is defined as an internal change that fixes incorrect behavior.

  Reference: https://semver.org/

• Question 223:

  You manage code by using GitHub.

  You need to ensure that repository owners are notified if a new vulnerable dependency or malware is found in their repository.

  What should you do?

  A. Configure CodeQL scanning actions.

  B. Configure Dependabot alerts.

  C. Configure branch protection rules for each repository.

  D. Subscribe all the repository owners to the GitHub Advisory Database.

  Correct Answer: B

  Identifying vulnerabilities in your project's dependencies with Dependabot alerts

  Dependabot generates Dependabot alerts when known vulnerabilites are detected in dependencies that your project uses.

  GitHub sends Dependabot alerts when we detect that your repository uses a vulnerable dependency or malware.

  Reference:

  https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts

• Question 224:

  You have a public GitHub repository named Public1.

  A commit is made to Public1. The commit contains a pattern that matches a regular expression.

  Who is notified first when the commit is made?

  A. the administrator of the GitHub organization

  B. the committer

  C. the owner of Public1

  D. the secret scanning partner

  Correct Answer: D

  Reference: https://docs.github.com/en/code-security/secret-scanning/secret-scanning-partner-program

• Question 225:

  You use GitHub for source control and Microsoft Teams for collaboration.

  You need to send a notification to a Teams channel for each commit. The solution must minimize development effort.

  What should you do?

  A. Use Azure Automation to connect to the GitHub Actions API and send a message to the Teams channel.

  B. Use the Microsoft Teams for GitHub app and configure a subscription to receive notifications in the Teams channel.

  C. Use GitHub Actions with a dispatch to send a message to the Teams channel by using the Teams API.

  D. Use Azure Functions to connect to the GitHub REST API and send a message to the Teams channel.

  Correct Answer: B

  Reference: https://github.com/marketplace/actions/microsoft-teams-notification

• Question 226:

  You manage source code control and versioning by using GitHub.

  You need to ensure that a PowerShell script is executed automatically before rebase operations are performed.

  What should you use?

  A. a package

  B. GitHub Copilot

  C. a webhook

  D. a gist

  Correct Answer: C

  Webhooks are most commonly used to simplify communication between two applications, but they can also be used to automate Infrastructure-as-code (IaC) workflows and enable GitOps practices.

  Webhooks allow you to build or set up integrations, such as GitHub Apps or OAuth Apps, which subscribe to certain events on GitHub.com. When one of those events is triggered, we'll send a HTTP POST payload to the webhook's

  configured URL. Webhooks can be used to update an external issue tracker, trigger CI builds, update a backup mirror, or even deploy to your production server. You're only limited by your imagination.

  Incorrect:

  Not B: GitHub Copilot is an AI pair programmer that offers autocomplete-style suggestions as you code. You can receive suggestions from GitHub Copilot either by starting to write the code you want to use, or by writing a natural language

  comment describing what you want the code to do.

  Not D: Gists provide a simple way to share code snippets with others. Every gist is a Git repository, which means that it can be forked and cloned. If you are signed in to GitHub when you create a gist, the gist will be associated with your account and you will see it in your list of gists when you navigate to your gist home page.

  Reference: https://docs.github.com/en/webhooks-and-events/webhooks/about-webhooks

• Question 227:

  You have an Azure key vault named KV1 and three web servers.

  You plan to deploy an app named App1 to the web servers.

  You need to ensure that App1 can retrieve a secret from KV1. The solution must meet the following requirements:

  1.

  Minimize the number of permission grants required.

  2.

  Follow the principle of least privilege. What should you include in the solution?

  A. role-based access control (RBAC) permission

  B. a system-assigned managed identity

  C. a user-assigned managed identity

  D. a service principal

  Correct Answer: C

  Grant yourself data plane access to the Key Vault

  Step 1: Set access policy.

  Set access policy.

  1.

  Go to the Azure Portal and log in using your Azure account

  2.

  Search for your Key Vault in Search Resources dialog box

  3.

  Select Overview > Access policies

  4.

  Click on Add Access Policy > Secret permissions > Get

  5.

  Click on Select Principal, add your account and pre created system-assigned identity

  6.

  Click on "OK" to add the new Access Policy, then click "Save" to save the Access Policy

  Etc.

  Note: You can use a managed identity to connect Key Vault to an Azure web app in .NET.

  Azure Key Vault provides a way to store credentials and other secrets with increased security. But your code needs to authenticate to Key Vault to retrieve them. Managed identities for Azure resources help to solve this problem by giving Azure services an automatically managed identity in Azure Active Directory (Azure AD). You can use this identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without having to display credentials in your code.

  A managed identity automatically manages application credentials.

  While developers can securely store the secrets in Azure Key Vault, services need a way to access Azure Key Vault. Managed identities provide an automatically managed identity in Microsoft Entra ID for applications to use when connecting

  to resources that support Microsoft Entra authentication. Applications can use managed identities to obtain Microsoft Entra tokens without having to manage any credentials.

  Managed identity types

  There are two types of managed identities:

  System-assigned. Some Azure resources, such as virtual machines allow you to enable a managed identity directly on the resource.

  User-assigned. You may also create a managed identity as a standalone Azure resource. You can create a user-assigned managed identity and assign it to one or more Azure Resources.

  Reference:

  https://learn.microsoft.com/en-us/azure/key-vault/general/tutorial-net-create-vault-azure-web-app https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

• Question 228:

  You manage code by using GitHub.

  You plan to use Dependabot to scan for code dependencies.

  You need to identify when scanning will be triggered automatically.

  Which two actions will trigger a scan? Each correct answer presents a complete solution.

  NOTE: Each correct solution is worth one point.

  A. The dependency graph of a repository changes.

  B. A pull request is created.

  C. A branch is forked.

  D. Any commit is pushed.

  E. A new advisory is added.

  Correct Answer: AE

  About Dependabot alerts, Detection of insecure dependencies

  Dependabot performs a scan of the default branch of your repository to detect insecure dependencies, and sends Dependabot alerts when:

  A new advisory is added to the GitHub Advisory Database.

  Note: Only advisories that have been reviewed by GitHub will trigger Dependabot alerts.

  The dependency graph for a repository changes. For example, when a contributor pushes a commit to change the packages or versions it depends on, or when the code of one of the dependencies changes.

  Reference:

  https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions

• Question 229:

  You plan to use Azure DevOps to build and deploy an app that will be hosted in a Kubernetes cluster. You need to scan the app image for vulnerabilities before the image is deployed to the cluster.

  What should you include in the solution?

  A. Microsoft Defender for Containers

  B. Microsoft Defender for App Service

  C. Microsoft Defender for DevOps

  D. Microsoft Defender for Storage

  Correct Answer: A

  Overview of Microsoft Defender for Containers

  Microsoft Defender for Containers is the cloud-native solution to improve, monitor, and maintain the security of your clusters, containers, and their applications.

  Defender for Containers assists you with four core aspects of container security:

  *

  Environment hardening - Defender for Containers protects your Kubernetes clusters whether they're running on Azure Kubernetes Service, Kubernetes on-premises/IaaS, or Amazon EKS. Defender for Containers continuously assesses clusters to provide visibility into misconfigurations and guidelines to help mitigate identified threats.

  *

  Vulnerability assessment - Vulnerability assessment and management tools for images stored in Azure Container Registry and Elastic Container Registry

  *

  Etc.

  Vulnerability assessment Defender for Containers scans the container images in Azure Container Registry (ACR) and Amazon AWS Elastic Container Registry (ECR) to provide vulnerability reports for your container images, providing details for each vulnerability detected, remediation guidance, real-world exploit insights, and more.

  Reference: https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-introduction

• Question 230:

  You have an app named App1 that is built by using Azure Pipelines. The source code for App1 is stored in Azure Repos and contains open source libraries.

  You need to identify security vulnerabilities in the open source code.

  What should you use?

  A. Mend Bolt

  B. Rollbar

  C. Code Climate

  D. DeepSource

  Correct Answer: A

  Mend Bolt (formerly WhiteSource)

  Mend Bolt is a FREE extension, which scans all your projects and detects open source components, their license and known vulnerabilities.

  Mend Secures and Manages Your Open Source Usage

  Mend integrates with your Azure DevOps Services continuous integration servers and detects all open source components in your software, without ever scanning your code. It provides you with real-time alerts on vulnerable and outdated

  open source components and generates comprehensive up-to-date inventory, licenses and security reports with only one click.

  Reference:

  https://marketplace.visualstudio.com/items?itemName=whitesource.whiteSource-bolt-v2