AZ-400 : Microsoft Azure DevOps Solutions : Part 04
-
You are building a Microsoft ASP.NET application that requires authentication.
You need to authenticate users by using Azure Active Directory (Azure AD).
What should you do first?
- Assign an enterprise application to users and groups
- Create an app registration in Azure AD
- Configure the application to use a SAML endpoint
- Create a new OAuth token from the application
- Create a membership database in an Azure SQL database
Explanation:
Register your application to use Azure Active Directory. Registering the application means that your developers can use Azure AD to authenticate users and request access to user resources such as email, calendar, and documents.
-
You have an Azure DevOps organization named Contoso.
You need to recommend an authentication mechanism that meets the following requirements:
– Supports authentication from Git
– Minimizes the need to provide credentials during authentication
What should you recommend?
- personal access tokens (PATs) in Azure DevOps
- Alternate credentials in Azure DevOps
- user accounts in Azure Active Directory (Azure AD)
- managed identities in Azure Active Directory (Azure AD)
Explanation:
Personal access tokens (PATs) give you access to Azure DevOps and Team Foundation Server (TFS), without using your username and password directly. These tokens have an expiration date from when they're created. You can restrict the scope of the data they can access. Use PATs to authenticate if you don't already have SSH keys set up on your system or if you need to restrict the permissions that are granted by the credential.
Incorrect Answers:
B: Azure DevOps no longer supports Alternate Credentials authentication as of March 2, 2020. If you're still using Alternate Credentials, we [Microsoft] strongly encourage you to switch to a more secure authentication method (for example, personal access tokens).
-
You have an application that consists of several Azure App Service web apps and Azure functions.
You need to assess the security of the web apps and the functions.
Which Azure feature can you use to provide a recommendation for the security of the application?
- Security & Compliance in Azure Log Analytics
- Resource health in Azure Service Health
- Smart Detection in Azure Application Insights
- Compute & apps in Azure Security Center
Explanation:
Monitor compute and app services: Compute & apps includes the App Services tab, which lists your App Service environments and the current security state of each.
Recommendations
This section has a set of recommendations for each VM and computer, web and worker roles, Azure App Service Web Apps, and Azure App Service Environment that Security Center monitors. The first column lists the recommendation. The second column shows the total number of resources that are affected by that recommendation. The third column shows the severity of the issue.
Incorrect Answers:
C: Smart Detection automatically warns you of potential performance problems, not security problems in your web application.
-
Your company has a project in Azure DevOps for a new web application.
The company identifies security as one of the highest priorities.
You need to recommend a solution to minimize the likelihood that infrastructure credentials will be leaked.
What should you recommend?
- Add a Run Inline Azure PowerShell task to the pipeline.
- Add a PowerShell task to the pipeline and run Set-AzureKeyVaultSecret.
- Add an Azure Key Vault task to the pipeline.
- Add Azure Key Vault references to Azure Resource Manager templates.
Explanation:
Azure Key Vault provides a way to securely store credentials and other keys and secrets.
The Set-AzureKeyVaultSecret cmdlet creates or updates a secret in a key vault in Azure Key Vault.
-
SIMULATION
You need to ensure that an Azure web app named az400-9940427-main can retrieve secrets from an Azure key vault named az400-9940427-kv1 by using a system managed identity.
The solution must use the principle of least privilege.
To complete this task, sign in to the Microsoft Azure portal.
- See explanation below.
Explanation:
In the Azure portal, navigate to the az400-9940427-main app.
Scroll down to the Settings group in the left navigation.
Select Managed identity.
Within the System assigned tab, switch Status to On. Click Save.
-
You create a Microsoft ASP.NET Core application.
You plan to use Azure Key Vault to provide secrets to the application as configuration data.
You need to create a Key Vault access policy to assign secret permissions to the application. The solution must use the principle of least privilege.
Which secret permissions should you use?
- List only
- Get only
- Get and List
Explanation:
Application data plane permissions:
– Keys: sign
– Secrets: get
-
DRAG DROP
Your company has a project in Azure DevOps.
You plan to create a release pipeline that will deploy resources by using Azure Resource Manager templates. The templates will reference secrets stored in Azure Key Vault.
You need to recommend a solution for accessing the secrets stored in the key vault during deployments. The solution must use the principle of least privilege.
What should you include in the recommendation? To answer, drag the appropriate configurations to the correct targets. Each configuration may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: A Key Vault advanced access policy
Box 2: RBAC
Management plane access control uses RBAC.
The management plane consists of operations that affect the key vault itself, such as:
– Creating or deleting a key vault.
– Getting a list of vaults in a subscription.
– Retrieving Key Vault properties (such as SKU and tags).
– Setting Key Vault access policies that control user and application access to keys and secrets.
-
DRAG DROP
You need to configure access to Azure DevOps agent pools to meet the following requirements:
– Use a project agent pool when authoring build or release pipelines.
– View the agent pool and agents of the organization.
– Use the principle of least privilege.
Which role memberships are required for the Azure DevOps organization and the project? To answer, drag the appropriate role memberships to the correct targets. Each role membership may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Reader
Members of the Reader role can view the organization agent pool as well as agents. You typically use this to add operators that are responsible for monitoring the agents and their health.
Box 2: Service account
Members of the Service account role can use the organization agent pool to create a project agent pool in a project. If you follow the guidelines above for creating new project agent pools,
you typically do not have to add any members here.
Incorrect Answers:
In addition to all the permissions given the Reader and the Service Account role, members of the Administrator role can register or unregister agents from the organization agent pool. They can also refer to the organization agent pool when creating a project agent pool in a project. Finally, they can also manage membership for all roles of the organization agent pool. The user that created the organization agent pool is automatically added to the Administrator role for that pool.
-
You have a branch policy in a project in Azure DevOps. The policy requires that code always builds successfully.
You need to ensure that a specific user can always merge changes to the master branch, even if the code fails to compile. The solution must use the principle of least privilege.
What should you do?
- Add the user to the Build Administrators group.
- Add the user to the Project Administrators group.
- From the Security settings of the repository, modify the access control for the user.
- From the Security settings of the branch, modify the access control for the user.
Explanation:
In some cases, you need to bypass policy requirements so you can push changes to the branch directly or complete a pull request even if branch policies are not satisfied. For these situations, grant the desired permission from the previous list to a user or group. You can scope this permission to an entire project, a repo, or a single branch. Manage this permission along with the other Git permissions.
-
You have an Azure Resource Manager template that deploys a multi-tier application.
You need to prevent the user who performs the deployment from viewing the account credentials and connection strings used by the application.
What should you use?
- Azure Key Vault
- a Web.config file
- an Appsettings.json file
- an Azure Storage table
- an Azure Resource Manager parameter file
Explanation:
When you need to pass a secure value (like a password) as a parameter during deployment, you can retrieve the value from an Azure Key Vault. You retrieve the value by referencing the key vault and secret in your parameter file. The value is never exposed because you only reference its key vault ID. The key vault can exist in a different subscription than the resource group you are deploying to.
-
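A worked parameter file for the Key Vault reference described in the explanation of the previous question (an added example, not part of the original page): the subscription ID, resource group, vault name, secret names and secret version are placeholders. It assumes the template declares each such parameter with type securestring and that the vault has the enabledForTemplateDeployment property set, which is what lets Resource Manager read the secret at deployment time without the deploying user ever seeing its value.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "sqlAdminPassword": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/<subscription-id>/resourceGroups/<vault-resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name>"
        },
        "secretName": "sqlAdminPassword"
      }
    },
    "storageConnectionString": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/<subscription-id>/resourceGroups/<vault-resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name>"
        },
        "secretName": "storageConnectionString",
        "secretVersion": "<secret-version-id>"
      }
    }
  }
}
```

Pinning secretVersion makes a deployment reproducible; omitting it always resolves the current version of the secret.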
SIMULATION
Your company plans to implement a new compliance strategy that will require all Azure web apps to be backed up every five hours.
You need to back up an Azure web app named az400-11566895-main every five hours to an Azure Storage account in your resource group.
To complete this task, sign in to the Microsoft Azure portal.
- See explanation below.
Explanation:
With the storage account ready, you can configure backups in the web app or App Service.
1. Open the App Service az400-11566895-main, which you want to protect, in the Azure Portal and browse to Settings > Backups. Click Configure and a Backup Configuration blade should appear.
2. Select the storage account.
3. Click + to create a private container. You could name this container after the web app or App Service.
4. Select the container.
5. If you want to schedule backups, then set Scheduled Backup to On and configure a schedule: every five hours
6. Select your retention. Note that 0 means never delete backups.
7. Decide if at least one backup should always be retained.
8. Choose if any connected databases should be included in the web app backup.
9. Click Save to finalize the backup configuration.
-
SIMULATION
You need to configure a virtual machine named VM1 to securely access stored secrets in an Azure Key Vault named az400-11566895-kv.
To complete this task, sign in to the Microsoft Azure portal.
- See explanation below.
Explanation:
You can use a system-assigned managed identity for a Windows virtual machine (VM) to access Azure Key Vault.
1. Sign in to Azure portal
2. Locate virtual machine VM1.
3. Select Identity
4. Enable the system-assigned identity for VM1 by setting the Status to On.
Note: Enabling a system-assigned managed identity is a one-click experience. You can either enable it during the creation of a VM or in the properties of an existing VM.
-
DRAG DROP
Your company has an Azure subscription named Subscription1. Subscription1 is associated to an Azure Active Directory tenant named contoso.com.
You need to provision an Azure Kubernetes Services (AKS) cluster in Subscription1 and set the permissions for the cluster by using RBAC roles that reference the identities in contoso.com.
Which three objects should you create in sequence? To answer, move the appropriate objects from the list of objects to the answer area and arrange them in the correct order.
Explanation:
Step 1: Create an AKS cluster
Step 2: a system-assigned managed identity
To create an RBAC binding, you first need to get the Azure AD Object ID.
1. Sign in to the Azure portal.
2. In the search field at the top of the page, enter Azure Active Directory.
3. Click Enter.
4. In the Manage menu, select Users.
5. In the name field, search for your account.
6. In the Name column, select the link to your account.
7. In the Identity section, copy the Object ID.
Step 3: an RBAC binding
-
HOTSPOT
You manage build and release pipelines by using Azure DevOps. Your entire managed environment resides in Azure.
You need to configure a service endpoint for accessing Azure Key Vault secrets. The solution must meet the following requirements:
– Ensure that the secrets are retrieved by Azure DevOps.
– Avoid persisting credentials and tokens in Azure DevOps.
How should you configure the service endpoint? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Azure Pipelines service connection
Box 2: Managed Service Identity Authentication
The managed identities for Azure resources feature in Azure Active Directory (Azure AD) provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.
-
You are deploying a server application that will run on a Server Core installation of Windows Server 2019.
You create an Azure key vault and a secret.
You need to use the key vault to secure API secrets for third-party integrations.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
- Configure RBAC for the key vault.
- Modify the application to access the key vault.
- Configure a Key Vault access policy.
- Deploy an Azure Desired State Configuration (DSC) extension.
- Deploy a virtual machine that uses a system-assigned managed identity.
Explanation:
BE: An app deployed to Azure can take advantage of Managed identities for Azure resources, which allows the app to authenticate with Azure Key Vault using Azure AD authentication without credentials (Application ID and Password/Client Secret) stored in the app.
C:
1. Select Add Access Policy.
2. Open Secret permissions and provide the app with Get and List permissions.
3. Select Select principal and select the registered app by name. Select the Select button.
4. Select OK.
5. Select Save.
6. Deploy the app.
-
HOTSPOT
Your company is creating a suite of three mobile applications.
You need to control access to the application builds. The solution must be managed at the organization level.
What should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Microsoft Visual Studio App Center distribution groups
Distribution Groups are used to control access to releases. A Distribution Group represents a set of users that can be managed jointly and can have common access to releases. Examples of Distribution Groups can be teams of users, like the QA Team or External Beta Testers, or can represent stages or rings of releases, such as Staging.
Box 2: Shared
Shared distribution groups are private or public distribution groups that are shared across multiple apps in a single organization. Shared distribution groups eliminate the need to replicate distribution groups across multiple apps.
Note: With the Deploy with App Center Task in Visual Studio Team Services, you can deploy your apps from Azure DevOps (formerly known as VSTS) to App Center. By deploying to App Center, you will be able to distribute your builds to your users.
-
You have an Azure DevOps organization named Contoso that contains a project named Project1.
You provision an Azure key vault named Keyvault1.
You need to reference Keyvault1 secrets in a build pipeline of Project1.
What should you do first?
- Add a secure file to Project1.
- Create an XAML build service.
- Create a variable group in Project1.
- Configure the security policy of Contoso.
Explanation:
Before this will work, the build needs permission to access the Azure Key Vault. This can be added in the Azure Portal.
Open the Access Policies in the Key Vault and add a new one. Choose the principal used by the DevOps build.
-
Your company uses Azure DevOps.
Only users who have accounts in Azure Active Directory can access the Azure DevOps environment.
You need to ensure that only devices that are connected to the on-premises network can access the Azure DevOps environment.
What should you do?
- Assign the Stakeholder access level to all users.
- In Azure Active Directory, configure risky sign-ins.
- In Azure DevOps, configure Security in Project Settings.
- In Azure Active Directory, configure conditional access.
Explanation:
Conditional Access is a capability of Azure Active Directory. With Conditional Access, you can implement automated access control decisions for accessing your cloud apps that are based on conditions.
Conditional Access policies are enforced after the first-factor authentication has been completed.
-
You have the following Azure policy.
You assign the policy to the Tenant root group.
What is the effect of the policy?
- prevents all HTTP traffic to existing Azure Storage accounts
- ensures that all traffic to new Azure Storage accounts is encrypted
- prevents HTTPS traffic to new Azure Storage accounts when the accounts are accessed over the Internet
- ensures that all data for new Azure Storage accounts is encrypted at rest
Explanation:
Denies non-HTTPS traffic.
-
You have an Azure DevOps organization named Contoso, an Azure DevOps project named Project1, an Azure subscription named Sub1, and an Azure key vault named vault1.
You need to ensure that you can reference the values of the secrets stored in vault1 in all the pipelines of Project1. The solution must prevent the values from being stored in the pipelines.
What should you do?
- Create a variable group in Project1.
- Add a secure file to Project1.
- Modify the security settings of the pipelines.
- Configure the security policy of Contoso.
Explanation:
Use a variable group to store values that you want to control and make available across multiple pipelines.