AZ-400 : Microsoft Azure DevOps Solutions : Part 05

AZ-400 : Microsoft Azure DevOps Solutions : Part 05

1. DRAG DROP

   You use GitHub Enterprise Server as a source code repository.

   You create an Azure DevOps organization named Contoso.

   In the Contoso organization, you create a project named Project1.

   You need to link GitHub commits, pull requests, and issues to the work items of Project1. The solution must use OAuth-based authentication.

   Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

   

   

   Explanation:

   Step 1: From Developer settings in GitHub Enterprise Server, register a new OAuth app.
   If you plan to use OAuth to connect Azure DevOps Services or Azure DevOps Server with your GitHub Enterprise Server, you first need to register the application as an OAuth App

   Step 2: Organization settings in Azure DevOps, add an OAuth configuration
   Register your OAuth configuration in Azure DevOps Services.

   Note:
   Sign into the web portal for Azure DevOps Services.
   Add the GitHub Enterprise Oauth configuration to your organization.
   Open Organization settings>Oauth configurations, and choose Add Oauth configuration.
   Fill in the form that appears, and then choose Create.

   Step 3: From Project Settings in Azure DevOps, add a GitHub connection.
   Connect Azure DevOps Services to GitHub Enterprise Server

   Choose the Azure DevOps logo to open Projects, and then choose the Azure Boards project you want to configure to connect to your GitHub Enterprise repositories.

   Choose (1) Project Settings, choose (2) GitHub connections and then (3) Click here to connect to your GitHub Enterprise organization.

2. DRAG DROP

   You are configuring an Azure DevOps deployment pipeline. The deployed application will authenticate to a web service by using a secret stored in an Azure key vault.

   You need to use the secret in the deployment pipeline.

   Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

   

   

   Explanation:

   Step 1: Create a service principal in Azure Active Directory (Azure AD).
   You will need a service principal to deploy an app to an Azure resource from Azure Pipelines.

   Step 2: Configure an access policy in the key vault.
   You need to secure access to your key vaults by allowing only authorized applications and users. To access the data from the vault, you will need to provide read (Get) permissions to the service principal that you will be using for authentication in the pipeline.
   Select Access policy and then select + Add Access Policy to setup a new policy.

   

   Step 3: Add an Azure Resource Manager service connection to the pipeline
   You need to authorize the pipeline to deploy to Azure:
   1. Select Pipelines | Pipelines,
   2. Go to Releases under Pipelines and then select and Edit your pipeline.
   3. Under Tasks, notice the release definition for Dev stage has a Azure Key Vault task. This task downloads Secrets from an Azure Key Vault. You will need to point to the subscription and the Azure Key Vault resource.
   4. Click Manage, this will redirect to the Service connections page.

   

   5.Click on New Service connection -> Azure Resource Manager -> Service Principal (manual). Fill the information from previously created service principal.

3. DRAG DROP

   You have a private project in Azure DevOps and two users named User1 and User2.

   You need to add User1 and User2 to groups to meet the following requirements:

   – User1 must be able to create a code wiki.
   – User2 must be able to edit wiki pages.
   – The solution must use the principle of least privilege.

   To which group should you add each user? To answer, drag the appropriate groups to the correct users. Each group may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

   NOTE: Each correct selection is worth one point.

   

   

   Explanation:

   User1: Project Administrators
   You must have the permission Create Repository to publish code as wiki. By default, this permission is set for members of the Project Administrators group.

   User2: Contributors
   Anyone who is a member of the Contributors security group can add or edit wiki pages.

   Anyone with access to the team project, including stakeholders, can view the wiki.

4. You use WhiteSource Bolt to scan a Node.js application.

   The WhiteSource Bolt scan identifies numerous libraries that have invalid licenses. The libraries are used only during development and are not part of a production deployment.

   You need to ensure that WhiteSource Bolt only scans production dependencies.

   Which two actions should you perform? Each correct answer presents part of the solution.

   NOTE: Each correct selection is worth one point.

   • Run npm install and specify the –production flag.
   • Modify the WhiteSource Bolt policy and set the action for the licenses used by the development tools to Reassign.
   • Modify the devDependencies section of the project’s Package.json file.
   • Configure WhiteSource Bolt to scan the node_modules directory only.
   Explanation:

   A: To resolve NPM dependencies, you should first run “npm install” command on the relevant folders before executing the plugin.

   C: All npm packages contain a file, usually in the project root, called package.json – this file holds various metadata relevant to the project. This file is used to give information to npm that allows it to identify the project as well as handle the project’s dependencies. It can also contain other metadata such as a project description, the version of the project in a particular distribution, license information, even configuration data – all of which can be vital to both npm and to the end users of the package.

5. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

   After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

   You plan to update the Azure DevOps strategy of your company.

   You need to identify the following issues as they occur during the company’s development process:

   – Licensing violations
   – Prohibited libraries

   Solution: You implement continuous integration.

   Does this meet the goal?

   • Yes
   • No
   Explanation:
   WhiteSource is the leader in continuous open source software security and compliance management. WhiteSource integrates into your build process, irrespective of your programming languages, build tools, or development environments. It works automatically, continuously, and silently in the background, checking the security, licensing, and quality of your open source components against WhiteSource constantly-updated definitive database of open source repositories.

6. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

   After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

   You plan to update the Azure DevOps strategy of your company.

   You need to identify the following issues as they occur during the company’s development process:

   – Licensing violations
   – Prohibited libraries

   Solution: You implement pre-deployment gates.

   Does this meet the goal?

   • Yes
   • No
   Explanation:

   Instead use implement continuous integration.

   Note: WhiteSource is the leader in continuous open source software security and compliance management. WhiteSource integrates into your build process, irrespective of your programming languages, build tools, or development environments. It works automatically, continuously, and silently in the background, checking the security, licensing, and quality of your open source components against WhiteSource constantly-updated definitive database of open source repositories.

7. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

   After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

   You plan to update the Azure DevOps strategy of your company.

   You need to identify the following issues as they occur during the company’s development process:

   – Licensing violations
   – Prohibited libraries

   Solution: You implement automated security testing.

   Does this meet the goal?

   • Yes
   • No
   Explanation:

   Instead use implement continuous integration.

   Note: WhiteSource is the leader in continuous open source software security and compliance management. WhiteSource integrates into your build process, irrespective of your programming languages, build tools, or development environments. It works automatically, continuously, and silently in the background, checking the security, licensing, and quality of your open source components against WhiteSource constantly-updated definitive database of open source repositories.

8. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

   After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

   You plan to update the Azure DevOps strategy of your company.

   You need to identify the following issues as they occur during the company’s development process:

   – Licensing violations
   – Prohibited libraries

   Solution: You implement continuous deployment.

   Does this meet the goal?

   • Yes
   • No
   Explanation:

   Instead implement continuous integration.

   Note: WhiteSource is the leader in continuous open source software security and compliance management. WhiteSource integrates into your build process, irrespective of your programming languages, build tools, or development environments. It works automatically, continuously, and silently in the background, checking the security, licensing, and quality of your open source components against WhiteSource constantly-updated definitive database of open source repositories.

9. SIMULATION

   You manage a website that uses an Azure SQL Database named db1 in a resource group named RG1lod11566895.

   You need to modify the SQL database to protect against SQL injection.

   To complete this task, sign in to the Microsoft Azure portal.

   • See explanation below.
   Explanation:

   Set up Advanced Threat Protection in the Azure portal
   1. Sign into the Azure portal.
   2. Navigate to the configuration page of the server you want to protect. In the security settings, select Advanced Data Security.
   3. On the Advanced Data Security configuration page:

   

   4. Enable Advanced Data Security on the server.

   Note: Advanced Threat Protection for Azure SQL Database detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Advanced Threat Protection can identify Potential SQL injection, Access from unusual location or data center, Access from unfamiliar principal or potentially harmful application, and Brute force SQL credentials

10. HOTSPOT

    Your company has an Azure subscription.

    The company requires that all resource groups in the subscription have a tag named organization set to a value of Contoso.

    You need to implement a policy to meet the tagging requirement.

    How should you complete the policy? To answer, select the appropriate options in the answer area.

    NOTE: Each correct selection is worth one point.

    

    

    Explanation:

    Box 1: ” Microsoft.Resources/subscriptions/resourceGroups”

    Box 2: “Deny”,
    Sample – Enforce tag and its value on resource groups

    },
    “policyRule”: {
    “if”: {
    “allOf”: [
    {
    “field”: “type”,
    “equals”: “Microsoft.Resources/subscriptions/resourceGroups”
    },
    {
    “not”: {
    “field”: “[concat(‘tags[‘,parameters(‘tagName’), ‘]’)]”,
    “equals”: “[parameters(‘tagValue’)]”
    }
    }
    ]
    },
    “then”: {
    “effect”: “deny”
    }
    }
    }
    }

11. You need to configure GitHub to use Azure Active Directory (Azure AD) for authentication.

    What should you do first?

    • Create a conditional access policy in Azure AD.
    • Register GitHub in Azure AD.
    • Create an Azure Active Directory B2C (Azure AD B2C) tenant.
    • Modify the Security settings of the GitHub organization.
    Explanation:

    When you connect to a Git repository from your Git client for the first time, the credential manager prompts for credentials. Provide your Microsoft account or Azure AD credentials.

    Note: Git Credential Managers simplify authentication with your Azure Repos Git repositories. Credential managers let you use the same credentials that you use for the Azure DevOps Services web portal. Credential managers support multi-factor authentication through Microsoft account or Azure Active Directory (Azure AD). Besides supporting multi-factor authentication with Azure Repos, credential managers also support two-factor authentication with GitHub repositories.

12. You have an Azure DevOps project named Project1 and an Azure subscription named Sub1.

    You need to prevent releases from being deployed unless the releases comply with the Azure Policy rules assigned to Sub1.

    What should you do in the release pipeline of Project1?

    • Add a deployment gate.
    • Modify the Deployment queue settings.
    • Configure a deployment trigger.
    • Create a pipeline variable.
    Explanation:
    You can check policy compliance with gates.
    You can extend the approval process for the release by adding a gate. Gates allow you to configure automated calls to external services, where the results are used to approve or reject a deployment.
    You can use gates to ensure that the release meets a wide range or criteria, without requiring user intervention.

13. DRAG DROP

    You have an Azure Kubernetes Service (AKS) implementation that is RBAC-enabled.

    You plan to use Azure Container Instances as a hosted development environment to run containers in the AKS implementation.

    You need to configure Azure Container Instances as a hosted environment for running the containers in AKS.

    Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

    

    

    Explanation:

    Step 1: Create a YAML file.
    If your AKS cluster is RBAC-enabled, you must create a service account and role binding for use with Tiller. To create a service account and role binding, create a file named rbac-virtual-kubelet.yaml

    Step 2: Run kubectl apply.
    Apply the service account and binding with kubectl apply and specify your rbac-virtual-kubelet.yaml file.

    Step 3: Run helm init.
    Configure Helm to use the tiller service account:

    helm init –service-account tiller

    You can now continue to installing the Virtual Kubelet into your AKS cluster.

14. You have an Azure DevOps project that contains a build pipeline. The build pipeline uses approximately 50 open source libraries.

    You need to ensure that all the open source libraries comply with your company’s licensing standards.

    Which service should you use?

    • Ansible
    • Maven
    • WhiteSource Bolt
    • Helm
    Explanation:

    WhiteSource provides WhiteSource Bolt, a lightweight open source security and management solution developed specifically for integration with Azure DevOps and Azure DevOps Server.

    Note: WhiteSource is the leader in continuous open source software security and compliance management. WhiteSource integrates into your build process, irrespective of your programming languages, build tools, or development environments. It works automatically, continuously, and silently in the background, checking the security, licensing, and quality of your open source components against WhiteSource constantly-updated definitive database of open source repositories.

    Note: Blackduck would also be a good answer, but it is not an option here.

15. You are designing the security validation strategy for a project in Azure DevOps.

    You need to identify package dependencies that have known security issues and can be resolved by an update.

    What should you use?

    • Octopus Deploy
    • Jenkins
    • Gradle
    • SonarQube
    Explanation:

    Incorrect Answers:
    B: Jenkins is a popular open-source automation server used to set up continuous integration and delivery (CI/CD) for your software projects.

    D: SonarQube is a set of static analyzers that can be used to identify areas of improvement in your code. It allows you to analyze the technical debt in your project and keep track of it in the future.

16. You administer an Azure DevOps project that includes package feeds.

    You need to ensure that developers can unlist and deprecate packages. The solution must use the principle of least privilege.

    Which access level should you grant to the developers?

    • Collaborator
    • Contributor
    • Owner
    Explanation:

    Feeds have four levels of access: Owners, Contributors, Collaborators, and Readers. Owners can add any type of identity-individuals, teams, and groups-to any access level.

    

17. HOTSPOT

    You have a project in Azure DevOps that has three teams as shown in the Teams exhibit. (Click the Teams tab.)

    

    You create a new dashboard named Dash1.

    You configure the dashboard permissions for the Contoso project as shown in the Permissions exhibit. (Click the Permissions tab.)

    

    All other permissions have the default values set.

    For each of the following statements, select Yes if the statement is true. Otherwise, select No.

    NOTE: Each correct selection is worth one point.

    

    

18. Your company is concerned that when developers introduce open source libraries, it creates licensing compliance issues.

    You need to add an automated process to the build pipeline to detect when common open source libraries are added to the code base.

    What should you use?

    • Microsoft Visual SourceSafe
    • Code Style
    • Black Duck
    • Jenkins
    Explanation:

    Secure and Manage Open Source Software
    Black Duck helps organizations identify and mitigate open source security, license compliance and code-quality risks across application and container portfolios.
    Black Duck Hub and its plugin for Team Foundation Server (TFS) allows you to automatically find and fix open source security vulnerabilities during the build process, so you can proactively manage risk. The integration allows you to receive alerts and fail builds when any Black Duck Hub policy violations are met.

    Note:
    There are several versions of this question in the exam. The question has two possible correct answers:
    – Black Duck
    – WhiteSource Bolt

    Other incorrect answer options you may see on the exam include the following:
    – OWASP ZAP
    – PDM
    – SourceGear
    – SourceGear Vault

19. DRAG DROP

     
    You are implementing a package management solution for a Node.js application by using Azure Artifacts.
     
    You need to configure the development environment to connect to the package repository. The solution must minimize the likelihood that credentials will be leaked.
     
    Which file should you use to configure each connection? To answer, drag the appropriate files to the correct connections. Each file may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
     
    NOTE: Each correct selection is worth one point.
    

    

    

    Explanation:

    All Azure Artifacts feeds require authentication, so you’ll need to store credentials for the feed before you can install or publish packages. npm uses .npmrc configuration files to store feed URLs and credentials. Azure DevOps Services recommends using two .npmrc files.

    Feed registry information: The .npmrc file in the project
    One .npmrc should live at the root of your git repo adjacent to your project’s package.json. It should contain a “registry” line for your feed and it should not contain credentials since it will be checked into git.

    Credentials: The .npmrc file in the user’s home folder
    On your development machine, you will also have a .npmrc in $home for Linux or Mac systems or $env.HOME for win systems. This .npmrc should contain credentials for all of the registries that you need to connect to. The NPM client will look at your project’s .npmrc, discover the registry, and fetch matching credentials from $home/.npmrc or $env.HOME/.npmrc.

20. HOTSPOT

    You have an Azure DevOps project that contains a build pipeline. The build pipeline uses approximately 50 open source libraries.

    You need to ensure that the project can be scanned for known security vulnerabilities in the open source libraries.

    What should you do? To answer, select the appropriate options in the answer area.

    NOTE: Each correct selection is worth one point.

    

    

    Explanation:

    Box 1: A Build task
    Trigger a build
    You have a Java code provisioned by the Azure DevOps demo generator. You will use WhiteSource Bolt extension to check the vulnerable components present in this code.
    1. Go to Builds section under Pipelines tab, select the build definition WhiteSourceBolt and click on Queue to trigger a build.
    2. To view the build in progress status, click on ellipsis and select View build results.

    Box 2: WhiteSource Bolt
    WhiteSource is the leader in continuous open source software security and compliance management. WhiteSource integrates into your build process, irrespective of your programming languages, build tools, or development environments. It works automatically, continuously, and silently in the background, checking the security, licensing, and quality of your open source components against WhiteSource constantly-updated definitive database of open source repositories.