AZ-400 Develop a security and compliance plan • Complete Question Bank
Complete AZ-400 Develop a security and compliance plan question bank — all 0 questions with answers and detailed explanations.
Refer to the exhibit.
```json
{
  "properties": {
    "policyDefinitions": [
      {
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bfd4f8c3-4b5d-4a7d-8c9a-1e2f3a4b5c6d",
        "parameters": {
          "effect": {
            "value": "Deny"
          },
          "allowedLocations": {
            "value": ["eastus", "westus"]
          }
        }
      }
    ],
    "policySetDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/0a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d"
  },
  "id": "/subscriptions/sub123/resourceGroups/rg-devops/providers/Microsoft.Authorization/policyAssignments/assignment-dev",
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "assignment-dev",
  "location": "eastus"
}
```
Refer to the exhibit.
```json
{
"alertRule": {
"displayName": "Key Vault Secret Near Expiry",
"query": "// Azure Resource Graph query
resources
| where type == 'microsoft.keyvault/vaults/secrets'
| extend DaysToExpiry = datetime_diff('day', now(), properties.attributes.expiresOn)
| where DaysToExpiry < 30 and DaysToExpiry > 0
| project name, vaultName = resourceGroup, expiresOn = properties.attributes.expiresOn, DaysToExpiry
| limit 10"
}
}
```
Drag a concept onto its matching description — or click a concept then click the description.
Runs pipeline on code push
Runs pipeline on pull request creation
Runs pipeline at specified times
Runs pipeline after another pipeline completes
Drag a concept onto its matching description — or click a concept then click the description.
SonarQube analysis
Burnup chart
Slack integration on work item update
Terraform task for Azure Pipelines
Refer to the exhibit.
```json
{
  "policy": {
    "name": "Require MFA for pipeline variables",
    "scope": [
      "variableGroup:MySecrets"
    ],
    "effects": {
      "requireMFA": {
        "on": "variableGroup:MySecrets",
        "action": "approve"
      }
    }
  }
}
```
Refer to the exhibit.
```json
{
  "id": "policy-secure-files",
  "type": "Microsoft.Authorization/policyAssignments",
  "properties": {
    "displayName": "Secure Files in Pipelines",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/audit-secure-files",
    "parameters": {
      "allowedFileExtensions": {
        "value": [".pfx", ".p12", ".cer"]
      }
    },
    "scope": "/subscriptions/.../resourceGroups/.../providers/microsoft.devops/pipelines"
  }
}
```
Refer to the exhibit.
```json
{
  "permissions": [
    {
      "role": "Reader",
      "identity": {
        "type": "group",
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
      },
      "scope": "project"
    },
    {
      "role": "Contributor",
      "identity": {
        "type": "user",
        "id": "user@contoso.com"
      },
      "scope": "build:Build-1"
    }
  ]
}
```
Refer to the exhibit.
```kql
AzureDevOpsAuditLogs
| where TimeGenerated > ago(30d)
| where OperationName == "Project.Create"
| where ResultType == "Success"
| project TimeGenerated, ProjectName, ActorUPN
| summarize Count = count() by ActorUPN
| top 5 by Count desc
```
Refer to the exhibit.
```json
{
  "alert": {
    "type": "secret_scanning",
    "secret_type": "Azure DevOps Personal Access Token",
    "secret": "abc123...",
    "repository": "contoso/MyApp",
    "push_protection_bypass": false
  }
}
```
Refer to the exhibit.
```json
{
  "type": "Azure DevOps Pipeline Security",
  "settings": {
    "enforceRequiredTemplate": true,
    "requiredTemplate": "security-validation.yml",
    "scope": ["production", "staging"]
  }
}
```
Refer to the exhibit.
```json
{
  "policy": {
    "name": "Require MFA for Azure DevOps",
    "type": "Conditional Access Policy",
    "assignments": {
      "users": "All users",
      "cloud_apps": "Azure DevOps",
      "conditions": {
        "client_apps": ["Browser", "Mobile apps and desktop clients"]
      },
      "grant_controls": {
        "built_in_controls": ["Mfa"]
      }
    }
  }
}
```
Refer to the exhibit.
```json
{
  "query": "ContainerRegistryLoginEvents\n| where TimeGenerated > ago(7d)\n| where ResultType != 'Success'\n| summarize FailureCount = count() by Repository, Action",
  "result": [
    {"Repository": "contoso/webapp", "Action": "push", "FailureCount": 15},
    {"Repository": "contoso/api", "Action": "pull", "FailureCount": 3}
  ]
}
```
Refer to the exhibit.
```json
{
  "properties": {
    "description": "Policy to restrict pipeline creation",
    "policyType": "Custom",
    "mode": "All",
    "displayName": "Deny Pipeline Creation",
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DevOps/pipelines"
      },
      "then": "Deny"
    }
  }
}
```
Refer to the exhibit.
```json
{
  "alert": {
    "title": "High severity vulnerability found in dependency",
    "state": "open",
    "severity": "critical",
    "created_at": "2026-03-15T10:00:00Z",
    "repository": {
      "name": "my-app",
      "visibility": "internal"
    },
    "security_advisory": {
      "summary": "Remote code execution in lodash",
      "severity": "critical",
      "cvss": {
        "score": 9.8
      }
    }
  }
}
```
Refer to the exhibit.
```yaml
# azure-pipelines.yml
variables:
  - group: ProductionSecrets
  - name: environment
    value: 'prod'
stages:
  - stage: Build
    jobs:
      - job: BuildJob
        steps:
          - script: echo Building...
  - stage: Deploy
    condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
    jobs:
      - deployment: DeployJob
        environment: Prod
        strategy:
          runOnce:
            deploy:
              steps:
                - script: echo Deploying...
```
Refer to the exhibit.
```json
{
  "properties": {
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DevOps/Pipelines"
      },
      "then": {
        "effect": "deny",
        "details": {
          "field": "Microsoft.DevOps/Pipelines/yamlFilePath",
          "notEquals": "/pipeline-templates/secure-pipeline.yml"
        }
      }
    }
  }
}
```
Refer to the exhibit.
```json
{
  "name": "service-connection-audit",
  "query": "AzureDevOpsAuditing | where OperationName == 'ServiceConnectionCreated' | project TimeGenerated, ServiceConnectionId, ServiceConnectionName, CreatedBy"
}
```
Refer to the exhibit.
```yaml
# azure-pipelines.yml
variables:
  - group: 'prod-variables'
  - name: 'DB_PASSWORD'
    value: $(prod-db-password)
```
Refer to the exhibit.
```json
{
  "policies": [
    {
      "name": "Enforce branch naming convention",
      "policyType": "Git",
      "settings": {
        "scope": [
          {
            "refName": "refs/heads/*",
            "matchKind": "Prefix",
            "prefix": "feature/"
          }
        ],
        "isEnabled": true,
        "isBlocking": true
      }
    },
    {
      "name": "Require a minimum number of reviewers",
      "policyType": "Approval",
      "settings": {
        "minimumApproverCount": 2,
        "creatorVoteCounts": false,
        "allowDownvotes": false,
        "resetOnPush": true
      }
    }
  ]
}
```
You are a security engineer for a large financial institution. The organization uses Azure DevOps with multiple projects, each containing hundreds of pipelines. The security team recently discovered that several pipeline variables marked as 'Secret' were inadvertently printed to logs due to a custom script task that echoed the variable. Consequently, the compliance officer requires that all secrets used in pipelines must be centrally managed in Azure Key Vault, and any pipeline that references a variable not from Key Vault must be blocked from running. Additionally, the solution must minimize administrative overhead and provide real-time enforcement across all projects in the organization. You have the following options:
Option A: Create an Azure Policy definition that audits pipelines for the use of non-Key Vault variables and attach it to the management group containing the Azure DevOps resources.
Option B: Develop a custom pipeline task that checks at runtime whether all secret variables originate from Key Vault, and add it to every pipeline YAML file manually.
Option C: Configure a pipeline decorator in the organization settings that injects a task at the beginning of every pipeline to validate that all secret variables are linked to Key Vault, and fail the pipeline if any are not.
Option D: Use Azure DevOps Audit Logs to periodically review pipeline runs and manually identify pipelines that use non-Key Vault secrets.
Which option meets the requirements most effectively?
Your company is migrating from on-premises TFS to Azure DevOps Services in the cloud. The security policy mandates that all access to Azure DevOps must go through a conditional access policy that requires multi-factor authentication (MFA) for users outside the corporate network. Additionally, the policy requires that service accounts (used for automated deployments) must use device-based authentication and cannot be interactive. You are configuring Microsoft Entra ID (formerly Azure AD) conditional access. The Azure DevOps organization is connected to the corporate Entra ID tenant. You have the following options:
Option A: Create a conditional access policy that applies to all users and service principals, requiring MFA for all cloud apps, and exclude the Azure DevOps app from the policy.
Option B: Create a conditional access policy that targets the Azure DevOps app, grant access requiring MFA for all users, and create a separate policy for service accounts that requires device compliance.
Option C: Create a conditional access policy that applies to the Azure DevOps app, requiring MFA for all users, and exclude service accounts by user group. Then create a separate policy for service accounts that requires a compliant device.
Option D: Use Azure DevOps IP address restrictions to block external traffic and rely on VPN for external users.
Which option best meets the requirements?
Your development team uses GitHub Enterprise with GitHub Actions for CI/CD. The security team wants to ensure that all secrets used in workflows are stored in GitHub Secrets and that they are not accessible to forked repositories. Currently, some workflows reference secrets directly in YAML files. You need to implement a solution that meets the following requirements: (1) Secrets must be stored in GitHub Secrets, not in YAML files. (2) Workflows triggered from forked repositories must not have access to organization secrets. (3) Auditors must be able to see which workflows access which secrets.
Option A: Move all secrets to GitHub Secrets, configure the repository to require approval for all external contributions, and enable audit logging for secret usage.
Option B: Move all secrets to GitHub Secrets, and in the repository settings, disable 'Allow GitHub Actions to create and approve pull requests' and enable 'Fork pull request workflows from outside collaborators' to require approval.
Option C: Move all secrets to GitHub Secrets, and in the organization settings, enable 'Private repository fork policy' to only allow forks from within the organization, and use environment secrets with required reviewers.
Option D: Move all secrets to GitHub Secrets, and for each workflow that uses secrets, add a condition to check if the event is from a fork, and if so, skip the step.
Which option best satisfies all requirements?
Your organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data in Azure DevOps repositories. The compliance team has identified that source code containing credit card numbers (PCI data) was accidentally committed to a public repository. You need to implement a solution that meets the following requirements: (1) Automatically scan all new commits in Azure Repos for sensitive data types like credit card numbers. (2) If sensitive data is detected, automatically block the push and notify the security team. (3) The solution must be integrated with Microsoft Purview and Azure DevOps.
Option A: Configure a branch policy in Azure Repos that runs a custom Azure Function via a service hook when a push occurs, and the function uses Purview APIs to scan the commit.
Option B: Enable Microsoft Purview Data Loss Prevention for Azure DevOps, which automatically scans and blocks pushes containing sensitive data.
Option C: Use GitHub Advanced Security secret scanning for Azure Repos, and configure a webhook to notify the security team.
Option D: Install a third-party extension from Azure DevOps Marketplace that provides content scanning and configure it to block pushes.
Which option is the most appropriate and efficient?