CCNA Develop a security and compliance plan Questions

67 of 142 questions · Page 2/2 · Develop a security and compliance plan

76
MCQ · hard

Your company uses Microsoft Defender for Cloud to monitor Azure DevOps environments. You receive an alert that a service principal has excessive permissions. What is the first step you should take to investigate and remediate?

A. Reduce the service principal's permissions to the minimum required.
B. Review the Microsoft Entra ID audit logs for the service principal.
C. Immediately delete the service principal.
D. Reset the service principal's credentials.
Answer: B

Audit logs provide details on permissions and usage.

Why this answer

Option B is correct because reviewing the Entra ID audit logs helps you understand the scope of the permissions and the actions taken. Option D is wrong because resetting credentials immediately might lock out legitimate users without investigation. Option C is wrong because deleting the service principal could break dependencies. Option A is wrong because you need to investigate before adjusting permissions.

77
MCQ · easy

You are reviewing an Azure Policy definition applied to an Azure DevOps organization. What is the effect of this policy?

A. It denies creation of any Azure resource
B. It allows creation of all pipelines
C. It denies creation of new pipelines
D. It audits pipeline creation without blocking
Answer: C

The policy rule denies when the type is Microsoft.DevOps/pipelines.

Why this answer

Option C is correct because the policy denies the creation of new pipelines. Option B is wrong because it allows creation. Option A is wrong because it denies all resource creation, not just pipelines. Option D is wrong because the policy does not audit.

78
MCQ · easy

Your team uses Azure Pipelines and wants to ensure that builds cannot access the internet to prevent data exfiltration. What should you do?

A. Create a private agent pool with no internet access
B. Use Microsoft-hosted agents with network isolation
C. Set the pipeline variable 'DisableInternetAccess' to true
D. Use self-hosted agents on an isolated network
Answer: B

Microsoft-hosted agents can be configured for network isolation.

Why this answer

Option B is correct because Microsoft-hosted agents have network isolation capabilities. Option D is wrong because self-hosted agents with no internet access would work, but the question implies using Azure DevOps hosted agents. Option A is wrong because a private agent pool with an isolated network is similar. Option C is wrong because Azure DevOps does not have a 'Disable internet access' setting.

79
MCQ · easy

Your team uses GitHub Copilot for code suggestions. To comply with your organization's data protection policies, you need to ensure that code snippets and prompts sent to Copilot are not stored or used by Microsoft for service improvement. What should you configure?

A. Set a compliance grade in Microsoft Defender for Cloud
B. Enable the 'Data Exclusion' setting in Copilot's enterprise settings
C. Apply a Microsoft Purview Data Loss Prevention policy
D. Configure Azure OpenAI Service content filtering
Answer: B

This setting prevents Microsoft from storing or using your code snippets for service improvement.

Why this answer

Option B (Enable the 'Data Exclusion' setting in Copilot's enterprise settings) is correct because GitHub Copilot for Business provides a data exclusion setting that prevents Microsoft from storing or using code snippets. Option D is for Azure OpenAI, not Copilot. Option C is a generic compliance setting. Option A is for Azure DevOps, not GitHub Copilot.

80
MCQ · medium

Your organization uses Azure DevOps and requires that all pipelines enforce branch policy for pull requests. A developer creates a pipeline that builds and tests code on push to any branch. The security team wants to ensure that no code can be deployed to production without passing through a pull request with required reviewers. Which action should you take to meet this requirement?

A. Disable CI triggers on the pipeline and require manual builds.
B. Modify the service connection to require admin approval.
C. Set the pipeline to require approval from the security team before running.
D. Configure branch policy on the main branch to require a pull request with a minimum number of reviewers.
Answer: D

Branch policies enforce pull request requirements before merging.

Why this answer

Option D is correct because branch policies in Azure Repos can enforce that changes must go through a pull request with required reviewers before merging to the main branch. Option A is incorrect because disabling CI triggers does not enforce pull request requirements. Option C is incorrect because pipeline approvals don't enforce code review. Option B is incorrect because service connections control access to external resources, not code review.

81
MCQ · medium

You are reviewing an Azure Policy definition. What does this policy do?

A. Denies pipelines that use an outdated template version.
B. Allows only pipelines that use a specific YAML template.
C. Allows only pipelines in the pipeline-templates folder.
D. Denies any pipeline that does not use a specific YAML template.
Answer: D

The deny effect prevents creation of pipelines with a different YAML path.

Why this answer

Option D is correct because the policy denies any pipeline whose YAML file path is not exactly '/pipeline-templates/secure-pipeline.yml'. Option B is wrong because the effect is deny, not allow. Option C is wrong because the policy targets all pipelines, not just those in a specific folder. Option A is wrong because the policy does not enforce a specific template version.

82
MCQ · medium

You are implementing a secrets management strategy for a multi-cloud deployment. You need to securely store and rotate API keys for a third-party service. Which Azure service should you use?

A. Azure Key Vault
B. Microsoft Entra ID
C. Azure App Configuration
D. Azure Storage Blob
Answer: A

Key Vault is designed for secure storage and rotation of secrets.

Why this answer

Option A is correct because Azure Key Vault provides secure storage and automatic rotation of secrets. Option B is wrong because Microsoft Entra ID is for identity management, not secret storage. Option C is wrong because Azure App Configuration is for application configuration, not secrets. Option D is wrong because Azure Storage is not designed for secret management.

83
MCQ · easy

A company uses Azure DevOps and has a security policy that all pipeline runs must use a specific service connection scoped to a resource group. A developer reports that a pipeline fails with the error: 'The service connection does not have permission to access the resource.' What is the most likely cause?

A. The Azure subscription linked to the service connection is disabled.
B. The service connection name is misspelled in the pipeline YAML.
C. The variable group in the library does not include the service connection ID.
D. The service principal used by the service connection does not have the required role assignment on the resource group.
Answer: D

Missing role assignments cause access denied errors.

Why this answer

Option D is correct because the error 'The service connection does not have permission to access the resource' indicates that the service principal associated with the service connection lacks the necessary Azure RBAC role assignment on the target resource group. In Azure DevOps, a service connection authenticates via a service principal, and that principal must have a role (e.g., Contributor) explicitly assigned at the resource group scope to perform actions like deploying resources. Without this role assignment, the pipeline fails with an access-denied error.

Exam trap

The trap here is that candidates often confuse service connection authentication (which always works if the connection is valid) with authorization (RBAC role assignments), leading them to pick options about disabled subscriptions or misspelled names instead of the missing role assignment.

How to eliminate wrong answers

Option A is wrong because a disabled Azure subscription would cause a different error (e.g., 'Subscription not found' or 'Authorization failed'), not a specific permission-denied message on a resource group. Option B is wrong because a misspelled service connection name in the YAML would result in a 'Service connection not found' error, not a permission error. Option C is wrong because variable groups in the library store variables, not service connection IDs; service connections are referenced by name in the pipeline, and the ID is not required for permission checks.

84
MCQ · easy

You need to ensure that only authorized users can access the Azure DevOps organization. Which identity provider should you configure for single sign-on (SSO)?

A. Microsoft Entra ID
B. Google Workspace
C. Microsoft account (MSA)
D. GitHub ID
Answer: A

Microsoft Entra ID is the native identity provider for Azure DevOps.

Why this answer

Option A is correct because Azure DevOps can be integrated with Microsoft Entra ID for SSO. Option D is wrong because GitHub ID is not supported for Azure DevOps SSO. Option B is wrong because Google Workspace is not a native identity provider. Option C is wrong because a Microsoft account is for personal use, not enterprise SSO.

85
MCQ · medium

Your Azure DevOps organization contains multiple teams. You need to ensure that code reviews require approval from a member of the security team before merging to the main branch. What is the best way to implement this?

A. Add a validation step in Azure Pipelines
B. Enable Microsoft Defender for Cloud
C. Deploy Microsoft Sentinel
D. Configure branch policies in Azure Repos
Answer: D

Branch policies can require specific reviewers for pull requests to main.

Why this answer

Option D is correct because branch policies in Azure Repos allow you to require specific reviewers (the security team) for pull requests to main. Option A is wrong because Azure Pipelines is for CI/CD, not code review policies. Option B is wrong because Microsoft Defender for Cloud is for security posture. Option C is wrong because Microsoft Sentinel is a SIEM.

86
MCQ · hard

Your organization uses Azure Boards and requires that all changes to work items in the 'Security' area path be audited. Which solution ensures that any modification to a work item triggers an audit event in Microsoft Sentinel?

A. Configure Azure DevOps Audit Streaming to send logs to Microsoft Sentinel
B. Enable Microsoft Purview to scan Azure DevOps and detect changes
C. Export Azure DevOps audit logs to CSV and import to Sentinel daily
D. Create a service hook in Azure DevOps that calls a logic app to create incidents in Sentinel
Answer: A

Azure DevOps supports streaming audit events to Microsoft Sentinel for real-time monitoring.

Why this answer

Option A is correct because Azure DevOps audit logs can be streamed to Microsoft Sentinel via the Azure DevOps data connector. Option D is wrong because service hooks don't directly integrate with Sentinel. Option B is wrong because Microsoft Purview is for data governance, not real-time auditing. Option C is wrong because export to CSV is a manual process.

87
MCQ · hard

Your organization is adopting GitHub Copilot for developers. Which security measure should you implement to ensure that no proprietary code is inadvertently shared with the AI model?

A. Use a separate network segment for development
B. Configure content exclusions in the GitHub Copilot settings
C. Disable GitHub Copilot for all users
D. Enable audit logging for Copilot usage
Answer: B

Content exclusions prevent specific repositories from being used as context by Copilot.

Why this answer

Option B is correct because GitHub Copilot for Business allows administrators to configure content exclusions to prevent certain repositories from being used as context. Option C is wrong because disabling Copilot entirely is not necessary and reduces productivity. Option A is wrong because network segmentation does not affect Copilot's data usage. Option D is wrong because auditing alone does not prevent sharing.

88
Multi-Select · medium

Your organization is adopting GitHub Advanced Security. Which THREE features should you enable to improve security?

Select 3 answers
A. GitHub Pages
B. Branch protection rules
C. Secret scanning
D. Dependabot alerts and security updates
E. Code scanning (CodeQL)
Answers: C, D, E

Secret scanning detects credentials.

Why this answer

Options C, D, and E are correct because secret scanning, Dependabot alerts, and code scanning are core features of GitHub Advanced Security. Option B is wrong because branch protection rules are not part of Advanced Security. Option A is wrong because GitHub Pages is for hosting static sites.

89
MCQ · medium

You are reviewing an Azure DevOps permissions JSON. What access does the user 'user@contoso.com' have?

A. Contributor access to the build pipeline named 'Build-1'
B. Reader access to the build pipeline
C. Contributor access to all build pipelines
D. Reader access to the project
Answer: A

The user has Contributor scope to that build.

Why this answer

Option A is correct because the user has the Contributor role scoped to the build pipeline 'Build-1'. Option B is wrong because Reader is a group, not the user. Option C is wrong because the scope is specific to that build, not all pipelines. Option D is wrong because the user has Contributor, not Reader.

90
MCQ · medium

A company uses Azure DevOps for CI/CD. The security team requires that all pipeline runs must use a specific service connection (ServiceConnection-Prod) that has been approved for production deployments. However, developers are accidentally using unapproved connections. You need to enforce that only the approved service connection can be used in any pipeline that deploys to the production environment. What should you do?

A. Define a required template for all pipelines that includes the service connection, and instruct developers to use it.
B. Set up a manual approval gate on the production environment stage in the pipeline.
C. Configure a branch policy on the main branch to require a successful build before merging.
D. Create an Azure Pipeline decorator that validates the service connection used in each task and fails the pipeline if it is not the approved one.
Answer: D

A decorator can inject validation tasks into every pipeline to enforce the use of a specific service connection.

Why this answer

Option D is correct because Azure Pipeline decorators inject custom validation logic at runtime, allowing you to inspect each task's service connection and fail the pipeline if it does not match the approved one. This enforces the security requirement centrally without relying on developer compliance or manual gates.

Exam trap

The trap here is that candidates confuse process-based controls (templates, approvals, branch policies) with runtime enforcement, overlooking that only a decorator can programmatically validate and block unauthorized service connections at execution time.

How to eliminate wrong answers

Option A is wrong because a required template is a guideline that developers can bypass or modify, not an enforceable control. Option B is wrong because a manual approval gate only pauses the pipeline for human approval; it does not validate which service connection was used in the tasks. Option C is wrong because a branch policy on the main branch ensures code quality before merging but does not inspect or restrict the service connection used during pipeline execution.

91
MCQ · medium

Your company uses Azure DevOps and must enforce that all pipelines use approved agent pools. The security team wants to prevent the use of the default agent pool. What should you do?

A. Use pipeline settings to require authorization for the default pool
B. Set agent pool permissions to deny the default pool for all projects
C. Remove the default agent pool from the organization
D. Disable the default agent pool in project settings
Answer: B

This explicitly denies access to the default pool.

Why this answer

Option B is correct because you can set agent pool permissions to 'Deny' for all projects except those using approved pools. Option C is wrong because removing the default pool from the organization does not prevent its use in existing pipelines. Option D is wrong because disabling the default pool requires manual intervention. Option A is wrong because the 'Authorize' setting is for YAML pipelines, not for restricting pool usage.

92
MCQ · medium

A company's Azure DevOps project uses a custom agent pool with self-hosted agents. The security team discovers that pipeline runs can access secrets stored in Azure Key Vault, but the team wants to ensure that secrets are only accessible to approved pipelines. Which configuration should the team implement?

A. Use a library variable group linked to Key Vault and enable 'Approval checks' on the variable group with branch control.
B. Store secrets directly in pipeline variables and use the 'Make secrets available to all pipelines' setting.
C. Assign pipeline-level permissions to the Key Vault using Azure RBAC.
D. Limit the number of agents in the custom agent pool.
Answer: A

Approval checks and branch filters restrict which pipelines and branches can access secrets.

Why this answer

Option A is correct because linking a library variable group to Azure Key Vault and enabling 'Approval checks' on that variable group with branch control ensures that only approved pipelines (and specific branches) can access the secrets. This provides a granular, pipeline-scoped approval gate that prevents unauthorized pipeline runs from retrieving secrets from Key Vault, directly addressing the security requirement.

Exam trap

The trap here is that candidates often confuse Azure RBAC with pipeline-level permissions, not realizing that Key Vault access must be configured at the vault level (via access policies or RBAC) for the service principal, not at the pipeline scope, and that approval checks on variable groups are the correct way to gate secret access per pipeline run.

How to eliminate wrong answers

Option B is wrong because storing secrets directly in pipeline variables and enabling 'Make secrets available to all pipelines' would expose secrets to every pipeline in the project, violating the requirement to restrict access to approved pipelines only. Option C is wrong because assigning pipeline-level permissions to Key Vault using Azure RBAC is not a supported configuration; Key Vault access is managed via access policies or RBAC at the vault level for service principals or managed identities, not at the pipeline level. Option D is wrong because limiting the number of agents in the custom agent pool does not control which pipelines can access secrets; it only affects concurrency and resource availability, not secret authorization.

93
Multi-Select · medium

Which TWO actions should you take to ensure that only approved pipelines can deploy to production in Azure DevOps? (Choose two.)

Select 2 answers
A. Disable parallel jobs for the project.
B. Configure a pipeline approval gate on the production environment.
C. Set branch policies to require a pull request before merging to the main branch.
D. Limit the number of pipelines that can deploy from the main branch.
E. Use a single agent pool for all pipelines.
Answers: B, C

Approval gates require manual approval before deployment.

Why this answer

Options B and C are correct: use pipeline approvals to require manual approval before deployment, and use branch policies to enforce that only code from protected branches can be deployed. Option A is incorrect because disabling parallel jobs does not enforce approvals. Option E is incorrect because using a single agent pool does not enforce security. Option D is incorrect because the main branch can have many pipelines.

94
MCQ · medium

Your organization uses Microsoft Defender XDR for security monitoring. You need to configure an alert that fires whenever a user with high privileges (e.g., Project Collection Administrators) is added to an Azure DevOps group. What is the most efficient approach?

A. Set up a Microsoft Purview compliance policy for Azure DevOps
B. Run a weekly Azure DevOps audit log query manually
C. Create a custom detection rule in Microsoft Defender XDR using the Azure DevOps identity provider logs
D. Configure a Log Analytics workspace with Azure Activity Logs
Answer: C

Defender XDR can ingest Azure DevOps audit logs and trigger alerts on specific events.

Why this answer

Option C (Create a custom detection rule in Microsoft Defender XDR using the Azure DevOps identity provider logs) is correct because Defender XDR can ingest Azure DevOps audit logs and create custom detections for specific activities. Option B is not efficient for real-time alerting. Option D is for Azure, not Azure DevOps. Option A is for compliance, not real-time alerting.

95
MCQ · hard

Your Azure DevOps organization has multiple projects. You need to ensure that only approved extension versions are installed across all projects. What is the most efficient way to enforce this?

A. Restrict extension usage to specific pipelines via YAML.
B. Use the Azure DevOps extension management settings to mark approved extensions and block others.
C. Create an Azure Policy that audits extension installations.
D. Uninstall all extensions and only install them per project as needed.
Answer: B

Organization-level extension management allows you to control which extensions are available.

Why this answer

Option B is correct because Azure DevOps allows you to manage extensions at the organization level and restrict installation to approved ones. Option D is wrong because uninstalling extensions in each project is not efficient. Option C is wrong because Azure Policy does not manage Azure DevOps extensions. Option A is wrong because extensions cannot be restricted to specific pipelines.

96
MCQ · easy

Your team uses GitHub and wants to automatically detect exposed credentials in code. Which GitHub feature should you enable?

A. Dependabot alerts
B. GitHub Copilot
C. Code scanning
D. Secret scanning
Answer: D

Secret scanning detects tokens, keys, and other secrets.

Why this answer

Secret scanning is the correct answer because it is the GitHub feature specifically designed to automatically detect exposed credentials, such as API keys, tokens, and passwords, in code repositories. It scans for known patterns of secrets and can alert both the repository owner and the partner service (e.g., AWS, Azure) to revoke the compromised credential. This directly addresses the requirement to automatically detect exposed credentials in code.

Exam trap

The trap here is that candidates often confuse Code scanning (which finds code vulnerabilities) with Secret scanning (which finds credentials), but Azure and GitHub treat them as separate features with distinct purposes and detection mechanisms.

How to eliminate wrong answers

Option A is wrong because Dependabot alerts focus on vulnerable dependencies and outdated packages, not on detecting exposed credentials or secrets in code. Option B is wrong because GitHub Copilot is an AI-powered code completion tool that suggests code snippets, not a security scanning feature for detecting credentials. Option C is wrong because Code scanning (powered by CodeQL) identifies code quality issues and security vulnerabilities like SQL injection or cross-site scripting, but it does not natively scan for hardcoded secrets or credentials; secret scanning is a separate, dedicated feature.

97
Multi-Select · hard

A company uses Azure DevOps and requires that all pipeline runs are audited and that sensitive information (e.g., passwords, keys) is never exposed in logs. Which THREE actions should you take? (Choose THREE.)

Select 3 answers
A. In tasks that run scripts, set the 'Logging command' option to 'ignore' to prevent script output from being captured in the log.
B. Store all sensitive information in a variable group and reference it in the pipeline.
C. Configure the service connection to use 'Read-only' scope.
D. Use secret pipeline variables and ensure the 'Log secret values in the pipeline' checkbox is unchecked.
E. Enable Azure DevOps audit logging and send logs to a security information and event management (SIEM) system.
Answers: A, D, E

This prevents any output from the script from appearing in logs.

Why this answer

Option A is correct because setting the 'Logging command' option to 'ignore' in script tasks prevents the script's standard output from being captured in the Azure DevOps pipeline logs. This is a direct way to avoid leaking sensitive information that might be printed by the script, such as passwords or keys, ensuring they are not exposed in the audit trail.

Exam trap

The trap here is that candidates often confuse variable groups with secret variables, thinking that storing sensitive data in a variable group automatically masks it in logs, when in fact only secret pipeline variables with the logging checkbox unchecked provide that protection.

98
MCQ · hard

You are designing a security compliance plan for Azure Pipelines. The plan must ensure that all pipelines: (1) run on Microsoft-hosted agents in a specific geo-region, (2) use approved Docker images from a private Azure Container Registry, and (3) enforce that pipeline variables containing secrets are never logged. Which combination of Azure DevOps features should you use?

A. Compliance gates in release pipelines, service connections, and audit logs
B. Agent pools with geo-filtering, Azure Policy for Repos to restrict image sources, and secret variables with 'Logging command' disabled
C. Entra ID Conditional Access, Azure Container Registry firewall, and pipeline decorators
D. Azure Policy for Pipelines, secret variables, and geo-restricted agent pools
Answer: B

This combination addresses all three requirements.

Why this answer

Option B (Agent pools with geo-filtering, Azure Policy for Repos to restrict image sources, and secret variables with 'Logging command' disabled) is correct. Agent pools can be scoped to a specific geography. Azure Policy for Repos can enforce that pipelines only use approved container registries. Secret variables in Azure Pipelines have an option to 'Allow at runtime' and can be marked as secret to prevent logging.

Option D uses Azure Policy for Pipelines (not a real feature). Option A's compliance gates are for release pipelines, not build. Option C's Conditional Access is for user access, not image sources.

99
MCQ · easy

Your team is using GitHub Enterprise and wants to ensure that every pull request includes a link to a work item in Azure Boards. Which GitHub Apps or Azure DevOps Services integration should you configure?

A. GitHub-Azure Boards integration
B. Azure Repos branch policy
C. Azure DevOps OAuth app
D. Azure Pipelines GitHub App
Answer: A

This integration can require work item linking in GitHub PRs.

Why this answer

Option A (GitHub-Azure Boards integration) is correct because this official integration enforces linking work items to PRs. Option B is for Azure Repos. Option D is for Azure Pipelines. Option C is a generic term, not a specific integration.

100
MCQ · hard

Your organization uses GitHub Actions and needs to enforce that only approved actions from the GitHub Marketplace can be used in workflows. Developers have been using custom actions from third-party repositories. What is the most effective way to control which actions are allowed?

A. Create a manual approval process for each new action.
B. Set the organization to disallow all third-party actions.
C. Configure the organization to allow only actions created by GitHub.
D. Use the 'Allow actions created by GitHub and verified partners' policy and add specific actions to the allow list.
Answer: D

This provides granular control over allowed actions.

Why this answer

Option D is correct because GitHub allows organization owners to set a policy to allow only specific actions, including those from the marketplace. Option A is incorrect because manual review is not scalable. Option B is incorrect because disabling third-party actions entirely may block legitimate needs. Option C is incorrect because allowing only actions created by GitHub does not give the granular control of an allow list.

101
MCQ · hard

Your company uses GitHub Advanced Security. You need to ensure that all code in the main branch is free of high-severity secrets before deployment. What is the most efficient way to enforce this?

A. Require manual review of all pull requests for secrets
B. Enable secret scanning push protection
C. Configure Dependabot to flag secrets in dependencies
D. Enable code scanning alerts for secrets
Answer: B

Push protection prevents commits that contain secrets from being pushed.

Why this answer

Option B is correct because secret scanning push protection blocks commits containing secrets. Option D is wrong because code scanning alerts do not block at push time. Option C is wrong because Dependabot alerts are for dependencies, not secrets. Option A is wrong because manual review is not efficient.

102
MCQ · hard

A company uses Microsoft Defender for Cloud to assess the security posture of Azure Pipelines agents. They notice that self-hosted agents are flagged as having high-severity vulnerabilities. What is the recommended action to remediate these findings while minimizing downtime?

A. Disable Microsoft Defender for Cloud for the agent pool.
B. Uninstall the self-hosted agents and use only Microsoft-hosted agents.
C. Apply the security updates recommended by Microsoft Defender for Cloud to the agent VMs.
D. Replace all self-hosted agents with Microsoft-hosted agents.
Answer: C

This directly remediates the vulnerabilities on the self-hosted agents.

Why this answer

Option C is correct because applying the security patches that Microsoft Defender for Cloud recommends to the agent VMs is the standard remediation. Option D is wrong because switching to Microsoft-hosted agents may not meet compliance requirements and does not remediate existing vulnerabilities. Option A is wrong because disabling Defender for Cloud would remove visibility. Option B is wrong because uninstalling agents is not a remediation.

103
MCQ · medium

Your company uses Microsoft Purview to manage data governance. You need to classify a new dataset containing personally identifiable information (PII) and apply a data loss prevention (DLP) policy. What should you do first?

A. Create a sensitivity label in Microsoft Purview
B. Add the data source to an Azure service tag
C. Define a DLP policy in Microsoft Purview
D. Register and scan the data source in Microsoft Purview
Answer: D

Scanning classifies data automatically based on built-in classifiers.

Why this answer

Option D is correct because scanning the data source in Purview automatically classifies sensitive data. Option A is wrong without scanning first. Option C is wrong because DLP policies require classification. Option B is wrong because service tags do not classify data.

104
Multi-Select · medium

A company is adopting Azure DevOps and needs to ensure that all pipelines comply with regulatory standards. The security team wants to enforce that every build includes a security scan and that deployment to production requires approval from a compliance officer. Which TWO actions should the DevOps engineer take?

Select 2 answers
A. Configure branch policies to require a security scan on pull requests.
B. Create a required template that includes the security scan task and mandate its use via a pipeline resource.
C. Add a variable group to store security scan results and reference it in the pipeline.
D. Configure a required reviewer approval on the production stage of the release pipeline.
E. Use a pipeline decorator to automatically run a security scan on every build.
Answers: B, D

Required templates enforce consistent steps.

Why this answer

Option B is correct because creating a required template that includes the security scan task and mandating its use via a pipeline resource ensures that every pipeline inherits the security scan step, enforcing compliance at the pipeline definition level. Option D is correct because configuring a required reviewer approval on the production stage of the release pipeline enforces that a compliance officer must explicitly approve the deployment, meeting the regulatory requirement for production deployments.

Exam trap

The trap here is that candidates often confuse branch policies (Option A) with build-level enforcement, not realizing that branch policies only apply to pull request validation, not to all builds triggered by other events like CI or scheduled triggers.

105
MCQmedium

Your team uses GitHub Actions for CI/CD. Security policies require that secrets must be automatically rotated every 90 days. Which Azure DevOps feature should you integrate to enforce this requirement?

A.Microsoft Purview Compliance Manager
B.GitHub Actions secrets with scheduled workflows
C.Azure Key Vault with rotation policy
D.Azure Managed Identities
AnswerC

Azure Key Vault supports secret rotation policies that can be configured to rotate secrets automatically.

Why this answer

Option C is correct because Azure Key Vault supports automatic secret rotation policies. Option A is wrong because Microsoft Purview is for data governance, not secret rotation. Option D is wrong because Managed Identities are for authentication, not rotation.

Option B is wrong because GitHub Actions secrets do not support automatic rotation natively.

106
MCQeasy

Your team uses Azure Pipelines to deploy to multiple environments. The compliance team requires that all deployments to the production environment are approved by a security officer. Which feature should you use?

A.Configure approvals and checks on the production environment in Azure Pipelines.
B.Create a branch policy that requires approval for pull requests.
C.Use a service connection with a managed identity that requires approval.
D.Store the production credentials in a variable group with approval required.
AnswerA

Approvals and checks allow you to require manual sign-off before deployment to an environment.

Why this answer

Approvals and checks in Azure Pipelines allow you to require manual approval before deployment to a specific environment. Branch policies are for GitHub/Azure Repos branches. Service connections are for authentication.

Variable groups store variables, not approvals.

107
Multi-Selectmedium

Which THREE measures should be implemented to protect secrets in Azure Pipelines? (Choose three.)

Select 3 answers
A.Restrict which pipelines can access the variable group
B.Log secret values to pipeline console for debugging
C.Use variable groups with locked variables
D.Link Azure Key Vault as a variable group
E.Store secrets in code as environment variables
AnswersA, C, D

Scoping access reduces exposure.

Why this answer

Options A, C, and D are correct. Option A: restricting which pipelines can access the variable group limits the exposure of its secrets. Option C: using variable groups with locked variables prevents modification.

Option D: linking Azure Key Vault centrally manages secrets. Option B is wrong because logging secrets to the console exposes them. Option E is wrong because storing secrets in code defeats the purpose.

108
Multi-Selecthard

Which THREE measures should you implement to protect secrets used in GitHub Actions workflows? (Choose three.)

Select 3 answers
A.Use hardcoded secrets in workflow files for simplicity.
B.Enable secret scanning to detect secrets in code pushes.
C.Use the same secret across all environments to reduce management overhead.
D.Use OpenID Connect (OIDC) to authenticate to Azure without storing credentials.
E.Store secrets as GitHub repository secrets or organization secrets.
AnswersB, D, E

Secret scanning alerts on exposed secrets.

Why this answer

Options B, D, and E are correct: enabling secret scanning to detect accidentally committed secrets (B), using OpenID Connect to authenticate to cloud providers without storing credentials (D), and storing secrets as GitHub repository or organization secrets (E). Option A is incorrect because hardcoding secrets is insecure. Option C is incorrect because using the same secret across environments reduces security.

109
MCQhard

Refer to the exhibit. You are reviewing the branch policies for the main branch in Azure Repos. The team reports that while the branch naming policy works, the approval policy does not block pull requests when only one person approves. What is the most likely cause?

A.The policy is disabled in the settings
B.The policy is not applied to the main branch
C.The main branch has a separate branch policy override that allows one approval
D.The 'creatorVoteCounts' setting is false, so the creator's approval is not counted
AnswerC

Branch policies can be overridden at the branch level, which could allow fewer approvals.

Why this answer

Option C (The policy is applied to all branches, but the main branch has a separate override) is correct. The exhibit shows policies defined at the project level, but branch policies for the main branch might have been explicitly set to override the project-level policy. Option A is wrong because the policy is enabled.

Option B is wrong because the policy is set to require minimum 2 approvals, so it should block. Option D is wrong because creator vote counts being false means the creator's vote is not counted, which doesn't affect the approval count.

110
MCQeasy

A company uses Azure DevOps and needs to ensure that all pipelines use approved YAML templates from a central repository. The security team wants to prevent developers from referencing unapproved templates. What is the best way to enforce this?

A.Create a branch policy on the repository that requires all pull requests to be approved by security team members.
B.Configure a variable group with the approved template repository and require it in all pipelines.
C.Use a pipeline decorator to check the template origin and fail the pipeline if unapproved.
D.Set the 'Required template' repository setting in the Azure DevOps project to the approved central repository.
AnswerD

This built-in setting enforces that all YAML templates must come from the specified repository.

Why this answer

Option D is correct because the 'Required template' repository setting in Azure DevOps enforces that all pipelines must use a YAML template from a specified central repository. If a pipeline references a template from any other location, the pipeline will fail at runtime, providing a hard enforcement mechanism that cannot be bypassed by developers. This directly addresses the security team's requirement to prevent unapproved template references.

Exam trap

The trap here is that candidates often confuse pipeline decorators (which are custom and optional) with native enforcement settings, or they assume branch policies can control template references, when in fact only the 'Required template' setting provides a hard, built-in block at the pipeline level.

How to eliminate wrong answers

Option A is wrong because a branch policy requiring pull request approval by security team members only controls changes to the repository's code, not the templates referenced in pipelines; developers could still merge code that references unapproved templates in other repositories. Option B is wrong because a variable group can store the approved repository URL, but it does not enforce that pipelines actually use it; developers can still hardcode or override the template source in their YAML files. Option C is wrong because pipeline decorators are injected at runtime and can check template origins, but they are not a native enforcement mechanism; they require custom scripting and maintenance, and can be bypassed if the decorator is not applied to all pipelines or if the pipeline agent has sufficient permissions.

111
Drag & Dropmedium

Drag and drop the steps to perform a blue-green deployment in Azure using App Service slots into the correct order.

Why this order

Blue-green deployment involves creating a slot, deploying to it, validating, swapping, and monitoring.

112
Multi-Selecteasy

You are designing a plan to protect Azure DevOps pipelines from supply chain attacks. Which TWO measures should you implement?

Select 2 answers
A.Require approval for pipeline runs that use external resources
B.Use Dependabot to automatically update vulnerable dependencies
C.Implement code coverage thresholds in pull requests
D.Enable secret scanning for all repositories
E.Use release gates to validate deployment health
AnswersA, B

Approval prevents unauthorized use of external resources.

Why this answer

Options A and B are correct. Option A prevents unauthorized use of external resources in pipeline runs. Option B keeps dependencies free of known vulnerabilities.

Option C is wrong because code coverage thresholds are about testing. Option D is wrong because secret scanning does not address supply chain attacks. Option E is wrong because release gates are about deployment.

113
MCQmedium

Your team uses Azure Pipelines to deploy to production. You need to ensure that deployment only proceeds if a security scan passes and a manual approval is obtained. What is the best approach?

A.Add pipeline variables
B.Set up service connections
C.Configure branch policies
D.Use release gates in release pipelines
AnswerD

Release gates can run automated checks and require manual approvals.

Why this answer

Option D is correct because release gates can run automated checks (the security scan) and require manual approvals. Option C is wrong because branch policies are for code review. Option B is wrong because service connections handle authentication, not approvals.

Option A is wrong because pipeline variables store values; they do not enforce gates.

114
MCQeasy

The exhibit shows a draft Azure Monitor alert rule for Key Vault secret expiry. However, the query fails to return results for secrets that have already expired. What is the most likely reason?

A.The query does not include secrets that have no expiry date set.
B.The condition `DaysToExpiry > 0` excludes secrets that have already expired.
C.The query only checks secrets that are enabled.
D.The `limit 10` clause restricts to only 10 secrets, which may miss expired ones.
AnswerB

Expired secrets have negative DaysToExpiry, so they are filtered out.

Why this answer

Option B is correct because the query filters on `DaysToExpiry > 0`, which only returns secrets with a positive number of days remaining until expiry. Once a secret has expired, its `DaysToExpiry` becomes zero or negative, so it is excluded from the results. This is a logical filter error: the condition should be `DaysToExpiry <= 0`, or the filter should be removed entirely so that expired secrets are included.

Exam trap

The trap here is that candidates focus on the syntax or limits of the query (like `limit 10`) rather than recognizing that the logical filter `DaysToExpiry > 0` inherently excludes the very data the alert is supposed to detect—expired secrets.

How to eliminate wrong answers

Option A is wrong because the query does not filter on whether a secret has an expiry date set; the issue is specifically about expired secrets, not those without an expiry date. Option C is wrong because the query does not include any condition that checks the enabled status of secrets; the problem is purely with the `DaysToExpiry` filter. Option D is wrong because the `limit 10` clause only affects the number of results returned, not the logical inclusion of expired secrets; even if more secrets were returned, expired ones would still be excluded by the `DaysToExpiry > 0` condition.

115
MCQhard

You are a security engineer for a large financial institution. The organization uses Azure DevOps with multiple projects, each containing hundreds of pipelines. The security team recently discovered that several pipeline variables marked as 'Secret' were inadvertently printed to logs due to a custom script task that echoed the variable. Consequently, the compliance officer requires that all secrets used in pipelines must be centrally managed in Azure Key Vault, and any pipeline that references a variable not from Key Vault must be blocked from running. Additionally, the solution must minimize administrative overhead and provide real-time enforcement across all projects in the organization. Which option meets the requirements most effectively?

A.Develop a custom pipeline task that checks at runtime whether all secret variables originate from Key Vault
B.Create an Azure Policy definition that audits pipelines for the use of non-Key Vault variables
C.Use Azure DevOps Audit Logs to periodically review pipeline runs
D.Configure a pipeline decorator in the organization settings that injects a task at the beginning of every pipeline to validate that all secret variables are linked to Key Vault
AnswerD

Pipeline decorators automatically apply to all pipelines and can enforce compliance in real time.

Why this answer

Option D (configure a pipeline decorator) is correct because it provides real-time enforcement at the organization level with minimal overhead. Option B is wrong because Azure Policy does not apply to Azure DevOps pipeline configurations. Option A is wrong because adding a task manually to each pipeline is high overhead and error-prone.

Option C is wrong because periodic review of audit logs is reactive and does not block non-compliant runs.

116
MCQmedium

Refer to the exhibit. You executed the Azure CLI command to list variable groups. A security audit requires that all variable groups containing secrets are configured to be authorized for all pipelines. Which statement is true based on the output?

A.The variable group 'ProdVars' contains a secret variable, but the output does not indicate whether it is authorized for all pipelines
B.The variable group 'ProdVars' is not authorized for all pipelines because no such property exists
C.The variable group 'ProdVars' has exposed the secret value in the output
D.The variable group 'ProdVars' is authorized for all pipelines because it has secret variables
AnswerA

The output shows variable definitions but not authorization settings.

Why this answer

Option A (the variable group 'ProdVars' contains a secret variable, but the output does not indicate whether it is authorized for all pipelines) is correct. The JSON output does not include an 'authorize' property; you need to check the group's settings separately. Option C is wrong because the ApiKey value is shown as null (masked), not exposed.

Options B and D are wrong because you cannot tell from this output whether the group is authorized for all pipelines.

117
MCQeasy

Your company is migrating to Microsoft Entra ID and needs to manage secrets used in Azure Pipelines. Which service should you use to securely store and rotate secrets?

A.Azure Key Vault
B.GitHub Secrets
C.Azure App Configuration
D.Microsoft Purview
AnswerA

Azure Key Vault securely stores secrets and integrates with Azure Pipelines.

Why this answer

Option A is correct because Azure Key Vault is the native secret management service in Azure, integrated with Azure Pipelines via library variable groups. Option B is wrong because GitHub Secrets is for GitHub Actions, not Azure Pipelines. Option C is wrong because Azure App Configuration is for feature flags and configuration.

Option D is wrong because Microsoft Purview is for data governance.

118
MCQhard

Your organization uses GitHub Actions and has a repository containing sensitive infrastructure code. You need to ensure that only approved actions are used in workflows. Which two settings should you configure? (Select two.)

A.Allow actions created by GitHub.
B.Disable actions for the repository.
C.Allow actions from only specific approved repositories.
D.Use environment protection rules.
E.Store actions in encrypted secrets.
AnswersA, C

This restricts actions to those created by GitHub (verified creators).

Why this answer

Options A and C are correct because GitHub allows you to restrict actions to those created by GitHub (verified creators) and to allow only actions from specific approved repositories. Option B is wrong because disabling actions would block all workflows. Option E is wrong because secrets do not restrict actions.

Option D is wrong because environment protection rules do not restrict which actions can be used.

119
Matchingmedium

Match each YAML pipeline trigger to its behavior.

Runs pipeline on code push

Runs pipeline on pull request creation

Runs pipeline at specified times

Runs pipeline after another pipeline completes

Why these pairings

Trigger types available in Azure Pipelines YAML.

120
MCQeasy

Your team uses Azure DevOps and wants to automatically scan pull requests for secrets before they are merged. Which Azure DevOps feature should you use?

A.Azure Policy.
B.Secret scanning in Azure DevOps.
C.GitHub Advanced Security.
D.Branch policy with a required reviewer.
AnswerB

Azure DevOps has built-in secret scanning for Azure Repos.

Why this answer

Option B is correct because Azure DevOps includes a built-in secret scanner that can be integrated into pipelines. Option C is wrong because GitHub Advanced Security is for GitHub, not Azure DevOps. Option D is wrong because branch policies do not include secret scanning.

Option A is wrong because Azure Policy does not scan pull request content.

121
MCQhard

Your organization uses Azure DevOps and Azure Key Vault to manage secrets. You have a pipeline that deploys a web app to Azure App Service. The pipeline uses a variable group linked to Key Vault to retrieve the database connection string. Recently, the build started failing with the error: 'Access to Key Vault is denied. Please ensure the service connection has Get and List permissions on secrets.' The service connection uses a service principal. You have verified that the service principal has the correct Key Vault access policy with Get and List permissions. What is the most likely cause of the failure?

A.The service connection is configured to use the wrong Azure subscription.
B.The secret name in the variable group does not match the secret name in Key Vault.
C.The service principal used by the service connection does not have Contributor role on the Key Vault.
D.The build service identity does not have Get and List permissions on the Key Vault secrets.
AnswerD

The build service identity (project collection or project level) must be granted access to Key Vault for variable group resolution.

Why this answer

The error message indicates that the identity attempting to access Key Vault lacks the required permissions. Even though the service principal has the correct access policy, the pipeline may be using a different identity—the build service identity—to authenticate with Key Vault. In Azure DevOps, when a variable group is linked to Key Vault, the pipeline's build service identity (not the service connection's service principal) must have Get and List permissions on the Key Vault secrets.

This is a common misconfiguration where the service principal is granted permissions but the build service identity is not.

Exam trap

The trap here is that candidates assume the service principal configured in the service connection is the identity used to access Key Vault, but in reality, Azure DevOps uses the build service identity for variable group secret retrieval, leading to a permissions mismatch.

How to eliminate wrong answers

Option A is wrong because the Azure subscription configured in the service connection determines the scope for resource management, but Key Vault access is governed by its own access policies, not subscription-level settings. Option B is wrong because a mismatch between secret names would cause a different error (e.g., 'Secret not found') rather than an access denied error. Option C is wrong because the Contributor role on Key Vault is an Azure RBAC role that grants management-plane permissions (e.g., creating/deleting vaults), not data-plane permissions (e.g., reading secrets); Key Vault access policies or Azure RBAC data-plane roles are required for secret access.

122
MCQeasy

Your development team uses GitHub Enterprise with GitHub Actions for CI/CD. The security team wants to ensure that all secrets used in workflows are stored in GitHub Secrets and that they are not accessible to forked repositories. Currently, some workflows reference secrets directly in YAML files. You need to implement a solution that meets the following requirements: (1) Secrets must be stored in GitHub Secrets, not in YAML files. (2) Workflows triggered from forked repositories must not have access to organization secrets. (3) Auditors must be able to see which workflows access which secrets. Which option best satisfies all requirements?

A.Move all secrets to GitHub Secrets, and for each workflow that uses secrets, add a condition to check if the event is from a fork, and if so, skip the step
B.Move all secrets to GitHub Secrets, configure the repository to require approval for all external contributions, and enable audit logging for secret usage
C.Move all secrets to GitHub Secrets, and in the repository settings, disable 'Allow GitHub Actions to create and approve pull requests' and enable 'Fork pull request workflows from outside collaborators' to require approval
D.Move all secrets to GitHub Secrets, and in the organization settings, enable 'Private repository fork policy' to only allow forks from within the organization, and use environment secrets with required reviewers
AnswerB

This meets all requirements: secrets in GitHub Secrets, fork access controlled via approval, and audit logging available.

Why this answer

Option B is correct. By moving secrets to GitHub Secrets, they are no longer in YAML. Requiring approval for external contributions ensures forked repositories do not get access to secrets (since secrets are not passed to workflows triggered by pull requests from forks unless explicitly approved).

Audit logging tracks secret usage. Option C does not address fork access to secrets. Option D restricts forks but does not prevent secret exposure if a fork is made.

Option A is a workaround but not a policy-level solution.

123
MCQmedium

Your organization must comply with SOC 2 requirements. You are using Azure DevOps and need to ensure that all pipeline runs are logged and that logs are retained for at least one year. Which configuration should you implement?

A.Increase the retention period of pipeline logs in the Azure DevOps UI.
B.Configure diagnostic settings for the Azure DevOps organization.
C.Disable the option to delete pipelines.
D.Enable audit streaming to a Log Analytics workspace and set retention to 365 days.
AnswerD

Audit streaming allows long-term retention and compliance.

Why this answer

Option D is correct because enabling Azure DevOps audit streaming to a Log Analytics workspace allows long-term retention and compliance. Option A is wrong because the default retention is shorter. Option C is wrong because disabling pipeline deletion does not affect log retention.

Option B is wrong because diagnostic settings in Azure are for Azure resources, not Azure DevOps pipelines.

124
MCQeasy

Your organization requires that all code changes be signed using a valid code signing certificate before they can be merged. Which feature in GitHub should you enable to enforce this?

A.Dependabot.
B.Commit signature verification.
C.Code scanning.
D.Secret scanning.
AnswerB

This requires all commits to be signed with a verified key.

Why this answer

Option B is correct because commit signature verification in GitHub enforces that commits are signed with a verified GPG or S/MIME key. Option D is wrong because secret scanning detects secrets; it does not enforce signatures. Option A is wrong because Dependabot handles dependency updates.

Option C is wrong because code scanning analyzes code for vulnerabilities.

125
MCQhard

Your organization uses GitHub Advanced Security. A developer reports that a secret scanning alert for an Azure DevOps Personal Access Token (PAT) is a false positive. What should you do to handle this?

A.Disable secret scanning for the repository.
B.Delete the PAT from the repository and revoke it.
C.Mark the alert as false positive in the GitHub UI.
D.Ignore the alert and leave it open.
AnswerC

This hides the alert and improves detection accuracy.

Why this answer

Option C is correct because marking the alert as a false positive in the GitHub UI hides it and helps train the detection. Option B is wrong because deleting the PAT doesn't address the alert. Option A is wrong because disabling secret scanning removes detection entirely.

Option D is wrong because ignoring the alert leaves it open.

126
MCQeasy

Your organization uses Microsoft Entra ID (formerly Azure AD) for identity management. You need to ensure that only authorized users can access the Azure DevOps organization. What is the most secure way to manage access?

A.Require all users to use multi-factor authentication (MFA) and enable Conditional Access policies.
B.Disable external user access and only allow internal users.
C.Use IP address restrictions to limit access to the corporate network.
D.Add users to the Azure DevOps organization and assign them to the 'Basic' access level.
AnswerA

Conditional Access policies provide secure, conditional access.

Why this answer

Option A is correct because MFA combined with Conditional Access policies provides granular access control based on conditions like location, device compliance, and risk. Option D is incorrect because assigning an access level does not enforce additional security. Option C is incorrect because IP address restrictions alone do not verify the user's identity or device.

Option B is incorrect because disabling external users is not the most secure; it still allows all internal users.

127
MCQeasy

Your organization uses Azure DevOps and Microsoft Entra ID. The compliance team needs to ensure that access to Azure DevOps projects is governed by conditional access policies. Which Azure DevOps integration should you use?

A.Link the Azure DevOps organization to the Microsoft Entra ID tenant and configure conditional access policies in Microsoft Entra ID.
B.Configure service hooks to enforce conditional access.
C.Assign managed identities to users for conditional access.
D.Use OAuth tokens to authenticate users.
AnswerA

Linking the Azure DevOps organization to the Microsoft Entra ID tenant allows conditional access policies to be applied to all users.

Why this answer

Azure DevOps supports Microsoft Entra ID conditional access policies, which apply to all users accessing Azure DevOps through the organization's tenant. Service hooks and OAuth tokens are for automation, not access control. Managed identities are for Azure resources, not user access.

128
MCQhard

A financial services company uses Azure DevOps to manage CI/CD pipelines for a critical application. The security team requires that all production deployments be approved by two different managers, and that the build artifacts are immutable and signed. Currently, the pipeline uses a manual approval gate with one approver and stores artifacts in Azure Artifacts. What should the DevOps engineer implement to meet the security requirements?

A.Store artifacts in Azure Key Vault and use access policies to control deployment.
B.Use branch policies to require two reviewers on pull requests.
C.Configure a second manual approval gate and enable immutable feed in Azure Artifacts.
D.Add a pipeline decorator that injects a validation step for code signing.
AnswerC

This enforces two approvals and ensures artifacts cannot be overwritten.

Why this answer

Option C is correct because it directly addresses both security requirements: adding a second manual approval gate ensures two different managers must approve production deployments, and enabling the immutable feed in Azure Artifacts prevents any artifact from being overwritten or deleted, guaranteeing immutability. Code signing is not explicitly required by the question, but the immutable feed ensures artifact integrity, and the two-approver gate satisfies the dual-manager approval mandate.

Exam trap

The trap here is that candidates may confuse branch policies (which control code review) with deployment approval gates (which control release to production), or think that storing artifacts in Key Vault or adding a code-signing decorator alone satisfies the dual-approval and immutability requirements.

How to eliminate wrong answers

Option A is wrong because Azure Key Vault is designed for managing secrets and keys, not for storing build artifacts; it does not provide immutable artifact storage or deployment approval gates. Option B is wrong because branch policies requiring two reviewers on pull requests control code changes in the repository, not production deployment approvals; they do not enforce approval gates on the pipeline release process. Option D is wrong because a pipeline decorator injects a validation step for code signing, which addresses artifact signing but does not add a second manual approval gate or enforce immutable artifact storage.

129
MCQhard

Your team uses GitHub Enterprise to manage source code. You need to implement a security and compliance plan that ensures all commits are signed using GPG keys and that secrets are scanned before code is merged. Which GitHub features should you combine?

A.Enable secret scanning alerts and require signed commits via branch protection rules.
B.Enable Dependabot alerts and require pull request reviews before merging.
C.Configure branch protection rules to require code owners review and enable automatic security fixes.
D.Enable push protection for secret scanning and configure branch protection rules with 'Require signed commits' and 'Vigilant mode'.
AnswerD

Push protection blocks secrets at push time. Vigilant mode marks unsigned commits as unverified and branch protection can block unverified commits.

Why this answer

Push protection in secret scanning prevents secrets from being pushed. Commit signature verification with Vigilant mode blocks unsigned commits. Branch protection rules enforce both.

Secret scanning alerts only notify after a push. Dependabot and code owners address dependency and review requirements, not signing or secret prevention.

130
MCQeasy

You need to ensure that only signed-in users can view Azure DevOps project wikis. Which setting should you configure?

A.Configure wiki permissions to deny anonymous users
B.Set project visibility to 'Private'
C.Set repository visibility to 'Private'
D.Use Microsoft Entra ID Application Proxy
AnswerB

Private projects require authentication to view.

Why this answer

Option B is correct because project visibility controls who can view the project, including its wikis. Option C is wrong because repository visibility is for code, not wikis. Option D is wrong because Microsoft Entra ID Application Proxy is for on-premises apps.

Option A is wrong because wiki permissions are per-wiki, not a global setting.

131
MCQhard

Your organization uses Microsoft Entra ID for identity and Azure DevOps for source control. You need to enforce that all code changes to the main branch require a pull request with at least two approvals and no failing checks. What should you configure?

A.Configure a Conditional Access policy in Microsoft Entra ID
B.Add an environment protection rule in Azure Pipelines
C.Set up a branch policy on the main branch in Azure Repos
D.Use a service hook to notify reviewers when a push occurs
AnswerC

Branch policies in Azure Repos can require a minimum number of reviewers and enforce build validation.

Why this answer

Option B is correct because Azure DevOps branch policies can require a minimum number of reviewers and check for build validation. Option A is wrong because Entra ID Conditional Access policies manage sign-in, not code reviews. Option C is wrong because environment protection rules in GitHub are for deployments, not pull requests.

Option D is wrong because service hooks are for integration, not policy enforcement.

132
MCQhard

Your organization uses Azure DevOps with classic pipelines. A security audit requires that all pipeline variables containing secrets (e.g., API keys) are stored in Azure Key Vault and referenced dynamically. Currently, secrets are stored as plain text in the pipeline UI. You need to migrate to Key Vault with minimal downtime and ensure that secret values are never exposed in logs. What should you do?

A.Store secrets in a secure file in Azure DevOps.
B.Create a variable group linked to Key Vault, mark variables as 'secret', and reference them in pipelines. Update pipeline steps to use the variable group.
C.Use the 'Azure Key Vault' task to download secrets as pipeline variables.
D.Add each secret as a pipeline variable with the 'secret' type.
AnswerB

Key Vault integration masks secrets and keeps them out of logs.

Why this answer

Option A is correct because linking Key Vault via library variable groups keeps secrets out of logs when 'Keep secret' is enabled. The 'secret' variable type in pipelines masks values. Option B is wrong because secret variables are still stored in Azure DevOps, not Key Vault.

Option C is wrong because it doesn't address log exposure. Option D is wrong because it doesn't prevent exposure in logs.

133
MCQhard

Your organization uses Microsoft Entra ID and Azure DevOps. You need to ensure that only users from specific Entra ID groups can create new Azure DevOps organizations. What should you configure?

A.Assign the Global Administrator role to the security group
B.Assign the Azure DevOps Administrator role to the security group
C.Configure Conditional Access policies to block non-group members
D.Use Azure DevOps security policies to restrict organization creation
AnswerB

This role controls who can create and manage Azure DevOps organizations.

Why this answer

Option B is correct because the Azure DevOps Administrator role in Entra ID can restrict who can create new organizations. Option A is wrong because the Global Administrator role is too broad. Option C is wrong because Azure DevOps does not have a 'Create organizations' permission.

Option D is wrong because Conditional Access policies control access to resources, not creation of organizations.

134
Multi-Selecteasy

Your organization uses Microsoft Defender for Cloud and Azure DevOps. Security teams need to automatically detect and block secrets (e.g., passwords, keys) pushed to Azure Repos. Which TWO actions should you take?

Select 2 answers
A.Enable push protection for secrets in Microsoft Defender for Cloud.
B.Set branch policies to require a pull request for all changes.
C.Store all secrets in Azure Key Vault and reference them in pipelines.
D.Enable secret scanning in GitHub Advanced Security for Azure Repos.
E.Configure Microsoft Purview Information Protection to scan repositories.
AnswersA, D

Push protection blocks secrets during push.

Why this answer

Option A (Enable push protection for secrets via Microsoft Defender for Cloud) provides real-time blocking. Option D (Configure repository-level secret scanning in GitHub Advanced Security for Azure Repos) is the feature that actually scans and blocks secrets. Option B is wrong because Microsoft Purview focuses on data classification, not real-time secret scanning.

Option C is wrong because branch policies control PRs, not pushes. Option E is wrong because key vault secrets are for storage, not scanning.

135
Multi-Selecteasy

Your team is adopting GitHub Copilot for code generation. The compliance team requires that all code generated by AI is reviewed and that proprietary code is not used as training data. Which TWO settings should you configure in your GitHub organization?

Select 2 answers
A.Configure a branch protection rule that requires all code to be reviewed before merging.
B.Disable Copilot for all repositories in the organization.
C.Disable the 'Allow GitHub to use my data for training' option in the organization's Copilot settings.
D.Enable 'Suggestions matching public code' to block suggestions that match public code.
E.Enable 'Allow GitHub to use my code snippets for product improvements' to improve Copilot.
AnswersA, C

Branch protection ensures that AI-generated code is reviewed by a human before merging.

Why this answer

GitHub Copilot for Business allows admins to disable training on user code and enforce policies. Disallowing public code suggestions from being used as training data protects proprietary code. Requiring Copilot to only suggest from approved libraries is not a feature.

Disabling Copilot entirely is not the goal. Enabling suggestions matching public code is the opposite of what is needed.

136
MCQhard

Refer to the exhibit. You receive a secret scanning alert for an Azure DevOps PAT in a GitHub repository. The push_protection_bypass is false. What does this mean and what action should you take?

A.The secret was pushed but push protection was bypassed; you need to revoke the PAT and use git filter-branch to remove it from history.
B.The secret was pushed successfully; you need to rotate the PAT and audit the commit history.
C.The secret was pushed and push protection was not bypassed; you need to open a support ticket with GitHub to remove the secret.
D.The secret was blocked from being pushed; you should revoke the PAT and investigate the incident.
AnswerD

Push protection blocked the push, so the secret never entered the repository. Revoke the PAT and investigate.

Why this answer

Push protection blocked the push, so the secret was not committed to the repository. You should revoke the PAT and investigate how it was used. The secret is not in the commit history because it was blocked.

Since it was not committed, you don't need to use git filter-branch or GitHub support to remove it.

137
Multi-Selecthard

Which TWO actions should a DevOps engineer take to ensure that Azure DevOps pipelines comply with the principle of least privilege for service connections?

Select 2 answers
A.Create a service principal with permissions scoped to the minimum required Azure resources.
B.Use the Project Collection Build Service account for all pipeline runs.
C.Use Workload identity federation to avoid managing secrets.
D.Configure the service connection to be available only to specific pipelines.
E.Use the same service connection for both build and release pipelines.
AnswersA, D

Scoped permissions enforce least privilege.

Why this answer

Option A is correct because creating a service principal with permissions scoped to the minimum required Azure resources directly implements the principle of least privilege. By assigning only the necessary roles (e.g., Contributor on a specific resource group) to the service principal used in the service connection, you ensure that the pipeline can only perform actions on those resources, reducing the attack surface. This aligns with Azure RBAC best practices for securing automated deployments.

Exam trap

The trap here is that candidates often confuse 'Workload identity federation' (which improves secret management) with 'least privilege' (which is about permission scoping), leading them to select option C instead of recognizing that federation does not automatically restrict permissions.

138
MCQhard

You are auditing an Azure Pipeline YAML file. The security team requires that deployments to the 'Prod' environment only occur from the main branch. Does this pipeline meet that requirement?

A.Yes, because the Deploy stage always runs after Build
B.No, because the Build stage should also be conditioned
C.Yes, because the condition ensures deployment only from main
D.No, because the condition should be 'succeeded()' only
AnswerC

The condition 'eq(variables['Build.SourceBranch'], 'refs/heads/main')' enforces this.

Why this answer

Option B is correct because the condition checks that the source branch is main. Option A is wrong because it does meet the requirement. Option C is wrong because the condition is correct.

Option D is wrong because the condition is correct.

139
MCQeasy

You need to ensure that only approved users can deploy to production from Azure Pipelines. What should you implement?

A.Pipeline approval gates
B.Microsoft Entra ID Conditional Access policies
C.Environment checks with required approvers
D.Branch protection rules in GitHub
AnswerC

Azure Pipelines environments support approval checks that require designated approvers to approve a deployment.

Why this answer

Option D is correct because Azure Pipelines approval gates allow requiring manual approval before deployment. Option A is wrong because branch policies control code changes, not deployments. Option B is wrong because environment checks can include approvals but are not the primary mechanism.

Option C is wrong because Microsoft Entra ID provides authentication but not approval workflows.

140
MCQhard

You are analyzing Azure DevOps audit logs with a KQL query. What is the purpose of this query?

A.List the top 5 most active users in Azure DevOps
B.Display detailed audit records of project creation with timestamps
C.Identify users who created projects and have admin role
D.Find the top 5 users who created the most projects in the last 30 days
AnswerD

The query counts successful project creations per user and returns top 5.

Why this answer

Option C is correct because the query filters for successful project creation events, groups by actor, and returns the top 5 users by count. Option A is wrong because it does not filter by role. Option B is wrong because it only counts project creation, not all operations.

Option D is wrong because it does not show creation time details.

141
MCQhard

You are a DevOps engineer for a financial services company with strict regulatory compliance requirements (e.g., PCI-DSS, SOX). The company uses Azure DevOps for CI/CD and manages multiple projects. Each project has its own set of service connections, variable groups, and agent pools. The security team recently audited the environment and found that several service connections have been granted Contributor rights at the subscription level, and some variable groups are accessible by all pipelines across all projects. Additionally, audit logs show that a former employee's service principal still has active service connections in two projects. You need to implement a security and compliance plan to address these issues. Which approach should you take?

A.Conduct a manual audit of all service connections and variable groups every quarter, and revoke any permissions that are not needed. Disable service connections associated with the former employee.
B.Immediately delete all service connections associated with the former employee and recreate them using service principals with the least privilege. Then, update all pipelines to use the new connections.
C.Restrict all service connections to use resource-group level scoped permissions instead of subscription-level. For variable groups, set them to be accessible only to specific pipelines.
D.Implement Azure Policy to enforce that service connections cannot have subscription-level Contributor role; instead, require specific resource group roles. Use Azure AD access reviews to automatically remove stale service principals. Use pipeline decorators to enforce branch policy and approval checks on variable groups that contain secrets.
AnswerD

Azure Policy enforces least privilege automatically, access reviews remove stale principals, and pipeline decorators ensure compliance for variable groups.

Why this answer

Option D is correct because it provides a comprehensive, automated, and scalable approach to enforcing least privilege and compliance. Azure Policy can audit and enforce that service connections are scoped to resource groups rather than subscriptions, preventing over-permissioned Contributor access. Azure AD access reviews automate the detection and removal of stale service principals, addressing the former employee issue without manual effort.

Pipeline decorators enforce mandatory approval checks and branch policies on variable groups containing secrets, ensuring that sensitive variables are not accessible to all pipelines across projects.

Exam trap

The trap here is that candidates often choose a manual or reactive approach (like Option A or B) because they focus on the immediate fix for the former employee, overlooking the need for automated, continuous enforcement that Azure Policy, access reviews, and pipeline decorators provide for long-term compliance.

How to eliminate wrong answers

Option A is wrong because a manual quarterly audit is reactive, error-prone, and does not scale across multiple projects; it fails to meet the strict regulatory compliance requirements that demand continuous enforcement. Option B is wrong because immediately deleting all service connections associated with the former employee could break running pipelines and does not address the root cause of over-permissioned service connections or variable group accessibility; it also lacks automation for ongoing compliance. Option C is wrong because restricting service connections to resource-group level scopes is a partial fix that does not enforce the change across existing connections, and setting variable groups to be accessible only to specific pipelines is a manual configuration that does not prevent future misconfigurations or provide audit trails.

142
MCQmedium

You are using Microsoft Defender for Cloud to secure Azure Pipelines. You need to receive alerts when a pipeline run uses a service principal with excessive permissions. Which feature should you enable?

A.Enable Azure DevOps audit logs and review them manually.
B.Create an Azure Policy to deny over-privileged service principals.
C.Enable Microsoft Defender for Cloud's identity and access monitoring.
D.Configure Microsoft Entra ID Conditional Access policies.
AnswerC

This provides alerts on risky permissions and usage.

Why this answer

Option B is correct because Defender for Cloud's identity and access monitoring can alert on over-privileged service principals used in pipelines. Option A is wrong because audit logs alone do not generate alerts. Option C is wrong because conditional access policies are for user sign-ins, not service principals in pipelines.

Option D is wrong because Azure Policy does not generate real-time alerts for pipeline runs.
