CCNA Security Compliance Plan Questions

75 of 142 questions · Page 1/2 · Security Compliance Plan topic

1
MCQ · easy

Your organization is adopting GitHub Copilot and wants to ensure that no proprietary code is used to train models. Which setting should you configure in the GitHub organization?

A. Enable secret scanning.
B. Enable Dependabot alerts.
C. Disable GitHub Copilot for the organization.
D. Opt out of allowing GitHub to use code snippets for product improvement.
Answer: D

This prevents Copilot from using your code for training.

Why this answer

Option D is correct because GitHub Copilot allows you to opt out of code snippet sharing for training. Option C is wrong because Copilot is not a feature that can be disabled for specific repositories only. Option B is wrong because Dependabot does not affect Copilot training.

Option A is wrong because secret scanning is unrelated.

2
MCQ · hard

You are analyzing Azure DevOps audit logs with the KQL query above. Your security team wants to ensure that only approved service connections are used. After running the query, you find multiple service connections created by a user who is not on the approved list. What should you do next?

A. Immediately delete all service connections created by that user.
B. Disable the user's account in Microsoft Entra ID.
C. Review each unapproved service connection's permissions and usage.
D. Modify the query to also include the user's email address.
Answer: C

This helps assess risk and determine if any are malicious.

Why this answer

Option C is correct because the first step is to review the service connections and their permissions to understand the impact. Option A is wrong because deleting all connections created by that user could break running pipelines. Option B is wrong because disabling the user might be premature without investigation.

Option D is wrong because the query already shows the creator.

3
MCQ · hard

Your organization uses Azure DevOps with multiple teams. You are tasked with creating a security and compliance plan. The environment includes: Azure Repos for source control, Azure Pipelines for CI/CD, and Azure Artifacts for package management. Requirements: 1) All code changes to the main branch must be reviewed by at least one member of the security team. 2) Deployment to production requires approval from a manager. 3) Secrets must be stored securely and rotated every 90 days. 4) Pipeline logs must be retained for 1 year for audit purposes. You have configured branch policies requiring a minimum number of reviewers and mandatory security team review. For production deployments, you have added a manual approval gate. Secrets are stored in Azure Key Vault with automatic rotation. However, the audit team reports that pipeline logs are only retained for 30 days. You need to extend log retention to 1 year. What should you do?

A. Export pipeline logs to Azure Blob Storage and set a lifecycle policy to retain for 365 days.
B. Configure diagnostic settings in Azure Monitor to stream pipeline logs to a Log Analytics workspace.
C. In Azure DevOps project settings, navigate to Pipelines > Retention and releases, and set the retention policy to 365 days.
D. Enable Azure DevOps audit logs and export them to a Log Analytics workspace with a 365-day retention.
Answer: C

This directly controls pipeline log retention.

Why this answer

Option C is correct because Azure DevOps pipeline log retention is configured in the project settings under 'Pipelines' > 'Retention and releases'. Option B is wrong because Azure Monitor is for Azure resources, not DevOps logs. Option A is wrong because Azure Storage does not directly store pipeline logs.

Option D is wrong because audit logs are separate from pipeline logs.

4
MCQ · medium

You are reviewing a compliance policy for Azure Pipelines. What does this policy enforce?

A. Enforces MFA for all pipeline runs that use the 'MySecrets' variable group
B. Requires multi-factor authentication to approve use of secret variables in the 'MySecrets' variable group
C. Requires MFA to edit variables in the 'MySecrets' variable group
D. Blocks all access to the 'MySecrets' variable group unless MFA is used
Answer: B

The policy enforces MFA approval for the variable group.

Why this answer

Option B is correct because the policy requires MFA approval when accessing the variable group 'MySecrets'. Option A is wrong because the policy is scoped to the variable group, not all pipeline runs. Option C is wrong because the policy requires approval, not just MFA authentication to edit variables.

Option D is wrong because the policy gates use of the specific variable group through an approval rather than blocking all access to it.

5
Multi-Select · medium

Your company uses Azure Key Vault to store secrets. Which TWO actions should you take to ensure secure access? (Select TWO.)

Select 2 answers
A. Restrict access using Key Vault access policies
B. Use managed identities to authenticate applications
C. Enable HTTP access for performance
D. Disable audit logging to reduce exposure
E. Enable soft-delete to recover deleted secrets
Answers: A, B

Access policies provide fine-grained control over who can access secrets.

Why this answer

Options A and B are correct. A: Access policies control who can access the vault. B: Using managed identities avoids storing credentials.

Option D is wrong because disabling logging reduces security monitoring. Option C is wrong because HTTP is insecure. Option E is wrong because soft-delete is a recovery feature, not an access control.

6
MCQ · easy

Your team uses GitHub and wants to automatically detect and block secrets pushed to repositories. Which GitHub feature should you enable?

A. Dependabot alerts
B. Code scanning
C. Push protection
D. Secret scanning
Answer: D

Secret scanning detects secrets in repositories.

Why this answer

Option D is correct because secret scanning detects and alerts on secrets in repositories. Option A is wrong because Dependabot handles dependency vulnerabilities. Option B is wrong because code scanning finds code vulnerabilities.

Option C is wrong because push protection is a separate setting that blocks pushes containing secrets, but the broader feature is secret scanning.

7
MCQ · medium

Refer to the exhibit. Your organization has configured an Azure DevOps pipeline security setting that enforces a required template for all pipelines deploying to production and staging. The required template 'security-validation.yml' runs a series of security scans and compliance checks. A developer creates a new pipeline that deploys to a test environment, but the pipeline does not reference the required template. What will happen?

A. The pipeline will run normally because the required template enforcement only applies to production and staging environments.
B. The pipeline will run but the security scans will be automatically injected.
C. The pipeline will fail because it does not reference the required template.
D. The pipeline will prompt the developer to add the required template before running.
Answer: A

The enforcement scope is limited to production and staging, so test pipelines are not affected.

Why this answer

The required template enforcement is scoped to 'production' and 'staging' environments. Pipelines targeting other environments like 'test' are not required to use the template. The pipeline will run without the security template.

It will not be blocked or fail unless it explicitly targets production or staging.

8
MCQ · medium

Your organization uses Azure DevOps to manage CI/CD pipelines. The security team requires that all pipeline runs use a specific service connection that references a managed identity in Microsoft Entra ID. However, some developers have been using personal access tokens (PATs) in their pipelines, bypassing the managed identity. What should you implement to enforce the use of the managed identity service connection?

A. Configure a branch policy on the main branch to require a specific service connection.
B. Use a pipeline decorator to validate the service connection and fail the pipeline if an unauthorized connection is used.
C. Restrict the use of PATs by setting an agent pool-level permission.
D. Store the service connection ID in a variable group and reference it in each pipeline.
Answer: B

Pipeline decorators run before every job and can enforce security rules, such as requiring a specific service connection.

Why this answer

Azure DevOps pipeline decorators can inject a task at the beginning of every pipeline to validate that only approved service connections are used, rejecting pipelines that use PATs or other unauthorized connections. Branch policies protect branches but don't control service connection usage. Agent pools and variable groups don't enforce service connection selection.

9
Drag & Drop · medium

Drag and drop the steps to configure Azure Monitor alerts for application performance into the correct order.


Why this order

Alert setup begins with enabling monitoring, then creating the alert rule, setting its condition, configuring action groups, and finally testing the alert.

10
MCQ · easy

Your organization uses Microsoft Purview to classify and protect sensitive data. You need to ensure that source code in Azure DevOps repositories containing credit card numbers is detected and flagged. What should you configure?

A. Create a Data Loss Prevention (DLP) policy in Microsoft 365.
B. Set up Microsoft Sentinel to monitor Azure DevOps logs.
C. Configure a Microsoft Purview Data Classification scan for Azure DevOps repositories.
D. Enable Microsoft Defender for Cloud to scan repositories.
Answer: C

Purview can scan repos for sensitive data.

Why this answer

Option C is correct because Microsoft Purview Data Classification can scan repositories for sensitive data using built-in or custom sensitive information types. Option A is incorrect because DLP policies are for endpoints, not repositories. Option B is incorrect because Microsoft Sentinel is a SIEM.

Option D is incorrect because Microsoft Defender for Cloud is for cloud security posture.

11
MCQ · hard

You are reviewing an Azure Policy assignment in a DevOps environment. The exhibit shows the policy assignment JSON. The policy set includes the built-in policy 'Allowed Locations' with effect Deny. During a pipeline deployment, a resource creation fails with a policy violation error. The resource being deployed is a storage account in the 'centralus' region. What is the most likely reason for the failure?

A. The policy assignment is misconfigured because it does not specify a policy set definition.
B. The resource being deployed is in a region that is not allowed by the policy assignment parameters.
C. The resource group is located in a region that overrides the policy assignment.
D. The policy set definition does not include the 'Allowed Locations' policy.
Answer: B

The allowedLocations parameter only includes eastus and westus, so centralus is denied.

Why this answer

The policy assignment includes the built-in 'Allowed Locations' policy with the Deny effect. The resource being deployed (a storage account) is in the 'centralus' region, but the policy assignment parameters likely specify a list of allowed regions that does not include 'centralus'. Since the Deny effect prevents any non-compliant resource creation, the deployment fails with a policy violation error.

This is the most direct and common cause of such failures in Azure Policy.

Exam trap

The trap here is that candidates may assume the resource group's location influences policy evaluation, but Azure Policy evaluates each resource's location independently, and the resource group's location is irrelevant unless explicitly referenced in the policy rule.

How to eliminate wrong answers

Option A is wrong because the exhibit shows the policy assignment JSON includes a 'policySetDefinitionId' field, so the assignment is correctly linked to a policy set definition. Option C is wrong because the resource group's location does not override a policy assignment; Azure Policy evaluates resources individually based on the policy rules, not the resource group's location. Option D is wrong because the policy set definition explicitly includes the 'Allowed Locations' policy, as shown in the exhibit's 'policyDefinitions' array.

12
MCQ · medium

Your team uses GitHub for source control and GitHub Actions for CI/CD. Security policy requires that all code changes must be signed by a verified contributor using a GPG key. You need to enforce this requirement at the organization level. However, some developers use SSH keys for authentication, and you want to allow them to continue. What should you do?

A. In GitHub organization settings, enable 'Require signed commits' and 'Require SSH keys for authentication'.
B. Enforce S/MIME signing via Microsoft Entra ID Conditional Access.
C. Add a branch protection rule for the default branch requiring signed commits.
D. Configure a GitHub Action that rejects unsigned commits in CI.
Answer: A

Org-wide setting enforces signed commits; SSH keys are allowed.

Why this answer

Option A is correct because enabling 'Require signed commits' on the organization enforces GPG signing; requiring SSH keys is a separate setting, since SSH keys are for authentication, not signing. Option C is wrong because branch protection rules only apply per branch, not org-wide.

Option B is wrong because Conditional Access governs sign-in, not commit signing. Option D is wrong because a CI check is not an organization-level enforcement.

13
Multi-Select · hard

Your organization uses Azure Key Vault to store secrets and certificates used in Azure Pipelines. You need to implement a security and compliance plan that ensures secrets are rotated automatically and access is audited. Which THREE actions should you take?

Select 3 answers
A. Enable soft-delete and purge protection on the Key Vault.
B. Use a resource lock on the Key Vault to prevent deletion.
C. Use a Key Vault access policy to grant developers full access.
D. Use Managed Identity to authenticate Azure Pipelines to Key Vault.
E. Configure Key Vault certificate auto-rotation with a specified lifetime.
Answers: A, D, E

Soft-delete and purge protection are critical for compliance to recover deleted secrets and prevent permanent loss.

Why this answer

Key Vault supports automatic certificate rotation with expiration dates. Soft-delete and purge protection prevent permanent deletion. Managed identities allow pipelines to access Key Vault without secrets in code.

Resource locks prevent accidental deletion but not rotation or auditing. Access policies or RBAC control access but don't enable rotation.

14
MCQ · medium

Your organization uses Microsoft Defender XDR to secure Azure DevOps pipelines. You need to ensure that any build pipeline triggered by a pull request automatically runs a security scan and fails if critical vulnerabilities are found. What should you configure?

A. Code scanning alerts in GitHub
B. Azure Policy for Pipelines
C. Branch protection rule with required status check
D. Pipeline security gate
Answer: C

Branch protection rules can enforce that a security scan pipeline passes before merging.

Why this answer

Option C (Branch protection rule with status check) is correct because you can add a required status check that runs a security scan pipeline, and the PR cannot be merged if the check fails. Option B is for Azure resources, not pipelines. Option A is for code scanning in GitHub, not Azure Pipelines.

Option D is not a real feature.

15
MCQ · medium

Your company uses Microsoft Sentinel for security monitoring. Azure DevOps pipelines deploy resources to production. You need to create an automated response that triggers when Sentinel detects a high-severity alert related to unauthorized pipeline changes. The response should temporarily disable the service connection used by the pipeline and notify the security team. What should you do?

A. Configure a Sentinel analytics rule with the alert and use automated response to send an email.
B. Set up an Azure DevOps service hook that triggers on pipeline events.
C. Use Azure Policy to deny changes to service connections.
D. Create a Sentinel playbook using Azure Logic Apps that calls the Azure DevOps REST API to update the service connection status.
Answer: D

Playbook can disable the service connection and notify.

Why this answer

Option D is correct because Sentinel playbooks (based on Logic Apps) can automate responses, including disabling service connections via the Azure DevOps REST API. Option A is wrong because alerts alone don't run actions. Option B is wrong because service hooks trigger on events, not Sentinel alerts.

Option C is wrong because Azure Policy can't disable service connections.

16
MCQ · hard

You are evaluating an Azure Policy assignment for Azure Pipelines. What does this policy audit?

A. Whether secure files are rotated within 90 days
B. Whether pipelines use secure files with extensions other than .pfx, .p12, or .cer
C. Whether secure files are encrypted at rest
D. Whether secure files are used in production pipelines
Answer: B

The policy audits for allowed file extensions.

Why this answer

Option B is correct because the policy audits that only specific secure file extensions are allowed. Option A is wrong because the policy does not check rotation. Option C is wrong because it does not require encryption.

Option D is wrong because it does not restrict pipeline use.

17
MCQ · hard

Your company uses GitHub Enterprise and wants to implement a secret scanning policy to detect and block secrets (e.g., API keys) in code pushes. The policy must allow exceptions for test repositories that use fake secrets. What is the recommended approach?

A. Use a pre-commit hook to detect secrets and allow developers to bypass it.
B. Implement a GitHub Actions workflow that scans for secrets and fails the push.
C. Enable secret scanning for all repositories, then manually disable it for test repositories.
D. Configure secret scanning with custom patterns and use the 'secret_scanning_push_protection' setting with an allow-list for test repositories.
Answer: D

This allows exceptions while blocking real secrets.

Why this answer

Option D is correct because GitHub secret scanning can be configured with custom patterns and allow-listed repositories. Option C is incorrect because disabling it for test repos would be manual and not scalable. Option A is incorrect because pre-commit hooks are client-side and not enforceable server-side.

Option B is incorrect because GitHub Actions cannot directly block pushes; secret scanning is a separate feature.

18
MCQ · easy

Your organization uses Microsoft Defender for Cloud to monitor Azure resources. The compliance team needs to ensure that all Azure DevOps projects have their pipelines scanned for security issues before deployment. Which integration should you use?

A. Configure branch policies in Azure Repos to require a security scan.
B. Enable GitHub Advanced Security for Azure DevOps in Microsoft Defender for Cloud.
C. Configure deployment gates in Azure Pipelines to require a security scan.
D. Use Azure Policy to enforce scanning on Azure DevOps pipelines.
Answer: B

This integration provides code scanning and secret scanning for Azure DevOps pipelines and repos.

Why this answer

Microsoft Defender for Cloud can integrate with Azure DevOps via the GitHub Advanced Security for Azure DevOps feature (now part of Defender for Cloud), which enables code scanning, secret scanning, and dependency scanning in Azure Repos and pipelines. Defender for Cloud does not directly manage branch policies, service connections, or deployment gates.

19
MCQ · medium

You need to implement a compliance framework that ensures Azure Pipelines build agents are always patched with the latest security updates. What should you use?

A. Azure Update Management to schedule patching
B. Azure VM Image Builder to create patched images
C. Azure Policy to enforce that agents must be patched
D. Azure Automation State Configuration to enforce desired state
Answer: A

Azure Update Management can schedule patching for VMs.

Why this answer

Option A is correct because Azure Update Management can patch VMs used as build agents. Option B is wrong because VM Image Builder creates images but doesn't patch running agents. Option C is wrong because Azure Policy evaluates compliance but doesn't apply patches.

Option D is wrong because Azure Automation State Configuration applies desired state configuration but is not primarily for patching.

20
MCQ · medium

You are designing a compliance plan for Azure DevOps. The compliance officer requires that all changes to build pipelines are audited and cannot be reverted without approval. What should you implement?

A. Enable Azure DevOps audit logs
B. Store pipeline YAML in a repository with branch policies
C. Use release approval gates
D. Set pipeline retention policies
Answer: B

Branch policies require approvals for changes to the pipeline definition.

Why this answer

Option B is correct because, although Azure DevOps audit logs track changes, preventing unauthorized reverts requires branch policies on the branch that holds the pipeline definition. Option A is wrong because audit logs only record events; they don't prevent reverts. Option C is wrong because approval gates are for releases, not pipeline changes.

Option D is wrong because retention settings don't prevent reverts.

21
MCQ · hard

You are deploying a web app to Azure App Service using Azure Pipelines. The security team requires that all secrets are stored in Azure Key Vault and retrieved at deployment time. What is the best approach?

A. Add an Azure Key Vault task in the pipeline to download secrets
B. Store secrets in pipeline variables and mark them as secret
C. Use Variable Groups linked to Key Vault
D. Reference Key Vault secrets directly in App Service configuration
Answer: A

This retrieves secrets directly from Key Vault during the pipeline run.

Why this answer

Option A is correct because a Key Vault task in the pipeline retrieves secrets and makes them available as variables. Option B is wrong because it does not integrate with Key Vault and stores secrets in the pipeline library instead. Option C is wrong because it links a variable group rather than retrieving secrets directly from Key Vault during the pipeline run.

Option D is wrong because it relies on App Service configuration, not pipeline retrieval.

22
Multi-Select · medium

Which THREE measures should you implement to protect secrets (e.g., API keys, passwords) used in Azure Pipelines?

Select 3 answers
A. Store secrets as plain text in a secure Git repo with restricted access
B. Mark variables as 'Secret' in pipeline YAML or UI definitions
C. Use environment variables in the pipeline to pass secrets at runtime
D. Use service connections with managed identity instead of personal access tokens
E. Store secrets in Azure Key Vault and reference them via a Key Vault task
Answers: B, D, E

Secret variables are masked in logs and output.

Why this answer

Options B, D, and E are correct. Option E (store secrets in Azure Key Vault) is a best practice. Option B (mark variables as 'Secret' in pipeline definitions) prevents secrets from being exposed in logs.

Option D (use service connections with managed identity instead of personal access tokens) reduces secret exposure. Option A is wrong because storing secrets in Git is insecure. Option C is wrong because environment variables are not encrypted by default.

23
MCQ · medium

Your organization uses GitHub Actions for CI/CD. The security team requires that all workflows are stored in a central repository and that only approved actions can be used. What should you implement?

A. Configure the repository to use only self-hosted runners.
B. Store all workflows in a central repository and use branch protection rules.
C. In the organization settings, configure the 'Actions permissions' to 'Allow specified actions' and add the approved actions to the allow list.
D. Enable 'Allow GitHub Actions to create and approve pull requests' in the repository settings.
Answer: C

This restricts workflows to only use actions from the allow list, enforcing security.

Why this answer

GitHub Actions allow you to restrict actions to only those in a specific organization or marketplace list via the 'Allow specified actions' policy. Setting 'Allow GitHub Actions to create and approve pull requests' is not relevant. Using reusable workflows in a central repository ensures standardization, but to restrict actions, you need the allow list policy.

Self-hosted runners do not enforce which actions are used.

24
MCQ · hard

Your company is deploying Azure DevOps pipelines for a critical financial application. Compliance requires that all pipeline runs are immutable and auditable. You must ensure that once a pipeline completes, its logs, artifacts, and test results cannot be modified or deleted by anyone, including administrators, for 7 years. You also need to prevent any pipeline runs from being deleted. Azure DevOps retention policies are currently set to 30 days. What should you do?

A. Use Azure Policy to enforce immutability on the storage account backing Azure DevOps artifacts, and set pipeline retention policy to 9999 days.
B. Assign the 'Project Collection Administrators' group a custom role that denies delete permissions.
C. Set branch policies to require approval before any deletion.
D. Configure Azure DevOps to export all logs to Azure Log Analytics with a 7-year retention.
Answer: A

Azure Policy enforces immutability; long retention prevents deletion.

Why this answer

Option A is correct because Azure Policy can enforce retention locks on storage containers used by Azure DevOps pipelines, making logs immutable. Additionally, setting the retention policy to the maximum (9999 days) ensures runs are not deleted. Option D is wrong because exporting to Log Analytics doesn't prevent deletion.

Option C is wrong because branch policies don't affect retention. Option B is wrong because it does not change the short retention period, so runs are still deleted.

25
MCQ · medium

Your team uses Azure DevOps and wants to enforce branch protection policies for all repositories in a GitHub Advanced Security-enabled organization. Which approach should you use to ensure that pull requests require a successful status check from a required workflow?

A. Use GitHub Actions secrets to store the required status check name.
B. Define a repository rule in GitHub that requires a successful status check from a required workflow.
C. Create a branch protection rule in each repository's settings.
D. Configure branch policies in Azure DevOps project settings.
Answer: B

GitHub repository rules can enforce branch protection policies across repositories in an organization.

Why this answer

Option B is correct because GitHub repository rules allow you to define branch protection policies that require status checks, including required workflows. Option D is wrong because Azure DevOps branch policies are for Azure Repos, not GitHub. Option A is wrong because GitHub Actions secrets are for storing sensitive data, not for branch policies.

Option C is wrong because branch protection rules in GitHub are per-repository, whereas repository rules allow organization-wide enforcement.

26
Multi-Select · hard

Which TWO actions should you take to ensure that Azure Pipelines artifacts are securely stored and access is audited?

Select 2 answers
A. Configure the storage account firewall to only allow access from Azure Pipelines IP ranges
B. Use Azure Policy to enforce that artifacts are only deployed to production storage accounts
C. Enable Azure Artifacts retention policies to automatically delete old artifact versions
D. Enable customer-managed keys (CMK) for artifact encryption
E. Configure audit logging for artifact downloads via Azure DevOps audit logs
Answers: C, E

Retention policies minimize the risk of old artifacts being compromised.

Why this answer

Options C and E are correct. Option C (enable Azure Artifacts retention policies) ensures old artifacts are removed, reducing attack surface. Option E (configure audit logging for artifact downloads) provides an audit trail.

Option A is wrong because Azure Pipelines does not support a storage account firewall for artifacts. Option D is wrong because artifacts are already encrypted at rest. Option B is wrong because artifacts are not deployed to production via storage accounts.

27
MCQ · medium

Your team uses Azure Pipelines to deploy a web app to Azure App Service. You need to ensure that secrets (e.g., connection strings) are not exposed in the pipeline logs. What is the recommended approach?

A. Remove all logging from the pipeline.
B. Use secret pipeline variables and reference them in the pipeline.
C. Store secrets in Azure Key Vault and retrieve them in the pipeline, then log them for debugging.
D. Store secrets as environment variables in the pipeline.
Answer: B

Secret variables are masked in logs.

Why this answer

Option B is correct because Azure Pipelines allows you to mark variables as 'secret' to mask them in logs. Option D is incorrect because environment variables can still be logged. Option C is incorrect because Key Vault stores secrets securely, but secrets that are logged are still exposed.

Option A is incorrect because removing logging is not practical.

28
Multi-Select · medium

Your organization is implementing a security compliance plan for Azure DevOps. Which TWO actions help enforce the principle of least privilege?

Select 2 answers
A. Allow all team members to edit security permissions
B. Use Azure DevOps security groups to grant minimal permissions
C. Use built-in roles without customizing
D. Restrict who can create new agent pools to a small admin team
E. Grant Project Collection Administrators group to all developers
Answers: B, D

This follows least privilege by granting only necessary permissions.

Why this answer

Options B and D are correct. Option B limits access to only what is needed. Option D restricts administrative roles.

Option A is wrong because it grants more permissions. Option E is wrong because it broadens access. Option C is wrong because it does not enforce least privilege.

29
Multi-Select · hard

Which TWO actions should you take to ensure that Azure Pipelines artifacts are scanned for vulnerabilities before production deployment? (Choose two.)

Select 2 answers
A. Run dependency scanning on the artifact manifest
B. Sign the artifacts with a code signing certificate
C. Use Microsoft Defender for Cloud to scan the artifact during the pipeline
D. Scan the infrastructure as code templates
E. Run static code analysis on the source code
Answers: A, C

Dependency scanning detects known vulnerabilities in dependencies.

Why this answer

Options A and C are correct. Option A: dependency scanning identifies vulnerabilities in dependencies. Option C: incorporating Microsoft Defender for Cloud scanning into the pipeline scans container images and other artifacts.

Option B is wrong because code signing ensures integrity but not vulnerability scanning. Option E is wrong because static analysis finds code issues, not artifact vulnerabilities. Option D is wrong because infrastructure scanning is for IaC, not artifacts.

30
MCQ · medium

Your organization requires compliance with SOC 2 and needs to audit all changes to Azure Pipelines. What should you enable?

A. Azure Policy
B. Microsoft Purview
C. Azure Blueprints
D. Azure DevOps audit logs
Answer: D

Audit logs track changes to pipelines and other resources.

Why this answer

Option D is correct because Azure DevOps audit logs capture pipeline changes and can be exported for compliance. Option A is wrong because Azure Policy enforces governance, not auditing. Option B is wrong because Microsoft Purview is for data governance.

Option C is wrong because Azure Blueprints are deprecated.

31
MCQ · hard

Your team uses GitHub Actions for CI/CD and must ensure that only approved contributors can merge code to the main branch. You need to enforce a policy where every pull request must be reviewed by at least two members of the security team. Which branch protection rule should you configure?

A. Require pull request reviews before merging
B. Require status checks to pass before merging
C. Dismiss stale pull request approvals
D. Require a minimum number of reviewers
Answer: D

This enforces at least two reviewers from the security team.

Why this answer

Option D is correct because 'Require a minimum number of reviewers' enforces that at least two reviewers approve before merging. Option A is wrong because 'Require pull request reviews before merging' alone doesn't specify the number of reviewers. Option B is wrong because 'Require status checks' requires CI checks, not reviews.

Option C is wrong because 'Dismiss stale pull request approvals' deals with re-review when new commits are pushed.

32
MCQhard

Your company uses Azure DevOps and must comply with SOC 2. The auditor requires proof that all production deployments went through a change management process with approval. What should you implement?

A.Use branch policies to require pull request approvals
B.Set pipeline retention policies to keep deployment records
C.Enable audit logging for all pipelines
D.Configure release approval gates in Azure Pipelines
AnswerD

Approval gates enforce a formal approval step before deployment.

Why this answer

Option D is correct because release approval gates provide a formal approval process before deployment. Option A is wrong because branch policies control code changes, not deployments. Option B is wrong because pipeline retention policies control artifact storage.

Option C is wrong because audit logs record events but don't enforce approval.

33
MCQeasy

Your organization uses Microsoft Entra ID. You want to ensure that only users from specific countries can access Azure DevOps. Which security feature should you configure?

A.Microsoft Entra ID Conditional Access policies
B.Azure Network Security Group (NSG) rules
C.Azure DevOps security groups with allowed IP ranges
D.Microsoft Intune compliance policies
AnswerA

Conditional Access can restrict access based on location.

Why this answer

Option A is correct because Conditional Access policies in Microsoft Entra ID can restrict access based on location. Option B is wrong because network security groups are for network traffic, not user access. Option C is wrong because Azure DevOps permissions are not geo-aware.

Option D is wrong because Microsoft Intune manages devices, not user location access.

34
Multi-Selecthard

Your company uses GitHub and must comply with data residency requirements. Which THREE actions should you take to ensure data stays within a specific geographic region?

Select 3 answers
A.Use self-hosted runners in the desired region
B.Use GitHub Enterprise Cloud with data residency add-on
C.Enable GitHub Actions for all repositories
D.Enable push protection for secrets
E.Configure repository visibility and storage location in GitHub settings
AnswersA, B, E

Self-hosted runners keep data within the region.

Why this answer

Options A, B, and E are correct. Option A uses a region-specific runner. Option B uses GitHub Enterprise Cloud with data residency. Option E configures the repository to a specific region.

Option C is wrong because GitHub Actions does not restrict data storage by region. Option D is wrong because push protection does not affect data residency.

35
MCQmedium

Your organization uses Microsoft Purview to manage sensitive data in Azure DevOps repositories. The compliance team needs to automatically classify and label source code that contains personally identifiable information (PII). Which solution should you use?

A.Use Azure Policy to enforce PII labeling on repositories.
B.Use Microsoft Purview Information Protection to automatically scan and label repositories.
C.Use Microsoft Sentinel to detect PII in repositories.
D.Use Microsoft Defender for Cloud to scan for PII.
AnswerB

Purview Information Protection can automatically classify and label sensitive data in source code.

Why this answer

Microsoft Purview Information Protection can automatically classify and label sensitive data, including source code. Microsoft Sentinel is for security information and event management, not classification. Microsoft Defender for Cloud is for cloud security posture management.

Azure Policy enforces rules on Azure resources, not on source code content.

36
MCQeasy

Your team uses Azure Pipelines to deploy to multiple environments. You need to ensure that deployment to the production environment requires approval from the security team. What should you configure?

A.Add a branch policy to the production branch
B.Add an environment approval check for the production environment
C.Use a condition in the YAML pipeline to check a variable
D.Configure a service connection with restricted permissions
AnswerB

Environment approvals require designated users to approve the deployment.

Why this answer

Option B is correct because Azure Pipelines environment approvals allow you to require manual approval before deployment. Option A is wrong because branch policies apply to code changes, not deployments. Option C is wrong because YAML conditions are for runtime decisions, not manual approval.

Option D is wrong because service connections manage credentials, not approvals.

37
Multi-Selecthard

You are designing a security compliance plan for a GitHub Enterprise environment. Which THREE practices should you implement? (Select THREE.)

Select 3 answers
A.Disable two-factor authentication for automation accounts
B.Allow repository admins to bypass branch protection rules
C.Configure branch protection rules to require pull request reviews
D.Enable Dependabot alerts for dependency vulnerability monitoring
E.Enable secret scanning to detect accidental credential commits
AnswersC, D, E

Branch protection rules enforce code quality and review processes.

Why this answer

Options C, D, and E are correct. C: Branch protection rules enforce code review and status checks. D: Dependabot alerts help manage vulnerabilities in dependencies.

E: Secret scanning detects exposed secrets. Option A is wrong because disabling 2FA is insecure. Option B is wrong because allowing admins to bypass policies undermines compliance.

38
Multi-Selectmedium

Your organization uses Azure DevOps and Azure Policy to enforce compliance. You need to ensure that all Azure resources deployed by Azure DevOps pipelines have specific tags (e.g., CostCenter and Environment) applied. Which TWO approaches can achieve this? (Choose TWO.)

Select 2 answers
A.Configure the service connection to only allow deployments with tags.
B.Create an Azure Policy with the 'audit' effect to report non-compliant resources.
C.Create an Azure Policy with the 'deny' effect that requires the tags to be present at resource creation.
D.Add a pipeline task after resource creation that applies the required tags using Azure CLI or PowerShell.
E.Configure a branch policy on the main branch to require tag verification in pull requests.
AnswersC, D

Deny policy blocks deployment of non-compliant resources.

Why this answer

Option C is correct because an Azure Policy with the 'deny' effect prevents the creation of any resource that does not include the required tags (e.g., CostCenter and Environment). This enforces compliance at the moment of deployment, blocking non-compliant resources from being provisioned by Azure DevOps pipelines. Option D is correct because adding a pipeline task (using Azure CLI or PowerShell) after resource creation programmatically applies the required tags, ensuring resources are tagged even if the initial deployment omitted them.

Exam trap

The trap here is that candidates often confuse Azure Policy effects (audit vs. deny) and overlook that a post-deployment task can also enforce tagging, leading them to select only the deny policy or incorrectly choose audit as a compliance enforcement mechanism.

39
MCQhard

Your organization uses Azure DevOps and wants to enforce that all pipelines use a specific set of approved tasks. How can you achieve this?

A.Use the task restrictions feature in Azure DevOps to block unapproved tasks
B.Assign permissions to the task group to limit who can add tasks
C.Create a YAML template with the approved tasks and require all pipelines to use it
D.Configure a service hook to notify when an unapproved task is used
AnswerA

Task restrictions can block or warn on unapproved tasks at the organization level.

Why this answer

Option A is correct because Azure DevOps allows you to mark tasks as deprecated or use built-in task restrictions. Option B is wrong because permissions control access, not task selection. Option C is wrong because YAML templates do not enforce task usage.

Option D is wrong because notifications do not enforce rules.

40
MCQmedium

You are designing a security compliance plan for Azure Pipelines. The plan must ensure that no pipeline can use variables containing secrets unless those variables are stored in Azure Key Vault and referenced via a variable group linked to Key Vault. What is the best way to enforce this across all pipelines in an Azure DevOps organization?

A.Create a YAML template that mandates the use of Key Vault references.
B.Implement an Azure Policy that audits variable groups and requires Key Vault integration.
C.Require manual approval for all pipeline runs that use variables.
D.Use branch policies to prevent merging code that contains secrets.
AnswerB

Azure Policy can enforce compliance across all Azure DevOps resources.

Why this answer

Option B is correct because using Azure Policy to audit and enforce Key Vault usage in variable groups ensures compliance across the organization. Option A is wrong because YAML templates can be bypassed. Option C is wrong because manual reviews are not scalable.

Option D is wrong because branch policies do not control variable usage.

41
MCQmedium

Your team uses Azure Pipelines to deploy to Azure Kubernetes Service (AKS). The security team requires that all container images be scanned for vulnerabilities before deployment. You have configured a container registry with Microsoft Defender for Cloud integration. What should you add to your pipeline to ensure only compliant images are deployed?

A.Set up Azure Policy to deny deployments of images without scan results.
B.Add a task that runs a vulnerability scan on the image after deployment.
C.Configure the AKS cluster to scan images after pulling.
D.Use the 'Azure Container Registry' task with the 'Scan' option to check vulnerabilities and fail the pipeline if critical vulnerabilities exist.
AnswerD

This blocks non-compliant images before deployment.

Why this answer

Option D is correct because you can use the 'ACR Task' or a script to check scan results before deployment. Option A is incorrect because security policies in Azure Policy can block non-compliant resources but are not pipeline-level. Option B is incorrect because scanning the running container after deployment is too late.

Option C is incorrect because scanning at the cluster after the pull is not done at build time by default.

42
MCQhard

Refer to the exhibit. You run a KQL query in Microsoft Sentinel to audit Azure Container Registry login failures. The result shows 15 failed push attempts to the 'contoso/webapp' repository and 3 failed pull attempts to 'contoso/api'. What is the most likely security implication?

A.The audit logs are not enabled for the container registry.
B.The container registry is misconfigured and allowing anonymous pushes.
C.The 'contoso/api' repository has been successfully pulled by an unauthorized user.
D.An attacker is attempting to push malicious images to the 'contoso/webapp' repository.
AnswerD

Multiple failed push attempts are a sign of unauthorized access attempts.

Why this answer

Multiple failed push attempts could indicate an attacker trying to push malicious images. Failed pulls are less concerning. The query does not show successful pushes.

The failures are not necessarily due to misconfiguration; they are authentication failures. Audit logs are already enabled, and RBAC assignment is a mitigation, not the most likely implication.

43
Multi-Selecteasy

Which TWO tools can be used to enforce branch protection policies in GitHub repositories? (Choose two.)

Select 2 answers
A.Azure Pipelines branch policies
B.Microsoft Intune compliance policies
C.GitHub branch protection rules
D.Microsoft Purview data classification
E.GitHub Actions workflows
AnswersA, C

Azure Pipelines can enforce branch policies on GitHub repositories.

Why this answer

Options A and C are correct. Option A: Azure Pipelines can enforce policies via branch policy checks. Option C: GitHub branch protection rules are built-in.

Option B is wrong because Microsoft Intune manages devices. Option D is wrong because Microsoft Purview is for data governance. Option E is wrong because GitHub Actions can run checks but not enforce policies.

44
MCQmedium

You receive a GitHub Dependabot alert as shown. The repository 'my-app' is internal. What is the best immediate action to mitigate the risk?

A.Dismiss the alert as it is a false positive
B.Create a private fork of the repository
C.Enable secret scanning on the repository
D.Update the lodash dependency to the latest patched version
AnswerD

This directly fixes the vulnerability.

Why this answer

Option D is correct because updating the dependency to a patched version is the best mitigation. Option A is wrong because dismissing the alert ignores the risk. Option B is wrong because creating a private fork does not fix the vulnerability.

Option C is wrong because enabling secret scanning does not address dependency vulnerabilities.

45
MCQmedium

You are designing a compliance strategy for Azure DevOps pipelines that deploy to production. The company policy requires that all production deployments must be reviewed by a security lead. Additionally, the deployment must use a specific release pipeline that has been pre-approved. How should you implement this?

A.Create a branch policy that requires the security lead to approve the pull request before merging.
B.Define a 'production' environment in Azure DevOps and configure an approval check that requires the security lead. Have the pipeline deploy to that environment.
C.Use a Classic release pipeline with a pre-deployment approval gate for the production stage.
D.Store the approved pipeline definition in a variable group and reference it in all pipelines.
AnswerB

Environment approvals provide the required manual review gate.

Why this answer

Option B is correct because Azure DevOps environments allow you to define approval checks that must be satisfied before a deployment proceeds. By creating a 'production' environment and adding a pre-deployment approval check requiring the security lead, you enforce the mandatory review. The pipeline then deploys to that environment, ensuring only the pre-approved release pipeline is used.

Exam trap

The trap here is that candidates often confuse branch policies (which control code changes) with deployment approvals (which control release execution), leading them to choose Option A instead of the environment-based approval check in Option B.

How to eliminate wrong answers

Option A is wrong because a branch policy requiring pull request approval only controls code merging, not the actual deployment to production; it does not enforce a pre-approved release pipeline or a security lead review at deployment time. Option C is wrong because Classic release pipelines are legacy and do not integrate with modern YAML-based environments and their approval checks; the question implies a modern pipeline approach, and Classic pipelines lack the same granular environment-based approval controls. Option D is wrong because storing the pipeline definition in a variable group does not enforce any approval or review process; it merely centralizes configuration and does not prevent unauthorized deployments.

46
MCQeasy

Your team uses Microsoft Defender for Cloud to monitor Azure resources. You need to ensure that all Azure DevOps pipelines are scanned for security misconfigurations before deployment. Which integration should you enable?

A.Connect Azure DevOps to Microsoft Sentinel.
B.Enable the 'Defender for DevOps' integration in Microsoft Defender for Cloud.
C.Deploy Microsoft Intune policies to Azure DevOps agents.
D.Configure Microsoft Purview to scan Azure DevOps repositories.
AnswerB

This integration scans pipelines for misconfigurations.

Why this answer

Option B is correct because Microsoft Defender for Cloud can integrate with Azure DevOps to scan infrastructure as code templates. Option A is incorrect because Microsoft Sentinel is a SIEM, not a scanner. Option C is incorrect because Microsoft Intune manages devices.

Option D is incorrect because Microsoft Purview is for data governance.

47
MCQmedium

Your company is migrating from on-premises TFS to Azure DevOps Services in the cloud. The security policy mandates that all access to Azure DevOps must go through a conditional access policy that requires multi-factor authentication (MFA) for users outside the corporate network. Additionally, the policy requires that service accounts (used for automated deployments) must use device-based authentication and cannot be interactive. You are configuring Microsoft Entra ID (formerly Azure AD) conditional access. The Azure DevOps organization is connected to the corporate Entra ID tenant. You have the following options: Option A: Create a conditional access policy that applies to all users and service principals, requiring MFA for all cloud apps, and exclude the Azure DevOps app from the policy. Option B: Create a conditional access policy that targets the Azure DevOps app, grant access requiring MFA for all users, and create a separate policy for service accounts that requires device compliance. Option C: Use Azure DevOps IP address restrictions to block external traffic and rely on VPN for external users. Option D: Create a conditional access policy that applies to the Azure DevOps app, requiring MFA for all users, and exclude service accounts by user group. Then create a separate policy for service accounts that requires a compliant device. Which option best meets the requirements?

A.Create a conditional access policy that applies to all users and service principals, requiring MFA for all cloud apps, and exclude the Azure DevOps app
B.Create a conditional access policy that targets the Azure DevOps app, grant access requiring MFA for all users, and create a separate policy for service accounts that requires device compliance
C.Use Azure DevOps IP address restrictions to block external traffic and rely on VPN for external users
D.Create a conditional access policy that applies to the Azure DevOps app, requiring MFA for all users, and exclude service accounts by user group. Then create a separate policy for service accounts that requires a compliant device
AnswerD

This correctly enforces MFA for users and device compliance for service accounts.

Why this answer

Option D is correct. It correctly applies MFA to all users except service accounts, and uses device compliance for service accounts. Option A excludes the Azure DevOps app, which would not enforce MFA.

Option B applies MFA to service accounts as well, which is not allowed for automated accounts. Option C does not provide MFA and is less secure.

48
MCQhard

Refer to the exhibit. You have configured a Conditional Access policy in Microsoft Entra ID to require MFA for Azure DevOps. However, users report that they can still access Azure DevOps without MFA when using a PAT for authentication. What is the most likely reason?

A.The policy should include 'Require device to be marked as compliant'.
B.PATs are not subject to Conditional Access policies because they use legacy authentication.
C.The policy should be scoped to 'All cloud apps' instead of just Azure DevOps.
D.The Conditional Access policy is not enabled.
AnswerB

PATs are considered legacy authentication and do not satisfy the MFA requirement; they are not evaluated by Conditional Access.

Why this answer

Conditional Access policies do not apply to legacy authentication protocols or tokens like PATs. PATs are considered non-interactive and bypass device-based policies. The policy is correctly configured for interactive sessions, but PATs are not subject to the same conditions.

Enabling additional client app conditions or using a trusted location would not help. Blocking legacy authentication is a separate policy.

49
MCQeasy

Your team uses GitHub repositories and wants to ensure that all code changes are signed by a verified contributor before merging. Which branch protection rule should you enable?

A.Require signed commits
B.Require pull request reviews before merging
C.Require linear history
D.Restrict who can push to matching branches
AnswerA

This ensures commits are signed with a verified key.

Why this answer

Option A is correct because requiring signed commits ensures that only commits signed by a verified GPG or S/MIME key are accepted. Option B is wrong because it only requires pull request reviews, not commit signing. Option C is wrong because it enforces linear history, not signing.

Option D is wrong because it restricts who can push, not signing.

50
MCQmedium

Your organization uses Azure DevOps for a multi-tier web application. The application consists of a React frontend, a Node.js API, and a SQL database. The security team has mandated the following: (1) All code changes must be scanned for secrets before merging to the main branch. (2) Infrastructure-as-code templates (ARM) must be validated for security compliance before deployment. (3) Production deployments must use a service connection with a managed identity that has only the required permissions. You have set up a CI/CD pipeline with two stages: Build and Release. The Build stage runs on pull requests and the Release stage deploys to a production environment. Recently, a developer accidentally committed a secret (API key) to a configuration file. The secret was not caught by the pipeline, and the code was merged to main. You need to prevent this in the future. What should you do?

A.Configure a branch policy to require at least two reviewers on pull requests to the main branch.
B.Implement a manual approval gate on the Release stage to review each deployment for secrets.
C.Use a pipeline decorator to inject a validation step that runs Azure Policy on the code repository.
D.Add a 'Credential Scanner' task to the Build pipeline and configure it to fail the build if any secrets are found. Also, move all secrets to Azure Key Vault and reference them via variable groups.
AnswerD

Automated secret scanning prevents secrets from being merged, and Key Vault centralizes secret management.

Why this answer

Option D is correct because it directly addresses the root cause: secrets were not being scanned before merge. The Credential Scanner task (part of Microsoft Security Code Analysis) scans for hardcoded secrets and can fail the build, preventing the merge. Moving secrets to Azure Key Vault and referencing them via variable groups (linked to the vault) ensures secrets are never stored in the repository, eliminating the risk of accidental commits.

Exam trap

The trap here is that candidates may confuse Azure Policy (which governs Azure resource compliance) with code scanning tools, or mistakenly think that manual reviews or approval gates are sufficient to catch secrets before merge, when automated scanning is required by the mandate.

How to eliminate wrong answers

Option A is wrong because requiring two reviewers does not prevent a secret from being committed; reviewers may not catch a secret in a configuration file. Option B is wrong because a manual approval gate on the Release stage only catches secrets after they have already been merged to main, which violates the mandate to scan before merging. Option C is wrong because Azure Policy is used for governance of Azure resources (e.g., ARM template compliance), not for scanning code repositories for secrets; a pipeline decorator cannot run Azure Policy on a Git repository.

51
MCQhard

Your company uses GitHub and wants to implement a compliance framework that requires signed commits for all repositories. Developers use various IDEs and Git clients. What is the best way to enforce signed commits across the organization?

A.Set the repository to 'Require pull request reviews before merging' and rely on reviewers to check commit signatures.
B.Ask developers to configure GPG keys and sign commits manually.
C.Enable 'Require signed commits' in the branch protection rules for the default branch.
D.Use a GitHub Action that fails if commits are unsigned.
AnswerC

This enforces signed commits on the branch.

Why this answer

Option C is correct because GitHub allows repository administrators to enable 'Require signed commits' in branch protection rules. Option A is incorrect because it is not enforceable; commits can be unsigned. Option B is incorrect because it only encourages, not enforces.

Option D is incorrect because it does not enforce signing.

52
MCQeasy

Your team uses GitHub and wants to automatically detect exposed credentials in code. Which GitHub feature should you enable?

A.Code scanning.
B.Dependabot.
C.Secret scanning.
D.GitHub Actions.
AnswerC

Secret scanning detects secrets like API keys and tokens.

Why this answer

Option C is correct because secret scanning detects credentials and other secrets in repositories. Option A is wrong because code scanning finds code quality issues. Option B is wrong because Dependabot handles dependency vulnerabilities.

Option D is wrong because GitHub Actions is for CI/CD, not scanning for secrets.

53
MCQhard

A financial services company uses Azure DevOps and requires that all secrets (e.g., API keys, connection strings) be stored in Azure Key Vault. They have a pipeline that runs automated tests and deploys to staging. The pipeline uses a variable group linked to Key Vault to retrieve secrets. Recently, the pipeline failed with the error: 'Secret 'DbPassword' not found in Key Vault 'kv-prod'. Ensure the secret exists and the service principal has List permission.' The secret exists in the vault. What is the most likely cause?

A.The variable group is linked to the wrong Key Vault instance.
B.The variable name in the variable group does not exactly match the secret name in Key Vault (case-sensitive).
C.The service principal does not have Get permission on the secret.
D.The Key Vault is in a different Azure region than the Azure DevOps organization.
AnswerB

Azure DevOps maps variable names to secret names, and the match is case-sensitive.

Why this answer

Option B is correct because variable groups linked to Azure Key Vault in Azure DevOps require an exact case-sensitive match between the variable name in the variable group and the secret name in Key Vault. Even though the secret 'DbPassword' exists in the vault, if the variable group defines the variable as 'dbpassword' or 'DBPassword', the lookup will fail with the 'not found' error. The error message explicitly states the secret was not found, which is the typical symptom of a case mismatch, not a permissions or connectivity issue.

Exam trap

The trap here is that candidates assume the error 'secret not found' always means the secret is missing or permissions are wrong, but Azure DevOps specifically tests the case-sensitive mapping between variable group variable names and Key Vault secret names, which is a subtle but critical detail.

How to eliminate wrong answers

Option A is wrong because the error message specifically names Key Vault 'kv-prod', indicating the pipeline is targeting that vault; if the variable group were linked to a different vault, the error would reference that other vault's name. Option C is wrong because the error message mentions 'List permission', not 'Get permission'; the service principal must have both Get and List permissions on secrets, but the error explicitly says 'List permission' is required, and the secret exists, so the issue is not a missing Get permission. Option D is wrong because Azure Key Vault and Azure DevOps can operate across different Azure regions without any impact on secret retrieval; region mismatch does not cause 'secret not found' errors.

54
Multi-Selecteasy

Which TWO compliance frameworks are directly supported by Microsoft Purview Compliance Manager for Azure DevOps?

Select 2 answers
A.ISO 27001
B.HIPAA
C.PCI DSS
D.FedRAMP High
E.SOC 2
AnswersA, E

ISO 27001 is a standard template in Purview Compliance Manager.

Why this answer

Options A and E are correct. Option A (ISO 27001) and Option E (SOC 2) are included in Purview Compliance Manager templates. Option B (HIPAA) is not directly mapped to Azure DevOps in Purview.

Option C (PCI DSS) is not directly mapped to Azure DevOps in Purview. Option D (FedRAMP High) is for Azure infrastructure, not Azure DevOps specifically.

55
MCQhard

Your company, Contoso Ltd., is a financial services firm that must comply with PCI DSS. You manage an Azure DevOps organization with over 200 projects. Each project uses a service principal to deploy to Azure using service connections stored in library variable groups. Recently, an auditor flagged that a developer used a service principal with Contributor rights on a production subscription to accidentally delete a storage account. The developer had been granted access to the variable group containing that service principal's credentials. You are tasked with implementing a security and compliance plan to prevent this from recurring. The solution must minimize administrative overhead and follow the principle of least privilege. Current environment: All service principals are created in Azure AD and assigned to variable groups. Developers are granted 'User' access level in Azure DevOps and are members of various teams. You have the ability to create Azure AD groups and custom roles. Which course of action should you take?

A.Remove all variable groups and require developers to use their own Azure AD accounts for deployments, granting them Contributor rights only on non-production environments.
B.Require all pipeline runs that use production service connections to be approved by a security team via Azure Pipelines approval gates.
C.Implement Azure DevOps pipeline decorators to inject a security task that checks the service connection's role before each deployment, and fail the pipeline if the role is Contributor or higher.
D.Create custom Azure RBAC roles with minimal required permissions for each service principal, restrict service connections to specific pipelines using Azure DevOps security settings (e.g., 'Use' permission), and assign developers only the 'Use' permission to the service connections they need, not the variable groups containing credentials.
AnswerD

This follows least privilege and limits access to only necessary pipelines.

Why this answer

Option D is correct because it enforces the principle of least privilege by creating custom Azure RBAC roles with minimal permissions, restricting service connections to specific pipelines via Azure DevOps security settings (e.g., 'Use' permission), and assigning developers only the 'Use' permission to the service connections rather than the variable groups containing credentials. This prevents developers from directly accessing or modifying the service principal credentials, eliminating the risk of accidental or malicious use of high-privilege roles like Contributor.

Exam trap

The trap here is that candidates often confuse approval gates (Option B) as a sufficient security control, but they fail to address the root cause—excessive permissions on the service principal itself—and overlook the need to restrict access to the service connection credentials at the Azure DevOps permission level.

How to eliminate wrong answers

Option A is wrong because removing variable groups and granting developers Contributor rights on non-production environments still violates least privilege—developers should not have Contributor rights on any environment if they only need to deploy, and using their own Azure AD accounts for deployments introduces security risks like credential exposure and lack of audit separation. Option B is wrong because requiring approval gates for all pipeline runs using production service connections adds administrative overhead and does not prevent a developer from accidentally using a Contributor role in a pipeline that has been approved; it only adds a manual check, not a technical control. Option C is wrong because pipeline decorators that check the service connection's role before each deployment can be bypassed if the developer modifies the pipeline YAML or if the decorator is not applied to all pipelines; also, failing the pipeline after the role check does not prevent the service principal from having excessive permissions in the first place.

56
MCQ · medium

You are reviewing a pipeline YAML file. The variable 'prod-db-password' is stored in a variable group linked to Azure Key Vault. However, the pipeline fails with an error that the secret cannot be accessed. What is the most likely cause?

A.The YAML syntax for referencing the variable is incorrect.
B.The pipeline's authorized service principal lacks 'Get' permission on the Key Vault.
C.The variable group 'prod-variables' does not exist.
D.The secret name in Key Vault does not match 'prod-db-password'.
Answer: B

Without proper access, the pipeline cannot retrieve the secret.

Why this answer

Option B is correct because the pipeline's service principal needs permission to access the Key Vault secrets. Option A is wrong because the syntax is correct. Option C is wrong because the variable group is already linked.

Option D is wrong because the secret name in Key Vault might differ, but the error indicates an access issue.

57
MCQ · medium

You are using GitHub Advanced Security. The security team wants to prevent developers from introducing code with high-severity vulnerabilities. What is the best way to enforce this?

A.Enable Dependabot and require pull request reviews for dependency updates
B.Enable code scanning and configure a quality gate to fail PRs with high-severity alerts
C.Enable push protection for all repositories
D.Enable secret scanning and block pushes with high-confidence secrets
Answer: B

This blocks PRs with high-severity code vulnerabilities.

Why this answer

Option B is correct because code scanning with a quality gate can block PRs with high-severity findings. Option A is wrong because Dependabot focuses on dependency vulnerabilities. Option C is wrong because push protection is for secrets.

Option D is wrong because secret scanning deals with secrets.

58
Multi-Select · hard

Your organization is implementing a security compliance plan for Azure DevOps. Which TWO actions should you take to ensure that only authorized users can modify build pipelines?

Select 2 answers
A.Require all users to use Personal Access Tokens (PATs)
B.Configure branch policies to require reviews for changes to pipeline YAML files
C.Set pipeline permissions to restrict editing to specific security groups
D.Enable audit logging for all pipeline changes
E.Enable OpenID Connect (OIDC) for pipeline authentication
Answers: B, C

Branch policies require approvals for changes to pipeline definitions.

Why this answer

Options B and C are correct because branch policies protect the pipeline definition, and pipeline permissions in Azure DevOps control who can edit pipelines. Option A is wrong because PATs are for authentication, not authorization. Option D is wrong because audit logs track changes but don't prevent unauthorized modifications.

Option E is wrong because OIDC is for authentication.

59
Multi-Select · medium

Your team is implementing a security and compliance plan for Azure DevOps. Which TWO actions should you take to meet regulatory requirements for audit logging and access control?

Select 2 answers
A.Enable anonymous access to project boards for external stakeholders.
B.Enable Azure DevOps audit log to track changes to security policies and user permissions.
C.Configure Azure AD Conditional Access policy to require multi-factor authentication for Azure DevOps.
D.Grant all users Project Collection Administrator role to simplify access management.
E.Disable auditing for the project to reduce log volume.
Answers: B, C

Audit logs are essential for compliance tracking.

Why this answer

Enabling the Azure DevOps audit log (option B) is essential for regulatory compliance because it records changes to security policies, user permissions, and other critical events, providing an immutable trail for forensic analysis and reporting. This directly meets audit logging requirements by capturing who did what and when, which is necessary for standards like SOC 2, ISO 27001, or GDPR.

Exam trap

Microsoft often tests the misconception that enabling anonymous access or simplifying permissions (like granting admin roles to all users) is acceptable for compliance, when in fact these actions directly violate audit logging and access control requirements.

60
Multi-Select · medium

Your team uses Azure DevOps and needs to ensure that secrets are not exposed in pipeline logs. Which THREE practices should you implement?

Select 3 answers
A.Use logging commands to mask secrets in scripts
B.Enable pipeline log encryption
C.Mark variables as 'secret' in pipeline variables
D.Store secrets in YAML variable files
E.Use Azure Key Vault to store secrets
Answers: A, C, E

Logging commands like '##vso[task.setvariable]' can mask output.

Why this answer

Options A, C, and E are correct because logging commands can mask secrets, variables marked as 'secret' are hidden in logs, and Azure Key Vault securely stores secrets. Option B is wrong because pipeline logs are not encrypted by default. Option D is wrong because storing secrets in YAML files is insecure.

61
Multi-Select · easy

Which TWO practices should you follow to ensure compliance with regulatory requirements (e.g., PCI DSS) when using Azure DevOps? (Choose two.)

Select 2 answers
A.Manually track changes to pipelines in a spreadsheet.
B.Allow all users to create and modify pipelines without restrictions.
C.Enable Azure DevOps audit logging to track changes to pipelines and policies.
D.Disable audit logging to reduce storage costs.
E.Use branch policies to enforce code reviews and approvals for all changes.
Answers: C, E

Audit logs provide an immutable record of changes.

Why this answer

Options C and E are correct: enabling audit logging tracks all changes, and using branch policies enforces code review. Option B is incorrect because allowing all users to create pipelines reduces control. Option D is incorrect because disabling auditing is contrary to compliance.

Option A is incorrect because manual tracking in a spreadsheet is not reliable.

62
MCQ · medium

Your team uses GitHub. You need to automatically remove a user's access to all repositories when they leave the company. What is the most efficient approach?

A.Assign the user to a 'Leaver' team and remove all repository permissions
B.Manually remove the user from each repository
C.Configure SAML single sign-on (SSO) with Microsoft Entra ID
D.Enable SCIM provisioning from Microsoft Entra ID to GitHub
Answer: D

SCIM automatically provisions and deprovisions users based on Microsoft Entra ID group membership.

Why this answer

Option D is correct because linking GitHub to Microsoft Entra ID via SCIM automates deprovisioning. Option B is wrong because manual removal is not efficient. Option C is wrong because SAML SSO provides authentication but not automatic deprovisioning.

Option A is wrong because GitHub organization roles are not automatically updated.

63
MCQ · medium

Your team uses GitHub Enterprise and GitHub Actions for CI/CD. You need to implement a security compliance plan. The organization has the following requirements: 1) All code pushed to the main branch must be scanned for secrets and vulnerabilities. 2) Developers must use signed commits. 3) Only approved GitHub Actions can be used. 4) Dependencies must be scanned for vulnerabilities. You have enabled secret scanning and code scanning (CodeQL) on all repositories. You have configured branch protection rules to require signed commits using GPG keys. To restrict actions, you have set an allowed list of actions in the organization settings. You have enabled Dependabot alerts. However, during an audit, a reviewer notes that secret scanning alerts are not being reviewed within 30 days. You need to ensure that secret scanning alerts are triaged within 30 days. What should you do?

A.Assign secret scanning alerts to the security team using the 'Assign to' feature in the alerts view.
B.Set up a webhook to send secret scanning alerts to a security team's email.
C.Disable secret scanning on repositories that do not contain secrets.
D.Configure secret scanning to automatically close alerts after 30 days.
Answer: A

Assignment ensures ownership and tracking of triage.

Why this answer

Option A is correct because GitHub secret scanning alerts can be assigned to specific teams for triage, ensuring accountability. Option D is wrong because auto-closing alerts may miss genuine secrets. Option C is wrong because disabling secret scanning is counterproductive.

Option B is wrong because webhooks are for notifications, not triage assurance.

64
MCQ · hard

You are a DevOps engineer at a healthcare company that must comply with HIPAA. The company uses Azure DevOps with YAML pipelines to deploy a multi-tier application to Azure Kubernetes Service (AKS). The application stores sensitive patient data. The security team requires that all secrets (e.g., database passwords, API keys) must be stored in Azure Key Vault and never hardcoded in the pipeline. The pipeline currently uses a service principal (SP1) for AKS deployments. The pipeline has a variable group 'VG-Prod' linked to Key Vault 'KV-Prod' with secrets: 'DbPassword', 'ApiKey'. The pipeline runs successfully in non-production environments. However, when you run the pipeline for production, it fails at the stage that deploys to AKS with the error: 'Error: failed to get secret 'DbPassword' from Key Vault: Forbidden'. You have verified that the secret exists and the variable group is correctly linked. The service principal SP1 has the 'Get' and 'List' permissions on KV-Prod secrets. The AKS cluster is in a different subscription than the Key Vault. What is the most likely cause and how should you fix it?

A.The variable group VG-Prod is not properly linked to KV-Prod; re-link it.
B.The build service identity does not have 'Get' and 'List' permissions on KV-Prod; add the build service identity to the Key Vault access policy.
C.The secret 'DbPassword' does not exist in KV-Prod; create it.
D.The service principal SP1 does not have 'Get' and 'List' permissions on KV-Prod; add them.
Answer: B

The build service identity (e.g., 'Project Collection Build Service') needs access to Key Vault for variable group resolution.

Why this answer

The pipeline fails because the build service identity (the Azure DevOps agent's identity) lacks 'Get' and 'List' permissions on KV-Prod. Even though the variable group is linked to Key Vault, the pipeline's build service identity must be explicitly granted access to the Key Vault's access policy to retrieve secrets. The service principal SP1 is used for AKS deployments, not for Key Vault secret retrieval; the variable group resolution uses the build service identity, not SP1.

Exam trap

The trap here is that candidates often assume the service principal used for AKS deployments (SP1) is also used for Key Vault secret retrieval, but Azure DevOps uses the build service identity for variable group resolution, requiring separate permissions on the Key Vault.

How to eliminate wrong answers

Option A is wrong because the variable group is correctly linked (the pipeline runs in non-production, and the error is 'Forbidden', not 'not found' or 'misconfigured link'). Option C is wrong because the secret 'DbPassword' exists (verified in the scenario) and the error is an authorization failure, not a missing secret. Option D is wrong because SP1 is the service principal for AKS deployments, not for Key Vault access; the build service identity is the one that needs permissions on KV-Prod to resolve secrets in the variable group.

65
MCQ · hard

Your team is adopting a shift-left security approach in Azure Pipelines. They want to automatically detect secrets, such as API keys or connection strings, in source code before code is committed. Which Azure DevOps feature should be configured to scan pull requests for secrets and block the PR if any are found?

A.Azure Policy for Repos
B.Credential Scanner task in pipeline
C.Dependency Scanning
D.Secret Scanning
Answer: D

Secret Scanning (part of GitHub Advanced Security) detects secrets in PRs and can block them.

Why this answer

Option D (Secret Scanning) is correct because GitHub Advanced Security (GHAS) provides secret scanning that can be configured to run on pull requests and block PRs containing secrets. Option A (Azure Policy) is for Azure resource compliance, not code-level scanning. Option B (Credential Scanner) is a legacy tool that is not directly integrated into PR gates.

Option C (Dependency Scanning) identifies vulnerable dependencies, not secrets.

66
MCQ · hard

Your team uses GitHub Actions and needs to enforce that all workflows must use approved actions from a curated list. What is the best way to implement this?

A.Configure branch protection rules
B.Set up an allowed list of actions in organization settings
C.Enable Dependabot alerts
D.Use OpenID Connect (OIDC)
Answer: B

This restricts workflows to only approved actions.

Why this answer

Option B is correct because GitHub's 'Actions allowed list' restricts workflows to approved actions only. Option A is wrong because branch protection rules apply to branches, not actions. Option D is wrong because OIDC is for authentication.

Option C is wrong because Dependabot is for dependency updates.

67
Multi-Select · easy

Your team uses Azure Pipelines and needs to comply with SOC 2 requirements. Which TWO features should you use to meet audit log requirements? (Select TWO.)

Select 2 answers
A.Configure network security groups to block public access
B.Automate secret rotation for service connections
C.Enable Azure DevOps audit logging
D.Create service principals for pipeline authentication
E.Stream audit logs to Azure Monitor Log Analytics
Answers: C, E

Audit logging provides a record of user and service actions.

Why this answer

Options C and E are correct. C: Azure DevOps audit logs track user actions. E: Azure Monitor logs can be used to store and analyze audit data.

Option A is wrong because network security groups are for network traffic, not audit logs. Option B is wrong because secret rotation is not logging. Option D is wrong because service principals are for authentication, not logging.

68
MCQ · easy

Your team uses GitHub Enterprise with GitHub Actions. Compliance requires that all contributors sign commits with a verified GPG key. You have enabled 'Require signed commits' on the repository. However, a developer reports that their commits are being rejected even though they have configured a GPG key. The error says 'Commit must have a valid signature.' The developer's GPG key is listed in their GitHub account settings. What is the most likely cause?

A.The developer's GPG key has expired.
B.The developer's GPG key is not uploaded to GitHub.
C.The developer's local Git email does not match the email associated with the GPG key in GitHub.
D.GitHub only supports S/MIME, not GPG.
Answer: C

Email mismatch causes an unverified signature.

Why this answer

Option C is correct because GitHub requires the commit to be signed with the GPG key associated with the committer's email. If the email in the git config doesn't match the one in GitHub, the signature is considered unverified. Option A is wrong because SSH keys are not used for commit signing.

Option B is wrong because the key is already associated. Option D is wrong because GitHub supports GPG signing.

69
MCQ · easy

Your organization needs to ensure that all containers built in Azure Pipelines are scanned for vulnerabilities before being pushed to a container registry. Which step should you add to the pipeline?

A.Add a step to use 'Microsoft Defender for Cloud' container image scanning.
B.Add a step to create an Azure Container Registry task for scanning.
C.Add a step to push the image to Docker Hub for scanning.
D.Add a step to run Trivy to scan the image.
Answer: A

Microsoft Defender for Cloud provides vulnerability scanning for container images in Azure Pipelines.

Why this answer

Microsoft Defender for Cloud's vulnerability scanner can be integrated into Azure Pipelines to scan container images for vulnerabilities before push. Trivy is a third-party tool, not native. Docker Hub scanning is external.

Azure Container Registry tasks are for post-push scanning.

70
Matching · medium

Match each Azure DevOps extension type to its example.


Concepts
Matches

SonarQube analysis

Burnup chart

Slack integration on work item update

Terraform task for Azure Pipelines

Why these pairings

Extension categories in Azure DevOps Marketplace.

71
MCQ · medium

Your team uses GitHub Actions for CI/CD and needs to ensure that secrets such as Azure service principal credentials are not exposed in logs. What is the best practice to prevent secret exposure?

A.Store secrets as GitHub Actions secrets and reference them in workflows
B.Store secrets in the workflow YAML file
C.Use environment protection rules to mask secrets
D.Encrypt workflow logs after the run completes
Answer: A

GitHub automatically redacts secrets in logs when referenced correctly.

Why this answer

Option A is correct because GitHub automatically redacts secrets in workflow logs. Option B is wrong because storing secrets in YAML files is insecure. Option C is wrong because environment protection rules are for approvals, not redaction.

Option D is wrong because encrypting logs does not prevent exposure in transit.

72
Multi-Select · medium

Your team uses GitHub Advanced Security to identify vulnerabilities in code. Which TWO actions can you take to ensure that critical security alerts are addressed before code is merged?

Select 2 answers
A.Enable secret scanning push protection.
B.Create a repository rule that allows bypassing pull request requirements.
C.Configure branch protection rules to require status checks from code scanning.
D.Enable Dependabot auto-merge for pull requests.
E.Use pull request annotations to display code scanning alerts.
Answers: C, E

Status checks from code scanning can block merges if critical alerts are found.

Why this answer

Branch protection rules can require passing status checks from code scanning and secret scanning. Pull request annotations show alerts directly in the PR. Dependabot auto-merge and repository rules for bypassing are not relevant for blocking merges based on security alerts.

73
MCQ · easy

Your DevOps team is using Microsoft Defender for Cloud to monitor Azure resources. Which of the following is a security recommendation that Defender for Cloud might provide?

A.Allow all inbound traffic on port 22 for SSH
B.Enable Transparent Data Encryption (TDE) on SQL databases
C.Disable auditing on storage accounts to reduce overhead
D.Configure web apps to use HTTP instead of HTTPS
Answer: B

TDE is a security best practice recommended by Defender for Cloud.

Why this answer

Option B is correct because Defender for Cloud includes recommendations such as enabling encryption on Azure SQL databases. Option C is wrong because Defender for Cloud does not recommend disabling logging. Option D is wrong because using HTTP instead of HTTPS is insecure.

Option A is wrong because allowing all inbound traffic is a security risk.

74
MCQ · easy

Your organization is adopting DevSecOps and wants to integrate security scanning into the CI/CD pipeline. Which tool should you use to scan container images for vulnerabilities?

A.Azure Monitor
B.GitHub Copilot
C.Microsoft Defender for Cloud
D.Azure Logic Apps
Answer: C

Defender for Cloud includes vulnerability scanning for container images.

Why this answer

Option C is correct because Microsoft Defender for Cloud can scan container images in Azure Container Registry. Option B is wrong because GitHub Copilot is an AI pair programmer. Option A is wrong because Azure Monitor is for observability.

Option D is wrong because Azure Logic Apps is for workflows.

75
MCQ · medium

Your organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data in Azure DevOps repositories. The compliance team has identified that source code containing credit card numbers (PCI data) was accidentally committed to a public repository. You need to implement a solution that meets the following requirements: (1) Automatically scan all new commits in Azure Repos for sensitive data types like credit card numbers. (2) If sensitive data is detected, automatically block the push and notify the security team. (3) The solution must be integrated with Microsoft Purview and Azure DevOps. Which option is the most appropriate and efficient?

A.Enable Microsoft Purview Data Loss Prevention for Azure DevOps, which automatically scans and blocks pushes containing sensitive data
B.Configure a branch policy in Azure Repos that runs a custom Azure Function via a service hook when a push occurs, and the function uses Purview APIs to scan the commit
C.Install a third-party extension from Azure DevOps Marketplace that provides content scanning and configure it to block pushes
D.Use GitHub Advanced Security secret scanning for Azure Repos, and configure a webhook to notify the security team
Answer: A

This is the native Microsoft solution that meets all requirements.

Why this answer

Option A is correct. Microsoft Purview DLP for Azure DevOps (in preview/GA) provides native scanning and blocking of sensitive data in commits. Option B is complex and not native.

Option D is for GitHub, not Azure Repos. Option C might not be native and may not integrate with Purview.
