AZ-400 Microsoft Azure DevOps Solutions Questions and Answers

An analytics feature in a monitoring solution would allow you to parse logs from multiple sources and analyze them to identify the root cause of issues in your Azure pipelines. This feature would typically provide tools for searching, filtering, and visualizing log data, as well as for identifying patterns and anomalies. With analytics, you can also create custom dashboards and alerts to monitor your pipelines and quickly identify and troubleshoot any issues.

Box 1: Master

The Master branch contains production code. All development code is merged into master in sometime.

Box 2: Develop

The Develop branch contains pre-production code. When the features are finished then they are merged into develop.

Instead implement continuous integration.

Note: WhiteSource is the leader in continuous open source software security and compliance management. WhiteSource integrates into your build process, irrespective of your programming languages, build tools, or development environments. It works automatically, continuously, and silently in the background, checking the security, licensing, and quality of your open source components against WhiteSource constantly-updated definitive database of open source repositories.

1. Open Microsoft Azure Portal and Log into your Azure account.

2. Select network security group (NSG) named az400-9940427-nsg1

3. Select Settings, Outbound security rules, and click Add

4. Click Advanced

5. Change the following settings:

Destination Port range: 8080

Protocol. TCP

Action: Allow

Note: By default, Azure DevOps Server uses TCP Port 8080.

Personal access tokens (PATs) give you access to Azure DevOps and Team Foundation Server (TFS), without using your username and password directly. These tokens have an expiration date from when they ' re created. You can restrict the scope of the data they can access. Use PATs to authenticate if you don ' t already have SSH keys set up on your system or if you need to restrict the permissions that are granted by the credential.

Graphical user interface, text, application Description automatically generated

Woodgrove Bank plans to implement the following changes to the identity environment:

Configure App1 to use a service principal.

Scenario: Implement Project4 and configure the project to push Docker images to Azure Container Registry.

You use Azure Container Registry Tasks commands to quickly build, push, and run a Docker container image natively within Azure, showing how to offload your " inner-loop " development cycle to the cloud. ACR Tasks is a suite of features within Azure Container Registry to help you manage and modify container images across the container lifecycle.

Box 1: Azure Container Registry

Azure services like Azure Container Registry (ACR) and Azure Container Instances (ACI) can be used and connected from independent container orchestrators like kubernetes (k8s). You can set up a custom ACR and connect it to an existing k8s cluster to ensure images will be pulled from the private container registry instead of the public docker hub.

Box 2: An Azure service principal

When you ' re using Azure Container Registry (ACR) with Azure Kubernetes Service (AKS), an authentication mechanism needs to be established. You can set up AKS and ACR integration during the initial creation of your AKS cluster. To allow an AKS cluster to interact with ACR, an Azure Active Directory service principal is used.

The Register-AzureRmAutomationDscNode cmdlet registers an Azure virtual machine as an APS Desired State Configuration (DSC) node in an Azure Automation account.

Scenario: The Azure DevOps organization includes:

The Docker extension

A deployment pool named Pool7 that contains 10 Azure virtual machines that run Windows Server 2016

C:\Users\wk\Desktop\mudassar\Untitled.jpg

Scenario:

Step 1: Sign in to Azure Develops by using an account that is assigned the Administrator service connection security role.

Note: Under Agent Phase, click Deploy Service Fabric Application. Click Docker Settings and then click Configure Docker settings. In Registry Credentials Source, select Azure Resource Manager Service Connection. Then select your Azure subscription.

Step 2: Create a personal access token..

A personal access token or PAT is required so that a machine can join the pool created with the Agent Pools (read, manage) scope.

Step 3: Install and register the Azure Pipelines agent on an Azure virtual machine.

By running a Azure Pipeline agent in the cluster, we make it possible to test any service, regardless of type.

Box 1: Hosted macOS

Hosted macOS pool (Azure Pipelines only): Enables you to build and release on macOS without having to configure a self-hosted macOS agent. This option affects where your data is stored.

Box 2: Hosted

Hosted pool (Azure Pipelines only): The Hosted pool is the built-in pool that is a collection of Microsoft-hosted agents.

The first thing to do is to declare your Sonar Qube server as a service endpoint in your VSTS/DevOps project settings.

Step 1: Create a Desired State Configuration (DSC) configuration file that has an extension of .ps1.

Step 2: Run the Import-AzureRmAutomationDscConfiguration Azure Powershell cmdlet

The Import-AzureRmAutomationDscConfiguration cmdlet imports an APS Desired State Configuration (DSC) configuration into Azure Automation. Specify the path of an APS script that contains a single DSC configuration.

Example:

PS C:\ > Import-AzureRmAutomationDscConfiguration -AutomationAccountName " Contoso17 " -ResourceGroupName " ResourceGroup01 " -SourcePath " C:\DSC\client.ps1 " -Force

This command imports the DSC configuration in the file named client.ps1 into the Automation account named Contoso17. The command specifies the Force parameter. If there is an existing DSC configuration, this command replaces it.

Step 3: Run the Start-AzureRmAutomationDscCompilationJob Azure Powershell cmdlet

The Start-AzureRmAutomationDscCompilationJob cmdlet compiles an APS Desired State Configuration (DSC) configuration in Azure Automation.

Woodgrove Bank plans to implement the following changes to the DevOps environment:

Migrate all the source code from TFS1 to GitHub.

The Git-TFS tool is a two-way bridge between Team Foundation Version Control and Git, and can be used to perform a migration.

Scenario:

Graphical user interface, text, application Description automatically generated

Woodgrove Bank identifies the following technical requirements:

The Azure DevOps dashboard must display the metrics shown in the following table:

Box 1: Velocity

Velocity displays your team velocity. It shows what your team delivered as compared to plan.

Box 2: Release pipeline overview

Release pipeline overview shows the status of environments in a release definition.

Box 3: Query tile

Query tile displays the total number of results from a query.

Step 1: Create a repository

A Git repository, or repo, is a folder that you ' ve told Git to help you track file changes in. You can have any number of repos on your computer, each stored in their own folder.

Step 2: Create a branch

Branch policies help teams protect their important branches of development. Policies enforce your team ' s code quality and change management standards.

Step 3: Add a build validation policy

When a build validation policy is enabled, a new build is queued when a new pull request is created or when changes are pushed to an existing pull request targeting this branch. The build policy then evaluates the results of the build to determine whether the pull request can be completed.

Scenario:

Implement a code flow strategy for Project2 that will:

Enable Team2 to submit pull requests for Project2.

Enable Team2 to work independently on changes to a copy of Project2.

Ensure that any intermediary changes performed by Team2 on a copy of Project2 will be subject to the same restrictions as the ones defined in the build policy of Project2.

Scenario: Access to Azure DevOps must be restricted to specific IP addresses.

Azure DevOps is authenticated through Azure Active Directory. You can use Azure AD ' s conditional access to prevent logins from certain geographies and address ranges.

A picture containing text Description automatically generated

Box 1: Azure Boards

Azure Boards can be used to track work with Kanban boards, backlogs, team dashboards, and custom reporting

You can create multiple Trello boards, which are spaces to store tasks (for different work contexts, or even private boards)

You can easily share Trello boards with another person.

Box 2: Azure Pipelines

You can use Bamboo to implement CI/CD (Continuous Integration and Continuous Delivery) for a simple Azure function app using Atlassian Bamboo. Bamboo does continuous delivery of the project from source code to deployment. It has stages including Build, Test and Deploy.

Software teams in every industry are upgrading their continuous delivery pipeline with Bamboo. Easy build import from popular open source tools, user and group import from JIRA, seamless integration with Bitbucket, and native support for Git, Hg, and SVN means you ' ll be building and deploying like a champ.

Box 3: GitHub repositories

Bitbucket can be used as the Git repository, but you can use any other Git repository (Like TFS Git) for source control of the code.

Scenario: Deploy App2 to an Azure virtual machine named VM1.

A personal access token (PAT) is used as an alternate password to authenticate into Azure DevOps.

Graphical user interface, text, application Description automatically generated

Setting 1: Threshold value

Set to 80 %

Scenario: An Azure Monitor alert for VM1 must be configured to meet the following requirements:

Be triggered when average CPU usage exceeds 80 percent for 15 minutes.

Calculate CPU usage averages once every minute.

Setting 2: Aggregation granularity

Set to 15 minutes.

To enable streaming of diagnostic telemetry for a single or a pooled database, follow these steps:

1. Go to Azure SQL database resource.

2. Select Diagnostics settings.

3.Select Turn on diagnostics if no previous settings exist, or select Edit setting to edit a previous setting. You can create up to three parallel connections to stream diagnostic telemetry.

4. Select Add diagnostic setting to configure parallel streaming ofdiagnostics data to multiple resources.

5. Enter a setting name for your own reference.

6. Select a destination resource for the streaming diagnostics data: Archive to storage account, Stream to an event hub, or Send to Log Analytics.

7. For the standard, event-based monitoring experience, select the following check boxes for database diagnostics log telemetry: QueryStoreRuntimeStatistics

8. For an advanced, one-minute-based monitoring experience, select the check box for Basic metrics.

9. SelectSave.

1. Open Microsoft Azure Portal and Log into your Azure account.

2. Select network security group (NSG) named az400-9940427-nsg1

3. Select Settings, Outbound security rules, and click Add

4. Click Advanced

5. Change the following settings:

Destination Port range: 8080

Protocol. TCP

Action: Allow

Note: Bydefault, Azure DevOps Server uses TCP Port 8080.

You can usea system-assigned managed identity for a Windows virtual machine (VM) to access Azure Key Vault.

Sign in to Azure portal

Locate virtual machine VM1.

Select Identity

Enable the system-assigned identity for VM1 by setting the Status to On.

Note:Enabling a system-assigned managed identity is a one-click experience. You can either enable it during the creation of a VM or in the properties of an existing VM.

To store signed images in an Azure Container Registry (ACR) instance and support your planned images while minimizing costs, you need to modify the SKU of your ACR instance to one that supports content trust and image signing. Here’s how you can do it:

Determine the Appropriate SKU:

Content trust and image signing are features of thePremiumservice tier of Azure ContainerRegistry1.

If cost minimization is a priority, ensure that the Premium tier is necessary for your use case. If you require content trust, the Premium tier is the appropriate choice.

Modify the SKU of the ACR Instance:

Navigate to the Azure Portal.

Go to your ACR instanceaz40038443478act1.

SelectUpdatefrom the overview pane.

Choose thePremiumSKU from the SKU drop-down menu2.

Review the changes and pricing, then save the configuration.

By upgrading to the Premium SKU, you’ll be able to store signed images in your ACR instance. Remember to monitor your usage and costs to ensure they align with your budget and requirements.

Step 1: Understand the Requirements

You need to create a self-hosted agent for Azure Pipelines.

It will be hosted in a pod (for example, in Kubernetes).

All pipelines in Project1 should be able to use this agent pool named Pool1 .

Step 2: Create the Agent Pool in Azure DevOps

Go to your Azure DevOps organization : https://dev.azure.com/{YourOrganizationName}

In the bottom-left corner, click on the Organization settings gear icon.

In the left menu, click on Agent pools .

Click on Add pool .

Provide the following:

Pool name: Pool1

Pool type: Self-hosted

Grant access permission to all pipelines: Checked (so that all Project1 pipelines can use this pool)

Click Create .

Now you have an empty agent pool named Pool1 .

Step 3: Prepare the Self-hosted Agent as a Pod

You need to deploy an Azure Pipelines agent container as a pod . Here’s how to do it:

Option 1: Using Kubernetes directly (YAML deployment)

Create a Kubernetes deployment YAML file for the agent pod:

apiVersion: apps/v1

kind: Deployment

metadata:

name: azure-pipelines-agent

labels:

app: azure-pipelines-agent

spec:

replicas: 1

selector:

matchLabels:

app: azure-pipelines-agent

template:

metadata:

labels:

app: azure-pipelines-agent

spec:

containers:

- name: agent

image: mcr.microsoft.com/azure-pipelines/vsts-agent:latest

env:

- name: AZP_URL

value: " https://dev.azure.com/{YourOrganizationName} "

- name: AZP_TOKEN

valueFrom:

secretKeyRef:

name: azure-pipelines-token

key: token

- name: AZP_POOL

value: " Pool1 "

- name: AZP_AGENT_NAME

value: " agent-pod "

Create a Kubernetes secret for the personal access token (PAT) :

kubectl create secret generic azure-pipelines-token --from-literal=token= < your-PAT >

Note:

Replace < your-PAT > with a PAT that has “Agent Pools (Read & manage)” scope.

Replace {YourOrganizationName} with your actual Azure DevOps organization.

Deploy the pod:

bash

Copy

kubectl apply -f azure-pipelines-agent.yaml

Step 4: Validate the Agent Connection

Go back to Organization Settings > Agent pools > Pool1 in Azure DevOps.

You should see the agent pod connected and listed as online .

Step 5: Use the Pool in Pipelines

By default, all pipelines in Project1 will now have access to the Pool1 agent pool because you granted access during the pool creation.

In your pipeline YAML files, specify the pool name to use the self-hosted agent:

yaml

Copy

pool:

name: Pool1

1. Open Microsoft Azure Portal

2. Log into your Azure account, select App Services in the Azure portal left navigation, and then select configureaz400-9940427-func1.

3. On the app page, select Deployment Center in the left menu.

4. On the Build provider page, select Azure Pipelines (Preview), and then select Continue.

5. On the Configure page, in the Code section:

For GitHub, drop down and select the Organization, Repository, and Branch you want to deploy continuously.

6. Select Continue.

7. On the Test page, choose whether to enable load tests, and then select Continue.

8. Depending on your App Service plan pricing tier, you may see a Deployto staging page. Choose whether to enable deployment slots, and then select Continue.

9. After you configure the build provider, review the settings on the Summary page, and then select Finish.

To configure a virtual machine template in your DevTest Labs environment namedaz400-38443478-dtl1with Windows Server 2016 Datacenter that includes the Selenium tooland the Google Chrome browser, follow these steps:

Create a Custom Image with Windows Server 2016 Datacenter:

In the Azure Portal, go to your DevTest Labaz400-38443478-dtl1.

Navigate toConfiguration and policies > Custom images.

Use an existing VM or create a new one with Windows Server 2016 Datacenter.

After setting up the VM, capture it to create a custom image1.

Install Selenium and Google Chrome on the VM:

Connect to the VM via RDP.

Download and install the Selenium WebDriver for your preferred programming language from the official Selenium website2.

For Google Chrome, download the offline installer from the official website and install it on the VM3.

Generalize the VM:

Run thesysprepcommand to generalize the VM, which prepares it to be used as a template.

Shutdown the VM aftersysprepcompletes.

Capture the Generalized VM to Create a Template:

In the Azure Portal, navigate to the VM and selectCapture.

Provide the required details and create the image.

Add Selenium and Google Chrome Artifacts to the Template:

Go back to the DevTest Labaz400-38443478-dtl1.

SelectArtifactsand add Selenium and Google Chrome artifacts to the template.

Ensure these artifacts are configured to install during the VM creation process.

Create VMs from the Template:

Now, when youcreate a new VM in the DevTest Lab, select the custom image you created.

The VM will be provisioned with Windows Server 2016 Datacenter, and the Selenium tool and Google Chrome browser will be installed automatically.

By following these steps, you can ensure that all virtual machines created from this template in your DevTest Lab will have the required operating system, tools, and browser installed. Remember to replace placeholder names with the actual names of your resources where necessary.

To create an instance of Azure Application Insights namedaz400-38443478-mainand configure it to receive telemetry data from an Azure web app with the same name, you’ll need to follow these steps:

Create a Log Analytics Workspace:

Go to theAzure Portal.

Search for Log Analytics Workspaces and select Add.

Select a Subscription and either use an existing Resource Group or create a new one.

Provide a unique name for your Log Analytics workspace.

Choose the Region that is appropriate for you.

Review the settings and then selectCreate1.

Create an Azure Application Insights Instance:

In the Azure Portal, navigate to Application Insights.

Click on + Create.

Fill in the instance details, ensuring the name isaz400-38443478-main.

Link the instance to the Log Analytics workspace you created in the previous step.

Review and create the Application Insights instance2.

Configure the Azure Web App to Send Telemetry Data:

Go to the Azure Web Appaz400-38443478-main.

Under Monitoring, selectApplication Insights.

Choose to use an existing resource and select the Application Insights instance you created.

Follow the prompts to set up the connection, which may involve adding the appropriate SDK to your web app and configuring the connection string or instrumentation key.

Verify Telemetry Data Reception:

After setting up, send some test traffic to your web app.

Then, go to the Application Insights instance and check the Overview or Performance sections to see if telemetry data is being received.

Remember to replace placeholder names with the actual names of your resources where necessary. These steps will help you set up Azure Application Insights to monitor your web app effectively.

Every request made against a storage service must be authorized, unless the request is for a blob or container resource that has been made available for public or signed access. One option for authorizing a request is by using Shared Key.

Scenario: The mobile applications must be able to call the share pricing service of the existing retirement fund management system. Until the system is upgraded, the service will only support basic authentication over HTTPS.

The investment planning applications suite will include one multi-tier web application and two iOS mobile application. One mobile application will be used by employees; the other will be used by customers.

Batching CI runs

If you have many team members uploading changes often, you may want to reduce the number of runs you start. If you set batch to true, when a pipeline is running, the system waits until the run is completed, then starts another run with all changes that have not yet been built.

Example:

# specific branch build with batching

trigger:

batch: true

branches:

include:

- master

To clarify this example, let us say that a push A to master caused the above pipeline to run. While that pipeline is running, additional pushes B and C occur into the repository. These updates do not start new independent runs immediately. But after the first run is completed, all pushes until that point of time are batched together and a new run is started.

Box 1: Reader

Members of a group named Developers must be able to install packages.

Feeds have four levels of access: Owners, Contributors, Collaborators, and Readers. Owners can add any type of identity-individuals, teams, and groups-to any access level.

Box 2: Owner

Members of a group named Team Leaders must be able to create new packages and edit the permissions of package feeds.

Change the ConfigurationMode parameter from ApplyOnly to ApplyAndAutocorrect.

The Register-AzureRmAutomationDscNode cmdlet registers an Azure virtual machine as an APS Desired State Configuration (DSC) node in an Azure Automation account.

Scenario: Current Technical Issue

The test servers are configured correctly when first deployed, but they experience configuration drift over time. Azure Automation State Configuration fails to correct the configurations.

Azure Automation State Configuration nodes are registered by using the following command.

Unattended config:

The agent can be set up from a script with no human intervention. You must pass --unattended and the answers to all questions.

To configure an agent, it must know the URL to your organization or collection and credentials of someone authorized to set up agents. All other responses are optional.

Box 1: A source control system

A source control system, also called a version control system, allows developers to collaborate on code and track changes. Source control is an essential tool for multi-developer projects.

Box 2: A hosted service

To build and deploy Xcode apps or Xamarin.iOS projects, you ' ll need at least one macOS agent. If your pipelines are in Azure Pipelines and a Microsoft-hosted agent meets your needs, you can skip setting up a self-hosted macOS agent.

Scenario: The investment planning applications suite will include one multi-tier web application and two iOS mobile applications. One mobile application will be used by employees; the other will be used by customers.

Step 1: Create a Project Wiki

Navigate to Azure DevOps:

Go to Azure DevOps and sign inwith your credentials.

Select Your Project:

Choose Project1 from your list of projects.

Create a Wiki:

In the left-hand menu, select Wiki.

Click on Create project wiki.

Enter the name Wiki1 and click Create.

Step 2: Add Mermaid Syntax to Render a Diagram

Open the Wiki Page:

Navigate to the newly created Wiki1.

Edit the Wiki Page:

Click on Edit to start editing the wiki page.

Insert Mermaid Diagram:

Use the following Mermaid syntax to render a diagram. For example, to render a simple flowchart, you canuse:

```mermaid

graph TD;

A-- > B;

A-- > C;

B-- > D;

C-- > D;

Save the Page:

Click on Save to save your changes.

Step 3: Render the TCP Handshake Diagram

Convert TCPHandshake.png to Mermaid Syntax:

Since you have a sample diagram in C:\Resources\TCPHandshake.png, you need to convert this diagram into Mermaid syntax. Here’s an example of how a TCP handshake might look in Mermaid syntax:

```mermaid

sequenceDiagram

participant Client

participant Server

Client- > > Server: SYN

Server-- > > Client: SYN-ACK

Client- > > Server: ACK

Add the Diagram to the Wiki:

Replace the sample Mermaid syntax with the TCP handshake diagram syntax in the wiki page.

Save the Page:

Click on Save to save your changes.

By following these steps, you will have created a project wiki named Wiki1 and used Mermaid syntax to render a diagram

Set up Advanced Threat Protection in the Azure portal

1. Sign into the Azure portal.

2.Navigate to the configuration page of the server you want to protect. In the security settings, select Advanced Data Security.

3. On the Advanced Data Security configuration page:

4. Enable Advanced Data Security on the server.

Note: Advanced Threat Protection for Azure SQL Database detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Advanced Threat Protection can identify Potential SQL injection, Access from unusual location or data center,Access from unfamiliar principal or potentially harmful application, and Brute force SQL credentials

1. Sign in to the portal,

2. Choose template Deploy-lod9940427

3. Select Edit template, andthen paste your JSON template code into the code window.

4. Change the ASddressPrefixes to 10.0.0.0/24 in order to support only 256 total IP addresses.

addressSpace " :{ " addressPrefixes " : [ " 10.0.0.0/24 " ]},

5. Change the firstSubnet addressprefix to 10.0.0.0/26 to support only 64 total IP addresses.

" subnets " :[

{

" name " : " firstSubnet " ,

" properties " :{

" addressPrefix " : " 10.0.0.0/24 "

}

6. Select Save.

7. Select Editparameters, provide values for the parameters that are shown, and then select OK.

8 Select Subscription. Choose the subscription you want to use, and then select OK.

9. Select Resource group. Choose an existing resource group or create a new one, and then select OK.

10. Select Create. A new tile on the dashboard tracks the progress of your template deployment.

Box 1: Get-AzResource

Use the following command to examine the access control mode for all workspaces in the subscription:

PowerShell

Get-Az Resource –Resource Type Microsoft. Operational Insights/workspaces –Expand Properties | for each {s.Name + " : " + $_.Properties.features.enableLogAccessUsingOnlyResourcePermissions

Box 2: -Resource Type

Box 1: rwx

The Log Analytics agent for Linux runs as the omsagent user. To grant > write permission to the omsagent user, run the command setfacl -m u:omsagent:rwx /tmp.

Box 2: /tmp

Deploying DSC to a Linux node uses the /tmp folder.

Scenario: A branching strategy that supports developing new functionality in isolation must be used.

Feature isolation is a special derivation of the development isolation, allowing you to branch one or more feature branches from main, as shown, or from your dev branches.

When you need to work on a particular feature, it might be a good idea to create a feature branch.

The commit-msg hook is invoked by git-commit and git-merge, and can be bypassed with the --no-verify option.

Scenario: Visual Studio App Center must be used to centralize the reporting of mobile application crashes and device types in use.

In order to use App Center, you need to opt in to the service(s) that you want to use, meaning by default no services are started and you will have to explicitly call each of them when starting the SDK.

Insert the following line to start the SDK in your app ' s App Delete class in the didFinishLaunchingWithOptions method.

MSAppCenter.start( " {Your App Secret} " , withServices: [MSAnalytics.self, MSCrashes.self])

Scenario: By default, all releases must remain available for 30 days, except for production releases, which must be kept for 60 days.

Box 1: Set the default retention policy to 30 days

The Global default retention policy sets the default retention values for all the build pipelines. Authors of build pipelines can override these values.

Box 2: Set the stage retention policy to 60 days

You may want to retain more releases that have been deployed to specific stages.

Every request made against a storage service must be authorized, unless the request is for a blob or container resource that has been made available for public or signed access. One option for authorizing a request is by using Shared Key.

Scenario: The mobile applications must be able to call the share pricing service of the existing retirement fund management system. Until the system is upgraded, the service will only support basic authentication over HTTPS.

The investment planning applications suite will include one multi-tier web application and two iOS mobile application. One mobile application will be used by employees; the other will be used by customers.