AZ-400 Microsoft Azure DevOps Solutions Question and Answers

Step 1: Navigate to Project Settings

Navigate to Azure DevOps:

Go to Azure DevOps and sign in with your credentials.

Select Your Project:

Choose Project1 from your list of projects.

Access Project Settings:

In the left-hand menu, scroll down and select Project settings.

Step 2: Configure Retention Policies

Navigate to Pipelines Settings:

Under Pipelines, select Settings.

Set Retention Policies:

In the Retention section, set the number of days to keep artifacts, symbols, and attachments to 60 days.

Ensure that the retention policy is applied to all relevant pipelines and branches.

Save Changes:

Click on Save to apply the retention policy1.

By following these steps, you will have successfully configured the retention policy to retain artifacts, symbols, and attachments for 60 days in Project1

To ensure that your Azure Web App named az400-38443478-main supports rolling upgrades and only 10 percent of users connect to the updated version of the app, you can use deployment slots with the following steps:

Create a Deployment Slot:

Navigate to the Azure Portal.

Go to your Web App az400-38443478-main.

Select Deployment slots in the menu.

Click on Add Slot.

Name the slot (e.g., staging) and if needed, clone settings from the production slot.

Configure the Traffic Percentage:

In the Deployment Slots menu, you will see a column for Traffic %.

Set the traffic percentage to 10% for the staging slot1.

This will route only 10% of the traffic to the updated version of the app in the staging slot.

Deploy the Updated App to the Staging Slot:

Deploy your updated application to the staging slot.

Test the application in the staging slot to ensure it’s working as expected.

Complete the Rolling Upgrade:

Once you’re satisfied with the performance and stability of the app in the staging slot, you can gradually increase the percentage of traffic until you’re ready to swap with the production slot.

To swap slots, go to the Deployment slots menu and click on Swap with the production slot.

By using deployment slots, you can achieve rolling upgrades with minimal administrative effort, as it allows you to test the new version on a subset of users before fully releasing it. Remember to adjust the traffic percentage and monitor the application’s performance throughout the process.

To configure your Azure Function az400-38443478-funct to automatically update whenever new code is committed to the main branch of the specified GitHub repository, you can use GitHub Actions for continuous deployment. Here’s how to set it up:

Create a GitHub Actions Workflow:

In your GitHub repository, navigate to the .github/workflows/ directory.

Create a new file for your workflow (e.g., azure-function-cd.yml).

Define the Workflow:

In the workflow file, define the steps for the build and deployment process.

Use the Azure/functions-action to deploy to your Azure Function App.

Set up triggers for the main branch to initiate the workflow on every commit.

Generate Deployment Credentials:

In the Azure Portal, navigate to your Function App az400-38443478-funct.

Download the publish profile from the Overview section by clicking on Get publish profile.

Store the Publish Profile as a GitHub Secret:

In your GitHub repository, go to Settings > Secrets and variables > Actions.

Create a new secret (e.g., AZURE_FUNCTIONAPP_PUBLISH_PROFILE) and paste the content of the publish profile.

Configure the Workflow to Use the Secret:

In the workflow file, reference the secret to authenticate the deployment to Azure.

Here’s a sample GitHub Actions workflow snippet:

name: Deploy Azure Function

on:

push:

branches:

- main

jobs:

build-and-deploy:

runs-on: ubuntu-latest

steps:

- uses: actions/checkout@v2

- name: Set up Python version

uses: actions/setup-python@v2

with:

python-version: '3.x'

- name: Install dependencies

run: |

pip install -r requirements.txt

- name: Deploy to Azure Functions

uses: Azure/functions-action@v1

with:

app-name: az400-38443478-funct

publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }}

package: .

Replace the app-name with the name of your Azure Function App and ensure the Python version and dependencies match your application’s requirements.

By following these steps, your Azure Function will automatically update whenever new code is pushed to the main branch of the GitHub repository. This setup minimizes manual effort and ensures that your function app is always running the latest code.

Step 1: Create an Action Group

Navigate to Azure Portal:

Go to Azure Portal and sign in with your credentials.

Access Azure Monitor:

In the left-hand menu, select Monitor.

Create Action Group:

Under Alerts, select Action groups.

Click on + Create.

Configure Basic Settings:

Subscription: Select your subscription.

Resource Group: Select RG1 lod42147S09.

Action Group Name: Enter DevOpsAG.

Display Name: Enter a display name for the action group.

Step 2: Define Actions

Add Email Notifications:

Click on Add action.

Action Type: Select Email/SMS message/Push/Voice.

Action Name: Enter a name for the action (e.g., EmailAdmins).

Email: Enter admin1@contoso.com and admin2@contoso.com.

Click OK.

Notify Resource Owners:

Click on Add action again.

Action Type: Select Email/SMS message/Push/Voice.

Action Name: Enter a name for the action (e.g., NotifyOwners).

Email: Select Notify all owners.

Click OK.

Step 3: Enable Common Alert Schema

Common Alert Schema:

In the Advanced tab, enable the Common alert schema option1.

Step 4: Review and Create

Review:

Review all the settings you have configured.

Create:

Click on Review + create and then Create.

By following these steps, you will have successfully created an action group named DevOpsAG that emails the specified users and notifies resource owners using the common alert schema

To prepare a Network Security Group (NSG) named az400-38443478-nsg1 for hosting an Azure DevOps pipeline agent, while allowing only the required outbound port for Azure DevOps and denying all other inbound and outbound access to the Internet, follow these steps:

Create the NSG:

Navigate to the Azure Portal.

Go to Network Security Groups and click on + Create.

Fill in the details, including the name az400-38443478-nsg1, and create the NSG.

Configure Outbound Security Rules:

Once the NSG is created, go to its settings.

Navigate to Outbound security rules.

Click on + Add to create a new rule.

Set the Destination port ranges to 443, which is the required port for Azure DevOps12.

Set the Protocol to TCP.

Set the Action to Allow.

Assign a Priority number (e.g., 100) that does not conflict with existing rules.

Provide a meaningful Name for the rule (e.g., AllowAzureDevOps).

Configure Default Rules to Deny All Other Traffic:

In the same Outbound security rules section, edit the default rule to deny all traffic.

Change the Action to Deny for the rule with the lowest priority (highest number).

Ensure that this rule applies to all protocols, source and destination IP ranges, and port ranges.

Associate the NSG with the Appropriate Resource:

Associate the NSG with the subnet or network interface of the virtual machine or resource where the Azure DevOps pipeline agent will be hosted.

By following these steps, you will ensure that the Azure DevOps pipeline agent can communicate with Azure DevOps services over the required port while blocking all other inbound and outbound Internet access, adhering to the principle of least privilege and security best practices.

To store signed images in an Azure Container Registry (ACR) instance and support your planned images while minimizing costs, you need to modify the SKU of your ACR instance to one that supports content trust and image signing. Here’s how you can do it:

Determine the Appropriate SKU:

Content trust and image signing are features of the Premium service tier of Azure Container Registry1.

If cost minimization is a priority, ensure that the Premium tier is necessary for your use case. If you require content trust, the Premium tier is the appropriate choice.

Modify the SKU of the ACR Instance:

Navigate to the Azure Portal.

Go to your ACR instance az40038443478act1.

Select Update from the overview pane.

Choose the Premium SKU from the SKU drop-down menu2.

Review the changes and pricing, then save the configuration.

By upgrading to the Premium SKU, you’ll be able to store signed images in your ACR instance. Remember to monitor your usage and costs to ensure they align with your budget and requirements.

Step 1: Write the KQL Query

Open Azure Data Explorer:

Navigate to Azure Data Explorer and sign in with your credentials.

Access the Securitylogs Database:

Open the Securitylogs database.

Write the Query:

Use the following KQL query to count the number of inbound requests for each source IP address:

InboundBrowsing

| where Timestamp between (datetime(2021-10-01) .. datetime(2021-12-31))

| summarize NumberOfRequests = count() by SourceIP

| project SourceIP, NumberOfRequests

Step 2: Export the Query Results

Run the Query:

Execute the query in Azure Data Explorer.

Export the Results:

Once the query results are displayed, click on the Export button.

Choose the export format (e.g., CSV) and specify the export path as C:\Samples.

By following these steps, you will have successfully written a KQL query to count the number of inbound requests for each source IP address during the last three months of 2021 and exported the results to C:\Samples

Scenario: By default, all releases must remain available for 30 days, except for production releases, which must be kept for 60 days.

Box 1: Set the default retention policy to 30 days

The Global default retention policy sets the default retention values for all the build pipelines. Authors of build pipelines can override these values.

Box 2: Set the stage retention policy to 60 days

You may want to retain more releases that have been deployed to specific stages.

References: https://docs.microsoft.com/en-us/azure/devops/pipelines/policies/retention

Step 1: Initialize the Default Main Branch

Navigate to Azure DevOps:

Go to Azure DevOps and sign in with your credentials.

Select Your Project:

Choose Project1 from your list of projects.

Initialize the Main Branch:

Go to Repos > Files.

If the main branch does not exist, you will see an option to initialize it. Click on Initialize and follow the prompts to create the main branch1.

Step 2: Create a New Branch for the Pipeline

Navigate to Branches:

Go to Repos > Branches.

Click on New branch.

Create the Branch:

Enter azure-pipelines as the branch name.

Select main as the base branch.

Click Create2.

Step 3: Create a New Azure Pipelines YAML Pipeline

Navigate to Pipelines:

Go to Pipelines > New pipeline.

Select the Repository:

Choose Azure Repos Git and select the relevant repository.

Configure the Pipeline:

Select Starter pipeline.

Replace the default YAML with the ASP.NET template. You can find the ASP.NET template in the Azure Pipelines documentation or use the following example:

trigger:

- main

pool:

vmImage: 'windows-latest'

variables:

buildConfiguration: 'Release'

steps:

- task: UseDotNet@2

inputs:

packageType: 'sdk'

version: '5.x'

installationPath: $(Agent.ToolsDirectory)/dotnet

- script: |

dotnet build --configuration $(buildConfiguration)

displayName: 'Build project'

- script: |

dotnet test --no-build --configuration $(buildConfiguration)

displayName: 'Run tests'

Save the Pipeline:

Click on Save and enter azure-pipelines as the branch name.

Click on Save and run to save the pipeline to the new branch named azure-pipelines3.

By following these steps, you will have successfully initialized the main branch, created a new branch named azure-pipelines, and set up a new Azure Pipelines YAML pipeline using the ASP.NET template

To configure a virtual machine template in your DevTest Labs environment named az400-38443478-dtl1 with Windows Server 2016 Datacenter that includes the Selenium tool and the Google Chrome browser, follow these steps:

Create a Custom Image with Windows Server 2016 Datacenter:

In the Azure Portal, go to your DevTest Lab az400-38443478-dtl1.

Navigate to Configuration and policies > Custom images.

Use an existing VM or create a new one with Windows Server 2016 Datacenter.

After setting up the VM, capture it to create a custom image1.

Install Selenium and Google Chrome on the VM:

Connect to the VM via RDP.

Download and install the Selenium WebDriver for your preferred programming language from the official Selenium website2.

For Google Chrome, download the offline installer from the official website and install it on the VM3.

Generalize the VM:

Run the sysprep command to generalize the VM, which prepares it to be used as a template.

Shut down the VM after sysprep completes.

Capture the Generalized VM to Create a Template:

In the Azure Portal, navigate to the VM and select Capture.

Provide the required details and create the image.

Add Selenium and Google Chrome Artifacts to the Template:

Go back to the DevTest Lab az400-38443478-dtl1.

Select Artifacts and add Selenium and Google Chrome artifacts to the template.

Ensure these artifacts are configured to install during the VM creation process.

Create VMs from the Template:

Now, when you create a new VM in the DevTest Lab, select the custom image you created.

The VM will be provisioned with Windows Server 2016 Datacenter, and the Selenium tool and Google Chrome browser will be installed automatically.

By following these steps, you can ensure that all virtual machines created from this template in your DevTest Lab will have the required operating system, tools, and browser installed. Remember to replace placeholder names with the actual names of your resources where necessary.

Step 1: Sign Up for Azure DevOps

Navigate to Azure DevOps.

Click on Start Free.

Enter the credentials:

Email: UserUsefl-42147509@ExamUsers.com

Password: eWrSalD2!

Follow the prompts to complete the sign-up process using the default settings.

Step 2: Create an Azure DevOps Organization

Once signed in, you will be prompted to create a new organization.

Enter a name for your organization and select your region.

Click on Continue to create the organization.

Step 3: Create a Private Project

In your new organization, click on New Project.

Name the project Project1.

Set the visibility to Private.

Click on Create.

Step 4: Add an External User as a Stakeholder

Go to the Organization Settings.

Under General, select Users.

Click on Add users.

Enter the email address: Usfrr2-42147S09@ExamUsers.com.

Set the access level to Stakeholder.

Add the user to the most restrictive group, which is typically the Readers group.

Click on Add to complete the process.

Step 5: Verify the User Addition

Ensure that the external user has been added successfully by checking the Users list.

Confirm that the user has the Stakeholder access level and is part of the Readers group.

By following these steps, you should be able to complete the task successfully. If you encounter any issues, feel free to ask for further assistance!

Batching CI runs

If you have many team members uploading changes often, you may want to reduce the number of runs you start. If you set batch to true, when a pipeline is running, the system waits until the run is completed, then starts another run with all changes that have not yet been built.

Example:

# specific branch build with batching

trigger:

batch: true

branches:

include:

- master

To clarify this example, let us say that a push A to master caused the above pipeline to run. While that pipeline is running, additional pushes B and C occur into the repository. These updates do not start new independent runs immediately. But after the first run is completed, all pushes until that point of time are batched together and a new run is started.

Scenario: Visual Studio App Center must be used to centralize the reporting of mobile application crashes and device types in use.

In order to use App Center, you need to opt in to the service(s) that you want to use, meaning by default no services are started and you will have to explicitly call each of them when starting the SDK.

Insert the following line to start the SDK in your app's App Delete class in the didFinishLaunchingWithOptions method.

MSAppCenter.start("{Your App Secret}", withServices: [MSAnalytics.self, MSCrashes.self])

References: https://docs.microsoft.com/en-us/appcenter/sdk/getting-started/ios

Step 1: Initialize the Default Main Branch

Navigate to Azure DevOps:

Go to Azure DevOps and sign in with your credentials.

Select Your Project:

Choose Project1 from your list of projects.

Initialize the Main Branch:

Go to Repos > Files.

If the main branch does not exist, you will see an option to initialize it. Click on Initialize and follow the prompts to create the main branch1.

Step 2: Enable Squash Merge for the Main Branch

Navigate to Branch Policies:

Go to Repos > Branches.

Find the main branch and click on the … (ellipsis) next to it.

Select Branch policies.

Enable Squash Merge:

Under Policies, scroll down to the Merge strategy section.

Select Squash merge as the required merge strategy2.

Save Changes:

Click on Save changes to apply the policies.

Step 3: Verify the Squash Merge Policy

Create a Pull Request:

Make a change in a branch and create a pull request to merge it into the main branch.

Complete the Pull Request:

Ensure that the pull request uses the squash merge strategy by selecting Squash commit under the Merge type in the Complete pull request dialog

Woodgrove Bank identifies the following technical requirements:

The Azure DevOps dashboard must display the metrics shown in the following table:

Box 1: Velocity

Velocity displays your team velocity. It shows what your team delivered as compared to plan.

Box 2: Release pipeline overview

Release pipeline overview shows the status of environments in a release definition.

Box 3: Query tile

Query tile displays the total number of results from a query.

Woodgrove Bank plans to implement the following changes to the identity environment:

Configure App1 to use a service principal.

Change the ConfigurationMode parameter from ApplyOnly to ApplyAndAutocorrect.

The Register-AzureRmAutomationDscNode cmdlet registers an Azure virtual machine as an APS Desired State Configuration (DSC) node in an Azure Automation account.

Scenario: Current Technical Issue

The test servers are configured correctly when first deployed, but they experience configuration drift over time. Azure Automation State Configuration fails to correct the configurations.

Azure Automation State Configuration nodes are registered by using the following command.

References: https://docs.microsoft.com/en-us/powershell/module/azurerm.automation/register-azurerma utomationdscnode?view=azurermps-6.13.0

Scenario: Access to Azure DevOps must be restricted to specific IP addresses.

Azure DevOps is authenticated through Azure Active Directory. You can use Azure AD's conditional access to prevent logins from certain geographies and address ranges.

Woodgrove Bank plans to implement the following changes to the DevOps environment:

Migrate all the source code from TFS1 to GitHub.

The Git-TFS tool is a two-way bridge between Team Foundation Version Control and Git, and can be used to perform a migration.

Box 1: rwx

The Log Analytics agent for Linux runs as the omsagent user. To grant >write permission to the omsagent user, run the command setfacl -m u:omsagent:rwx /tmp.

Box 2: /tmp

Deploying DSC to a Linux node uses the /tmp folder.

Every request made against a storage service must be authorized, unless the request is for a blob or container resource that has been made available for public or signed access. One option for authorizing a request is by using Shared Key.

Scenario: The mobile applications must be able to call the share pricing service of the existing retirement fund management system. Until the system is upgraded, the service will only support basic authentication over HTTPS.

The investment planning applications suite will include one multi-tier web application and two iOS mobile application. One mobile application will be used by employees; the other will be used by customers.

References: https://docs.microsoft.com/en-us/rest/api/storageservices/a uthorize-with-shared-key

Box 1: A source control system

A source control system, also called a version control system, allows developers to collaborate on code and track changes. Source control is an essential tool for multi-developer projects.

Box 2: A hosted service

To build and deploy Xcode apps or Xamarin.iOS projects, you'll need at least one macOS agent. If your pipelines are in Azure Pipelines and a Microsoft-hosted agent meets your needs, you can skip setting up a self-hosted macOS agent.

Scenario: The investment planning applications suite will include one multi-tier web application and two iOS mobile applications. One mobile application will be used by employees; the other will be used by customers.

References:

https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/v2-osx?view=azure-devops

Box 1: A Build task

Trigger a build

You have a Java code provisioned by the Azure DevOps demo generator. You will use WhiteSource Bolt extension to check the vulnerable components present in this code.

Go to Builds section under Pipelines tab, select the build definition WhiteSourceBolt and click on Queue to trigger a build.

To view the build in progress status, click on ellipsis and select View build results.

Box 2: WhiteSource Bolt

WhiteSource is the leader in continuous open source software security and compliance management. WhiteSource integrates into your build process, irrespective of your programming languages, build tools, or development environments. It works automatically, continuously, and silently in the background, checking the security, licensing, and quality of your open source components against WhiteSource constantly-updated definitive database of open source repositories.

References:

https://www.azuredevopslabs.co m/labs/vstsextend/whitesource/

Box 1: Get-AzResource

Use the following command to examine the access control mode for all workspaces in the subscription:

PowerShell

Get-Az Resource –Resource Type Microsoft. Operational Insights/workspaces –Expand Properties | for each {s.Name + ": " + $_.Properties.features.enableLogAccessUsingOnlyResourcePermissions

Box 2: -Resource Type

Box 1: Reader

Members of a group named Developers must be able to install packages.

Feeds have four levels of access: Owners, Contributors, Collaborators, and Readers. Owners can add any type of identity-individuals, teams, and groups-to any access level.

Box 2: Owner

Members of a group named Team Leaders must be able to create new packages and edit the permissions of package feeds.

The commit-msg hook is invoked by git-commit and git-merge, and can be bypassed with the --no-verify option.

Scenario: A branching strategy that supports developing new functionality in isolation must be used.

Feature isolation is a special derivation of the development isolation, allowing you to branch one or more feature branches from main, as shown, or from your dev branches.

When you need to work on a particular feature, it might be a good idea to create a feature branch.

Scenario:

Step 1: Sign in to Azure Develops by using an account that is assigned the Administrator service connection security role.

Note: Under Agent Phase, click Deploy Service Fabric Application. Click Docker Settings and then click Configure Docker settings. In Registry Credentials Source, select Azure Resource Manager Service Connection. Then select your Azure subscription.

Step 2: Create a personal access token..

A personal access token or PAT is required so that a machine can join the pool created with the Agent Pools (read, manage) scope.

Step 3: Install and register the Azure Pipelines agent on an Azure virtual machine.

By running a Azure Pipeline agent in the cluster, we make it possible to test any service, regardless of type.

References:

https://doc s.microsoft.com/en-us/azure/service-fabric/service-fabric-tutorial-deploy-container-app-with-cicd-vsts

https://mohitgoyal.co/2 019/01/10/run-azure-devops-private-agents-in-kubernetes-clusters/

Unattended config:

The agent can be set up from a script with no human intervention. You must pass --unattended and the answers to all questions.

To configure an agent, it must know the URL to your organization or collection and credentials of someone authorized to set up agents. All other responses are optional.

Every request made against a storage service must be authorized, unless the request is for a blob or container resource that has been made available for public or signed access. One option for authorizing a request is by using Shared Key.

Scenario: The mobile applications must be able to call the share pricing service of the existing retirement fund management system. Until the system is upgraded, the service will only support basic authentication over HTTPS.

The investment planning applications suite will include one multi-tier web application and two iOS mobile application. One mobile application will be used by employees; the other will be used by customers.

References: https://docs.microsoft.com/en-us/rest/api/storageservices/authorize-with-shared-key

Step 1: Create a Desired State Configuration (DSC) configuration file that has an extension of .ps1.

Step 2: Run the Import-AzureRmAutomationDscConfiguration Azure Powershell cmdlet

The Import-AzureRmAutomationDscConfiguration cmdlet imports an APS Desired State Configuration (DSC) configuration into Azure Automation. Specify the path of an APS script that contains a single DSC configuration.

Example:

PS C:\>Import-AzureRmAutomationDscConfiguration -AutomationAccountName "Contoso17"-ResourceGroupName "ResourceGroup01" -SourcePath "C:\DSC\client.ps1" -Force

This command imports the DSC configuration in the file named client.ps1 into the Automation account named Contoso17. The command specifies the Force parameter. If there is an existing DSC configuration, this command replaces it.

Step 3: Run the Start-AzureRmAutomationDscCompilationJob Azure Powershell cmdlet

The Start-AzureRmAutomationDscCompilationJob cmdlet compiles an APS Desired State Configuration (DSC) configuration in Azure Automation.

References:

https://docs.microsoft. com/en-us/powershell/module/azurerm.automation/import-azurermautomationdscconfiguration

https://docs.microsoft.com/en-us/powers hell/module/azurerm.automation/start-azurermautomationdsccompilationjob

Scenario: Implement Project3, Project5, Project6, and Project7 based on the planned changes

Step 1: Open the release pipeline editor.

In the Releases tab of Azure Pipelines, select your release pipeline and choose Edit to open the pipeline editor.

Step 2: Enable Gates.

Choose the pre-deployment conditions icon for the Production stage to open the conditions panel. Enable gates by using the switch control in the Gates section.

Step 3: Add Query Work items.

Choose + Add and select the Query Work Items gate.

Configure the gate by selecting an existing work item query.

Note: A case for release gate is:

Incident and issues management. Ensure the required status for work items, incidents, and issues. For example, ensure deployment occurs only if no priority zero bugs exist, and validation that there are no active incidents takes place after deployment.

References:

https://docs.microsoft.com/en-us/azure/devops/pipelines/release/deploy-using-approvals?view=azure-devops#configure-gate

The first thing to do is to declare your Sonar Qube server as a service endpoint in your VSTS/DevOps project settings.

References: https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Extension+for+vsts-TFS

Scenario:

References: https://docs.microsoft.com/en-us/azure/devops/pipelines/build/triggers

Step 1: Create a repository

A Git repository, or repo, is a folder that you've told Git to help you track file changes in. You can have any number of repos on your computer, each stored in their own folder.

Step 2: Create a branch

Branch policies help teams protect their important branches of development. Policies enforce your team's code quality and change management standards.

Step 3: Add a build validation policy

When a build validation policy is enabled, a new build is queued when a new pull request is created or when changes are pushed to an existing pull request targeting this branch. The build policy then evaluates the results of the build to determine whether the pull request can be completed.

Scenario:

Implement a code flow strategy for Project2 that will:

Enable Team2 to submit pull requests for Project2.

Enable Team2 to work independently on changes to a copy of Project2.

Ensure that any intermediary changes performed by Team2 on a copy of Project2 will be subject to the same restrictions as the ones defined in the build policy of Project2.

References: https://docs.microsoft.com/en-us/azure/devops/repos/git/man age-your-branches

Scenario: Implement Project4 and configure the project to push Docker images to Azure Container Registry.

You use Azure Container Registry Tasks commands to quickly build, push, and run a Docker container image natively within Azure, showing how to offload your "inner-loop" development cycle to the cloud. ACR Tasks is a suite of features within Azure Container Registry to help you manage and modify container images across the container lifecycle.

References:

https://do cs.microsoft.com/en-us/azure/container-registry/container-registry-quickstart-task-cli

Step 1: Initialize the Default Main Branch

Navigate to Azure DevOps:

Go to Azure DevOps and sign in with your credentials.

Select Your Project:

Choose Project1 from your list of projects.

Initialize the Main Branch:

Go to Repos > Files.

If the main branch does not exist, you will see an option to initialize it. Click on Initialize and follow the prompts to create the main branch1.

Step 2: Install the Microsoft Security DevOps Extension

Navigate to Extensions:

In Azure DevOps, click on the Shopping Bag icon in the top right corner and select Browse Marketplace.

Search for the Extension:

Search for Microsoft Security DevOps.

Install the Extension:

Click on Get it free.

Select your organization (User1-42147509) and click Install.

Follow the prompts to complete the installation2.

Step 3: Create a New Starter Pipeline

Navigate to Pipelines:

Go to Pipelines > New pipeline.

Select the Repository:

Choose Azure Repos Git and select the relevant repository.

Configure the Pipeline:

Select Starter pipeline and replace the default YAML with the following starter code:

trigger:

- starter

pool:

vmImage: 'windows-latest'

steps:

- task: MicrosoftSecurityDevOps@1

inputs:

command: 'run'

policy: 'azuredevops'

publish: true

Save the Pipeline:

Click on Save and enter starter as the branch name.

Click on Save and run to save the pipeline to the new branch named starter3.

By following these steps, you will have successfully initialized the main branch, installed the Microsoft Security DevOps extension, and created a new starter pipeline named starter1 that includes the specified task

Step 1: Initialize the Default Main Branch

Navigate to Azure DevOps:

Go to Azure DevOps and sign in with your credentials.

Select Your Project:

Choose Project1 from your list of projects.

Initialize the Main Branch:

Go to Repos > Files.

If the main branch does not exist, you will see an option to initialize it. Click on Initialize and follow the prompts to create the main branch.

Step 2: Implement an Approval Process for the Main Branch

Navigate to Branch Policies:

Go to Repos > Branches.

Find the main branch and click on the … (ellipsis) next to it.

Select Branch policies.

Enable Required Reviewers:

Under Policies, enable Minimum number of reviewers.

Set the minimum number of reviewers to 2 to enforce the four-eyes principle.

Add Required Reviewers:

Add the users who should review the changes. Ensure that at least one approval is required on every iteration.

Enable Reset Code Reviewer Votes:

Enable the Reset code reviewer votes when there are new changes option to ensure that any new changes require re-approval.

Save Changes:

Click on Save changes to apply the policies.

Step 3: Verify the Approval Process

Create a Pull Request:

Make a change in a branch and create a pull request to merge it into the main branch.

Review and Approve:

Ensure that the pull request requires at least two reviewers to approve it before it can be merged.

By following these steps, you will have successfully initialized the main branch and implemented an approval process that adheres to the four-eyes principle, ensuring that every iteration has at least one approval

To ensure that your Azure Web App named az400-38443478-main can retrieve secrets from an Azure Key Vault named az400-3844J478-kv1 using a system managed identity with the principle of least privilege, follow these detailed steps:

Enable a System Managed Identity for the Azure Web App:

Navigate to the Azure Portal.

Go to the Azure Web App az400-38443478-main.

Select Identity under the Settings section.

In the System assigned tab, switch the Status to On.

Click Save to apply the changes.

Grant the Web App Access to the Key Vault:

Go to the Azure Key Vault az400-3844J478-kv1.

Select Access policies under the Settings section.

Click on Add Access Policy.

Choose Secret permissions and select Get and List. This grants the app the ability to read secrets, adhering to the principle of least privilege.

Click on Select principal, search for your Web App name az400-38443478-main, and select it.

Click Add to add the policy.

Don’t forget to click Save to save the access policy changes.

Retrieve Secrets in the Web App Code:

In your Web App’s code, use the Azure SDK to retrieve the secrets.

For example, in a .NET application, you can use the Azure.Identity and Azure.Security.KeyVault.Secrets namespaces.

Utilize the DefaultAzureCredential class which will automatically use the system managed identity when running on Azure.

using Azure.Identity;

using Azure.Security.KeyVault.Secrets;

var client = new SecretClient(new Uri("https://az400-3844J478-kv1.vault.azure.net/ "), new DefaultAzureCredential());

KeyVaultSecret secret = await client.GetSecretAsync("my-secret-name");

string secretValue = secret.Value;

Replace "my-secret-name" with the actual name of the secret you want to retrieve.

By following these steps, your Azure Web App will be able to securely retrieve secrets from the Azure Key Vault using a system managed identity, without needing to store credentials in the code, and adhering to the principle of least privilege. Remember to replace the placeholder names with the actual names of your Web App and Key Vault.

Step 1: Create a New Team Dashboard

Navigate to Azure DevOps:

Go to Azure DevOps and sign in with your credentials.

Select Your Project:

Choose Project1 from your list of projects.

Access Dashboards:

In the left-hand menu, select Dashboards.

Create a New Dashboard:

Click on New Dashboard.

Enter the name Dashboard1.

Ensure the dashboard type is set to Team Dashboard.

Click Create.

Step 2: Add the Team Members Widget

Open the Widget Catalog:

After creating the dashboard, the widget catalog will open automatically. If it doesn’t, click on Add Widget.

Search for Team Members Widget:

In the widget catalog, search for Team Members.

Add the Widget:

Click on the Team Members widget and then click Add to place it on your dashboard.

Configure the Widget:

Once added, you can resize and move the widget to your preferred location on the dashboard.

Step 3: Save and Share the Dashboard

Save the Dashboard:

Click on Save to save your changes.

Share the Dashboard:

You can share the dashboard URL with your team members or set permissions to control who can view or edit the dashboard.

By following these steps, you will have a new team dashboard named Dashboard1 that displays the members of the default project team for Project1

Step 1: Create a Project Wiki

Navigate to Azure DevOps:

Go to Azure DevOps and sign in with your credentials.

Select Your Project:

Choose Project1 from your list of projects.

Create a Wiki:

In the left-hand menu, select Wiki.

Click on Create project wiki.

Enter the name Wiki1 and click Create.

Step 2: Add Mermaid Syntax to Render a Diagram

Open the Wiki Page:

Navigate to the newly created Wiki1.

Edit the Wiki Page:

Click on Edit to start editing the wiki page.

Insert Mermaid Diagram:

Use the following Mermaid syntax to render a diagram. For example, to render a simple flowchart, you can use:

```mermaid

graph TD;

A-->B;

A-->C;

B-->D;

C-->D;

Save the Page:

Click on Save to save your changes.

Step 3: Render the TCP Handshake Diagram

Convert TCPHandshake.png to Mermaid Syntax:

Since you have a sample diagram in C:\Resources\TCPHandshake.png, you need to convert this diagram into Mermaid syntax. Here’s an example of how a TCP handshake might look in Mermaid syntax:

```mermaid

sequenceDiagram

participant Client

participant Server

Client->>Server: SYN

Server-->>Client: SYN-ACK

Client->>Server: ACK

Add the Diagram to the Wiki:

Replace the sample Mermaid syntax with the TCP handshake diagram syntax in the wiki page.

Save the Page:

Click on Save to save your changes.

By following these steps, you will have created a project wiki named Wiki1 and used Mermaid syntax to render a diagram

To create an instance of Azure Application Insights named az400-38443478-main and configure it to receive telemetry data from an Azure web app with the same name, you’ll need to follow these steps:

Create a Log Analytics Workspace:

Go to the Azure Portal.

Search for Log Analytics Workspaces and select Add.

Select a Subscription and either use an existing Resource Group or create a new one.

Provide a unique name for your Log Analytics workspace.

Choose the Region that is appropriate for you.

Review the settings and then select Create1.

Create an Azure Application Insights Instance:

In the Azure Portal, navigate to Application Insights.

Click on + Create.

Fill in the instance details, ensuring the name is az400-38443478-main.

Link the instance to the Log Analytics workspace you created in the previous step.

Review and create the Application Insights instance2.

Configure the Azure Web App to Send Telemetry Data:

Go to the Azure Web App az400-38443478-main.

Under Monitoring, select Application Insights.

Choose to use an existing resource and select the Application Insights instance you created.

Follow the prompts to set up the connection, which may involve adding the appropriate SDK to your web app and configuring the connection string or instrumentation key.

Verify Telemetry Data Reception:

After setting up, send some test traffic to your web app.

Then, go to the Application Insights instance and check the Overview or Performance sections to see if telemetry data is being received.

Remember to replace placeholder names with the actual names of your resources where necessary. These steps will help you set up Azure Application Insights to monitor your web app effectively.

The Register-AzureRmAutomationDscNode cmdlet registers an Azure virtual machine as an APS Desired State Configuration (DSC) node in an Azure Automation account.

Scenario: The Azure DevOps organization includes:

The Docker extension

A deployment pool named Pool7 that contains 10 Azure virtual machines that run Windows Server 2016

References: https://docs.microsoft.com/en-us/powershell/module/azurerm.automation/register-azurermautomationdscnode

A: You can use Azure Monitor to monitor base-level metrics and logs for most services in Azure. You can call Azure Automation run books by using action groups or by using classic alerts to automate tasks

based on alerts.

B: Metric Alert with Dynamic Thresholds detection leverages advanced machine learning (ML) to learn metrics' historical behavior, identify patterns and anomalies that indicate possible service issues. It

provides support of both a simple UI and operations at scale by allowing users to configure alert rules through the Azure Resource Manager API, in a fully automated manner.

The IT Service Management Connector (ITSMC) allows you to connect Azure and a supported IT Service Management (ITSM) product/service.

ITSMC supports connections with the following ITSM tools:

ServiceNow

System Center Service Manager

Provance

Cherwell

With ITSMC, you can

Create work items in ITSM tool, based on your Azure alerts (metric alerts, Activity Log alerts and Log Analytics alerts).

Optionally, you can sync your incident and change request data from your ITSM tool to an Azure Log Analytics workspace.

Azure Automation now ships with the Azure PowerShell module of version 0.8.6, which introduced the ability to non-interactively authenticate to Azure using OrgId (Azure Active Directory user) credential-based authentication. Using the steps below, you can set up Azure Automation to talk to Azure using this authentication type.

Step 1: Find the Azure Active Directory associated with the Azure subscription to manage:

1. Log in to the Azure portal as the service administrator for the Azure subscription you want to manage using Azure Automation. You can find this user by logging in to the Azure portal as any user with access to this Azure subscription, then clicking Settings, then Administrators.

2. Note the name of the directory associated with the Azure subscription you want to manage. You can find this directory by clicking Settings, then Subscriptions.

Step 2: Create an Azure Active Directory user in the directory associated with the Azure subscription to manage:

You can skip this step if you already have an Azure Active Directory user in this directory. and plan to use this OrgId to manage Azure.

1. In the Azure portal click on Active Directory service.

2. Click the directory name that is associated with this Azure subscription.

3. Click on the Users tab and then click the Add User button.

4. For type of user, select “New user in your organization.” Enter a username for the user to create.

5. Fill out the user’s profile. For role, pick “User.” Don’t enable multi-factor authentication. Multi-factor accounts cannot be used with Azure Automation.

6. Click Create.

7. Jot down the full username (including part after @ symbol) and temporary password.

Step 3: Allow this Azure Active Directory user to manage this Azure subscription.

1. Click on Settings (bottom Azure tab under StorSimple)

2. Click Administrators

3. Click the Add button. Type the full user name (including part after @ symbol) of the Azure Active Directory user you want to set up to manage Azure. For subscriptions, choose the Azure subscriptions you want this user to be able to manage. Click the check mark.

Step 4: Configure Azure Automation to use this Azure Active Directory user to manage this Azure subscription

Create an Azure Automation credential asset containing the username and password of the Azure Active Directory user that you have just created. You can create a credential asset in Azure Automation by clicking into an Automation Account and then clicking the Assets tab, then the Add Setting button.

Note: Once you have set up the Azure Active Directory credential in Azure and Azure Automation, you can now manage Azure from Azure Automation runbooks using this credential.

References:

https://azure.microsoft.com/sv-se/blog/azure-automation-authenticating-to-azure-using-azure-active-directory/

You can use the Azure DevTest Labs Tasks extension that's installed in Azure DevOps to easily integrate your CI/CD build-and-release pipeline with Azure DevTest Labs. The extension installs three tasks:

Create a VM

Create a custom image from a VM

Delete a VM

The process makes it easy to, for example, quickly deploy a "golden image" for a specific test task and then delete it when the test is finished.

References: https://docs.microsoft.com/en-us/azure/lab-services/devtest-lab-integrate-ci-cd-vsts

1. Open Microsoft Azure Portal

2. Select All Services, and then select DevTest Labs in the DEVOPS section.

3. From the list of labs, select the az400-9940427-dtl1 lab

4. On the home page for your lab, select + Add on the toolbar.

5. Select the Windows Server 2016 Datacenter base image for the VM.

6. Select automation options at the bottom of the page above the Submit button.

7. You see the Azure Resource Manager template for creating the virtual machine.

8. The JSON segment in the resources section has the definition for the image type you selected earlier.

References:

https://docs.microsoft.com/bs-cyrl-ba/azure//lab-services/devtest-lab-vm-powershell

1. Open Microsoft Azure Portal and Log into your Azure account.

2. Select network security group (NSG) named az400-9940427-nsg1

3. Select Settings, Outbound security rules, and click Add

4. Click Advanced

5. Change the following settings:

Destination Port range: 8080

Protocol. TCP

Action: Allow

Note: By default, Azure DevOps Server uses TCP Port 8080.

References:

https://robertsmit.wordpress.com/2017/09/11/step-by-step-azure-network-security-groups-nsg-security-center-azure-nsg-network/

https://docs.microsoft.com/en-us/azure/devops/server/architecture/required- ports?view=azure-devops

Box 1: A key Vault advanced access policy

Box 2: RBAC

Management plane access control uses RBAC.

The management plane consists of operations that affect the key vault itself, such as:

Creating or deleting a key vault.

Getting a list of vaults in a subscription.

Retrieving Key Vault properties (such as SKU and tags).

Setting Key Vault access policies that control user and application access to keys and secrets.

References: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-tutorial-use-key-vault

Git history: File history is replicated on the client dev machine and can be viewed even when not connected to the server. You can view history in Visual Studio and on the web portal.

Note: Azure Repos supports two types of version control: Git and Team Foundation Version Control (TFVC).

Box 1: Basic

Assign Basic to users with a TFS CAL, with a Visual Studio Professional subscription, and to users for whom you are paying for Azure Boards & Repos in an organization.

Box 2: Stakeholder

Assign Stakeholders to users with no license or subscriptions who need access to a limited set of features.

Note:

You assign users or groups of users to one of the following access levels:

Basic: provides access to most features

VS Enterprise: provides access to premium features

Stakeholders: provides partial access, can be assigned to unlimited users for free

Box 1: Azure Container Registry

Azure services like Azure Container Registry (ACR) and Azure Container Instances (ACI) can be used and connected from independent container orchestrators like kubernetes (k8s). You can set up a custom ACR and connect it to an existing k8s cluster to ensure images will be pulled from the private container registry instead of the public docker hub.

Box 2: An Azure service principal

When you're using Azure Container Registry (ACR) with Azure Kubernetes Service (AKS), an authentication mechanism needs to be established. You can set up AKS and ACR integration during the initial creation of your AKS cluster. To allow an AKS cluster to interact with ACR, an Azure Active Directory service principal is used.

References:

https://thorsten-hans.com/how -to-use-private-azure-container-registry-with-kubernetes

https://docs.microsoft.com/en-us/azure/aks/cluster-contain er-registry-integration

Box 1: Configuration

The following example shows a simple example of a configuration.

configuration IISInstall

{

node "localhost"

{

WindowsFeature IIS

{

Ensure = "Present"

Name = "Web-Server"

}

}

}

Box 2: WindowsFeature

Squash merging is a merge option that allows you to condense the Git history of topic branches when you complete a pull request. Instead of each commit on the topic branch being added to the history of the default branch, a squash merge takes all the file changes and adds them to a single new commit on the default branch.

A simple way to think about this is that squash merge gives you just the file changes, and a regular merge gives you the file changes and the commit history.

Note: Squash merging keeps your default branch histories clean and easy to follow without demanding any workflow changes on your team. Contributors to the topic branch work how they want in the topic branch, and the default branches keep a linear history through the use of squash merges. The commit history of a master branch updated with squash merges will have one commit for each merged branch. You can step through this history commit by commit to find out exactly when work was done.

References: https://docs.microsoft. com/en-us/azure/devops/repos/git/merging-with-squash

1. In Azure portal navigate to the az400-9940427-main app.

2. Scroll down to the Settings group in the left navigation.

3. Select Managed identity.

4. Within the System assigned tab, switch Status to On. Click Save.

References:

https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity

In some cases, you need to bypass policy requirements so you can push changes to the branch directly or complete a pull request even if branch policies are not satisfied. For these situations, grant the desired permission from the previous list to a user or group. You can scope this permission to an entire project, a repo, or a single branch. Manage this permission along the with other Git permissions.

References: https://docs.microsoft.com/en-us/azure/devops/repos/g it/branch-policies

The IT Service Management Connector (ITSMC) allows you to connect Azure and a supported IT Service Management (ITSM) product/service.

ITSMC supports connections with the following ITSM tools:

ServiceNow

System Center Service Manager

Provance

Cherwell

With ITSMC, you can

Create work items in ITSM tool, based on your Azure alerts (metric alerts, Activity Log alerts and Log Analytics alerts).

Optionally, you can sync your incident and change request data from your ITSM tool to an Azure Log Analytics workspace.

References: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/itsmc-overview

User1: Project Administrators

You must have the permission Create Repository to publish code as wiki. By default, this permission is set for members of the Project Administrators group.

User2: Contributors

Anyone who is a member of the Contributors security group can add or edit wiki pages.

Anyone with access to the team project, including stakeholders, can view the wiki.

The basic idea behind Continuous Assurance (CA) is to setup the ability to check for "drift" from what is considered a secure snapshot of a system. Support for Continuous Assurance lets us treat security truly as a 'state' as opposed to a 'point in time' achievement. This is particularly important in today's context when 'continuous change' has become a norm.

There can be two types of drift:

Drift involving 'baseline' configuration: This involves settings that have a fixed number of possible states (often pre-defined/statically determined ones). For instance, a SQL DB can have TDE encryption turned ON or OFF…or a Storage Account may have auditing turned ON however the log retention period may be less than 365 days.

Drift involving 'stateful' configuration: There are settings which cannot be constrained within a finite set of well-known states. For instance, the IP addresses configured to have access to a SQL DB can be any (arbitrary) set of IP addresses. In such scenarios, usually human judgment is initially required to determine whether a particular configuration should be considered 'secure' or not. However, once that is done, it is important to ensure that there is no "stateful drift" from the attested configuration. (E.g., if, in a troubleshooting session, someone adds the IP address of a developer machine to the list, the Continuous Assurance feature should be able to identify the drift and generate notifications/alerts or even trigger 'auto-remediation' depending on the severity of the change).

Box 1: 5

There are five stages: Development, QA, Pre-production, Load Test and Production. They all have triggers.

Box 2: The Internal Review stage

References: https://docs.microsoft.com/en-us/azure/devops/pipelines/release/trig gers

Scenarios and use cases for gates include:

Quality validation. Query metrics from tests on the build artifacts such as pass rate or code coverage and deploy only if they are within required thresholds.

Use Quality Gates to integrate monitoring into your pre-deployment or post-deployment. This ensures that you are meeting the key health/performance metrics (KPIs) as your applications move from dev to production and any differences in the infrastructure environment or scale is not negatively impacting your KPIs.

Note: Gates allow automatic collection of health signals from external services, and then promote the release when all the signals are successful at the same time or stop the deployment on timeout. Typically, gates are used in connection with incident management, problem management, change management, monitoring, and external approval systems.

References:

https://docs.microsoft. com/en-us/azure/azure-monitor/continuous-monitoring

https://docs.microsoft.com/en-us/azure/devops/pipelines/release/approvals/gates?view=azure-devops

Defining the Release Pipeline

Once the application portion of the Release pipeline has been configured, the security scan portion can be defined. In our example, this consists of 8 tasks, primarily using the Azure CLI task to create and use the ACI instance (and supporting structures).

Otherwise specified, all the Azure CLI tasks are Inline tasks, using the default configuration options.

Box 1: requests

Failed requests (requests/failed):

The count of tracked server requests that were marked as failed.

Kusto code:

requests

| where success == 'False'

Box 2: success == false

https://github.com/microsoft/azure-pipelines-image-generation/blob/d80f81d6c98f8ce2c74b034309bb774ea8d31cfb/images/win/Vs2015-Server2012R2-Readme.md

https://github.com/actions/virtual-environments/blob/master/images/win/Windows2016-Readme.md

Deployment Mode

Location specified in the Linked artifact variable

"Build and test with a multi-stage Dockerfile: build and tests execute inside the container using a multi-stage Docker file, as such test results are not published back to the pipeline." https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/test/p ublish-test-results?view=azure-devops&tabs=trx%2Cyaml

To ensure that the webhook at https://contoso.com/statushook is called every time the repository named az40038443478acr1 receives a new version of an image named dotnetapp, you can follow these steps to configure a webhook in Azure Container Registry:

Navigate to the Azure Container Registry:

Go to the Azure Portal.

Find and select your Azure Container Registry instance az40038443478acr1.

Create a New Webhook:

Under Services, select Webhooks.

Click on + Add to create a new webhook.

Fill in the form with the following information:

Webhook name: Enter a unique name for your webhook.

Service URI: Enter https://contoso.com/statushook .

Custom headers: (Optional) Add any headers you want to pass along with the POST request.

Trigger actions: Select Push to trigger the webhook on image push events.

Scope: Specify the scope as az40038443478acr1:dotnetapp to target the specific image.

Status: Set to Enabled.

Save the Webhook Configuration:

Review the information and click Create to save the webhook.

Once configured, the webhook will send a POST request to https://contoso.com/statushook whenever a new version of the dotnetapp image is pushed to the az40038443478acr1 repository in your Azure Container Registry1.

This setup will automate the notification process, ensuring that the specified webhook is called with each new image version, thus fulfilling the task requirements.