AZ-400 Questions and Answers

The first thing to do is to declare your Sonar Qube server as a service endpoint in your VSTS/DevOps project settings.

The Register-AzureRmAutomationDscNode cmdlet registers an Azure virtual machine as an APS Desired State Configuration (DSC) node in an Azure Automation account.

Scenario: The Azure DevOps organization includes:

The Docker extension

A deployment pool named Pool7 that contains10 Azure virtual machines that run Windows Server 2016

Scenario:

Scenario: By default, all releases must remain available for 30 days, except for production releases, which must be kept for 60 days.

Box 1: Set the defaultretention policy to 30 days

The Global default retention policy sets the default retention values for all the build pipelines. Authors of build pipelines can override these values.

Box 2: Set the stage retention policy to 60 days

You may want to retain more releases that have been deployed to specific stages.

Scenario: Implement Project4 and configure the project to push Docker images to Azure Container Registry.

You use Azure Container Registry Tasks commands to quickly build, push, and run a Docker container image natively within Azure, showing how to offload your "inner-loop" development cycle to the cloud. ACR Tasks is a suite of features within Azure Container Registry to help you manage and modify container images across the container lifecycle.

Woodgrove Bank plans to implement the following changes to the DevOps environment:

Migrate all the source code from TFS1 to GitHub.

The Git-TFS tool is a two-way bridge between Team Foundation Version Control and Git, and can be used to perform a migration.

Scenario: Visual Studio App Center must be used to centralize the reporting of mobile application crashes and device types in use.

In order to use App Center, you need to opt in to the service(s) that you want to use, meaning by default no services are started and you will have to explicitly call each of them when starting the SDK.

Insert the following line to start the SDK in your app's App Delete class in the didFinishLaunchingWithOptions method.

MSAppCenter.start("{Your App Secret}", withServices: [MSAnalytics.self, MSCrashes.self])

Scenario:

Step 1: Sign in to Azure Develops by using an account that is assigned the Administrator service connection security role.

Note: Under Agent Phase, click Deploy Service Fabric Application. Click Docker Settings and then click Configure Docker settings. In Registry Credentials Source, select Azure Resource Manager Service Connection. Then select your Azure subscription.

Step 2: Create a personal access token..

A personal access token or PAT is required so that a machine can join the pool created with the Agent Pools (read, manage) scope.

Step 3: Install and register the Azure Pipelines agent on an Azure virtual machine.

By running a Azure Pipeline agent in thecluster, we make it possible to test any service, regardless of type.

Step 1: Createa repository

A Git repository, or repo, is a folder that you've told Git to help you track file changes in. You can have any number of repos on your computer, each stored in their own folder.

Step 2: Create a branch

Branch policies help teams protect their important branches of development. Policies enforce your team's code quality and change management standards.

Step 3: Add a build validation policy

When a build validation policy is enabled, a new build is queued when a new pull request is created or when changes are pushed to an existing pull request targeting this branch. The build policy then evaluates the results of the build to determine whether the pull request can be completed.

Scenario:

Implement a code flow strategy for Project2 that will:

Enable Team2 to submit pull requests for Project2.

Enable Team2 to work independently on changes to a copy of Project2.

Ensure that any intermediary changes performed by Team2 on a copy of Project2 will be subject to the same restrictions as the ones defined in the build policy of Project2.

Scenario: Implement Project3, Project5,Project6, and Project7 based on the planned changes

Step 1: Open the release pipeline editor.

In the Releases tab of Azure Pipelines, select your release pipeline and choose Edit to open the pipeline editor.

Step 2: Enable Gates.

Choose thepre-deployment conditions icon for the Production stage to open the conditions panel. Enable gates by using the switch control in the Gates section.

Step 3: Add Query Work items.

Choose + Add and select the Query Work Items gate.

Configure the gate by selecting an existing work item query.

Note: A case for release gate is:

Incident and issues management. Ensure the required status for work items, incidents, and issues. For example, ensure deployment occurs only if no priority zero bugs exist, and validation that there are no active incidents takes place after deployment.

Setting 1: Threshold value

Set to 80 %

Scenario: An Azure Monitor alert for VM1 must be configured to meet the following requirements:

Be triggered whenaverage CPU usage exceeds 80 percent for 15 minutes.

Calculate CPU usage averages once every minute.

Setting 2: Aggregation granularity

Set to 15 minutes.

No fast-forward merge - This option merges the commit history of the source branch when the pull request closes and creates a merge commit in the target branch.

Scenario: Access to Azure DevOps mustbe restricted to specific IP addresses.

Azure DevOps is authenticated through Azure Active Directory. You can use Azure AD's conditional access to prevent logins from certain geographies and address ranges.

Woodgrove Bank identifies the following technical requirements:

The Azure DevOps dashboard must display the metrics shown in the following table:

Box 1: Velocity

Velocity displays your team velocity. It shows what your team delivered as compared to plan.

Box 2: Release pipeline overview

Release pipeline overview shows the status of environments in a release definition.

Box 3: Query tile

Query tile displays the total number of results from a query.

Box 1: Azure Boards

Azure Boards can be used to track work with Kanban boards, backlogs, team dashboards, and custom reporting

You can create multiple Trello boards, which are spaces to store tasks (for different work contexts, or even private boards)

You can easily shareTrello boards with another person.

Box 2: Azure Pipelines

You can use Bamboo to implement CI/CD (Continuous Integration and Continuous Delivery) for a simple Azure function app using Atlassian Bamboo. Bamboo does continuous delivery of the project fromsource code to deployment. It has stages including Build, Test and Deploy.

Software teams in every industry are upgrading their continuous delivery pipeline with Bamboo. Easy build import from popular open source tools, user and group import from JIRA, seamless integration with Bitbucket, and native support for Git, Hg, and SVN means you'll be building and deploying like a champ.

Box 3: GitHub repositories

Bitbucket can be used as the Git repository, but you can use any other Git repository (Like TFS Git)for source control of the code.

Woodgrove Bank plans to implement the following changes to the identity environment:

Configure App1 to use a service principal.

Scenario: Deploy App2 to an Azure virtual machine named VM1.

A personal access token (PAT) is used as an alternatepassword to authenticate into Azure DevOps.

Every request made against a storage service must be authorized, unless the request is for a blob or container resource that has been made available for public or signed access. One option for authorizing a request is by using Shared Key.

Scenario: The mobile applications must be able to call the share pricing service of the existing retirement fund management system. Until the system is upgraded, the service will only support basic authentication over HTTPS.

The investment planning applications suite will include one multi-tier web application and two iOS mobile application. One mobile application will be used by employees; the other will be used by customers.

Change the ConfigurationMode parameter from ApplyOnly to ApplyAndAutocorrect.

The Register-AzureRmAutomationDscNode cmdlet registers an Azure virtual machine as an APS Desired State Configuration (DSC) node in an Azure Automation account.

Scenario: Current Technical Issue

The test servers are configured correctly when first deployed, but they experience configuration drift over time. Azure AutomationState Configuration fails to correct the configurations.

Azure Automation State Configuration nodes are registered by using the following command.

Scenario: A branching strategy that supports developing newfunctionality in isolation must be used.

Feature isolation is a special derivation of the development isolation, allowing you to branch one or more feature branches from main, as shown, or from your dev branches.

When you need to work on a particularfeature, it might be a good idea to create a feature branch.

The commit-msg hook is invoked by git-commit and git-merge, and can be bypassed with the --no-verify option.

Unattended config:

The agent can be set up from a script with no human intervention. You must pass--unattended and the answers to all questions.

To configure an agent, it must know the URL to your organization or collection and credentials of someone authorized to set up agents. All other responses are optional.

Box 1: rwx

The Log Analytics agent for Linux runs as the omsagent user. To grant >write permission to the omsagent user, run the command setfacl -m u:omsagent:rwx /tmp.

Box 2: /tmp

Deploying DSC to a Linux node uses the /tmp folder.

Batching CI runs

If you have many team members uploadingchanges often, you may want to reduce the number of runs you start. If you set batch to true, when a pipeline is running, the system waits until the run is completed, then starts another run with all changes that have not yet been built.

Example:

# specific branch build with batching

trigger:

batch: true

branches:

include:

- master

To clarify this example, let us say that a push A to master caused the above pipeline to run. While that pipeline is running, additional pushes B and C occur into therepository. These updates do not start new independent runs immediately. But after the first run is completed, all pushes until that point of time are batched together and a new run is started.

Box 1: Reader

Members of a group named Developers must be able to install packages.

Feeds have four levels of access: Owners, Contributors, Collaborators, and Readers. Ownerscan add any type of identity-individuals, teams, and groups-to any access level.

Box 2: Owner

Members of a group named Team Leaders must be able to create new packages and edit the permissions of package feeds.

Box 1: A source control system

A source control system, also called a version control system, allows developers to collaborate on code and track changes.Source control is an essential tool for multi-developer projects.

Box 2: A hosted service

To build and deploy Xcode apps or Xamarin.iOS projects, you'll need at least one macOS agent. If your pipelines are in Azure Pipelines and a Microsoft-hosted agentmeets your needs, you can skip setting up a self-hosted macOS agent.

Scenario: The investment planning applications suite will include one multi-tier web application and two iOS mobile applications. One mobile application will be used by employees; the other will be used by customers.

Every request made against a storage service must be authorized, unless the request is for a blob or container resource that has been made available for public or signed access. One option for authorizing a request is by using Shared Key.

Scenario: The mobile applications must be able to call the share pricing service of the existing retirement fund management system. Until the system is upgraded, the service will only support basic authentication over HTTPS.

The investment planning applications suite will include one multi-tier web application and two iOS mobile application. One mobile application will be used by employees; the other will be used by customers.

Box 1: Master

The Master branch contains production code. All development code is merged into master in sometime.

Box 2: Develop

The Develop branch containspre-production code. When the features are finished then they are merged into develop.

There are three types of Application Insights availability tests:

URL ping test: a simple test that you can create in the Azure portal.

Multi-step web test

Custom Track Availability Tests

Note: After you've deployed your web app/website, you can set up recurring tests to monitor availability and responsiveness. Azure Application Insightssends web requests to your application at regular

intervals from points around the world. It can alert you if your application isn't responding, or if it responds too slowly.

You can set up availability tests for any HTTP or HTTPS endpoint that is accessible from the public internet. You don't have to make any changes to the website you're testing. In fact, it doesn't even have to

be a site you own. You can test the availability of a REST API that your service depends on.

https://docs.microsoft.com/en-us/azure/devops/pipelines/troubleshooting/troubleshooting

You can manage technical debt with Sonar Rube and Azure DevOps.

Note: Technical debt is the set of problems in a development effort that make forward progress on customer value inefficient. Technical debt saps productivity by making code hard to understand, fragile, time-consuming to change, difficult to validate, and creates unplanned work that blocks progress. Unless they are managed, technical debt can accumulate and hurt the overall qualityof the software and the productivity of the development team in the long term

SonarQube an open source platform for continuous inspection of code quality to perform automatic reviews with static analysis of code to:

Detect Bugs

Code Smells

Security Vulnerabilities

Centralize Quality

What’s covered in this lab

Box 1: Get-AzResource

Use the followingcommand to examine the access control mode for all workspaces in the subscription:

PowerShell

Get-Az Resource –Resource Type Microsoft. Operational Insights/workspaces –Expand Properties | for each {s.Name + ": " + $_.Properties.features.enableLogAccessUsingOnlyResourcePermissions

Box 2: -Resource Type

Notifications help you and your team stay informed about activity that occurs within your projects in Azure DevOps. You can get notified when changes occur to the following items:

work items

code reviews

pull requests

source control files

builds

Step 1: Create a dependency graph for the application

By linking work items and other objects, you can track related work, dependencies, and changes made over time. All links are defined with a specific link type. For example, you can use Parent/Child links to link work items to support a hierarchical tree structure. Whereas, the Commit and Branch link types support links between work items and commits and branches, respectively.

Step 2: Group the related components.

Packages enable you to share code across your organization: you can compose a large product, develop multiple products based on a common shared framework, or create and share reusable components and libraries.

Step 3: Assign ownership to each component graph

Create a service hook for Azure DevOps with Slack to post messages to Slack in response to events inyour Azure DevOps organization, such as completed builds, code changes, pull requests, releases, work items changes, and more.

Note:

1. Go to your project Service Hooks page:

https://{orgName}/{project_name}/_settings/serviceHooks

Select CreateSubscription.

3. Choose the types of events you want to appear in your Slack channel.

4. Paste the Web Hook URL from the Slack integration that you created and select Finish.

5. Now, when the event you configured occurs in your project, a notification appears in your team's Slack channel.

Box 1: Microsoft Visual Studio App Center distribution Groups

Distribution Groups are used to control access to releases. A Distribution Group represents a set of users that can be managed jointly and can have common access to releases. Exampleof Distribution Groups can be teams of users, like the QA Team or External Beta Testers or can represent stages or rings of releases, such as Staging.

Box 2: Shared

Shared distribution groups are private or public distribution groups that are shared across multiple apps in a single organization. Shared distribution groups eliminate the need to replicate distribution groups across multiple apps.

Note: With the Deploy with App Center Task in Visual Studio Team Services, you can deploy your apps from Azure DevOps (formerly known as VSTS) to App Center. By deploying to App Center, you will be able to distribute your builds to your users.

Use a Pull request trigger.

Note: Batch changes

Select this check box if you have a lot of team members uploading changes often and you wantto reduce the number of builds you are running. If you select this option, when a build is running, the system waits until the build is completed and then queues another build of all changes that have not yet been built.

https://docs.github.com/en/actions/security-guides/encrypted-secrets "To use secrets that are larger than 48 KB, you can use a workaround to store encrypted secrets in your repository and save the decryptionpassphrase as a secret on GitHub." Because it requires less administrative privilege it's at repository level

Step 1: Create an agent pool

AzurePipelines provides a pre-defined agent pool named Azure Pipelines with Microsoft-hosted agents.

Step 2: Create a deployment group

Deployment groups make it easy to define logical groups of target machines for deployment, and install the required agent oneach machine.

Step 3: Execute the Azure Pipelines Agent extension to the virtual machines

Install the Azure Pipelines Agent Azure VM extension

Step 4: Add and configure a deployment group job for the pipeline

Tasks that you define in a deployment group job run on some or all of the target servers, depending on the arguments you specify for the tasks and the job itself.

Instead enable pipeline caching.

Note:

npm-cache is a command line utility that caches dependencies installed via npm, bower, jspm and composer.

It is useful for build processes that run [npm|bower|composer|jspm] install every time as part of their build process. Since dependencies don't change often, this often means slower build times. npm-cache helps alleviate this problem by caching previously installed dependencies on the build machine.

A: To always skip certain members of the team, select Never assign certain team members. Then, select one or more team members you'd like to always skip. In this case select the team leader.

E: The load balance algorithm chooses reviewers based on each member's total number of recent review requests and considers the number of outstanding reviews for each member. The load balance algorithm tries to ensure that each team memberreviews an equal number of pull requests in any 30day period.

Contributors have permissions to contribute fully to the project code base and work item tracking. The main permissions they don't have or those that manage or administer resources.

e:

https://docs.microsoft.com/en-us/azure/devops/organizations/security/permissions

https://docs.microsoft.com/en-us/azure/devops/organizations/security/permissions-access-work-tracking?view=azure-devops#queries-and-semantic-search

QUESTIONNO: 4

You need !0 the merge the POC branch into the default branch. The solution must meet the technical requirements. Which command should you run?

A. it push

B. git merge -- allow-unrelated-histories

C. git rebase

D. git merge --squash

Answer: C

You can create a service hook for Azure DevOps Services and TFS with Jenkins.

Smart Detection automatically warns you of potential performance problems and failure anomalies in your web application. It performs proactive analysis of the telemetry that your app sends to Application

Insights. If there is a sudden rise in failure rates, or abnormal patterns in client or server performance, you get an alert.

Enable Remote Debugging

Before we start a debugging session to our Azure Function app we need to enable the functionality.

Navigate in the Azure portal to your function app fa-11566895

Go to the “Application settings”

Under “Debugging” set Remote Debugging to On and set Remote Visual Studio version to 2017.

Task 11: Create an Artifact Feed with Specific Retention Policies

Step 1: Navigate to Artifacts

In your Azure DevOps Project (Project1), click on the Artifacts section in the left menu.

Step 2: Create a New Feed

Click on the + New feed button.

In the Name field, enter:

nginx

Copy

artifact_feed

Choose the visibility of the feed:

Project scoped (only accessible to Project1).

Or Organization scoped (accessible across your Azure DevOps organization).

Leave other settings at default unless you have specific permissions or upstream sources.

Click Create.

This creates a new feed named artifact_feed.

Step 3: Configure Retention Policies

In the Artifacts section, click on the feed named artifact_feed to open its details page.

In the top-right corner, click on the three dots (...) and select Feed settings.

Step 4: Set the Maximum Number of Versions to Retain

In the Feed settings page, find the Retention policies section.

Set Maximum number of versions per package to:

Copy

10

Click Save.

This ensures that only the latest 10 versions of any package are retained in the feed.

Step 5: Set the Downloaded Package Retention Period

In the Feed settings page, under Retention policies, find Downloaded package retention.

Set Number of days to retain downloaded packages to:

Copy

90

Click Save.

This ensures that downloaded packages will be retained in the cache for 90 days before deletion.

Sign in to the Azure portal.

Navigate to the container registry az40010480345acr1.

Under Services, select Webhooks.

Select the existing webhook https://contoso.com/statushook, and double-click on itto get its properties.

For Trigger actions select image push

Example web hook:

Set up Advanced Threat Protection in the Azure portal

1. Sign into the Azure portal.

2.Navigate to the configuration page of the server you want to protect. In the security settings, select Advanced Data Security.

3. On the Advanced Data Security configuration page:

4. Enable Advanced Data Security on the server.

Note: Advanced Threat Protection for Azure SQL Database detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Advanced Threat Protection can identify Potential SQL injection, Access from unusual location or data center,Access from unfamiliar principal or potentially harmful application, and Brute force SQL credentials

1. Open Microsoft Azure Portal

2. Log intoyour Azure account and go to App Service and look under Monitoring then you will see Alert.

3. Select Add an alert rule

4. Configure the alert rule as per below and click Ok.

Source: Alert on Metrics

Resource Group: az400-9940427-main

Resource: az400-9940427-main

Threshold: 5

Period: Over the last 5 minutes

Webhook: https://contoso.com/notify

Task 6: Create a Service Connection for Resource Group Deployment using Managed Identity and Workload Identity Federation

Step 1: Understand the Requirements

You want to deploy resources in the RGHod489Q1628 resource group.

The service connection must:

Use the ManagedJd1 managed identity.

Use workload identity federation (OIDC-based authentication for enhanced security).

Step 2: Verify Prerequisites

You need to ensure:

The ManagedJd1 managed identity exists in your Azure subscription.

Your Azure DevOps project (Project1) is linked to an Azure Active Directory tenant (for OIDC support).

You have the Owner or User Access Administrator role on the RGHod489Q1628 resource group.

Step 3: Assign Role to Managed Identity

Go to the Azure Portal.

In the search bar, type Managed Identities and select Managed Identities.

Locate and click on the ManagedJd1 identity.

In the left menu, click Azure role assignments.

Click + Add role assignment.

Set the following:

Scope: Resource Group

Subscription: Your subscription

Resource Group: RGHod489Q1628

Role: Contributor (or appropriate role)

Click Save.

This step ensures ManagedJd1 has permissions to deploy resources to RGHod489Q1628.

Step 4: Create a Federated Credential for Workload Identity Federation

In the Azure Portal, navigate to the ManagedJd1 managed identity.

In the left menu, click Workload identity federation (preview).

Click + Add a federated credential.

Configure as follows:

Federated credential name: devops-oidc

Issuer: https://vstoken.actions.githubusercontent.com (or use the default https://pipelines.actions.githubusercontent.com for Azure DevOps)

Subject identifier: Use the following format for Azure DevOps:

css

Copy

system:azuredevops:{organizationName}:{projectName}

For example:

css

Copy

system:azuredevops:{YourOrganizationName}:{Project1}

Audience: api://AzureADTokenExchange

Click Add.

This federated credential establishes trust between your Azure DevOps project and the managed identity.

Step 5: Create a Service Connection in Azure DevOps

Go to your Azure DevOps project (Project1) in the browser.

In the left menu, click Project settings.

Under Pipelines, click Service connections.

Click New service connection.

Choose Azure Resource Manager.

Choose the authentication method:

Select Workload identity federation.

Configure the service connection:

Scope level: Resource Group.

Resource Group: RGHod489Q1628.

Subscription: Your subscription.

Authentication method: Managed Identity with workload identity federation.

Managed Identity: Enter the client ID or select ManagedJd1.

Service connection name: e.g., Project1-RGHod489Q1628-Conn.

Grant access permission to all pipelines (recommended).

Click Save.

Step 6: Validate the Service Connection

After creation, click on the new service connection to Verify it.

Ensure the connection test is successful.

You can now use this service connection in your pipelines for deploying resources to RGHod489Q1628.

Step 1: To create a general-purpose v2 storage account in the Azure portal, follow these steps:

On the Azure portal menu, select All services. In the list of resources, type Storage Accounts. As you begin typing, the list filters based on your input. Select Storage Accounts.

On the Storage Accounts window that appears, choose Add.

Select the subscription in which to create thestorage account.

Under the Resource group field, select RG1lod11566895

Next, enter a name for your storage account named: az400lod11566895stor

Select Create.

Step 2: Enable boot diagnostics on existing virtual machine

To enable Boot diagnostics on an existing virtual machine, follow these steps:

Sign in to the Azure portal, and then select the virtual machine VM1.

In the Support + troubleshooting section, select Boot diagnostics, then select the Settings tab.

In Boot diagnostics settings, change the statusto On, and from the Storage account drop-down list, select the storage account az400lod11566895stor.

Save the change.

You must restart the virtual machine for the change to take effect.

Step 1: Navigate to the Library

Navigate to Azure DevOps:

Go to Azure DevOps and sign in with your credentials.

Select Your Project:

Choose Project1 from your list of projects.

Access the Library:

In the left-hand menu, select Pipelines > Library.

Step 2: Create a Variable Group

Create a New Variable Group:

On the Library page, click on + Variable group.

Configure the Variable Group:

Name: Enter varGroup1.

Description: Optionally, add a description for thevariable group.

Add Variables:

Click on + Add to add a new variable.

Variable Name: Enter serverName.

Value: Enter server1.

Click OK.

Click on + Add again to add another variable.

Variable Name: Enter dbName.

Value: Enter db1.

Click OK.

Save the Variable Group:

Click on Save to save the variable group.

By following these steps, you will have successfully created a variable groupnamed varGroup1 containing the specified variables

1. Open Microsoft Azure Portal

2. Select All Services, and then select DevTest Labs in the DEVOPS section.

3. From the list of labs, select the az400-9940427-dtl1 lab

4. On the home page for your lab, select + Add on the toolbar.

5. Select the Windows Server 2016 Datacenter base image for the VM.

6. Select automation options at the bottom of the page above the Submit button.

7. You see the Azure Resource Manager template for creating thevirtual machine.

8. The JSON segment in the resources section has the definition for the image type you selected earlier.

Step 1: Navigate to Personal Access Tokens

Sign in to Azure DevOps:

Go to Azure DevOps and sign in with your credentials.

Access User Settings:

Click on your profile picture in the top right corner.

Select User settings.

Open Personal Access Tokens:

In the user settings menu, select Personalaccess tokens.

Step 2: Create a New Personal Access Token

Create a New Token:

Click on + New Token.

Configure the Token:

Name: Enter Token1.

Organization: Select the organization where you want to use the token.

Expiration: Set the expiration to 60 days.

Set Scopes:

Code: Select Read, Write, & Manage.

Build: Select Read & Execute.

Release: Select Read.

Create the Token:

Click on Create.

Step 3: Save the Token

Copy the Token:

Once the token is created, copy it immediately as it will not be displayed again.

Store the token in a secure location.

By following these steps, you will have successfully created a personal access token named Token1 with the specified capabilities and a 60-day expiration

Step1: Create a New Team Dashboard

Navigate to Azure DevOps:

Go to Azure DevOps and sign in with your credentials.

Select Your Project:

Choose Project1 from your list of projects.

Access Dashboards:

In the left-hand menu, select Dashboards.

Create a New Dashboard:

Click on New Dashboard.

Enter the name Dashboard1.

Ensure the dashboard type is set to Team Dashboard.

Click Create.

Step 2: Add the Team Members Widget

Open the Widget Catalog:

After creating the dashboard, thewidget catalog will open automatically. If it doesn’t, click on Add Widget.

Search for Team Members Widget:

In the widget catalog, search for Team Members.

Add the Widget:

Click on the Team Members widget and then click Add to place it on your dashboard.

Configure the Widget:

Once added, you can resize and move the widget to your preferred location on the dashboard.

Step 3: Save and Share the Dashboard

Save the Dashboard:

Click on Save to save your changes.

Share the Dashboard:

You can share the dashboardURL with your team members or set permissions to control who can view or edit the dashboard.

By following these steps, you will have a new team dashboard named Dashboard1 that displays the members of the default project team for Project1

Step 1: Write the KQL Query

Open Azure Data Explorer:

Navigate to Azure Data Explorer and sign in with your credentials.

Access the Securitylogs Database:

Open the Securitylogs database.

Write the Query:

Use the following KQL query tocount the number of inbound requests for each source IP address:

InboundBrowsing

| where Timestamp between (datetime(2021-10-01) .. datetime(2021-12-31))

| summarize NumberOfRequests = count() by SourceIP

| project SourceIP, NumberOfRequests

Step 2: Export the Query Results

Run the Query:

Execute the query in Azure Data Explorer.

Export the Results:

Once the query results are displayed, click on the Export button.

Choose the export format (e.g., CSV) and specify the export path as C:\Samples.

By following these steps, you will have successfully written a KQL query to count the number of inbound requests for each source IP address during the last three months of 2021 and exported the results to C:\Samples

Step 1: Understand the Requirements

You want to ensure that audit events (such as user actions, project changes, security settings, etc.) from your Azure DevOps organization are logged and available in a Log Analytics workspace in Azure.

This enables centralized monitoring and security compliance.

Step 2: Prerequisites

Before starting, make sure:

You have an Azure subscription.

You have permission to create or use a Log Analytics workspace in the Azure portal.

You are a Project Collection Administrator or Organization Owner in Azure DevOps.

Step 3: Create or Identify a Log Analytics Workspace

Go to the Azure portal.

In the search bar, type Log Analytics workspaces and click the service.

Click + Create to create a new workspace (or select an existing workspace if you have one).

Provide the following:

Subscription: your Azure subscription.

Resource Group: create a new or use an existing one.

Name: a unique name for the workspace (like DevOpsAuditWorkspace).

Region: choose the same region as your Azure DevOps organization if possible.

Click Review + Create, then Create to deploy the workspace.

Step 4: Configure Azure DevOps to Stream Audit Logs

Azure DevOps can stream audit logs to your Log Analytics workspace using the Azure DevOps Audit Stream feature.

In your browser, go to your Azure DevOps organization:https://dev.azure.com/{YourOrganizationName}

In the bottom-left corner, click on the Organization Settings gear icon.

In the left menu, click on Audit logs.

In the top-right, click on Audit streams.

Click on + Add stream to create a new stream.

In the New audit stream pane, do the following:

Stream type: select Azure Monitor Logs (Log Analytics).

Azure subscription: select the subscription containing your Log Analytics workspace.

Resource group: select the resource group.

Log Analytics workspace: select the workspace created in Step 3.

Click Save.

Step 5: Validate the Audit Stream Connection

Go back to the Audit streams page in Azure DevOps to confirm the stream shows as Connected.

To validate logs:

In the Azure portal, go to your Log Analytics workspace.

In the left menu, click on Logs.

Use the query:

kusto

Copy

AzureDevOpsAuditing

| sort by TimeGenerated desc

You should see audit events from your Azure DevOps organization appear in the results.

To configure your Azure Functionaz400-38443478-functto automatically update whenever new code is committed to the main branch of the specified GitHub repository, you can use GitHub Actions for continuous deployment. Here’s how to set it up:

Create a GitHub Actions Workflow:

In your GitHub repository, navigate to the.github/workflows/directory.

Create a new file for your workflow (e.g.,azure-function-cd.yml).

Define the Workflow:

In the workflow file, define the steps for the build and deployment process.

Use theAzure/functions-actionto deploy to your Azure Function App.

Set up triggers for themainbranch to initiate the workflow on every commit.

Generate Deployment Credentials:

In the Azure Portal, navigate to your Function Appaz400-38443478-funct.

Download the publish profile from theOverviewsection by clicking onGet publish profile.

Store the Publish Profile as a GitHub Secret:

In your GitHub repository, go toSettings>Secrets and variables>Actions.

Create a new secret (e.g.,AZURE_FUNCTIONAPP_PUBLISH_PROFILE) and paste the content of the publish profile.

Configure the Workflow to Use the Secret:

In the workflow file, reference the secret to authenticate the deployment to Azure.

Here’s a sample GitHub Actions workflow snippet:

name: Deploy Azure Function

on:

push:

branches:

- main

jobs:

build-and-deploy:

runs-on: ubuntu-latest

steps:

- uses: actions/checkout@v2

- name: Set up Python version

uses: actions/setup-python@v2

with:

python-version: '3.x'

- name: Install dependencies

run: |

pip install -r requirements.txt

- name: Deploy to Azure Functions

uses: Azure/functions-action@v1

with:

app-name: az400-38443478-funct

publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }}

package: .

Replace theapp-namewith the name of your Azure Function App and ensure the Python version and dependencies match your application’s requirements.

By following these steps, yourAzure Function will automatically update whenever new code is pushed to the main branch of the GitHub repository. This setup minimizes manual effort and ensures that your function app is always running the latest code.

Step 1: Create an instance of Azure Application Insights

1. Open Microsoft Azure Portal

2. Log into your Azure account, Select Create a resource > Developer tools > Application Insights.

3. Enter the following settings, and then select Review + create.

Name: az400-9940427-main

Step 2: Configure App Insights SDK

4. Open your ASP.NET Core Web App project in Visual Studio > Right-click on the AppName in theSolution Explorer > Select Add > Application Insights Telemetry.

5. Click the Get Started button

6. Select your account and subscription > Select the Existing resource you created in the Azure portal > Click Register.

Azure Automation now ships with the Azure PowerShell module of version 0.8.6, which introduced the ability to non-interactively authenticate to Azure using OrgId (Azure Active Directory user) credential-based authentication. Using the steps below, you can set up Azure Automation to talk to Azure using this authentication type.

Step 1: Find the Azure Active Directory associated with the Azure subscription to manage:

1. Log in to the Azure portal as the service administrator for the Azure subscription you want to manage using Azure Automation. You can find this user by logging in to the Azure portal as any user with access to this Azure subscription, then clicking Settings, then Administrators.

2. Note the name of the directory associated with the Azure subscription you want to manage. You can find this directory by clicking Settings, then Subscriptions.

Step 2: Create an Azure Active Directory user in the directory associated with the Azure subscription to manage:

You can skip this step if you already have an Azure Active Directory user in this directory. and plan to use this OrgId to manage Azure.

1. In the Azure portal click on Active Directory service.

2. Click the directory name that is associated with this Azure subscription.

3. Click on the Users tab and then click the Add User button.

4. For type of user, select “New user in yourorganization.” Enter a username for the user to create.

5. Fill out the user’s profile. For role, pick “User.” Don’t enable multi-factor authentication. Multi-factor accounts cannot be used with Azure Automation.

6. Click Create.

7. Jot down the full username (including part after @ symbol) and temporary password.

Step 3: Allow this Azure Active Directory user to manage this Azure subscription.

1. Click on Settings (bottom Azure tab under StorSimple)

2. Click Administrators

3. Click the Add button. Type the full user name (including part after @ symbol) of the Azure Active Directory user you want to set up to manage Azure. For subscriptions, choose the Azure subscriptions you want this user to be able to manage. Click the check mark.

Step 4: ConfigureAzure Automation to use this Azure Active Directory user to manage this Azure subscription

Create an Azure Automation credential asset containing the username and password of the Azure Active Directory user that you have just created. You can create a credential asset in Azure Automation by clicking into an Automation Account and then clicking the Assets tab, then the Add Setting button.

Note: Once you have set up the Azure Active Directory credential in Azure and Azure Automation, you can now manage Azure from Azure Automation runbooks using this credential.

Step 1: To create a general-purpose v2 storage account in the Azure portal, follow these steps:

On the Azure portal menu, select All services. In the list of resources,type Storage Accounts. As you begin typing, the list filters based on your input. Select Storage Accounts.

On the Storage Accounts window that appears, choose Add.

Select the subscription in which to create the storage account.

Under the Resource group field, select RG1lod11566895

Next, enter a name for your storage account named: az400lod11566895stor

Select Create.

Step 2: Enable boot diagnostics on existing virtual machine

To enable Boot diagnostics on an existing virtual machine, follow these steps:

1.Sign in to the Azure portal, and then select the virtual machine VM1.

2. In the Support + troubleshooting section, select Boot diagnostics, then select the Settings tab.

3. In Boot diagnostics settings, change the status to On, and from the Storage account drop-down list, select the storage account az400lod11566895stor.

4. Save the change.

You must restart the virtual machine for the change to take effect.

1. Open Microsoft Azure Portal

2. Log into your Azure account and go to App Service and look under Monitoring then you will see Alert.

3. Select Add an alert rule

4. Configure the alert rule as per belowand click Ok.

Source: Alert on Metrics

Resource Group: az400-9940427-main

Resource: az400-9940427-main

Threshold: 5

Period: Over the last 5 minutes

Webhook: https://contoso.com/notify

1.Go to the Azure portal, navigate to Traffic Manager profiles and click on the Add button to create a routing profile.

2. In the Create Traffic Manager profile, enter, or select these settings:

Name: az40011566895n1-tm

Routing method: Geographic

Resource group: RG1lod11566895

Note: Traffic Manager profiles can be configured to use the Geographic routing method so that users are directed to specific endpoints (Azure, External or Nested) based on which geographic location their DNS query originates from. This empowers Traffic Manager customers to enable scenarios where knowing a user’s geographic region and routing them based on that is important.

To store signed images in an Azure Container Registry (ACR) instance and support your planned images while minimizing costs, you need to modify the SKU of your ACR instance to one that supports content trust and image signing. Here’s how you can do it:

Determine the Appropriate SKU:

Content trust and image signing are features of thePremiumservice tier of Azure ContainerRegistry1.

If cost minimization is a priority, ensure that the Premium tier is necessary for your use case. If you require content trust, the Premium tier is the appropriate choice.

Modify the SKU of the ACR Instance:

Navigate to the Azure Portal.

Go to your ACR instanceaz40038443478act1.

SelectUpdatefrom the overview pane.

Choose thePremiumSKU from the SKU drop-down menu2.

Review the changes and pricing, then save the configuration.

By upgrading to the Premium SKU, you’ll be able to store signed images in your ACR instance. Remember to monitor your usage and costs to ensure they align with your budget and requirements.

To enable streaming of diagnostic telemetry for asingle or a pooled database, follow these steps:

1. Go to Azure SQL database resource.

2. Select Diagnostics settings.

3. Select Turn on diagnostics if no previous settings exist, or select Edit setting to edit a previous setting. You can create up to three parallel connections to stream diagnostic telemetry.

4. Select Add diagnostic setting to configure parallel streaming of diagnostics data to multiple resources.

5. Enter a setting name for your own reference.

6. Select a destination resource for the streaming diagnostics data: Archive to storage account, Stream to an event hub, or Send to Log Analytics.

7. For the standard, event-based monitoring experience, select the following check boxes for database diagnostics log telemetry: Query Store Runtime Statistics

8. For an advanced, one-minute-based monitoring experience, select the check box for Basic metrics.

9. Select Save.

Step 1: Access Azure DevOps

Open your browser and navigate to https://aex.dev.azure.com .

You will be prompted to sign in. Enter the following credentials:

Username: UserUser1-48901628@cxamUsers.com

Password: aFpJ2j-6M!

Click Next or Sign in to proceed.

Note: If you see any Microsoft security challenge (like phone or email verification), follow the instructions to complete it.

Step 2: Sign Up for Azure DevOps

After signing in, you’ll see a prompt to sign up for Azure DevOps.

Use the default settings provided by Azure DevOps for the sign-up process (region, default name, etc.).

Click Continue or Start free with Azure DevOps.

An Azure DevOps Organization is a container for your projects and resources. Default settings are usually fine for new organizations.

Step 3: Create the Organization

Enter a name for your organization. Azure DevOps will suggest a default name (like yourname or org-name), but you can change it if you prefer.

Verify the region is correct.

Click Continue to create the organization.

Your Azure DevOps organization is now created. It’s the top-level container for all your projects.

Step 4: Create a Private Project Named Project1

In your Azure DevOps portal, find the "New Project" button and click it.

Enter the following details:

Project Name: Project1

Description: (optional)

Visibility: Private

Click Create.

A private project means that only users you add can see or access it. This is important for security and privacy.

Step 5: Enforce Maximum File Size for Repositories

By default, Azure DevOps allows files up to 100 MB to be pushed. To ensure the maximum file size for repositories in Project1 is 2 MB, you can enforce this using a pipeline validation.

Azure DevOps does not provide a direct setting for file size limits. However, you can create a pipeline to validate file size on pull requests and block changes if a file exceeds 2 MB.

Here’s how to do it:

Option 1: Enforce with a pipeline validation for pull requests

In your Project1, create a new pipeline.

Use the following YAML for the pipeline:

yaml

Copy

trigger: none

pr:

branches:

include:

- "*"

jobs:

- job: CheckFileSize

pool:

vmImage: 'ubuntu-latest'

steps:

- script: |

echo "Checking file sizes in the PR..."

git fetch origin +refs/pull/*/merge:refs/remotes/origin/pr/*

large_files=$(git diff --cached --name-only | xargs -I{} du -b {} | awk '$1 > 2097152 {print $2}')

if [ -n "$large_files" ]; then

echo "Error: The following files exceed 2 MB:"

echo "$large_files"

exit 1

fi

displayName: 'Check file sizes in PR'

This pipeline will:

Run on pull requests only.

Check the size of all files in the pull request.

If any file is larger than 2 MB (2,097,152 bytes), it will fail the pipeline and block the PR.

Option 2: Local Git configuration (for each developer)

On each developer’s machine, run this command in their local repository:

bash

Copy

git config --local core.bigFileThreshold 2M

This limits the file threshold for checkout, but does not prevent large files from being pushed. Using the pipeline validation (Option 1) is more secure for team environments.

To configure a virtual machine template in your DevTest Labs environment namedaz400-38443478-dtl1with Windows Server 2016 Datacenter that includes the Selenium tooland the Google Chrome browser, follow these steps:

Create a Custom Image with Windows Server 2016 Datacenter:

In the Azure Portal, go to your DevTest Labaz400-38443478-dtl1.

Navigate toConfiguration and policies>Custom images.

Use an existing VM or create a new one with Windows Server 2016 Datacenter.

After setting up the VM, capture it to create a custom image1.

Install Selenium and Google Chrome on the VM:

Connect to the VM via RDP.

Download and install the Selenium WebDriver for your preferred programming language from the official Selenium website2.

For Google Chrome, download the offline installer from the official website and install it on the VM3.

Generalize the VM:

Run thesysprepcommand to generalize the VM, which prepares it to be used as a template.

Shutdown the VM aftersysprepcompletes.

Capture the Generalized VM to Create a Template:

In the Azure Portal, navigate to the VM and selectCapture.

Provide the required details and create the image.

Add Selenium and Google Chrome Artifacts to the Template:

Go back to the DevTest Labaz400-38443478-dtl1.

SelectArtifactsand add Selenium and Google Chrome artifacts to the template.

Ensure these artifacts are configured to install during the VM creation process.

Create VMs from the Template:

Now, when youcreate a new VM in the DevTest Lab, select the custom image you created.

The VM will be provisioned with Windows Server 2016 Datacenter, and the Selenium tool and Google Chrome browser will be installed automatically.

By following these steps, you can ensure that all virtual machines created from this template in your DevTest Lab will have the required operating system, tools, and browser installed. Remember to replace placeholder names with the actual names of your resources where necessary.

1. Open Microsoft Azure Portal, and select the Azure Container Registry instance named az4009940427acr1.

2. Under Policies, select Content Trust > Enabled > Save.

1. To enable automatictuning on a single database, navigate to the database in the Azure portal and select Automatic tuning.

2. Select the automatic tuning options you want to enable and select Apply.

Note: Individual automatic tuning settings can be separately configuredfor each database. You can manually configure an individual automatic tuning option, or specify that an option inherits its settings from the server.

Step 1: Sign Up for Azure DevOps

Navigate to Azure DevOps.

Click on Start Free.

Enter the credentials:

Email: UserUsefl-42147509@ExamUsers.com

Password: eWrSalD2!

Follow the prompts to complete the sign-up process using the default settings.

Step 2: Create an Azure DevOps Organization

Once signed in, you will be prompted to create a new organization.

Enter a name for your organization and select your region.

Click on Continue to create the organization.

Step 3: Create a Private Project

In your new organization, click on New Project.

Name the project Project1.

Set the visibility to Private.

Click on Create.

Step 4: Add an External User as a Stakeholder

Go to the Organization Settings.

Under General, select Users.

Click on Add users.

Enter the email address: Usfrr2-42147S09@ExamUsers.com.

Set the access level to Stakeholder.

Add the user to the most restrictive group, which is typically the Readers group.

Click on Add to complete the process.

Step 5: Verify the User Addition

Ensure that the external user has been added successfully by checking the Users list.

Confirm that the user has the Stakeholder access level and is part of the Readers group.

By following thesesteps, you should be able to complete the task successfully. If you encounter any issues, feel free to ask for further assistance!

Step 1: Log in to the Azure Portal

Go to https://portal.azure.com .

Log in with your Azure account.

Step 2: Create an Azure App Configuration Instance

In the search bar at the top, type “App Configuration” and select App Configuration from the search results.

Click + Create.

Fill in the required fields:

Subscription: Your Azure subscription.

Resource Group: Create a new one or select an existing one.

Name: Provide a globally unique name (for example, myappconfig-instance).

Location: Choose a region close to your application.

Click Review + Create, then Create.

The instance will take a few seconds to deploy.

Step 3: Access the App Configuration Instance

Once the deployment is complete, click Go to resource.

You are now in the App Configuration resource.

Step 4: Enable Feature Management

In the left menu, click on Feature Manager (Preview).

Click + Add to create a new feature flag.

Step 5: Create the Feature Flag

Provide the following details:

Feature flag name: feature1

Label: (optional)

Description: (optional)

State: Set to Enabled.

Click on the Add filters link if you want to add targeting filters (optional).

Click Save to create the feature flag.

Step 6: Set the Expiration Date for the Feature Flag

In the Feature Manager list, find the newly created feature1 flag.

Click on the three dots (context menu) next to feature1 and select Edit.

In the Edit feature pane, look for the Expiration date setting.If there is no direct UI for expiration date, you can store it as a custom key-value (metadata).

Here’s how to store expiration as metadata:

In the App Configuration left menu, click on Configuration Explorer.

Locate the key: .appconfig.featureflag/feature1.

Click on the key to edit.

Add a new label or add a custom key in the Content type or tags section to store expiration metadata:

Key: expiration

Value: yyyy-MM-dd (set to today + 7 days)

For example, if today is June 4, 2025, set the expiration as 2025-06-11.

To ensure that the webhook athttps://contoso.com/statushookis called every time the repository namedaz40038443478acr1receives a new version of an image nameddotnetapp, you can follow these steps to configure a webhook in Azure Container Registry:

Navigate to the Azure Container Registry:

Go to the Azure Portal.

Find and select yourAzure Container Registry instanceaz40038443478acr1.

Create a New Webhook:

UnderServices, selectWebhooks.

Click on+ Addto create a new webhook.

Fill in the form with the following information:

Webhook name: Enter a unique name for your webhook.

ServiceURI: Enterhttps://contoso.com/statushook.

Custom headers: (Optional) Add any headers you want to pass along with the POST request.

Trigger actions: SelectPushto trigger the webhook on image push events.

Scope: Specify the scope asaz40038443478acr1:dotnetappto target the specific image.

Status: Set toEnabled.

Save the Webhook Configuration:

Review the information and clickCreateto save the webhook.

Once configured, the webhook will send a POST request tohttps://contoso.com/statushookwhenever a new version of thedotnetappimage is pushed to theaz40038443478acr1repository in your Azure Container Registry1.

This setup will automate the notification process, ensuring that the specified webhook is called with each new image version, thus fulfilling the task requirements.