Microsoft DevOps Engineer Expert · Domain 4 · 13% of exam

Develop a security and compliance plan

Drill 19 practice questions focused entirely on Develop a security and compliance plan for the Microsoft AZ-400 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer19 questions
Question 1 of 19

Your company ships proprietary software and must ensure that no open-source dependency introduces a copyleft license (such as GPL) into the codebase. You want to automatically block any Azure DevOps pipeline build that pulls in a dependency with a prohibited license, and you want the results centrally visible. Which approach best meets this requirement?

Reviewed for accuracy · Report an issue
Question 2 of 19

Your team stores its source in Azure Repos. Leadership is concerned that developers occasionally commit API keys and connection strings, and they want any exposed credentials detected automatically without requiring developers to run local tools. You have enabled GitHub Advanced Security for Azure DevOps on the repositories. Which capability of GitHub Advanced Security for Azure DevOps detects secrets that already exist in the commit history and repository content after code is pushed?

Reviewed for accuracy · Report an issue
Question 3 of 19

Your team's Azure DevOps pipeline signs a mobile app using a code-signing certificate (.p12) and an Apple provisioning profile. Currently a developer commits these binary files into the repository and the pipeline reads them directly. A security audit flagged this as a leakage risk. You must store the certificate and profile so that they are encrypted at rest, never checked into source control, and only usable by explicitly authorized pipelines. Which Azure DevOps feature should you use?

Reviewed for accuracy · Report an issue
Question 4 of 19

Your organization has 40 Azure DevOps projects. The platform team creates an ARM service connection in a shared 'Infrastructure' project that authenticates to a production subscription. Several other project teams request access to deploy through this same connection. Security requires that only explicitly approved pipelines can use the connection, and that access can be revoked per project without deleting the connection. What should you configure?

Reviewed for accuracy · Report an issue
Question 5 of 19

Your team uses an Azure Resource Manager service connection in Azure DevOps that authenticates with a service principal secret. Security policy now requires eliminating stored secrets that require manual rotation, while keeping existing pipeline YAML changes to a minimum. The subscription and target resources are in the same Azure AD tenant as your Azure DevOps organization. What should you do?

Reviewed for accuracy · Report an issue
Question 6 of 19

Your team runs a containerized application on Azure Kubernetes Service (AKS) that must read connection strings from Azure Key Vault. You have enabled workload identity on the cluster and assigned a user-assigned managed identity to the workload. Security policy requires that permissions be auditable through Azure role assignments and that individual secret access be granted with the narrowest possible scope. The Key Vault currently uses the vault access policy permission model. What should you do to meet the requirements with the least ongoing administrative effort?

Reviewed for accuracy · Report an issue
Question 7 of 19

Your organization uses Azure DevOps and GitHub across several teams. Security leadership wants a single Azure-based dashboard that surfaces posture recommendations (such as misconfigured pipelines and exposed secrets) from all these repositories and enables mapping findings to Azure workloads. Which approach meets this requirement with the least custom development?

Reviewed for accuracy · Report an issue
Question 8 of 19

Your organization has onboarded all Azure DevOps repositories to Microsoft Defender for Cloud DevOps security using the Azure DevOps connector. A security recommendation reports that a repository contains an exposed Azure Storage account key committed in a configuration file six months ago. You must remediate the finding so that the credential can no longer be used, while ensuring future commits are blocked from introducing the same type of secret before they reach the default branch. Which combination of actions should you take?

Reviewed for accuracy · Report an issue
Question 9 of 19

Your team maintains a Node.js repository on GitHub. Security leadership requires that vulnerable dependencies be automatically patched as soon as a fix is published, but they also want to avoid the noise of routine, non-security version bump pull requests that currently overwhelm reviewers. You have a dependabot.yml file that enables the package-ecosystem for npm. Which configuration approach meets both requirements?

Reviewed for accuracy · Report an issue
Question 10 of 19

Your team maintains a public repository on GitHub that accepts contributions from external forks via pull requests. The CI workflow needs to run integration tests that reference a deployment secret stored in the repository's Actions secrets. A security reviewer warns that a malicious contributor could open a pull request that exfiltrates the secret. You must ensure that secrets are never exposed to workflows triggered by pull requests from forks, while still allowing trusted maintainers to run the full pipeline. What should you do?

Reviewed for accuracy · Report an issue
Question 11 of 19

Your team's GitHub Actions workflows reference several third-party actions from the marketplace using tags such as `actions-lab/deploy@v3`. A security review flags this as a supply-chain risk because a malicious maintainer (or a compromised account) could re-point an existing tag to modified code that runs with access to your repository secrets. You must harden the workflows against tampering of already-referenced action versions while keeping the ability to receive controlled updates. Which approach best mitigates the risk?

Reviewed for accuracy · Report an issue
Question 12 of 19

Your team's GitHub Actions workflows use the automatically provided GITHUB_TOKEN to interact with the repository. A security review flags that the token has broad read/write access across many scopes by default, violating least-privilege requirements. The workflows only need to publish a package to GitHub Packages and post a comment on pull requests. What is the most effective way to restrict the token's access while keeping the workflows functional?

Reviewed for accuracy · Report an issue
Question 13 of 19

Your team has enabled GitHub Advanced Security code scanning with the default CodeQL configuration on a large C# repository. Security engineers report that the scans catch common vulnerabilities but miss several injection patterns unique to your internal data-access framework. You need the CI code-scanning runs to detect these custom patterns while continuing to run the standard security queries, with the least ongoing maintenance. What should you do?

Reviewed for accuracy · Report an issue
Question 14 of 19

Your team maintains a public repository with GitHub Advanced Security enabled. Security wants to prevent contributors from merging pull requests that introduce new dependencies with known high or critical vulnerabilities, and they want the check to run automatically on every PR before it can be merged. Which combination should you implement?

Reviewed for accuracy · Report an issue
Question 15 of 19

Your team hosts several repositories in GitHub Enterprise Cloud with GitHub Advanced Security enabled. Developers occasionally commit hardcoded API keys, and although secret scanning alerts are raised, the secrets have already reached the remote repository by the time they are detected. You need to stop credentials from ever being pushed to the remote in the first place, while allowing a developer to bypass the block only with a documented justification. What should you do?

Reviewed for accuracy · Report an issue
Question 16 of 19

Your team runs a shared GitHub Actions automation bot that opens pull requests, adds comments, and updates status checks across 40 repositories in your organization. Currently the bot authenticates with a personal access token (PAT) belonging to a departing engineer. Security requires that the replacement authentication method: not be tied to any individual user, support fine-grained per-repository permissions, and automatically issue short-lived tokens that expire. Which authentication approach should you adopt?

Reviewed for accuracy · Report an issue
Question 17 of 19

Your team runs a nightly automation script hosted on an Azure VM that clones several repositories across two GitHub organizations, opens issues, and updates commit statuses. Currently it authenticates with a developer's classic personal access token, which recently expired and broke all automation. You need an approach that scopes access to only the required repositories, is not tied to any individual employee, and provides short-lived tokens that are automatically rotated. What should you implement?

Reviewed for accuracy · Report an issue
Question 18 of 19

Your team stores database connection strings in Azure Key Vault and references them from an Azure Pipelines variable group linked to the vault. The security team requires that when a secret is rotated in Key Vault (for example, after a credential breach), running and future pipeline deployments must pick up the new value without any pipeline YAML edits, without republishing the variable group, and without storing the secret value anywhere in Azure DevOps. Which approach satisfies these requirements?

Reviewed for accuracy · Report an issue
Question 19 of 19

Your team runs a set of Azure DevOps self-hosted agents on an Azure Virtual Machine Scale Set. Pipelines running on these agents must authenticate to Azure Key Vault and an Azure Storage account. Currently, a service principal's client secret is stored in a pipeline variable group and passed to the agents at runtime. Security has flagged that the secret is nearing expiry and requires manual rotation, and they want to eliminate stored credentials entirely for these Azure resource calls made directly from the agent VMs. What should you implement?

Reviewed for accuracy · Report an issue

More AZ-400 practice

Keep going with the other Microsoft DevOps Engineer Expert domains, or take a full timed mock exam.

← Back to AZ-400 overview