https://docs.microsoft.com/en-us/azure/security-center/features-paas

https://docs.microsoft.com/en-us/azure/security-center/container-security

Step 1: Createa repository

A Git repository, or repo, is a folder that you've told Git to help you track file changes in. You can have any number of repos on your computer, each stored in their own folder.

Step 2: Create a branch

Branch policies help teams protect their important branches of development. Policies enforce your team's code quality and change management standards.

Step 3: Add a build validation policy

When a build validation policy is enabled, a new build is queued when a new pull request is created or when changes are pushed to an existing pull request targeting this branch. The build policy then evaluates the results of the build to determine whether the pull request can be completed.

Scenario:

Implement a code flow strategy for Project2 that will:

Enable Team2 to submit pull requests for Project2.

Enable Team2 to work independently on changes to a copy of Project2.

Ensure that any intermediary changes performed by Team2 on a copy of Project2 will be subject to the same restrictions as the ones defined in the build policy of Project2.

Scenario:

Step 1: Sign in to Azure Develops by using an account that is assigned the Administrator service connection security role.

Note: Under Agent Phase, click Deploy Service Fabric Application. Click Docker Settings and then click Configure Docker settings. In Registry Credentials Source, select Azure Resource Manager Service Connection. Then select your Azure subscription.

Step 2: Create a personal access token..

A personal access token or PAT is required so that a machine can join the pool created with the Agent Pools (read, manage) scope.

Step 3: Install and register the Azure Pipelines agent on an Azure virtual machine.

By running a Azure Pipeline agent in thecluster, we make it possible to test any service, regardless of type.

Scenario:

Step 1: Create a Desired State Configuration (DSC) configuration file that has an extension of .ps1.

Step 2: Run the Import-AzureRmAutomationDscConfiguration Azure Powershell cmdlet

TheImport-AzureRmAutomationDscConfiguration cmdlet imports an APS Desired State Configuration (DSC) configuration into Azure Automation. Specify the path of an APS script that contains a single DSC configuration.

Example:

PS C:\>Import-AzureRmAutomationDscConfiguration -AutomationAccountName "Contoso17"-ResourceGroupName "ResourceGroup01" -SourcePath "C:\DSC\client.ps1" -Force

This command imports the DSC configuration in the file named client.ps1 into the Automation account named Contoso17. The command specifies the Force parameter. If there is an existing DSC configuration, this command replaces it.

Step 3: Run the Start-AzureRmAutomationDscCompilationJob Azure Powershell cmdlet

The Start-AzureRmAutomationDscCompilationJob cmdlet compiles an APS Desired State Configuration (DSC) configuration in Azure Automation.

Box 1: A source control system

A source control system, also called a version control system, allows developers to collaborate on code and track changes.Source control is an essential tool for multi-developer projects.

Box 2: A hosted service

To build and deploy Xcode apps or Xamarin.iOS projects, you'll need at least one macOS agent. If your pipelines are in Azure Pipelines and a Microsoft-hosted agentmeets your needs, you can skip setting up a self-hosted macOS agent.

Scenario: The investment planning applications suite will include one multi-tier web application and two iOS mobile applications. One mobile application will be used by employees; the other will be used by customers.

Unattended config:

The agent can be set up from a script with no human intervention. You must pass--unattended and the answers to all questions.

To configure an agent, it must know the URL to your organization or collection and credentials of someone authorized to set up agents. All other responses are optional.

Box 1: rwx

The Log Analytics agent for Linux runs as the omsagent user. To grant >write permission to the omsagent user, run the command setfacl -m u:omsagent:rwx /tmp.

Box 2: /tmp

Deploying DSC to a Linux node uses the /tmp folder.

Scenario: Visual Studio App Center must be used to centralize the reporting of mobile application crashes and device types in use.

In order to use App Center, you need to opt in to the service(s) that you want to use, meaning by default no services are started and you will have to explicitly call each of them when starting the SDK.

Insert the following line to start the SDK in your app's App Delete class in the didFinishLaunchingWithOptions method.

MSAppCenter.start("{Your App Secret}", withServices: [MSAnalytics.self, MSCrashes.self])

Every request made against a storage service must be authorized, unless the request is for a blob or container resource that has been made available for public or signed access. One option for authorizing a request is by using Shared Key.

Scenario: The mobile applications must be able to call the share pricing service of the existing retirement fund management system. Until the system is upgraded, the service will only support basic authentication over HTTPS.

The investment planning applications suite will include one multi-tier web application and two iOS mobile application. One mobile application will be used by employees; the other will be used by customers.

Step 1: Navigate to Project Settings

Navigate to Azure DevOps:

Go to Azure DevOps and sign in with your credentials.

Select Your Project:

Choose Project1 from your list of projects.

Access Project Settings:

In the left-hand menu, scroll down and select Project settings.

Step 2: Configure Retention Policies

Navigate to Pipelines Settings:

Under Pipelines, select Settings.

Set Retention Policies:

In the Retention section, set the number of days to keep artifacts, symbols, and attachments to 60 days.

Ensurethat the retention policy is applied to all relevant pipelines and branches.

Save Changes:

Click on Save to apply the retention policy1.

By following these steps, you will have successfully configured theretention policy to retain artifacts, symbols, and attachments for 60 days in Project1

1. To enable automatictuning on a single database, navigate to the database in the Azure portal and select Automatic tuning.

2. Select the automatic tuning options you want to enable and select Apply.

Note: Individual automatic tuning settings can be separately configuredfor each database. You can manually configure an individual automatic tuning option, or specify that an option inherits its settings from the server.

Step 1: Create a Project Wiki

Navigate to Azure DevOps:

Go to Azure DevOps and sign inwith your credentials.

Select Your Project:

Choose Project1 from your list of projects.

Create a Wiki:

In the left-hand menu, select Wiki.

Click on Create project wiki.

Enter the name Wiki1 and click Create.

Step 2: Add Mermaid Syntax to Render a Diagram

Open the Wiki Page:

Navigate to the newly created Wiki1.

Edit the Wiki Page:

Click on Edit to start editing the wiki page.

Insert Mermaid Diagram:

Use the following Mermaid syntax to render a diagram. For example, to render a simple flowchart, you canuse:

```mermaid

graph TD;

A-->B;

A-->C;

B-->D;

C-->D;

Save the Page:

Click on Save to save your changes.

Step 3: Render the TCP Handshake Diagram

Convert TCPHandshake.png to Mermaid Syntax:

Since you have a sample diagram in C:\Resources\TCPHandshake.png, you need to convert this diagram into Mermaid syntax. Here’s an example of how a TCP handshake might look in Mermaid syntax:

```mermaid

sequenceDiagram

participant Client

participant Server

Client->>Server: SYN

Server-->>Client: SYN-ACK

Client->>Server: ACK

Add the Diagram to the Wiki:

Replace the sample Mermaid syntax with the TCP handshake diagram syntax in the wiki page.

Save the Page:

Click on Save to save your changes.

By following these steps, you will have created a project wiki named Wiki1 and used Mermaid syntax to render a diagram

Task 6: Create a Service Connection for Resource Group Deployment using Managed Identity and Workload Identity Federation

Step 1: Understand the Requirements

You want to deploy resources in the RGHod489Q1628 resource group.

The service connection must:

Use the ManagedJd1 managed identity.

Use workload identity federation (OIDC-based authentication for enhanced security).

Step 2: Verify Prerequisites

You need to ensure:

The ManagedJd1 managed identity exists in your Azure subscription.

Your Azure DevOps project (Project1) is linked to an Azure Active Directory tenant (for OIDC support).

You have the Owner or User Access Administrator role on the RGHod489Q1628 resource group.

Step 3: Assign Role to Managed Identity

Go to the Azure Portal.

In the search bar, type Managed Identities and select Managed Identities.

Locate and click on the ManagedJd1 identity.

In the left menu, click Azure role assignments.

Click + Add role assignment.

Set the following:

Scope: Resource Group

Subscription: Your subscription

Resource Group: RGHod489Q1628

Role: Contributor (or appropriate role)

Click Save.

This step ensures ManagedJd1 has permissions to deploy resources to RGHod489Q1628.

Step 4: Create a Federated Credential for Workload Identity Federation

In the Azure Portal, navigate to the ManagedJd1 managed identity.

In the left menu, click Workload identity federation (preview).

Click + Add a federated credential.

Configure as follows:

Federated credential name: devops-oidc

Issuer: https://vstoken.actions.githubusercontent.com (or use the default https://pipelines.actions.githubusercontent.com for Azure DevOps)

Subject identifier: Use the following format for Azure DevOps:

css

Copy

system:azuredevops:{organizationName}:{projectName}

For example:

css

Copy

system:azuredevops:{YourOrganizationName}:{Project1}

Audience: api://AzureADTokenExchange

Click Add.

This federated credential establishes trust between your Azure DevOps project and the managed identity.

Step 5: Create a Service Connection in Azure DevOps

Go to your Azure DevOps project (Project1) in the browser.

In the left menu, click Project settings.

Under Pipelines, click Service connections.

Click New service connection.

Choose Azure Resource Manager.

Choose the authentication method:

Select Workload identity federation.

Configure the service connection:

Scope level: Resource Group.

Resource Group: RGHod489Q1628.

Subscription: Your subscription.

Authentication method: Managed Identity with workload identity federation.

Managed Identity: Enter the client ID or select ManagedJd1.

Service connection name: e.g., Project1-RGHod489Q1628-Conn.

Grant access permission to all pipelines (recommended).

Click Save.

Step 6: Validate the Service Connection

After creation, click on the new service connection to Verify it.

Ensure the connection test is successful.

You can now use this service connection in your pipelines for deploying resources to RGHod489Q1628.

Every request made against a storage service must be authorized, unless the request is for a blob or container resource that has been made available for public or signed access. One option for authorizing a request is by using Shared Key.

Scenario: The mobile applications must be able to call the share pricing service of the existing retirement fund management system. Until the system is upgraded, the service will only support basic authentication over HTTPS.

The investment planning applications suite will include one multi-tier web application and two iOS mobile application. One mobile application will be used by employees; the other will be used by customers.

Box 1: Reader

Members of a group named Developers must be able to install packages.

Feeds have four levels of access: Owners, Contributors, Collaborators, and Readers. Ownerscan add any type of identity-individuals, teams, and groups-to any access level.

Box 2: Owner

Members of a group named Team Leaders must be able to create new packages and edit the permissions of package feeds.

Box 1: subscribe

To start monitoring all Get repositories in a project, use the following slash command inside a channel:

/azrepos subscribe [project ur1]

Box 2: https://dev.azure.com/contoso/contoso-app

You can also monitor a specific repository using the following command:

/azrepos subscribe [repository ur1]

The repository URL can be to any page within your repositorythat has your repository name.

For example, for Get repositories, use:

/azrepos subscribe https://dev.azure.com/myorg/myproject/_git/myrepository

Box 1: A deployment group

When authoring an Azure Pipelines or TFS Release pipeline, you can specify the deployment targets for a job using a deployment group.

If the target machines are Azure VMs, you can quickly andeasily prepare them by installing the Azure Pipelines Agent Azure VM extension on each of the VMs, or by using the Azure Resource Group Deployment task in your release pipeline to create a deployment group dynamically.

Box 2: A deployment group

s:https://docs.microsoft.com/en-us/azure/devops/pipelines/release/deployment-groups

1 -> TFVS Refer : https://docs.microsoft.com/en-us/azure/devops/repos/tfvc/control-access-team-foundation-version-control?view=azure-devops

2 -> TFVS Refer :https://docs.microsoft.com/en-us/azure/devops/repos/tfvc/add-check-policies?view=azure-devops

3 -> Git Refer : https://docs.microsoft.com/en-us/azure/devops/repos/git/share-your-code-in-git-xcode?view=azure-devops

4 -> TFVS Refer :https://docs.microsoft.com/en-us/azure/devops/organizations/security/permissions?view=azure-devops#tfvc

Box 1: readiness Probe:

For containerized applications that serve traffic, you might want to verify that your container is ready to handle incoming requests. Azure Container Instances supports readiness probes to include configurations so that your container can't be accessed under certain conditions.

Create a service principal in Microsoft Entra ID.

→ Needed for authentication between GitHub Actions and Azure.

Grant secret permissions to kv1.→ Allows the service principal to read secrets from Key Vault.

Create a personal access token (PAT) in GitHub.→ Required for GitHub to authenticate securely and use the service principal in the workflow.

Box 1: A key Vault advanced access policy

Box 2: RBAC

Management plane access control uses RBAC.

The management plane consists of operationsthat affect the key vault itself, such as:

Creating or deleting a key vault.

Getting a list of vaults in a subscription.

Retrieving Key Vault properties (such as SKU and tags).

Setting Key Vault access policies that control user and application access tokeys and secrets.

Box 1: Get-AzResource

Use the followingcommand to examine the access control mode for all workspaces in the subscription:

PowerShell

Get-Az Resource –Resource Type Microsoft. Operational Insights/workspaces –Expand Properties | for each {s.Name + ": " + $_.Properties.features.enableLogAccessUsingOnlyResourcePermissions

Box 2: -Resource Type

Scenario: By default, all releases must remain available for 30 days, except for production releases, which must be kept for 60 days.

Box 1: Set the defaultretention policy to 30 days

The Global default retention policy sets the default retention values for all the build pipelines. Authors of build pipelines can override these values.

Box 2: Set the stage retention policy to 60 days

You may want to retain more releases that have been deployed to specific stages.

Box 1: Azure Boards

Azure Boards can be used to track work with Kanban boards, backlogs, team dashboards, and custom reporting

You can create multiple Trello boards, which are spaces to store tasks (for different work contexts, or even private boards)

You can easily shareTrello boards with another person.

Box 2: Azure Pipelines

You can use Bamboo to implement CI/CD (Continuous Integration and Continuous Delivery) for a simple Azure function app using Atlassian Bamboo. Bamboo does continuous delivery of the project fromsource code to deployment. It has stages including Build, Test and Deploy.

Software teams in every industry are upgrading their continuous delivery pipeline with Bamboo. Easy build import from popular open source tools, user and group import from JIRA, seamless integration with Bitbucket, and native support for Git, Hg, and SVN means you'll be building and deploying like a champ.

Box 3: GitHub repositories

Bitbucket can be used as the Git repository, but you can use any other Git repository (Like TFS Git)for source control of the code.

Woodgrove Bank identifies the following technical requirements:

The Azure DevOps dashboard must display the metrics shown in the following table:

Box 1: Velocity

Velocity displays your team velocity. It shows what your team delivered as compared to plan.

Box 2: Release pipeline overview

Release pipeline overview shows the status of environments in a release definition.

Box 3: Query tile

Query tile displays the total number of results from a query.

Woodgrove Bank plans to implement the following changes to the identity environment:

Configure App1 to use a service principal.

Setting 1: Threshold value

Set to 80 %

Scenario: An Azure Monitor alert for VM1 must be configured to meet the following requirements:

Be triggered whenaverage CPU usage exceeds 80 percent for 15 minutes.

Calculate CPU usage averages once every minute.

Setting 2: Aggregation granularity

Set to 15 minutes.

https://www.scrum.org/resources/what-is-a-sprint-retrospective

QUESTIONNO: 42

Your company uses Azure DevOps to manage the build and release processes for applications.

You use a Git repository for applications source control.

You plan to create a new branch from an existing pull request. Later, you plan to merge the new branch and the target branch of the pull request.

You need to use a pull request action to create the new branch. The solution must ensure that the branch uses only a portion of the code in the pull request.

Which pull request action should you use?

A. Set asdefault branch

B. Approve with suggestions

C. Cherry-pick

D. Reactivate

E. Revert

Answer: C

Cherry-pick a pull request

To copy changes made in a pull request to another branch in your repo, follow these steps:

In a completed pull request,select Cherry-pick, or for an active pull request, select Cherry-pick from the ... menu. Cherry-picking a pull request in this way creates a new branch with the copied changes. Merge into a target branch in a second pull request.

In Target branch, enter the branch you want to merge the copied changes.

In Topic branch name, enter a new branch to contain the copied changes, then select Cherry-pick.

Select Create pull request to merge the topic branch into the target branch to complete the cherry-pick.

nce:

https://docs.microsoft.com/en-us/azure/devops/repos/git/pull-requests

Scenario: Implement Project3, Project5,Project6, and Project7 based on the planned changes

Step 1: Open the release pipeline editor.

In the Releases tab of Azure Pipelines, select your release pipeline and choose Edit to open the pipeline editor.

Step 2: Enable Gates.

Choose thepre-deployment conditions icon for the Production stage to open the conditions panel. Enable gates by using the switch control in the Gates section.

Step 3: Add Query Work items.

Choose + Add and select the Query Work Items gate.

Configure the gate by selecting an existing work item query.

Note: A case for release gate is:

Incident and issues management. Ensure the required status for work items, incidents, and issues. For example, ensure deployment occurs only if no priority zero bugs exist, and validation that there are no active incidents takes place after deployment.

Step 1: Initialize the Default Main Branch

Navigate to Azure DevOps:

Go to Azure DevOps and sign in with your credentials.

Select Your Project:

Choose Project1 from your list of projects.

Initialize the Main Branch:

Go to Repos > Files.

If themain branch does not exist, you will see an option to initialize it. Click on Initialize and follow the prompts to create the main branch.

Step 2: Implement an Approval Process for the Main Branch

Navigate to Branch Policies:

Go to Repos > Branches.

Findthe main branch and click on the … (ellipsis) next to it.

Select Branch policies.

Enable Required Reviewers:

Under Policies, enable Minimum number of reviewers.

Set the minimum number of reviewers to 2 to enforce the four-eyes principle.

Add RequiredReviewers:

Add the users who should review the changes. Ensure that at least one approval is required on every iteration.

Enable Reset Code Reviewer Votes:

Enable the Reset code reviewer votes when there are new changes option to ensure that any new changes require re-approval.

Save Changes:

Click on Save changes to apply the policies.

Step 3: Verify the Approval Process

Create a Pull Request:

Make a change in a branch and create a pull request to merge it into the main branch.

Review and Approve:

Ensurethat the pull request requires at least two reviewers to approve it before it can be merged.

By following these steps, you will have successfully initialized themain branch and implemented an approval process that adheres to the four-eyes principle, ensuring that every iteration has at least one approval

Step 1: Initialize the Default Main Branch

Navigate to Azure DevOps:

Go to Azure DevOps and sign in with your credentials.

Select Your Project:

Choose Project1 from your list of projects.

Initialize theMain Branch:

Go to Repos > Files.

If the main branch does not exist, you will see an option to initialize it. Click on Initialize and follow the prompts to create the main branch1.

Step 2: Create a New Branch for the Pipeline

Navigate to Branches:

Go to Repos > Branches.

Click on New branch.

Create the Branch:

Enter azure-pipelines as the branch name.

Select main as the base branch.

Click Create2.

Step 3: Create a New Azure Pipelines YAML Pipeline

Navigate to Pipelines:

Go to Pipelines > New pipeline.

Select the Repository:

Choose Azure Repos Git and select the relevant repository.

Configure the Pipeline:

Select Starter pipeline.

Replace the default YAML with the ASP.NET template. You can find the ASP.NET template in the Azure Pipelines documentation oruse the following example:

trigger:

- main

pool:

vmImage: 'windows-latest'

variables:

buildConfiguration: 'Release'

steps:

- task: UseDotNet@2

inputs:

packageType: 'sdk'

version: '5.x'

installationPath: $(Agent.ToolsDirectory)/dotnet

- script: |

dotnet build --configuration $(buildConfiguration)

displayName: 'Build project'

- script: |

dotnet test --no-build --configuration $(buildConfiguration)

displayName: 'Run tests'

Save the Pipeline:

Click on Save and enter azure-pipelines as the branch name.

Click on Save and run to save the pipeline to the new branch named azure-pipelines3.

By following these steps, you will have successfully initialized the main branch, created a new branch named azure-pipelines, and set up a new Azure Pipelines YAML pipeline using the ASP.NET template

You can usea system-assigned managed identity for a Windows virtual machine (VM) to access Azure Key Vault.

Sign in to Azure portal

Locate virtual machine VM1.

Select Identity

Enable the system-assigned identity for VM1 by setting the Status to On.

Note:Enabling a system-assigned managed identity is a one-click experience. You can either enable it during the creation of a VM or in the properties of an existing VM.

Step 1: Understand the Requirements

You need to create a self-hosted agent for Azure Pipelines.

It will be hosted in a pod (for example, in Kubernetes).

All pipelines in Project1 should be able to use this agent pool named Pool1.

Step 2: Create the Agent Pool in Azure DevOps

Go to your Azure DevOps organization:https://dev.azure.com/{YourOrganizationName}

In the bottom-left corner, click on the Organization settings gear icon.

In the left menu, click on Agent pools.

Click on Add pool.

Provide the following:

Pool name: Pool1

Pool type: Self-hosted

Grant access permission to all pipelines: Checked (so that all Project1 pipelines can use this pool)

Click Create.

Now you have an empty agent pool named Pool1.

Step 3: Prepare the Self-hosted Agent as a Pod

You need to deploy an Azure Pipelines agent container as a pod. Here’s how to do it:

Option 1: Using Kubernetes directly (YAML deployment)

Create a Kubernetes deployment YAML file for the agent pod:

apiVersion: apps/v1

kind: Deployment

metadata:

name: azure-pipelines-agent

labels:

app: azure-pipelines-agent

spec:

replicas: 1

selector:

matchLabels:

app: azure-pipelines-agent

template:

metadata:

labels:

app: azure-pipelines-agent

spec:

containers:

- name: agent

image: mcr.microsoft.com/azure-pipelines/vsts-agent:latest

env:

- name: AZP_URL

value: "https://dev.azure.com/{YourOrganizationName} "

- name: AZP_TOKEN

valueFrom:

secretKeyRef:

name: azure-pipelines-token

key: token

- name: AZP_POOL

value: "Pool1"

- name: AZP_AGENT_NAME

value: "agent-pod"

Create a Kubernetes secret for the personal access token (PAT):

kubectl create secret generic azure-pipelines-token --from-literal=token=

Note:

Replace with a PAT that has “Agent Pools (Read & manage)” scope.

Replace {YourOrganizationName} with your actual Azure DevOps organization.

Deploy the pod:

bash

Copy

kubectl apply -f azure-pipelines-agent.yaml

Step 4: Validate the Agent Connection

Go back to Organization Settings > Agent pools > Pool1 in Azure DevOps.

You should see the agent pod connected and listed as online.

Step 5: Use the Pool in Pipelines

By default, all pipelines in Project1 will now have access to the Pool1 agent pool because you granted access during the pool creation.

In your pipeline YAML files, specify the pool name to use the self-hosted agent:

yaml

Copy

pool:

name: Pool1

Task 8: Create a Service Hook to Integrate with Azure Storage (queue1)

Step 1: Verify the Storage Account and Queue

In the Azure portal (https://portal.azure.com ):

Go to Storage accounts.

Find the storage48901628 storage account.

In the left menu, click on Queues.

Ensure that a queue named queue1 exists.If not, create it by:

Clicking + Queue.

Enter Name: queue1.

Click OK.

Step 2: Prepare the Storage Account’s Shared Access Signature (SAS)

Azure DevOps uses SAS tokens to send messages to a storage queue.

In the Azure portal, go to the storage48901628 storage account.

In the left menu, click Shared access signature.

Set the following:

Allowed services: Queue.

Allowed resource types: Object.

Allowed permissions: Add, Write.

Start and expiry date/time: Adjust as needed (e.g., 1 year).

Click Generate SAS and connection string.

Copy the Queue SAS URL (e.g., https://storage48901628.queue.core.windows.net/queue1?sv=...).

Step 3: Create the Service Hook in Azure DevOps

In your Azure DevOps Project (Project1):

In the bottom-left, click Project settings.

In the left menu, click Service hooks.

Click + Create subscription.

Step 4: Configure the Azure Storage Service Hook

In the Create a subscription wizard, choose Azure Storage Queues and click Next.

Choose the Trigger:

For example: Code pushed (or other events you want to send to the queue).

Click Next.

Configure the Action:

Queue endpoint URL: The Queue SAS URL you copied in Step 2 (including the queue1 endpoint and SAS token).

Example:

bash

Copy

https://storage48901628.queue.core.windows.net/queue1?sv=...

Step 5: Finalize and Test the Integration

Click Test to ensure Azure DevOps can send a message to the queue.

If the test succeeds, click Finish to create the service hook.

Step 6: Validate in the Azure Portal

In the Azure portal, go to storage48901628 > Queues > queue1.

You should see new messages appear in the queue whenever the configured Azure DevOps event (like push or PR) occurs.

Task 7: Create a Pipeline to Deploy a Docker Image in a New Branch

Step 1: Create a New Branch

In your Azure DevOps Project (Project1), navigate to Repos.

In the left menu, click on Branches.

Click New branch.

Enter:

Branch name: azure-pipelines

Based on: main (or your default branch)

Click Create.

This creates a new branch named azure-pipelines.

Step 2: Switch to the New Branch

In Repos, click on Files.

In the top-left branch selector, choose azure-pipelines.

Step 3: Use the Predefined Docker Pipeline Template

Azure Pipelines has predefined YAML templates for common tasks, including Docker.

Here’s how to add it:

In the azure-pipelines branch, click New file.

Name the file: azure-pipelines.yml.

Click the Show templates button in the YAML editor (if available).

Search for the Docker template in the list of predefined templates.

Select the Docker template to auto-populate the YAML file.

If the editor doesn’t show the template picker, you can manually add the following basic Docker pipeline template:

yaml

Copy

# Predefined Docker pipeline template

trigger:

- main

resources:

- repo: self

variables:

imageName: 'mydockerimage'

stages:

- stage: Build

displayName: Build and push stage

jobs:

- job: Build

pool:

vmImage: 'ubuntu-latest'

steps:

- task: Docker@2

displayName: Build and push an image to container registry

inputs:

command: buildAndPush

repository: $(imageName)

dockerfile: '**/Dockerfile'

containerRegistry: ''

tags: |

latest

Replace with your actual Azure Container Registry (ACR) or DockerHub service connection name.

Step 4: Commit the Pipeline to the New Branch

In the YAML editor, review and adjust if needed (like setting the correct container registry service connection).

In the bottom commit message box:

Message: e.g., Add Docker deployment pipeline

Ensure the branch is set to azure-pipelines.

Click Commit (not commit to main).

This creates the pipeline YAML file in the new azure-pipelines branch.

Step 5: Create the Pipeline in Azure DevOps

In the left menu, click Pipelines.

Click New pipeline.

Choose:

Azure Repos Git.

Select your repo.

Select Existing Azure Pipelines YAML file.

In the branch selector, choose the azure-pipelines branch.

Select the YAML file path (azure-pipelines.yml).

Click Continue and then Run to validate the pipeline.

To enable streaming of diagnostic telemetry for asingle or a pooled database, follow these steps:

1. Go to Azure SQL database resource.

2. Select Diagnostics settings.

3. Select Turn on diagnostics if no previous settings exist, or select Edit setting to edit a previous setting. You can create up to three parallel connections to stream diagnostic telemetry.

4. Select Add diagnostic setting to configure parallel streaming of diagnostics data to multiple resources.

5. Enter a setting name for your own reference.

6. Select a destination resource for the streaming diagnostics data: Archive to storage account, Stream to an event hub, or Send to Log Analytics.

7. For the standard, event-based monitoring experience, select the following check boxes for database diagnostics log telemetry: Query Store Runtime Statistics

8. For an advanced, one-minute-based monitoring experience, select the check box for Basic metrics.

9. Select Save.

To prepare a Network Security Group (NSG) namedaz400-38443478-nsg1for hosting an Azure DevOps pipeline agent, while allowing only the required outbound port for Azure DevOps and denying all other inbound and outbound access to the Internet, follow these steps:

Create the NSG:

Navigate to the Azure Portal.

Go toNetwork Security Groupsand click on+ Create.

Fill in the details, including the nameaz400-38443478-nsg1, and create the NSG.

ConfigureOutbound Security Rules:

Once the NSG is created, go to its settings.

Navigate toOutbound security rules.

Click on+ Addto create a new rule.

Set theDestination port rangesto443, which is the required port for Azure DevOps12.

Set theProtocoltoTCP.

Set theActiontoAllow.

Assign aPrioritynumber (e.g.,100) that does not conflict with existing rules.

Provide a meaningfulNamefor the rule (e.g.,AllowAzureDevOps).

Configure Default Rules to Deny All Other Traffic:

In the sameOutbound security rulessection, edit the default rule to deny alltraffic.

Change theActiontoDenyfor the rule with the lowest priority (highest number).

Ensure that this rule applies to all protocols, source and destination IP ranges, and port ranges.

Associate the NSG with the Appropriate Resource:

Associate the NSGwith the subnet or network interface of the virtual machine or resource where the Azure DevOps pipeline agent will be hosted.

By following these steps, you will ensure that the Azure DevOps pipeline agent can communicate with Azure DevOps services over the required port while blocking all other inbound and outbound Internet access, adhering to the principle of least privilege and security best practices.

To ensure that your Azure Web App namedaz400-38443478-maincan retrieve secrets from an Azure Key Vault namedaz400-3844J478-kv1using a system managed identity with the principle of least privilege, follow these detailed steps:

Enable a System Managed Identity for the Azure Web App:

Navigate to the Azure Portal.

Go to the Azure Web Appaz400-38443478-main.

SelectIdentityunder theSettingssection.

In theSystem assignedtab, switch theStatustoOn.

ClickSaveto apply the changes.

Grant the Web App Access to the Key Vault:

Go to the Azure Key Vaultaz400-3844J478-kv1.

SelectAccess policiesunder theSettingssection.

Click onAdd Access Policy.

ChooseSecret permissionsand selectGetandList. This grants the app the ability to read secrets, adhering to the principle of least privilege.

Click onSelect principal, search for your Web App nameaz400-38443478-main, and select it.

ClickAddto add the policy.

Don’t forget to clickSaveto save the access policy changes.

Retrieve Secrets in the Web App Code:

In your Web App’s code, use the Azure SDK to retrieve the secrets.

For example, in a .NET application,you can use theAzure.IdentityandAzure.Security.KeyVault.Secretsnamespaces.

Utilize theDefaultAzureCredentialclass which will automatically use the system managed identity when running on Azure.

using Azure.Identity;

usingAzure.Security.KeyVault.Secrets;

var client = new SecretClient(new Uri("https://az400-3844J478-kv1.vault.azure.net/ "), new DefaultAzureCredential());

KeyVaultSecret secret = await client.GetSecretAsync("my-secret-name");

string secretValue =secret.Value;

Replace"my-secret-name"with the actual name of the secret you want to retrieve.

By following these steps, your Azure Web App will be able to securely retrieve secrets from the Azure Key Vault using a system managed identity, without needingto store credentials in the code, and adhering to the principle of least privilege. Remember to replace the placeholder names with the actual names of your Web App and Key Vault.

Step 1: Write the KQL Query

Open Azure Data Explorer:

Navigate to Azure Data Explorer and sign in with your credentials.

Access the Securitylogs Database:

Open the Securitylogs database.

Write the Query:

Use the following KQL query tocount the number of inbound requests for each source IP address:

InboundBrowsing

| where Timestamp between (datetime(2021-10-01) .. datetime(2021-12-31))

| summarize NumberOfRequests = count() by SourceIP

| project SourceIP, NumberOfRequests

Step 2: Export the Query Results

Run the Query:

Execute the query in Azure Data Explorer.

Export the Results:

Once the query results are displayed, click on the Export button.

Choose the export format (e.g., CSV) and specify the export path as C:\Samples.

By following these steps, you will have successfully written a KQL query to count the number of inbound requests for each source IP address during the last three months of 2021 and exported the results to C:\Samples

1. Open Microsoft Azure Portal and Log into your Azure account.

2. Select network security group (NSG) named az400-9940427-nsg1

3. Select Settings, Outbound security rules, and click Add

4. Click Advanced

5. Change the following settings:

Destination Port range: 8080

Protocol. TCP

Action: Allow

Note: Bydefault, Azure DevOps Server uses TCP Port 8080.

1.Go to the Azure portal, navigate to Traffic Manager profiles and click on the Add button to create a routing profile.

2. In the Create Traffic Manager profile, enter, or select these settings:

Name: az40011566895n1-tm

Routing method: Geographic

Resource group: RG1lod11566895

Note: Traffic Manager profiles can be configured to use the Geographic routing method so that users are directed to specific endpoints (Azure, External or Nested) based on which geographic location their DNS query originates from. This empowers Traffic Manager customers to enable scenarios where knowing a user’s geographic region and routing them based on that is important.

Step 1: Understand the Requirements

You want to ensure that audit events (such as user actions, project changes, security settings, etc.) from your Azure DevOps organization are logged and available in a Log Analytics workspace in Azure.

This enables centralized monitoring and security compliance.

Step 2: Prerequisites

Before starting, make sure:

You have an Azure subscription.

You have permission to create or use a Log Analytics workspace in the Azure portal.

You are a Project Collection Administrator or Organization Owner in Azure DevOps.

Step 3: Create or Identify a Log Analytics Workspace

Go to the Azure portal.

In the search bar, type Log Analytics workspaces and click the service.

Click + Create to create a new workspace (or select an existing workspace if you have one).

Provide the following:

Subscription: your Azure subscription.

Resource Group: create a new or use an existing one.

Name: a unique name for the workspace (like DevOpsAuditWorkspace).

Region: choose the same region as your Azure DevOps organization if possible.

Click Review + Create, then Create to deploy the workspace.

Step 4: Configure Azure DevOps to Stream Audit Logs

Azure DevOps can stream audit logs to your Log Analytics workspace using the Azure DevOps Audit Stream feature.

In your browser, go to your Azure DevOps organization:https://dev.azure.com/{YourOrganizationName}

In the bottom-left corner, click on the Organization Settings gear icon.

In the left menu, click on Audit logs.

In the top-right, click on Audit streams.

Click on + Add stream to create a new stream.

In the New audit stream pane, do the following:

Stream type: select Azure Monitor Logs (Log Analytics).

Azure subscription: select the subscription containing your Log Analytics workspace.

Resource group: select the resource group.

Log Analytics workspace: select the workspace created in Step 3.

Click Save.

Step 5: Validate the Audit Stream Connection

Go back to the Audit streams page in Azure DevOps to confirm the stream shows as Connected.

To validate logs:

In the Azure portal, go to your Log Analytics workspace.

In the left menu, click on Logs.

Use the query:

kusto

Copy

AzureDevOpsAuditing

| sort by TimeGenerated desc

You should see audit events from your Azure DevOps organization appear in the results.

Task 12: Configure Iterations in Project1 for Azure Boards

Step 1: Navigate to Project Settings

In your Azure DevOps Project (Project1), click on the Project settings gear icon in the lower-left corner.

Step 2: Manage Project Iterations (Sprints)

In the Boards section of the Project settings, click Project configuration.

In the left menu, click on Iterations.

Step 3: Add Iterations

Click on the + New child link to add a new iteration under the root node (e.g., Project1).

Enter the following details:

Name: Sprint 1

Leave the start and end dates empty (or set them as needed for your planning).

Click Save and close.

Repeat the process:

Click + New child again.

Name: Sprint 2

Leave the start and end dates empty.

Click Save and close.

Finally, create Sprint 3 with specific dates:

Click + New child.

Name: Sprint 3

Start date: January 1 of next year (e.g., 2026-01-01).

End date: January 31 of next year (e.g., 2026-01-31).

Click Save and close.

Step 4: Assign Iterations to Work Items

With these iterations created, you can now assign them to work items (e.g., tasks, bugs, features) using Azure Boards.

In Boards, click on Work items.

Open any work item.

In the Iteration Path field, select one of your newly created iterations (Sprint 1, Sprint 2, or Sprint 3).

This ensures that work items can be tracked under the appropriate sprint.

Step 1: To create a general-purpose v2 storage account in the Azure portal, follow these steps:

On the Azure portal menu, select All services. In the list of resources,type Storage Accounts. As you begin typing, the list filters based on your input. Select Storage Accounts.

On the Storage Accounts window that appears, choose Add.

Select the subscription in which to create the storage account.

Under the Resource group field, select RG1lod11566895

Next, enter a name for your storage account named: az400lod11566895stor

Select Create.

Step 2: Enable boot diagnostics on existing virtual machine

To enable Boot diagnostics on an existing virtual machine, follow these steps:

1.Sign in to the Azure portal, and then select the virtual machine VM1.

2. In the Support + troubleshooting section, select Boot diagnostics, then select the Settings tab.

3. In Boot diagnostics settings, change the status to On, and from the Storage account drop-down list, select the storage account az400lod11566895stor.

4. Save the change.

You must restart the virtual machine for the change to take effect.

Step 1: Initialize the Default Main Branch

Navigate to Azure DevOps:

Go to Azure DevOps and sign in with your credentials.

Select Your Project:

Choose Project1 from your list of projects.

Initialize the Main Branch:

Goto Repos > Files.

If the main branch does not exist, you will see an option to initialize it. Click on Initialize and follow the prompts to create the main branch1.

Step 2: Enable Squash Merge for the Main Branch

Navigate to Branch Policies:

Go to Repos > Branches.

Find the main branch and click on the … (ellipsis) next to it.

Select Branch policies.

Enable Squash Merge:

Under Policies, scroll down to the Merge strategy section.

Select Squash merge as the required mergestrategy2.

Save Changes:

Click on Save changes to apply the policies.

Step 3: Verify the Squash Merge Policy

Create a Pull Request:

Make achange in a branch and create a pull request to merge it into the main branch.

Complete the Pull Request:

Ensure that the pull request uses thesquash merge strategy by selecting Squash commit under the Merge type in the Complete pull request dialog

To ensure that the webhook athttps://contoso.com/statushookis called every time the repository namedaz40038443478acr1receives a new version of an image nameddotnetapp, you can follow these steps to configure a webhook in Azure Container Registry:

Navigate to the Azure Container Registry:

Go to the Azure Portal.

Find and select yourAzure Container Registry instanceaz40038443478acr1.

Create a New Webhook:

UnderServices, selectWebhooks.

Click on+ Addto create a new webhook.

Fill in the form with the following information:

Webhook name: Enter a unique name for your webhook.

ServiceURI: Enterhttps://contoso.com/statushook.

Custom headers: (Optional) Add any headers you want to pass along with the POST request.

Trigger actions: SelectPushto trigger the webhook on image push events.

Scope: Specify the scope asaz40038443478acr1:dotnetappto target the specific image.

Status: Set toEnabled.

Save the Webhook Configuration:

Review the information and clickCreateto save the webhook.

Once configured, the webhook will send a POST request tohttps://contoso.com/statushookwhenever a new version of thedotnetappimage is pushed to theaz40038443478acr1repository in your Azure Container Registry1.

This setup will automate the notification process, ensuring that the specified webhook is called with each new image version, thus fulfilling the task requirements.

Step 1: Navigate to the Library

Navigate to Azure DevOps:

Go to Azure DevOps and sign in with your credentials.

Select Your Project:

Choose Project1 from your list of projects.

Access the Library:

In the left-hand menu, select Pipelines > Library.

Step 2: Create a Variable Group

Create a New Variable Group:

On the Library page, click on + Variable group.

Configure the Variable Group:

Name: Enter varGroup1.

Description: Optionally, add a description for thevariable group.

Add Variables:

Click on + Add to add a new variable.

Variable Name: Enter serverName.

Value: Enter server1.

Click OK.

Click on + Add again to add another variable.

Variable Name: Enter dbName.

Value: Enter db1.

Click OK.

Save the Variable Group:

Click on Save to save the variable group.

By following these steps, you will have successfully created a variable groupnamed varGroup1 containing the specified variables

To ensure that your Azure Web App namedaz400-38443478-mainsupports rolling upgrades and only 10 percent of users connect to the updated version of the app, you can use deployment slots with the followingsteps:

Create a Deployment Slot:

Navigate to the Azure Portal.

Go to your Web Appaz400-38443478-main.

SelectDeployment slotsin the menu.

Click onAdd Slot.

Name the slot (e.g.,staging) and if needed, clone settings from the production slot.

Configure the Traffic Percentage:

In the Deployment Slots menu, you will see a column forTraffic %.

Set the traffic percentage to10%for thestagingslot1.

This will route only 10% of the traffic to the updated version of the app in thestagingslot.

Deploy the Updated App to the Staging Slot:

Deploy yourupdated application to thestagingslot.

Test the application in thestagingslot to ensure it’s working as expected.

Complete the Rolling Upgrade:

Once you’re satisfied with the performance and stability of the app in thestagingslot, you can graduallyincrease the percentage of traffic until you’re ready to swap with the production slot.

To swap slots, go to theDeployment slotsmenu and click onSwapwith the production slot.

By using deployment slots, you can achieve rolling upgrades with minimal administrative effort, as it allows you to test the new version on a subset of users before fully releasing it. Remember to adjust the traffic percentage and monitor the application’s performance throughout the process.

To configure your Azure Functionaz400-38443478-functto automatically update whenever new code is committed to the main branch of the specified GitHub repository, you can use GitHub Actions for continuous deployment. Here’s how to set it up:

Create a GitHub Actions Workflow:

In your GitHub repository, navigate to the.github/workflows/directory.

Create a new file for your workflow (e.g.,azure-function-cd.yml).

Define the Workflow:

In the workflow file, define the steps for the build and deployment process.

Use theAzure/functions-actionto deploy to your Azure Function App.

Set up triggers for themainbranch to initiate the workflow on every commit.

Generate Deployment Credentials:

In the Azure Portal, navigate to your Function Appaz400-38443478-funct.

Download the publish profile from theOverviewsection by clicking onGet publish profile.

Store the Publish Profile as a GitHub Secret:

In your GitHub repository, go toSettings>Secrets and variables>Actions.

Create a new secret (e.g.,AZURE_FUNCTIONAPP_PUBLISH_PROFILE) and paste the content of the publish profile.

Configure the Workflow to Use the Secret:

In the workflow file, reference the secret to authenticate the deployment to Azure.

Here’s a sample GitHub Actions workflow snippet:

name: Deploy Azure Function

on:

push:

branches:

- main

jobs:

build-and-deploy:

runs-on: ubuntu-latest

steps:

- uses: actions/checkout@v2

- name: Set up Python version

uses: actions/setup-python@v2

with:

python-version: '3.x'

- name: Install dependencies

run: |

pip install -r requirements.txt

- name: Deploy to Azure Functions

uses: Azure/functions-action@v1

with:

app-name: az400-38443478-funct

publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }}

package: .

Replace theapp-namewith the name of your Azure Function App and ensure the Python version and dependencies match your application’s requirements.

By following these steps, yourAzure Function will automatically update whenever new code is pushed to the main branch of the GitHub repository. This setup minimizes manual effort and ensures that your function app is always running the latest code.

1. Open Microsoft Azure Portal

2. Log into your Azure account and go to App Service and look under Monitoring then you will see Alert.

3. Select Add an alert rule

4. Configure the alert rule as per belowand click Ok.

Source: Alert on Metrics

Resource Group: az400-9940427-main

Resource: az400-9940427-main

Threshold: 5

Period: Over the last 5 minutes

Webhook: https://contoso.com/notify

1. Open Microsoft Azure Portal

2. Log intoyour Azure account and go to App Service and look under Monitoring then you will see Alert.

3. Select Add an alert rule

4. Configure the alert rule as per below and click Ok.

Source: Alert on Metrics

Resource Group: az400-9940427-main

Resource: az400-9940427-main

Threshold: 5

Period: Over the last 5 minutes

Webhook: https://contoso.com/notify

To store signed images in an Azure Container Registry (ACR) instance and support your planned images while minimizing costs, you need to modify the SKU of your ACR instance to one that supports content trust and image signing. Here’s how you can do it:

Determine the Appropriate SKU:

Content trust and image signing are features of thePremiumservice tier of Azure ContainerRegistry1.

If cost minimization is a priority, ensure that the Premium tier is necessary for your use case. If you require content trust, the Premium tier is the appropriate choice.

Modify the SKU of the ACR Instance:

Navigate to the Azure Portal.

Go to your ACR instanceaz40038443478act1.

SelectUpdatefrom the overview pane.

Choose thePremiumSKU from the SKU drop-down menu2.

Review the changes and pricing, then save the configuration.

By upgrading to the Premium SKU, you’ll be able to store signed images in your ACR instance. Remember to monitor your usage and costs to ensure they align with your budget and requirements.

Azure Automation now ships with the Azure PowerShell module of version 0.8.6, which introduced the ability to non-interactively authenticate to Azure using OrgId (Azure Active Directory user) credential-based authentication. Using the steps below, you can set up Azure Automation to talk to Azure using this authentication type.

Step 1: Find the Azure Active Directory associated with the Azure subscription to manage:

1. Log in to the Azure portal as the service administrator for the Azure subscription you want to manage using Azure Automation. You can find this user by logging in to the Azure portal as any user with access to this Azure subscription, then clicking Settings, then Administrators.

2. Note the name of the directory associated with the Azure subscription you want to manage. You can find this directory by clicking Settings, then Subscriptions.

Step 2: Create an Azure Active Directory user in the directory associated with the Azure subscription to manage:

You can skip this step if you already have an Azure Active Directory user in this directory. and plan to use this OrgId to manage Azure.

1. In the Azure portal click on Active Directory service.

2. Click the directory name that is associated with this Azure subscription.

3. Click on the Users tab and then click the Add User button.

4. For type of user, select “New user in yourorganization.” Enter a username for the user to create.

5. Fill out the user’s profile. For role, pick “User.” Don’t enable multi-factor authentication. Multi-factor accounts cannot be used with Azure Automation.

6. Click Create.

7. Jot down the full username (including part after @ symbol) and temporary password.

Step 3: Allow this Azure Active Directory user to manage this Azure subscription.

1. Click on Settings (bottom Azure tab under StorSimple)

2. Click Administrators

3. Click the Add button. Type the full user name (including part after @ symbol) of the Azure Active Directory user you want to set up to manage Azure. For subscriptions, choose the Azure subscriptions you want this user to be able to manage. Click the check mark.

Step 4: ConfigureAzure Automation to use this Azure Active Directory user to manage this Azure subscription

Create an Azure Automation credential asset containing the username and password of the Azure Active Directory user that you have just created. You can create a credential asset in Azure Automation by clicking into an Automation Account and then clicking the Assets tab, then the Add Setting button.

Note: Once you have set up the Azure Active Directory credential in Azure and Azure Automation, you can now manage Azure from Azure Automation runbooks using this credential.