Exam AZ-400 All QuestionsBrowse all questions from this exam
Go to Exam
Question 116

DRAG DROP -

You need to configure access to Azure DevOps agent pools to meet the following requirements:

✑ Use a project agent pool when authoring build or release pipelines.

✑ View the agent pool and agents of the organization.

✑ Use the principle of least privilege.

Which role memberships are required for the Azure DevOps organization and the project? To answer, drag the appropriate role memberships to the correct targets. Each role membership may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Select and Place:

    Correct Answer:

    Box 1: Reader -

    Members of the Reader role can view the organization agent pool as well as agents. You typically use this to add operators that are responsible for monitoring the agents and their health.

    Box 2: Service account -

    Members of the Service account role can use the organization agent pool to create a project agent pool in a project. If you follow the guidelines above for creating new project agent pools, you typically do not have to add any members here.

    Incorrect Answers:

    In addition to all the permissions given the Reader and the Service Account role, members of the administrator role can register or unregister agents from the organization agent pool. They can also refer to the organization agent pool when creating a project agent pool in a project. Finally, they can also manage membership for all roles of the organization agent pool. The user that created the organization agent pool is automatically added to the Administrator role for that pool.

    Reference:

    https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/pools-queues

Discussion
TosO

Organization -> Reader Project -> User

NKnab

This one is the correct answer.

Art3

Correct! reader, User.

rdemontis

you are right. You can read the article below for more details: https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/pools-queues?view=azure-devops&tabs=yaml%2Cbrowser#security

rdemontis

Also see this article for best explanation https://docs.microsoft.com/en-us/azure/devops/organizations/security/about-security-roles?view=azure-devops

[Removed]

I think the Project level access should be User in this scenario

syu31svc

https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/pools-queues?view=azure-devops&tabs=yaml%2Cbrowser "Reader Members of this role can view the agent pool as well as agents. You typically use this to add operators that are responsible for monitoring the agents and their health." "User Members of this role can use the project agent pool when authoring pipelines." Organization ---> Reader Project ---> User

Sara_Mo

Organization -> Reader Project -> User Agent pool security roles, project-level You add users to the following security roles from the project-level admin context, Agent Pools page. For information on adding and managing agent pools, see Agent pools. TABLE 1 Role (project-level) Description Reader Can view the pool. You typically add operators to this role that are responsible for monitoring the build and deployment jobs in that pool. User Can view and use the pool when authoring build or release pipelines. Creator Can create and use the pool when authoring build or release pipelines. Administrator Can manage membership for all roles of the pool, as well as view and use the pools. The user that created a pool is automatically added to the Administrator role for that pool.

Rubends

Organization -> Reader Project -> User

formacionkiteris

Project -> User Organization -> Reader

Atos

There is no administration work in requirements which is only thing i like about this question. Therefore the answer has to be: Organisation - Reader Project - User

UnknowMan

On Project level , the Service Account, dont exist. So the correct answer is : Organization : Reader Project : User

Miten94

Came in Exam June 23, 2024

codeguru_9777

You had any lab/simulation in the exam?

vsvaid

Organization- Reader Project- User If the user needed ability to add project agent pool then Service account at organization level.

renzoku

Organization > Reader Project> User Project-level security roles Reader: view the project agent pool User: can use the project agent pool Administrator: all the above operations and manage membership for all roles of the project agent pool

le129

https://learn.microsoft.com/en-us/azure/devops/organizations/security/about-security-roles?view=azure-devops

vsvaid

Agree with below. There is no service account for Project security. Service account is only Organizatiuon security. https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/pools-queues?view=azure-devops&tabs=yaml%2Cbrowser Organization -> Reader Project -> User

yana_b

Correct answer is: Organization -> reader Project -> User Service Account is on organization and not on Project level https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/pools-queues?view=azure-devops&tabs=yaml%2Cbrowser#security

Sara_Mo

the answer is correct Reader Can view the pool as well as agents. You typically add operators to this role that are responsible for monitoring the agents and their health. Service Account Can use the pool to create an agent in a project. If you follow the guidelines for creating new pools, you typically do not have to add any members to this role. Administrator Can register or unregister agents from the pool and manage membership for all pools, as well as view and create pools. They can also use the agent pool when creating an agent in a project. The system automatically adds the user that created the pool to the Administrator role for that pool. Role Description Reader Can only view deployment groups. Creator Can view and create deployment groups. User Can view and use but cannot manage or create deployment groups. Administrator Can administer roles, manage, view and use deployment groups.

Pankaj78

Frist one is definitely not the Reader (Organization ) because Members of this role can view the agent pool as well as agents. You typically use this to add operators that are responsible for monitoring the agents and their health.

GigaCaster

The issue with user at project is that the account creating the project automatically gets added to the administration area as is shown in their explanation, That's why it says service account.