Microsoft DevOps Engineer Expert AZ-400 Practice Question

Within an Azure DevOps project that hosts multiple Git repositories, management wants to guarantee that only members of the Release Managers Azure AD group can change repository or branch permissions. All other developers must still be able to create branches, push commits, and submit pull requests. You need to make a single configuration change that will automatically apply to any existing or future repositories in the project. What should you do?

Create a mandatory branch policy on the default branch of every repository that requires an approval from the Release Managers group.
At the project level, open Git repositories security and set Manage permissions to Allow for the Release Managers group and Deny for Project Contributors.
Add the Release Managers group as Administrators and remove all other groups in the permissions page of each individual repository.
Use Azure AD Privileged Identity Management to assign the Azure DevOps Project Administrator role exclusively to the Release Managers group.

Report Issue

Answer Description

Setting the Git repositories security at the project level controls the default permissions that every repository inherits. By granting Allow on the Manage permissions right to the Release Managers group and setting Deny (or leaving Not set) for other groups such as Project Contributors, only Release Managers can edit repository or branch permissions. Because the setting is applied at the project scope, every current and newly created repository inherits the rule without further action. Branch policies or per-repository administrator assignments would have to be recreated for each repo, and Azure AD role assignments do not control granular Git permissions inside Azure DevOps.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.