Microsoft DevOps Engineer Expert AZ-400 Practice Question

You are connecting an existing Azure DevOps organization to Microsoft Defender for Cloud. During the setup process for the DevOps security connector, you are redirected to Azure DevOps to authorize an OAuth application. This authorization grants Defender for Cloud the necessary permissions to discover repositories and analyze their security posture. To adhere to the principle of least privilege, which minimum set of permission scopes should be granted for the initial onboarding and scanning?

Code (Read), Graph (Read), and Work Items (Read)
Project & Team (Read), Build (Read), and Release (Read)
Code (Read & Write) only
Service Hooks (Manage) and Packaging (Read)

Report Issue

Answer Description

When you connect an Azure DevOps organization to Microsoft Defender for Cloud, the process uses an OAuth application that requests a set of permissions. To enable Defender for Cloud to enumerate repositories, map users, and understand the context of code commits, a specific set of read-only permissions is required. According to the functionality, the application needs 'Code (Read)' to access repository content, 'Graph (Read)' to map users and groups, and 'Work Items (Read)' to correlate commits with linked work items. Granting broader permissions, such as write access, or unnecessary scopes like 'Build' or 'Release' for the initial connection would violate the principle of least privilege. Omitting any of the required read scopes would cause the connector to fail in discovering and analyzing all relevant resources.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.