nerdexam
Microsoft

AZ-400 · Question #392

Drag and Drop Question You need to deploy a new project in Azure DevOps that has the following requirements: - The lead developer must be able to create repositories, manage permissions, manage polici

The correct answer is Readers; Project Administrators; Contributors. Project Managers need read-only access, so the 'Readers' group is correct as it grants view-only permissions following least privilege. The Lead Developer requires repository creation, permission management, policy management, and contribution rights - 'Project Administrators' is

Submitted by wei.xz· Mar 6, 2026Design and Implement Security and Compliance in Azure DevOps - specifically configuring appropriate group memberships and permissions for project roles within Azure DevOps organizations and projects.

Question

Drag and Drop Question You need to deploy a new project in Azure DevOps that has the following requirements: - The lead developer must be able to create repositories, manage permissions, manage policies, and contribute to the repository. - Developers must be able to contribute to the repository and create branches, but NOT bypass policies when pushing builds. - Project managers must only be able to view the repository. - The principle of least privilege must be used. You create a new Azure DevOps project team for each role. To which Azure DevOps groups should you add each team? To answer, drag the appropriate groups to the correct teams. Each group may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point. Answer:

Exhibit

AZ-400 question #392 exhibit

Answer Area

Drag items

Build AdministratorsContributorsProject AdministratorsProject Collection AdministratorsProject Collection Valid UsersReaders

Correct arrangement

  • Readers
  • Project Administrators
  • Contributors

Explanation

Project Managers need read-only access, so the 'Readers' group is correct as it grants view-only permissions following least privilege. The Lead Developer requires repository creation, permission management, policy management, and contribution rights - 'Project Administrators' is the appropriate group as it encompasses all these capabilities within the project scope (not Project Collection Administrators, which is broader than necessary). Developers need to contribute and create branches but must NOT bypass policies when pushing, which aligns exactly with the 'Contributors' group - Contributors can contribute and create branches but cannot bypass branch policies, unlike Project Administrators who can.

Topics

#Azure DevOps Security Groups#Role-Based Access Control#Least Privilege Principle#Repository Permissions

Community Discussion

No community discussion yet for this question.

Full AZ-400 Practice