nerdexam
Microsoft

AZ-400 · Question #415

Drag and Drop Question You have an Azure subscription that contains a project in Azure DevOps named Project1. You have three Azure Active Directory (Azure AD) users that require access to Project1 as

The correct answer is Readers; Project Administrators; Contributors. The correct arrangement follows the principle of least privilege by assigning each user only the minimum permissions needed for their role. A user who only needs to view project information gets 'Readers' (read-only access), a user who needs to manage the project, its settings, a

Submitted by ngozi_ng· Mar 6, 2026Configure and manage Azure DevOps permissions and security groups to implement role-based access control (RBAC) aligned with the principle of least privilege

Question

Drag and Drop Question You have an Azure subscription that contains a project in Azure DevOps named Project1. You have three Azure Active Directory (Azure AD) users that require access to Project1 as shown in the following table. You need to ensure that the users have the appropriate permissions. The solution must use the principle of least privilege. To which permission group in Azure DevOps should you add each user? To answer, drag the appropriate permission groups to the correct users. Each permission group may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point. Answer:

Exhibits

AZ-400 question #415 exhibit 1
AZ-400 question #415 exhibit 2

Answer Area

Drag items

Build AdministratorsContributorsProject AdministratorsReaders

Correct arrangement

  • Readers
  • Project Administrators
  • Contributors

Explanation

The correct arrangement follows the principle of least privilege by assigning each user only the minimum permissions needed for their role. A user who only needs to view project information gets 'Readers' (read-only access), a user who needs to manage the project, its settings, and users gets 'Project Administrators' (full project control), and a user who needs to contribute code, work items, and pipelines gets 'Contributors' (read/write without administrative control). This ensures no user has more access than their responsibilities require, satisfying the least privilege principle.

Topics

#Azure DevOps#Permission Groups#Least Privilege#Azure Active Directory

Community Discussion

No community discussion yet for this question.

Full AZ-400 Practice