nerdexam
Microsoft

AZ-400 · Question #497

Drag and Drop Question You have a tenant in Microsoft Azure Active Directory (Azure AD), part of Microsoft Entra. The tenant contains three groups named Group1, Group2, and Group3. You create a new pr

The correct answer is Organization-level Administrator; Project-level Administrator; User. Group1 needs 'Organization-level Administrator' because sharing/unsharing a service connection across projects is an organization-wide administrative action that requires the highest scope of service connection management. Group2 needs 'Project-level Administrator' because renami

Submitted by kim_seoul· Mar 6, 2026Design and implement a secure DevOps pipeline - specifically managing service connection permissions and roles in Azure DevOps (AZ-400 / DevOps Engineer Expert certification domain: Implement and manage infrastructure and security)

Question

Drag and Drop Question You have a tenant in Microsoft Azure Active Directory (Azure AD), part of Microsoft Entra. The tenant contains three groups named Group1, Group2, and Group3. You create a new project in Azure DevOps named Project1. You need to secure the service connections for Project1. The solution must meet the following requirements: - The members of Group1 must be able to share and unshare a service connection with other projects. - The members of Group2 must be able to rename a service connection and update the description. - The members of Group3 must be able to use the service connection within build or release pipelines. - The principle of least privilege must be followed. Which permission should you grant to each group? To answer, drag the appropriate permissions to the correct groups. Each permission may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point. Answer:

Exhibit

AZ-400 question #497 exhibit

Answer Area

Drag items

ContributorCreatorOrganization-level AdministratorProject-level AdministratorUser

Correct arrangement

  • Organization-level Administrator
  • Project-level Administrator
  • User

Explanation

Group1 needs 'Organization-level Administrator' because sharing/unsharing a service connection across projects is an organization-wide administrative action that requires the highest scope of service connection management. Group2 needs 'Project-level Administrator' because renaming a service connection and updating its description are administrative actions scoped to the project level, granting manage permissions without the broader cross-project sharing rights. Group3 needs 'User' (which maps to the 'User' permission role) because members only need to consume/use the service connection within pipelines, which is the least privileged role that still allows pipeline consumption - satisfying the principle of least privilege.

Topics

#Azure DevOps#Service Connections#Role-Based Access Control#Principle of Least Privilege

Community Discussion

No community discussion yet for this question.

Full AZ-400 Practice