PDF AZ-400 Study Guide

To ensure that your Azure Web App named az400-38443478-main can retrieve secrets from an Azure Key Vault named az400-3844J478-kv1 using a system managed identity with the principle of least privilege, follow these detailed steps:

Enable a System Managed Identity for the Azure Web App:

Navigate to the Azure Portal.

Go to the Azure Web App az400-38443478-main.

Select Identity under the Settings section.

In the System assigned tab, switch the Status to On.

Click Save to apply the changes.

Grant the Web App Access to the Key Vault:

Go to the Azure Key Vault az400-3844J478-kv1.

Select Access policies under the Settings section.

Click on Add Access Policy.

Choose Secret permissions and select Get and List. This grants the app the ability to read secrets, adhering to the principle of least privilege.

Click on Select principal, search for your Web App name az400-38443478-main, and select it.

Click Add to add the policy.

Don’t forget to click Save to save the access policy changes.

Retrieve Secrets in the Web App Code:

In your Web App’s code, use the Azure SDK to retrieve the secrets.

For example, in a .NET application, you can use the Azure.Identity and Azure.Security.KeyVault.Secrets namespaces.

Utilize the DefaultAzureCredential class which will automatically use the system managed identity when running on Azure.

using Azure.Identity;

using Azure.Security.KeyVault.Secrets;

var client = new SecretClient(new Uri("https://az400-3844J478-kv1.vault.azure.net/ "), new DefaultAzureCredential());

KeyVaultSecret secret = await client.GetSecretAsync("my-secret-name");

string secretValue = secret.Value;

Replace "my-secret-name" with the actual name of the secret you want to retrieve.

By following these steps, your Azure Web App will be able to securely retrieve secrets from the Azure Key Vault using a system managed identity, without needing to store credentials in the code, and adhering to the principle of least privilege. Remember to replace the placeholder names with the actual names of your Web App and Key Vault.

Step 1: Write the KQL Query

Open Azure Data Explorer:

Navigate to Azure Data Explorer and sign in with your credentials.

Access the Securitylogs Database:

Open the Securitylogs database.

Write the Query:

Use the following KQL query to count the number of inbound requests for each source IP address:

InboundBrowsing

| where Timestamp between (datetime(2021-10-01) .. datetime(2021-12-31))

| summarize NumberOfRequests = count() by SourceIP

| project SourceIP, NumberOfRequests

Step 2: Export the Query Results

Run the Query:

Execute the query in Azure Data Explorer.

Export the Results:

Once the query results are displayed, click on the Export button.

Choose the export format (e.g., CSV) and specify the export path as C:\Samples.

By following these steps, you will have successfully written a KQL query to count the number of inbound requests for each source IP address during the last three months of 2021 and exported the results to C:\Samples

Step 1: Initialize the Default Main Branch

Navigate to Azure DevOps:

Go to Azure DevOps and sign in with your credentials.

Select Your Project:

Choose Project1 from your list of projects.

Initialize the Main Branch:

Go to Repos > Files.

If the main branch does not exist, you will see an option to initialize it. Click on Initialize and follow the prompts to create the main branch1.

Step 2: Install the Microsoft Security DevOps Extension

Navigate to Extensions:

In Azure DevOps, click on the Shopping Bag icon in the top right corner and select Browse Marketplace.

Search for the Extension:

Search for Microsoft Security DevOps.

Install the Extension:

Click on Get it free.

Select your organization (User1-42147509) and click Install.

Follow the prompts to complete the installation2.

Step 3: Create a New Starter Pipeline

Navigate to Pipelines:

Go to Pipelines > New pipeline.

Select the Repository:

Choose Azure Repos Git and select the relevant repository.

Configure the Pipeline:

Select Starter pipeline and replace the default YAML with the following starter code:

trigger:

- starter

pool:

vmImage: 'windows-latest'

steps:

- task: MicrosoftSecurityDevOps@1

inputs:

command: 'run'

policy: 'azuredevops'

publish: true

Save the Pipeline:

Click on Save and enter starter as the branch name.

Click on Save and run to save the pipeline to the new branch named starter3.

By following these steps, you will have successfully initialized the main branch, installed the Microsoft Security DevOps extension, and created a new starter pipeline named starter1 that includes the specified task

Step 1: Navigate to the Library

Navigate to Azure DevOps:

Go to Azure DevOps and sign in with your credentials.

Select Your Project:

Choose Project1 from your list of projects.

Access the Library:

In the left-hand menu, select Pipelines > Library.

Step 2: Create a Variable Group

Create a New Variable Group:

On the Library page, click on + Variable group.

Configure the Variable Group:

Name: Enter varGroup1.

Description: Optionally, add a description for the variable group.

Add Variables:

Click on + Add to add a new variable.

Variable Name: Enter serverName.

Value: Enter server1.

Click OK.

Click on + Add again to add another variable.

Variable Name: Enter dbName.

Value: Enter db1.

Click OK.

Save the Variable Group:

Click on Save to save the variable group.

By following these steps, you will have successfully created a variable group named varGroup1 containing the specified variables