Exam AZ-400 topic 4 question 11 discussion

Organization -> Reader Project -> User

I think the Project level access should be User in this scenario

Came in Exam June 23, 2024

Agree with below. There is no service account for Project security. Service account is only Organizatiuon security. https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/pools-queues?view=azure-devops&tabs=yaml%2Cbrowser Organization -> Reader Project -> User

Organization- Reader Project- User If the user needed ability to add project agent pool then Service account at organization level.

Correct answer is: Organization -> reader Project -> User Service Account is on organization and not on Project level https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/pools-queues?view=azure-devops&tabs=yaml%2Cbrowser#security

Organization > Reader Project> User Project-level security roles Reader: view the project agent pool User: can use the project agent pool Administrator: all the above operations and manage membership for all roles of the project agent pool

Organization -> Reader Project -> User

Project -> User Organization -> Reader

https://learn.microsoft.com/en-us/azure/devops/organizations/security/about-security-roles?view=azure-devops

There is no administration work in requirements which is only thing i like about this question. Therefore the answer has to be: Organisation - Reader Project - User

https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/pools-queues?view=azure-devops&tabs=yaml%2Cbrowser "Reader Members of this role can view the agent pool as well as agents. You typically use this to add operators that are responsible for monitoring the agents and their health." "User Members of this role can use the project agent pool when authoring pipelines." Organization ---> Reader Project ---> User

On Project level , the Service Account, dont exist. So the correct answer is : Organization : Reader Project : User

Organization -> Reader Project -> User Agent pool security roles, project-level You add users to the following security roles from the project-level admin context, Agent Pools page. For information on adding and managing agent pools, see Agent pools. TABLE 1 Role (project-level) Description Reader Can view the pool. You typically add operators to this role that are responsible for monitoring the build and deployment jobs in that pool. User Can view and use the pool when authoring build or release pipelines. Creator Can create and use the pool when authoring build or release pipelines. Administrator Can manage membership for all roles of the pool, as well as view and use the pools. The user that created a pool is automatically added to the Administrator role for that pool.

the answer is correct Reader Can view the pool as well as agents. You typically add operators to this role that are responsible for monitoring the agents and their health. Service Account Can use the pool to create an agent in a project. If you follow the guidelines for creating new pools, you typically do not have to add any members to this role. Administrator Can register or unregister agents from the pool and manage membership for all pools, as well as view and create pools. They can also use the agent pool when creating an agent in a project. The system automatically adds the user that created the pool to the Administrator role for that pool. Role Description Reader Can only view deployment groups. Creator Can view and create deployment groups. User Can view and use but cannot manage or create deployment groups. Administrator Can administer roles, manage, view and use deployment groups.

Frist one is definitely not the Reader (Organization ) because Members of this role can view the agent pool as well as agents. You typically use this to add operators that are responsible for monitoring the agents and their health.

The issue with user at project is that the account creating the project automatically gets added to the administration area as is shown in their explanation, That's why it says service account.