AZ-400 Exam Overview
Prepare for the Microsoft AZ-400 certification exam
with our comprehensive study guide. This study material contains 531 practice questions
sourced from real exams and expert-verified for accuracy. Each question includes the correct answer
and a detailed explanation to help you understand the material thoroughly.
The AZ-400 exam — Designing and Implementing Microsoft DevOps Solutions — is offered by Microsoft.
Passing this exam earns you the Microsoft Certified: Azure DevOps Engineer Expert credential,
an industry-recognized certification that validates your expertise.
Our study materials were last updated on 2026-02-14 to reflect the
most recent exam objectives and content.
About the Microsoft Certified: Azure DevOps Engineer Expert
The Microsoft Certified: Azure DevOps Engineer Expert is awarded by Microsoft
to professionals who demonstrate competence in the skills measured by the AZ-400 exam.
According to the
official Microsoft certification page,
this certification validates your ability to work with the technologies covered in the exam objectives.
According to the
Global Knowledge IT Skills and Salary Report,
certified IT professionals earn 15-25% more than their non-certified peers.
Certifications from Microsoft are among the most recognized credentials in the IT industry,
with strong demand across enterprise organizations worldwide.
Free Sample — 15 Practice Questions
Preview 15 of 531 questions from the AZ-400 exam.
Try before you buy — purchase the full study guide for all 531 questions with answers and explanations.
Question 339
Your company is building a new solution in Java.
The company currently uses a SonarQube server to analyze the code of .NET solutions.
You need to analyze and monitor the code quality of the Java solution.
Which task types should you add to the build pipeline?
A. Gradle
B. CocoaPods
C. Grunt
D. Gulp
Show Answer
Correct Answer: A
Explanation:
To analyze Java code with SonarQube in a build pipeline, you use a Java build tool that integrates with SonarQube analysis. Gradle is a standard Java build automation tool and has native support for running SonarQube analysis via plugins/tasks. CocoaPods is for iOS, while Grunt and Gulp are JavaScript task runners and are not applicable to Java projects.
Question 436
You are building a Microsoft ASP.NET application that requires authentication.
You need to authenticate users by using Azure Active Directory (Azure AD).
What should you do first?
A. Assign an enterprise application to users and groups
B. Create an app registration in Azure AD
C. Configure the application to use a SAML endpoint
D. Create a new OAuth token from the application
E. Create a membership database in an Azure SQL database
Show Answer
Correct Answer: B
Explanation:
To authenticate an ASP.NET application with Azure Active Directory, the first required step is to register the application in Azure AD. App registration establishes the application's identity, generates the client (application) ID, and defines redirect URIs and permissions needed for Azure AD authentication. Other steps like assigning users, configuring protocols (SAML/OAuth), or issuing tokens depend on the app registration already existing.
Question 195
SIMULATION -
You need to ensure that an Azure web app named az400-123456789-main supports rolling upgrades. The solution must ensure that only 10 percent of users who connect to az400-123456789-main use update versions of the app.
The solution must minimize administrative effort.
To complete this task, sign in to the Microsoft Azure portal.
Show Answer
Correct Answer: Create an App Service deployment slot (for example, staging)
Route 10% of production traffic to the staging slot
Explanation:
Azure App Service deployment slots support rolling upgrades with traffic splitting. Creating a staging slot and setting its traffic percentage to 10% ensures only 10% of users use the updated version while minimizing administrative effort.
Question 31
You use Azure Pipelines to build and test code.
You need to analyze the agent pool usage.
What are two ways to achieve the goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Review the historical graph for the agent pools.
B. Review the Pipeline duration report.
C. Query the TaskAgentPoolSizeSnapshot/TaskAgentPoolSizeSnapshots endpoint.
D. Query the PipelineRun/PipelineRuns endpoint.
Show Answer
Correct Answer: A, C
Explanation:
Agent pool usage can be analyzed either through built-in visual reporting or via analytics data. Reviewing the historical graph for agent pools directly shows pool utilization over time. Querying the TaskAgentPoolSizeSnapshot/TaskAgentPoolSizeSnapshots analytics endpoint provides detailed, queryable data about agent pool size and usage. Pipeline duration reports and PipelineRuns focus on pipeline execution, not agent pool utilization.
Question 319
You need to consider the underlined segment to establish whether it is accurate.
Your company has a multi-tier application that has its front end hosted in Azure App Service.
To pinpoint the average load times of the application pages, you should make use of Azure Event Hubs.
Select `No adjustment required` if the underlined segment is accurate. If the underlined segment is inaccurate, select the accurate option.
A. No adjustment required.
B. Azure Application Insights
C. Azure Log Analytics
D. Azure Advisor
Show Answer
Correct Answer: B
Explanation:
Azure Event Hubs is used for large-scale event ingestion and streaming, not for measuring web page performance. To determine average page load times for a front end hosted in Azure App Service, Azure Application Insights is the correct service. It is designed for application performance monitoring and provides detailed metrics such as page load times, request durations, and user experience insights.
Question 450
You have an existing project in Azure DevOps.
You plan to integrate GitHub as the repository for the project.
You need to ensure that Azure Pipelines runs under the Azure Pipelines identity.
Which authentication mechanism should you use?
A. personal access token (PAT)
B. GitHub App
C. Azure Active Directory (Azure AD)
D. OAuth
Show Answer
Correct Answer: B
Explanation:
To ensure Azure Pipelines runs under the Azure Pipelines identity (not a personal GitHub user), you must use the Azure Pipelines GitHub App. GitHub App authentication runs builds and status checks using the Azure Pipelines identity. In contrast, OAuth and PAT authenticate using a personal GitHub identity, and Azure AD is not used for GitHub repository authentication.
Question 62
HOTSPOT
-
You have a GitHub repository that contains a workflow named WF1. WF1 is used to build code for an app named App1.
You need to add a build status badge to the README.md file in the repository for App1.
How should you complete the URL for the badge? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Show Answer
Correct Answer: Repository owner
Repository name
Explanation:
A GitHub Actions workflow badge URL follows the format https://github.com/OWNER/REPOSITORY/actions/workflows/WORKFLOW_FILE/badge.svg. Therefore, the two placeholders are the repository owner and the repository name.
Question 23
HOTSPOT
-
You have an Azure Pipelines pipeline that has the following definition.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Show Answer
Correct Answer: Yes
Yes
No
Explanation:
Jobs without dependencies can run in parallel. Job B and Job C explicitly have no dependencies. Job D depends only on Job C, so it can run alongside Job B but not alongside Job C.
Question 209
DRAG DROP -
You have a web app named App1 that is hosted on multiple servers. App1 uses Application Insights in Azure Monitor.
You need to compare the daily CPU usage from the last week for all servers.
How should you complete the query? To answer, drag the appropriate values to the correct targets. Each value may be used once, more than once, or not at all.
You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Show Answer
Correct Answer: bin(timestamp, 1d)
render timechart
Explanation:
Daily comparison requires grouping timestamps into 1-day bins. A timechart visualization shows CPU usage trends per server over the last 7 days.
Question 111
You use GitHub for source control.
You are evaluating whether to use proxying to add a private upstream MyGet package feed to your MyGet feed.
What are two possible advantages of this approach? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. minimizes the impact of upstream source availability issues
B. minimizes latency when accessing the package
C. provides automatic authentication
D. minimizes the impact on your storage quota
Show Answer
Correct Answer: C, D
Explanation:
With MyGet upstream proxying, packages are fetched on demand from the upstream feed and are not stored against your feed’s storage quota, and MyGet automatically handles authentication to private upstream MyGet feeds. Availability protection and latency improvements are characteristics of mirroring, not proxying.
Question 526
DRAG DROP -
You plan to use Azure Kubernetes Service (AKS) to host containers deployed from images hosted in a Docker Trusted Registry.
You need to recommend a solution for provisioning and connecting to AKS. The solution must ensure that AKS is RBAC-enabled and uses a custom service principal.
Which three commands should you recommend be run in sequence? To answer, move the appropriate commands from the list of commands to the answer area and arrange them in the correct order.
Select and Place:
Show Answer
Correct Answer: az ad sp create-for-rbac
az aks create
az aks get-credentials
Explanation:
First create a custom service principal for AKS. Then create the AKS cluster using that service principal with RBAC enabled. Finally, retrieve cluster credentials to connect to AKS from the CLI.
Question 179
You use Azure DevOps processes to build and deploy code.
You need to compare how much time is spent troubleshooting issues found during development and how much time is spent troubleshooting issues found in released code.
Which KPI should you use?
A. defect escape rate
B. unplanned work rate
C. defect rate
D. rework rate
Show Answer
Correct Answer: A
Explanation:
The requirement is to compare time spent troubleshooting issues found during development versus issues found after release. The defect escape rate measures how many defects escape development/testing and are found in production compared to total defects. This directly reflects the balance between pre-release and post-release issue discovery and, by extension, troubleshooting effort in each phase. The other KPIs do not distinguish where defects are found.
Question 500
You have a branch policy in a project in Azure DevOps. The policy requires that code always builds successfully.
You need to ensure that a specific user can always merge changes to the master branch, even if the code fails to compile. The solution must use the principle of least privilege.
What should you do?
A. Add the user to the Build Administrators group.
B. Add the user to the Project Administrators group.
C. From the Security settings of the repository, modify the access control for the user.
D. From the Security settings of the branch, modify the access control for the user.
Show Answer
Correct Answer: D
Explanation:
Branch policies in Azure DevOps can be bypassed only through branch-level security permissions. By modifying the security settings of the specific branch (e.g., master), you can grant the user permission to override or be exempt from branch policies, allowing merges even when the build fails. This targets only that branch and user, satisfying the principle of least privilege. Repository- or project-level roles would grant broader, unnecessary permissions.
Question 498
Your development team is building a new web solution by using the Microsoft Visual Studio integrated development environment (IDE).
You need to make a custom package available to all the developers. The package must be managed centrally, and the latest version must be available for consumption in Visual Studio automatically.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Publish the package to a feed.
B. Create a new feed in Azure Artifacts.
C. Upload a package to a Git repository.
D. Add the package URL to the Environment settings in Visual Studio.
E. Add the package URL to the NuGet Package Manager settings in Visual Studio.
F. Create a Git repository in Azure Repos.
Show Answer
Correct Answer: A, B, E
Explanation:
To centrally manage a custom package and make the latest version automatically available in Visual Studio, you must create a central package feed (Azure Artifacts), publish the package to that feed, and configure Visual Studio to consume it via NuGet settings. Azure Artifacts provides centralized management, publishing makes versions available, and adding the feed URL to NuGet Package Manager enables automatic discovery and restore in Visual Studio.
Question 68
HOTSPOT
-
You have a management group that contains four Azure subscriptions. Each subscription contains four resource groups.
You develop a new web app named App1.
You plan to deploy an instance of App1 to each resource group.
You need to create a Bicep template that will be used to deploy App1. The solution must meet the following requirements:
• The name of each App1 instance must be consistent for each subscription and resource group.
• The name of each App Service plan used to host App1 must be consistent.
How should you complete the template? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Show Answer
Correct Answer: App Service plan uniqueString: subscription().id
App name uniqueString: resourceGroup().id
Explanation:
The App Service plan name must be consistent across resource groups within the same subscription, so it derives from subscription().id. Each web app instance must be consistent per resource group while remaining unique across groups, so it derives from resourceGroup().id. uniqueString() ensures deterministic, compliant names.