Microsoft AZ-400 Designing and Implementing Microsoft DevOps Solutions Exam Dumps and Practice Test Questions Set 1 Q1-20

Visit here for our full Microsoft AZ-400 exam dumps and practice test questions.

1. Question:

Your organization uses Azure DevOps Services and has adopted Git as its version-control model. They want to capture the lead time metric (the time from when work begins on a story until it is deployed to production) and display it on a dashboard in Azure Boards. Which widget or metric would be most appropriate for this scenario?

A) Cumulative Flow Diagram

B) Cycle Time

C) Burndown Chart

D) Lead Time Chart

 

Answer: B) Cycle Time

Explanation:

Cycle time tracks the duration from when work becomes active to when it is completed (or moved to done). It is a measure of process efficiency. Although the organization is interested in “lead time” (which is typically from creation to production), in many DevOps tools the widget labelled “Cycle Time” is used to track the active-to-done period. A “Lead Time Chart” may not always exist as a ready-made widget in Azure Boards; you can use the Cycle Time widget and correlate with when work becomes active until deployment. A Cumulative Flow Diagram gives state-movement visualization but not a specific elapsed-time metric. A Burndown Chart shows remaining work but not elapsed time for items.

Cycle time is a fundamental metric used in Agile and DevOps methodologies to evaluate the efficiency and predictability of a team’s workflow. It measures the total time taken for a work item to progress from the moment it becomes active—meaning actual work has started—until it is completed or moved to the “Done” state. This metric helps teams understand how quickly they can deliver features, fixes, or improvements once development begins. Shorter and more consistent cycle times generally indicate a mature and optimized delivery process, while long or highly variable cycle times may reveal bottlenecks, delays, or quality issues that need attention.

Although many organizations aim to measure lead time—the total duration from when a request or requirement is created until it is released to production—most DevOps tools, including Azure Boards, provide a Cycle Time widget by default rather than a Lead Time chart. The Cycle Time widget focuses specifically on the active phase of the workflow, giving visibility into how long tasks spend in development and testing. Teams can extend its usefulness by correlating the data with deployment information from Azure Pipelines to estimate full lead time.

It’s important to distinguish between related metrics. A Cumulative Flow Diagram (CFD) displays the number of work items in each state over time, highlighting flow stability and potential bottlenecks but not the precise duration items spend in each stage. A Burndown Chart, on the other hand, visualizes the amount of remaining work versus time, making it valuable for sprint planning but not for measuring process efficiency. Thus, when assessing delivery performance and identifying improvement opportunities, the Cycle Time metric offers the clearest picture of how effectively a DevOps team transforms work into completed value.
(Source: Skills measured for AZ-400: “appropriate metrics … such as cycle times, lead time”). 

2. Question:

You are designing the branching strategy for a new project using GitHub and Azure Repos. The team desires short‐lived feature branches, frequent merges, and minimal branching overhead. Which branching model best aligns with this requirement?

A) Feature branch + release branch model

B) Trunk-based development with short-lived branches

C) GitFlow (develop, feature, release, hotfix)

D) Fork and pull-request only model

Answer: B) Trunk-based development with short-lived branches

Explanation:

Trunk-based development is characterized by developers committing to a shared main branch (often “trunk” or “main”) frequently, using short-lived feature branches (or even direct commits) and frequent merges. This aligns with the requirement of minimal branching overhead and frequent merges. GitFlow (C) is more complex with long-lived ‘develop’, ‘release’, and ‘hotfix’ branches and more overhead. Feature+release branch model (A) may still introduce longer‐lived branches. Fork+pull-request model (D) is more common in open-source scenarios rather than fast internal DevOps work. The AZ-400 skills outline explicitly mentions trunk-based and feature branch strategies. 

Trunk-based development is a modern branching strategy that emphasizes simplicity, speed, and collaboration. In this approach, all developers commit their code frequently to a single shared branch, often referred to as the “trunk”, “main”, or “master” branch. The focus is on keeping branches short-lived—developers may create small feature branches that last only a few hours or a single day before merging back into the main branch. This practice reduces merge conflicts, integration delays, and the risk of divergence between multiple long-lived branches. Frequent integration ensures that the codebase remains stable and always in a releasable state, which directly supports continuous integration (CI) and continuous delivery (CD)—core principles evaluated in the AZ-400: Designing and Implementing Microsoft DevOps Solutions certification exam.

Trunk-based development contrasts sharply with the GitFlow model, which introduces multiple long-lived branches such as develop, release, and hotfix. While GitFlow provides structure, it also adds overhead and delays integration, making it less suitable for teams aiming for daily or continuous releases. Similarly, the feature + release branch approach can still lead to longer-lived branches and slower feedback cycles. The fork-and-pull-request model is typically used in open-source projects, where contributors work independently rather than in a closely coordinated team environment.

By committing frequently to the main branch, teams adopting trunk-based development benefit from faster feedback, easier code reviews, and automated testing that catches issues early. This approach fosters a culture of collaboration and continuous improvement, aligning perfectly with DevOps goals of accelerating delivery while maintaining high code quality. In the context of the AZ-400 exam, understanding when and why to use trunk-based development—especially for teams practicing continuous integration—is crucial, as Microsoft explicitly lists it among the recommended source control and branching strategies for efficient DevOps implementation.

3. Question:

You need to implement package management for a microservices architecture. You plan to store internal NuGet packages and upstream public packages, and restrict some upstream versions for compliance. Which service would you recommend in the Microsoft ecosystem?

A) Azure Container Registry

B) Azure Artifacts

C) GitHub Packages only

D) Azure Blob Storage

 

Answer: B) Azure Artifacts

Explanation:

Azure Artifacts is the Microsoft-supported service for package management, supporting NuGet, npm, Maven, Python, and more. It enables you to define feeds, upstream sources, views, and versioning strategies—exactly what the scenario requires (internal packages + upstream + restriction). Azure Container Registry (A) is for container images, not general code packages. GitHub Packages (C) is possible but if you’re using Azure DevOps and want integrated feed management, Azure Artifacts is the appropriate choice. Azure Blob Storage (D) is a more generic storage service but lacks built-in package feed semantics and versioning. In the skills outline under “Design and implement a package management strategy” the mention of Azure Artifacts and GitHub Packages is present.

Azure Artifacts is Microsoft’s fully managed, enterprise-grade package management service that seamlessly integrates with Azure DevOps. It supports multiple package formats—including NuGet, npm, Maven, Python, and Universal Packages—making it an ideal choice for organizations that develop and manage software across diverse technology stacks. Azure Artifacts allows teams to create and manage feeds, which act as repositories for storing and distributing packages both internally and externally. It also enables the configuration of upstream sources, allowing teams to connect to public repositories like npmjs.com or nuget.org while maintaining control over which external versions are used, thereby supporting compliance and security policies.

One of its key features is versioning and view management, which allows teams to promote packages through environments (such as development, staging, and production) while controlling visibility and access. This ensures that only approved or tested versions are used in production builds. In contrast, Azure Container Registry (ACR) is specifically designed for storing and managing container images, not general software libraries or build dependencies. GitHub Packages provides similar functionality, but when working within Azure DevOps pipelines, Azure Artifacts offers deeper integration with build and release workflows. Azure Blob Storage, while capable of storing binaries, lacks built-in dependency management, metadata tracking, or semantic versioning support.

The AZ-400 exam’s skill domain “Design and implement a package management strategy” specifically highlights Azure Artifacts as the recommended tool for managing internal dependencies, integrating package feeds into CI/CD pipelines, and implementing governance controls. By using Azure Artifacts, DevOps teams can maintain consistency, improve traceability, and ensure secure, compliant reuse of software components across multiple projects and teams.

4. Question:

Your team uses YAML pipelines in Azure Pipelines. You want to implement a multi-stage pipeline with parallel jobs within a stage, across a self-hosted agent pool. What element in the YAML should you use to define parallel jobs within a stage?

A) jobs: with multiple entries in the same stage

B) matrix: inside a job

C) dependsOn: within a job only

D) pool: parallel: true

 

Answer: A) jobs: with multiple entries in the same stage

Explanation:

In Azure Pipelines YAML, a stage can contain multiple jobs. These jobs, by default, run in parallel (unless specified otherwise). The matrix: directive (B) is used to generate multiple job variations based on parameters or inputs, but the core mechanism is still defining multiple jobs:. dependsOn: (C) is used to sequence jobs or stages rather than parallelize them. pool: parallel: true (D) is not a valid root directive for parallelization; the parallelization is achieved by multiple jobs defined under jobs:. Thus, to implement parallel jobs within a stage, you define multiple jobs. The skills guide mentions “strategy for job execution order, including parallelism and multi-stage pipelines”. 

5. Question:

In a deployment strategy for a web application in Azure App Service, you want to deploy a new version with minimal downtime and ability to quickly roll back. Which deployment pattern fits best?

A) Blue-green deployment

B) Rolling update with no slot swap

C) Canary release with full traffic to new version

D) Reinstall server and cut over

 

Answer: A) Blue-green deployment

Explanation:

Blue-green deployment involves having two identical environments (blue = current production, green = new version). When the new version is ready, traffic is switched (swap) to the green environment. If issues arise, you can quickly switch back. This supports minimal downtime and fast rollback. Rolling update (B) may still have partial service interruption and is less atomic. Canary (C) gradually increases traffic but isn’t as immediate for full cutover and rollback may be slower. Reinstalling server (D) is disruptive. The skills measured state “blue-green, canary, ring, progressive exposure, feature flags” in the deployment strategy section. 

Blue-green deployment is a deployment strategy designed to achieve zero-downtime releases and rapid rollback capabilities. It operates by maintaining two identical environments—commonly referred to as the Blue environment (the current production environment) and the Green environment (the new version of the application). The new version is deployed, validated, and tested in the Green environment while users continue accessing the Blue one. Once validation is complete and confidence in the new release is high, traffic is redirected—either through a load balancer, DNS switch, or slot swap in Azure App Service—from Blue to Green. This switchover happens almost instantaneously, ensuring users experience little to no downtime.

If issues are detected after release, rollback is as simple as redirecting traffic back to the Blue environment. This minimizes risk, making Blue-Green deployment ideal for mission-critical applications that require high availability. In comparison, rolling updates gradually replace instances and may cause partial service interruptions, while canary deployments release updates to a small user segment first, providing safer gradual exposure but slower full rollout.

For the AZ-400 exam, it’s important to understand that Blue-Green deployments exemplify progressive delivery techniques alongside strategies like canary, ring-based, and feature flag deployments—all of which are key to achieving safe, controlled, and automated application delivery in a DevOps environment.

6. Question:

Your pipeline needs to deploy infrastructure as code using Bicep, ensure compliance with the company’s governance policy, and automatically test the infrastructure deployment for drift every night. Which combination of tools/services would you choose?

A) Azure Resource Manager (ARM) templates only

B) Bicep for IaC + Azure Policy + Azure Automation DSC

C) Terraform only with custom scripts

D) Manual scripts executed via Azure CLI each night

 

Answer: B) Bicep for IaC + Azure Policy + Azure Automation DSC

Explanation: For infrastructure as code (IaC) in the Microsoft ecosystem, Bicep is the recommended DSL (Domain Specific Language) that is newer and more concise than raw ARM templates. To enforce governance/compliance, you use Azure Policy (which can audit or enforce resources). To test for configuration drift and ensure desired state has been upheld, you can leverage Azure Automation State Configuration (DSC) or Azure Automanage Machine Configuration. The scenario asks for nightly drift testing, so combining IaC, policy enforcement, and configuration monitoring makes sense. Option A lacks governance and drift detection. Option C (Terraform only) is less aligned with Microsoft native tooling (though possible, not the best fit for this scenario). Option D is manual and lacks automation. The skills outline covers “Define an IaC strategy … desired state configuration for environments”.

7. Question:

In your GitHub Actions workflow, you reference a secret named PROD_API_KEY required by your deployment job. What is the best practice way to store and reference this secret?

A) Store the key directly as a string in the workflow YAML under env:

B) Use GitHub Secrets to store PROD_API_KEY and reference ${{ secrets.PROD_API_KEY }} in the YAML

C) Store the key in a plaintext file committed to the repository and read it at runtime

D) Use a public repository variable defined in GitHub Actions

 

Answer: B) Use GitHub Secrets to store PROD_API_KEY and reference ${{ secrets.PROD_API_KEY }} in the YAML

Explanation:

Storing sensitive information such as API keys in plaintext in the YAML or repository is a security risk (A & C are wrong). Using GitHub Secrets provides a secure store; you reference them via ${{ secrets.<NAME> }} in workflow YAML. Using a public repository variable (D) also is insecure because it may expose it. The skills outline for AZ-400 includes “Implement and manage secrets … in GitHub Actions and Azure Pipelines” and “Design pipelines to prevent leakage of sensitive information”. 

8. Question:

Your organization uses Azure Monitor and wants to capture telemetry from their containerized microservices running in Kubernetes on Azure Kubernetes Service (AKS). They also need to enable distributed tracing to diagnose performance issues across services. Which combination of services would you implement?

A) Azure Monitor for containers only

B) Azure Monitor + Application Insights (with distributed tracing enabled)

C) Log Analytics workspace only

D) Azure Monitor + Virtual Machines Insights

 

Answer: B) Azure Monitor + Application Insights (with distributed tracing enabled)

Explanation:

For containerized workloads in AKS, Azure Monitor’s “Container Insights” offers resource‐level telemetry (CPU, memory, etc.) and logs; for application-level telemetry and distributed tracing, you use Application Insights. Together, they provide both infrastructure and application insights, including tracing across microservices. A Log Analytics workspace (C) is used under the covers but by itself doesn’t provide the richer application performance monitoring and tracing. Virtual Machines Insights (D) is for VMs, not containers. The skills outline includes “Configure collection of telemetry … by using Application Insights … and inspect distributed tracing by using Application Insights”. 

For containerized workloads running in Azure Kubernetes Service (AKS), observability is crucial for diagnosing performance issues and ensuring reliable operations. Azure Monitor’s Container Insights provides deep visibility into the infrastructure and runtime performance of containers, nodes, and controllers. It automatically collects metrics such as CPU usage, memory consumption, node availability, and pod restarts, helping DevOps teams identify resource bottlenecks or failing components quickly.

However, infrastructure metrics alone are not enough to understand end-to-end application behavior. That’s where Application Insights comes in—it provides application-level telemetry, including request rates, response times, dependency calls, and distributed tracing across microservices. This enables engineers to follow a single transaction as it flows through multiple services and pinpoint performance degradation or exceptions.

While a Log Analytics workspace underpins both services by storing collected logs and metrics, it does not independently offer advanced visualization or correlation features. Virtual Machines Insights, on the other hand, is tailored to VM-based workloads, not containers. For the AZ-400 exam, understanding how to configure Azure Monitor, Container Insights, and Application Insights together for comprehensive observability is an essential skill.

9. Question:

You want to restrict deployment of pipeline artifacts in Azure Pipelines until a manual business owner approval is given. In YAML the stage is called ProductionDeploy. Which of the following YAML snippets correctly configures a manual approval (pre-deployment) for that stage?

A)

stages:

  – stage: ProductionDeploy

    dependsOn: Build

    jobs:

      – job: Deploy

        steps:

          – script: echo Deploying to prod

B)

 

stages:

  – stage: ProductionDeploy

    dependsOn: Build

    approval:

      type: Manual

    jobs:

      – job: Deploy

        steps:

          – script: echo Deploying to prod

C)

 

stages:

  – stage: ProductionDeploy

    dependsOn: Build

    environment:

      name: prod

      deploymentApprovals:

        approvals:

          – name: businessOwner

            reviewers:

              – user1@contoso.com

    jobs:

      – job: Deploy

        steps:

          – script: echo Deploying to prod

D)

 

stages:

  – stage: ProductionDeploy

    dependsOn: Build

    requiresApproval: true

    jobs:

      – job: Deploy

        steps:

          – script: echo Deploying to prod

Answer: C)

Explanation:

In Azure Pipelines YAML you typically use the environment keyword to define an environment (like “prod”) and under it specify deploymentApprovals (or approvals) with reviewers for manual approval gates. Option C is correctly structured for a manual approval step. Option B uses a non-existent approval directive at the stage level, which is not valid YAML for Azure Pipelines. Option D uses requiresApproval: true which is not valid. Option A has no approval configured. The skills outline mentions “Design and implement checks and approvals by using YAML-based environments”. 

10. Question:

You are implementing a continuous integration (CI) build pipeline. You want to fail the build if code coverage falls below 80% and if any new security vulnerabilities are detected in dependencies. Which strategies would you include in the pipeline? (Choose two)

A) Add a code coverage task and fail build if threshold not met

B) Skip dependency scanning since it slows down the build

C) Integrate dependency vulnerability scanning (e.g., Dependabot, GitHub Advanced Security) and fail if issues found

D) Only run code coverage during nightly builds, not in PR builds

 

Answer: A) and C)

Explanation:

To enforce quality gates, you should incorporate both code coverage threshold checks (A) and dependency scanning (C) to detect vulnerabilities. Skipping dependency scanning (B) goes against good DevOps and security practices. Only running coverage in nightly builds (D) might delay detection of coverage regression—better to enforce earlier in PR builds. The skills outline includes “Implement tests in a pipeline … integration of test results” and “Automate security and compliance scanning … dependency, code, secret … scanning”. 

To effectively enforce quality gates in a CI pipeline you should combine automated code coverage checks with dependency vulnerability scanning so that both code correctness and supply-chain security are continuously validated. A code coverage task configured to fail the build when coverage falls below your agreed threshold (for example, 80–90%) ensures new changes cannot erode test coverage and that regressions are caught early in pull requests. Complementing this, dependency scanning (via tools like Dependabot, GitHub Advanced Security, or third-party scanners) detects known vulnerable libraries or insecure transitive dependencies; the pipeline should be configured to fail or block merges when critical or high-severity findings are introduced. Omitting dependency scanning simply because it might slow the build undermines secure development practices and increases risk. Likewise, relegating coverage checks to nightly builds delays feedback — making it harder and costlier to fix regressions — so it’s better to enforce coverage thresholds during PR/CI builds where developers receive immediate feedback. Together these practices implement a “shift-left” posture: automated, fast, and actionable gates in CI that protect quality and security while keeping the development workflow efficient and aligned with AZ-400 expectations for test integration and automated compliance scanning.

11. Question:

Your team uses GitHub for source control and wants to enforce a policy where all pull requests (PRs) must have at least one reviewer, all builds must pass, and no merge if any required status checks fail. Which feature should you configure in GitHub?

A) Branch protection rules

B) GitHub Actions workflow with manual conditions

C) GitHub Issues templates

D) GitHub Projects board automation

 

Answer: A) Branch protection rules

Explanation:

In GitHub, branch protection rules allow you to enforce policies such as requiring status checks to pass, requiring reviews before merge, requiring signed commits, etc. So this aligns exactly with the requirement. A GitHub Actions workflow (B) may automate things but cannot in itself enforce “no merge unless” without protection rules. Issues templates (C) and Projects board automation (D) are not relevant to PR merge enforcement. The skills outline mentions “Design and implement a pull request workflow by using branch policies and branch protections” under source control strategy. 

12. Question:

You are designing a pipeline retention strategy for build artifacts and dependencies. The organization policy is to keep artifacts for 30 days, but for builds marked as “Release” keep indefinitely. How would you implement this in Azure Pipelines?

A) Set the pipeline’s general retention to 30 days and manually mark release builds and set their artifacts to “never expire”

B) Create separate pipelines: one for nightly builds (30 days retention) and one for release builds (infinite retention)

C) Configure retention policies with filters: by build tag “Release” → keep forever; default builds → 30 days

D) Use Azure Blob Storage for artifacts and clean up with a script

 

Answer: C)

Explanation:

Azure Pipelines supports retention policies where you can specify conditions (e.g., builds with certain tags, branches, or patterns) and define retention settings accordingly. So you can set a rule: builds tagged “Release” → keep forever; other builds → retention 30 days. Option A is partly workable but involves manual marking—less ideal. Option B complicates pipeline structure unnecessarily. Option D moves away from first-class artifact management. The skills outline includes “design and implement a retention strategy for pipeline artifacts and dependencies”. 

Azure Pipelines provides flexible and automated retention policies that allow organizations to manage the lifecycle of build records, test results, and artifacts in a controlled and efficient manner. These retention settings ensure that important builds—such as production releases—are preserved indefinitely for auditing, rollback, or compliance purposes, while routine or temporary builds are automatically deleted after a defined period to optimize storage costs and maintain pipeline performance. Within Azure DevOps, you can configure retention rules based on specific branches, build tags, or pipeline triggers. For instance, you might define a policy stating that any build tagged as “Release” or originating from the main branch should be kept forever, whereas builds from feature or development branches should be retained for only 30 days.

This approach eliminates the need for manual marking (Option A), which is prone to inconsistency and administrative overhead. Likewise, redesigning pipelines to manage retention separately (Option B) introduces unnecessary complexity and potential maintenance challenges. Storing artifacts outside Azure Pipelines, such as in external storage (Option D), may weaken traceability and move away from Azure’s first-class artifact management capabilities.

From an AZ-400 exam perspective, understanding and implementing retention strategies is a key skill. The “Design and implement a retention strategy for pipeline artifacts and dependencies” objective focuses on ensuring that teams maintain an appropriate balance between long-term traceability and efficient resource usage. Effective retention policies not only support governance and compliance but also contribute to sustainable DevOps operations by automating cleanup and lifecycle management across pipelines.

13. Question:

Your DevOps team wants to use feature flags to turn on/off features in production without redeployment, and gradually roll out to 10% of users, then 50%. Which Azure service would you use to manage feature flags, and how would you integrate it in your pipeline?

A) Use Azure App Configuration with Feature Manager; include a task in pipeline to update flag targeting

B) Use Azure Key Vault to store feature flag values; pipeline updates values manually

C) Use environment variables in the application; pipeline toggles variable

D) Use Azure Functions to host flag logic; pipeline redeploys function

 

Answer: A)

Explanation:

Azure App Configuration’s Feature Manager capability is designed for feature flag management. You can define flags, set targeting rules (such as percentage rollout), integrate with your app (SDK), and pipeline can update flags or publish configurations during deployment. Option B is inappropriate because Key Vault is for secrets, not feature toggles. Option C (environment variables) lacks sophisticated targeting and dynamic rollout capability. Option D is overly complex and not the standard service for flags. The skills outline under “Design and implement deployments” includes “feature flags by using Azure App Configuration Feature Manager”. 

14. Question:

You are tasked with integrating a migration-proof repository strategy to manage large binary files (such as game assets) in your Git repository used by Azure Repos. Which feature should you use to optimize the repository?

A) Git Submodules

B) Git Large File Storage (LFS)

C) Git Sparse-Checkout

D) Git Clone –depth 1

Answer: B) Git Large File Storage (LFS)

Explanation:

Git LFS is designed exactly for tracking large binary files (images, videos, assets) without bloating the Git repository. The skills outline states: “Design and implement a strategy for managing large files, including Git Large File Storage (LFS) and git-fat”. Submodules (A) help with splitting repositories but don’t solve large‐file storage. Sparse-Checkout (C) helps with partial checkouts but not large-file tracking. Depth clone (D) helps clone size but doesn’t manage large assets in the repo history. 

Git Large File Storage (Git LFS) is a Git extension specifically built to handle large binary files—such as images, videos, datasets, and other media assets—that can otherwise make repositories slow and unmanageable. Instead of storing the entire binary content within the Git repository, Git LFS replaces large files with lightweight text pointers inside Git while storing the actual binary data on a separate LFS server or remote storage. This keeps the repository lean, improves clone and fetch performance, and prevents repository history from becoming bloated. Developers can still work with large assets transparently because Git LFS automatically downloads the required versions when needed.

In comparison, Git submodules (Option A) are useful for linking separate repositories within a parent project but do not address the problem of large-file management. Sparse-checkout (Option C) allows developers to check out only portions of a repository, which helps with working-set size but doesn’t prevent large binaries from bloating the repository history. Similarly, performing a shallow or depth clone (Option D) reduces the number of commits fetched but doesn’t remove large file content already stored in history.

For the AZ-400: Designing and Implementing Microsoft DevOps Solutions exam, understanding when to use Git LFS is important. The exam outline explicitly lists “Design and implement a strategy for managing large files, including Git LFS and git-fat” under source control management skills. Implementing Git LFS within Azure Repos or GitHub repositories enables DevOps teams to maintain performance, scalability, and efficiency while adhering to best practices for managing binary assets in continuous integration and delivery pipelines.

15. Question:

Your organization has multiple microservices deployed in several environments (dev, test, prod). You want to use a YAML pipeline that allows reuse of common stages across projects and maintain consistency. Which approach accomplishes this best?

A) Create one massive YAML file per project and duplicate stages

B) Use YAML templates (e.g., template: common-stages.yml) and include them in each project’s pipeline

C) Use the classic UI pipeline editor for each project

D) Write a script that copies the common stages into each YAML file before commit

 

Answer: B)

Explanation:

Reusable YAML templates are a recommended best practice in Azure Pipelines: you factor out common pipeline logic (jobs, stages) into templates and include them in pipelines across projects. This improves maintainability and consistency. Option A duplicates code and is hard to maintain. Option C (classic UI) lacks version control and reuse advantages. Option D introduces complexity and fragility. The skills list mentions “Create reusable pipeline elements, including YAML templates, task groups, variables, and variable groups”. 

16. Question:

You want to deploy changes to a SQL database as part of your CI/CD pipeline with minimal downtime. Which deployment pattern is least suitable for this scenario?

A) Rolling deployment of database schema change with backward compatibility

B) Blue-green deployment by having two identical database instances

C) Direct drop-and-recreate of database in production during off-hours

D) Use of feature flags and versioned database scripts with backup and swap

Answer: C) Direct drop-and-recreate of database in production during off-hours

Explanation:

Dropping and recreating a database in production, even during off-hours, is high risk for downtime, data loss or inconsistency, and is not aligned with minimal downtime. Rolling deployment with backward compatibility (A), blue-green (B), and using feature flags/versioned scripts with backups (D) are all more controlled strategies. The skills outline for pipelines/deployments mentions database tasks and minimizing downtime. 

Dropping and recreating a database in production, even if performed during off-hours, is considered a high-risk strategy. This approach can lead to significant downtime, potential data loss, or data inconsistencies, particularly in systems that are actively used or rely on transactional integrity. Even with backups, the process introduces operational risk because restoring data can be time-consuming, and any failure in the restore process could impact availability or correctness of the application. This method is generally not aligned with modern DevOps practices that emphasize continuous delivery, minimal downtime, and risk mitigation.

In contrast, safer deployment strategies exist for updating databases as part of CI/CD pipelines. A rolling deployment with backward-compatible schema changes (Option A) gradually updates database instances, ensuring that the system remains operational and compatible with existing application code. Blue-green deployments (Option B) involve creating a parallel database environment where changes are fully validated before switching production traffic, enabling fast rollback if issues are detected. Using feature flags combined with versioned scripts and backups (Option D) allows teams to deploy changes incrementally and control feature exposure without disrupting production.

For the AZ-400 exam, candidates are expected to understand how to design deployment strategies for databases that minimize downtime and reduce risk during releases. This includes knowledge of safe schema updates, integration with pipelines, and rollback mechanisms to maintain system reliability and business continuity. Effective database deployment strategies are a critical part of a DevOps engineer’s skill set in continuous delivery scenarios.

17. Question:

Your pipeline runs unit tests, integration tests, and load tests for a microservices application. You wish to fail the pipeline if the code coverage is less than 90% and the load test shows an average response time > 500ms. Which configuration is most appropriate for implementing this in Azure Pipelines?

A) Use publishCodeCoverageResults task and set its thresholdFail to 90; then use a separate load test task with a script that checks the results and fails if >500ms

B) Only check code coverage; ignore load test results in the pipeline

C) Use a gate in the pipeline that triggers only if response time < 300ms

D) Do not automate this; perform manual review of test reports after pipeline completion

Answer: A)

Explanation:

To enforce quality criteria programmatically, you would use the publishCodeCoverageResults (or equivalent) task to enforce a code-coverage threshold (90%). For the load test, you can add a script or dedicated task that reads the load test results and fails the job if the average response time exceeds 500 ms. Option B ignores part of the requirement. Option C uses an arbitrary 300ms threshold which doesn’t match the requirement and uses “gate” terminology but isn’t precise. Option D is manual and does not align with CI/CD automated enforcement. The skills outline mentions “Design and implement a testing strategy … integration of test results” and “quality and release gates”.

18. Question:

Your organization wants to track time to recovery (MTTR) for production incidents and display this metric on a DevOps dashboard. They also want to integrate with chat notifications in Microsoft Teams when an incident is resolved. What would you design?

A) Use Azure Monitor alerts only; no integration with Teams

B) Create a chart in Azure Boards with query for resolved work items, calculate average time, then use Teams webhook to send notification when a work item is closed

C) Use an Excel report exported manually each week

D) Use Azure DevOps Release Approvals only

Answer: B)

Explanation:

To track MTTR (time from incident start to resolution) you can use work items in Azure Boards to represent incidents. You build a query that calculates elapsed time between “active” and “closed” states (or custom fields). Then you create a chart widget on the dashboard to display the average over a time period. For Teams integration, you can configure a webhook or use the Azure DevOps ↔ Teams connector so that when a work item is updated to “Closed”, a notification is sent to a Teams channel. Option A lacks the reporting/dashboard and Teams integration. Option C is manual, not automated. Option D (release approvals) is unrelated to incident resolution metrics. The skills measured include “Design and implement appropriate metrics and queries … for operations” and “Configure integration between Azure Boards and GitHub or Azure DevOps and Microsoft Teams”.

To effectively track Mean Time to Recovery (MTTR)—the average time from the start of an incident to its resolution—you can leverage work items in Azure Boards to represent each incident. By defining incidents as work items, teams can capture metadata such as priority, severity, and impacted services, enabling structured tracking. To calculate MTTR, you can build custom queries that measure the elapsed time between the work item transitioning from “Active” (or “In Progress”) to “Closed,” or between other custom-defined fields that represent the start and end of the incident lifecycle. Once this data is available, you can create chart widgets on an Azure DevOps dashboard to visualize MTTR trends over time, highlighting patterns, recurring issues, or areas needing improvement.

For real-time collaboration and alerting, you can integrate Microsoft Teams by configuring a webhook or using the built-in Azure DevOps ↔ Teams connector. With this integration, when a work item’s state changes to “Closed,” a notification is automatically sent to the relevant Teams channel, ensuring stakeholders are informed promptly.

Other options are less effective: Option A, using only Azure Monitor alerts, provides no dashboard visualization or Teams integration; Option C, manual reporting, is error-prone and slow; and Option D, relying solely on release approvals, does not reflect operational incident metrics.

Understanding how to design queries, create dashboards, and integrate with collaboration tools aligns with the AZ-400 exam skills, specifically under “Design and implement appropriate metrics and queries for operations” and “Configure integration between Azure Boards and Microsoft Teams.” These practices ensure teams can monitor incidents, improve response times, and drive continuous operational improvement in DevOps environments.

19. Question:

You plan to migrate your CI/CD pipelines from Classic editor in Azure Pipelines to YAML. What benefits would you expect, and which consideration should you plan for?

A) Benefit: version control of pipeline definitions; Consideration: existing environments and approvals may need manual recreation in YAML

B) Benefit: pipelines run faster; Consideration: YAML cannot run on self-hosted agents

C) Benefit: no need for variable groups; Consideration: cannot reuse templates

D) Benefit: elimination of agents; Consideration: YAML cannot integrate with GitHub

Answer: A)

Explanation:

Moving to YAML pipelines gives you version control of pipeline definitions (because they live alongside your code), reuse via templates, better maintainability, and consistency. The main consideration is that constructs like environment approvals, release environment definitions, and complex release gating configured in Classic editor may need to be manually mapped or recreated when switching to YAML. Option B is incorrect because YAML doesn’t inherently run faster and YAML pipelines can run on self-hosted agents. Option C is wrong because YAML supports variable groups and templates. Option D is wrong because agents are still needed and GitHub integration is supported. The skills outline includes “Migrate a pipeline from classic to YAML”. 

20. Question:

Your application’s container images must be scanned for vulnerabilities before deployment to production in Azure Kubernetes Service (AKS). You also want the scan result to block the deployment if critical vulnerabilities are found. Which approach is most aligned with DevOps best practices in the Microsoft ecosystem?

A) Manually run container scan tool once a month and review results

B) Use a container scanning task (e.g., Azure DevOps task or GitHub Action) integrated into the build pipeline, fail the build and release if critical vulnerabilities are found, and optionally integrate with Microsoft Defender for Cloud for continuous scanning

C) Skip scanning during CI/CD; wait until production environment monitor detects issues

D) Deploy to production first, then scan and rollback if issues found

 

Answer: B)

Explanation:

Best practices dictate that security scanning is integrated early in the pipeline (shift-left), vulnerabilities block progression to release, and continuous monitoring is used in production. Integrating container scanning in CI/CD and failing build or release if critical vulnerabilities are found is aligned to this. Using Microsoft Defender for Cloud (formerly Azure Security Center) for ongoing scanning and alerting adds production-side monitoring. Option A is too infrequent and manual. Option C delays detection too late. Option D is risky because you deploy first then scan, which violates shift-left and introduces unnecessary risk. The skills outline includes “Automate security and compliance scanning … container scanning, … integrating with GitHub Advanced Security and Microsoft Defender for Cloud”.