Microsoft · Free Practice Questions · Last reviewed May 2026
42real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.
A team uses Azure Boards and wants to ensure that work items moved to the 'Done' state require a completed code review. What should they configure?
Add a work item rule in the process template to require a code review for the 'Done' transition.
Work item rules enforce conditions on state transitions.
Modify the work item type definition to add a custom field for code review status.
Use a tag to mark work items as code-reviewed before moving to 'Done'.
Configure branch policies in Azure Repos to require pull request approvals.
During a sprint review, stakeholders complain that they don't receive notifications about completed work items. The team uses Azure Boards with a custom notification subscription. What is the most likely cause?
Email notifications are disabled at the organization level.
The subscription is set to deliver only to the team members.
The subscription's 'Deliver to' filter excludes stakeholders.
The filter must include stakeholders for them to receive notifications.
The subscription was automatically disabled after the first notification.
A multinational company uses Azure DevOps with a single project. The project has multiple teams in different time zones. They want to customize the process to reflect different working days for each team. What is the recommended approach?
Create a custom process for each time zone and assign teams accordingly.
Use the same process but create separate areas for each team, then configure working days per area path.
Use the same process and configure working days in the team settings for each team.
Team settings allow per-team working days.
Use the same process and configure capacity planning for each team to account for time off.
A team uses Azure Repos with a Git branching strategy that includes feature branches. They want to ensure that all feature branches are deleted automatically after the pull request is completed. What should they do?
Enable 'Automatically delete source branch' in the branch policy.
This deletes the source branch after the PR is completed.
Enable 'Create a merge commit' option in the branch policy.
Configure branch retention policy in the pipeline to delete branches after build.
Create a work item to remind developers to delete branches after merge.
An organization uses Azure DevOps and wants to implement a change management process where all changes to the main branch require approval from a change advisory board (CAB). The CAB members are not part of the development team. How should they configure this?
Set branch permissions to restrict push to main and only allow CAB to approve via manual process.
Create a new branch policy on main that requires a minimum number of reviewers from a separate CAB group.
Branch policies can require specific reviewers or groups.
Use a service hook to notify CAB when a PR is created, and rely on manual approval.
Add the CAB as members of the development team and require team review.
Which TWO actions help improve communication and collaboration in a distributed Azure DevOps team?
Maintain a shared wiki with project documentation and decisions.
Centralized documentation aids transparency.
Use multiple chat channels for each topic to organize discussions.
Use long email threads for decision-making to ensure full documentation.
Schedule daily stand-up meetings at a time that works for all time zones.
Daily sync helps alignment.
Avoid using pull request comments to reduce noise.
Want more Configure processes and communications practice?
Practice this domainA team uses a monorepo with multiple projects in one Git repository. They want to enforce that each commit message must reference a work item from Azure Boards. Which branch policy should they configure?
Automatically include work items in pull request descriptions
Require a work item linking policy in branch policies
This policy enforces that every pull request has at least one linked work item.
Configure a minimum number of reviewers policy
Use a build validation policy to check commit messages
An organization has multiple Git repositories. Developers often forget to update the repository README file after making changes. What is the most effective way to ensure the README is always up-to-date?
Apply a label to PRs that touch certain files and require review
Add a task in the CI pipeline that checks if the README was modified
Use a repository template with a mandatory README file structure
Templates provide a starting point and can include a README that developers must fill.
Require a pull request comment that confirms README update
A development team uses a forking workflow in Azure Repos. They want to ensure that only specific users can create forks of the main repository. How can they achieve this?
Use branch security to restrict who can create forks
Under repository settings, you can set security by group for 'Create Fork' permission.
Set branch policies on the main branch to prevent forks
Configure the repository to disable forks globally
Remove the 'Create Fork' permission from all users except the required group
A team uses Git for source control. They want to automatically squash all commits in a feature branch into a single commit when merging to the main branch. Which merge type should they use?
Rebase and fast-forward
Squash commit
Combines all changes into a single commit on target branch.
Merge commit (no fast-forward)
Semi-linear merge
A company has a policy that all code changes must be reviewed by at least two people. However, for urgent bug fixes, they want to allow a single reviewer. How should they configure the branch policy?
Set minimum number of reviewers to 1 and require a separate approval from a manager
Set minimum number of reviewers to 2 and allow resetting code review votes on new pushes
Configure a build validation policy that checks number of approvals
Set minimum number of reviewers to 2, but allow policy override for urgent fixes
Policy override can be used with a justification to bypass the two-reviewer requirement.
A team uses Git-LFS to store large binary files. They observe that cloning the repository takes a long time because Git-LFS files are downloaded. How can they improve clone performance?
Use a shallow clone with depth 1
Use the --filter=blob:none option when cloning
This partial clone defers downloading LFS blobs until they are accessed.
Use sparse checkout to limit files in working directory
Configure git lfs prune to run automatically
Want more Design and implement source control practice?
Practice this domainA team uses Azure Pipelines to build a .NET Core application. The build pipeline runs successfully, but the release pipeline fails when deploying to Azure App Service with the error: 'ERROR_FILE_IN_USE'. What is the most likely cause?
The deployment slot is not configured correctly.
The 'Take App Offline' setting is not enabled in the deployment task.
Taking the app offline releases file locks.
The Azure App Service plan is not scaled appropriately.
The build configuration is set to Release instead of Debug.
A development team is designing a build pipeline for a microservices application. They want to ensure that each service is built and tested independently, but they also need to run integration tests that span multiple services. What is the recommended approach?
Use a single release pipeline that triggers manual deployment for each service.
Create a single build pipeline that builds all services together to ensure consistency.
Create individual build pipelines for each service, and a separate release pipeline that deploys all services to an integration environment for testing.
This allows independent builds and integration tests.
Build each service separately, but skip integration tests to avoid complexity.
A company uses Azure Pipelines with YAML-based pipelines stored in a Git repository. The pipeline triggers on every push to the main branch, but the team wants to reduce unnecessary builds when only documentation files are changed. What is the best way to achieve this?
Use path filters in the trigger section to exclude 'docs/*' and '*.md' files.
Path filters allow excluding specific paths from triggering.
Configure branch policy to require a pull request for documentation changes.
Add a 'condition' to the pipeline that checks if changed files are documentation.
Disable CI trigger and rely on scheduled builds.
A team is implementing a release pipeline for a Node.js application. They want to run integration tests against a temporary environment that is destroyed after the tests complete. Which strategy should they use?
Use a separate release pipeline that deploys to a production environment for testing.
Use a single release pipeline that deploys to a staging slot and runs tests on the slot.
Run integration tests in the build pipeline using a mock environment.
Use a release pipeline that deploys to a new Azure App Service instance, runs tests, and then removes the instance.
Ephemeral environments are ideal for temporary testing.
Which TWO actions should be taken to secure secrets in Azure Pipelines? (Choose two.)
Use secret variables with the 'secret' input type to mask them in logs.
Secret variables are masked in logs.
Use a variable group without Key Vault integration for easier management.
Store secrets directly in the YAML pipeline file.
Store secrets in a variable group linked to Azure Key Vault.
Variable groups from Key Vault allow secure secret storage.
Disable CI triggers to reduce exposure.
You are reviewing an Azure Policy definition applied to an Azure DevOps project. The project has a build pipeline that deploys to production. What is the effect of this policy on the build pipeline?
The policy blocks the pipeline from running if fewer than two reviewers approve.
The policy requires two reviewers and blocks the pipeline if not met.
The policy audits the pipeline but does not enforce any mandatory reviewers.
The audit effect logs compliance without blocking.
The policy does not apply to build pipelines because the field type is teamProjects.
Want more Design and implement build and release pipelines practice?
Practice this domainA company uses Azure DevOps for CI/CD. The security team requires that all pipeline runs must use a specific service connection (ServiceConnection-Prod) that has been approved for production deployments. However, developers are accidentally using unapproved connections. You need to enforce that only the approved service connection can be used in any pipeline that deploys to the production environment. What should you do?
Define a required template for all pipelines that includes the service connection, and instruct developers to use it.
Set up a manual approval gate on the production environment stage in the pipeline.
Configure a branch policy on the main branch to require a successful build before merging.
Create an Azure Pipeline decorator that validates the service connection used in each task and fails the pipeline if it is not the approved one.
A decorator can inject validation tasks into every pipeline to enforce the use of a specific service connection.
Your organization uses Azure DevOps and Azure Key Vault to manage secrets. You have a pipeline that deploys a web app to Azure App Service. The pipeline uses a variable group linked to Key Vault to retrieve the database connection string. Recently, the build started failing with the error: 'Access to Key Vault is denied. Please ensure the service connection has Get and List permissions on secrets.' The service connection uses a service principal. You have verified that the service principal has the correct Key Vault access policy with Get and List permissions. What is the most likely cause of the failure?
The service connection is configured to use the wrong Azure subscription.
The secret name in the variable group does not match the secret name in Key Vault.
The service principal used by the service connection does not have Contributor role on the Key Vault.
The build service identity does not have Get and List permissions on the Key Vault secrets.
The build service identity (project collection or project level) must be granted access to Key Vault for variable group resolution.
A company uses Azure DevOps and needs to ensure that all pipelines use approved YAML templates from a central repository. The security team wants to prevent developers from referencing unapproved templates. What is the best way to enforce this?
Create a branch policy on the repository that requires all pull requests to be approved by security team members.
Configure a variable group with the approved template repository and require it in all pipelines.
Use a pipeline decorator to check the template origin and fail the pipeline if unapproved.
Set the 'Required template' repository setting in the Azure DevOps project to the approved central repository.
This built-in setting enforces that all YAML templates must come from the specified repository.
You are designing a compliance strategy for Azure DevOps pipelines that deploy to production. The company policy requires that all production deployments must be reviewed by a security lead. Additionally, the deployment must use a specific release pipeline that has been pre-approved. How should you implement this?
Create a branch policy that requires the security lead to approve the pull request before merging.
Define a 'production' environment in Azure DevOps and configure an approval check that requires the security lead. Have the pipeline deploy to that environment.
Environment approvals provide the required manual review gate.
Use a Classic release pipeline with a pre-deployment approval gate for the production stage.
Store the approved pipeline definition in a variable group and reference it in all pipelines.
A financial services company uses Azure DevOps and requires that all secrets (e.g., API keys, connection strings) be stored in Azure Key Vault. They have a pipeline that runs automated tests and deploys to staging. The pipeline uses a variable group linked to Key Vault to retrieve secrets. Recently, the pipeline failed with the error: 'Secret 'DbPassword' not found in Key Vault 'kv-prod'. Ensure the secret exists and the service principal has List permission.' The secret exists in the vault. What is the most likely cause?
The variable group is linked to the wrong Key Vault instance.
The variable name in the variable group does not exactly match the secret name in Key Vault (case-sensitive).
Azure DevOps maps variable names to secret names, and the match is case-sensitive.
The service principal does not have Get permission on the secret.
The Key Vault is in a different Azure region than the Azure DevOps organization.
Your organization uses Azure DevOps and Azure Policy to enforce compliance. You need to ensure that all Azure resources deployed by Azure DevOps pipelines have specific tags (e.g., CostCenter and Environment) applied. Which TWO approaches can achieve this? (Choose TWO.)
Configure the service connection to only allow deployments with tags.
Create an Azure Policy with the 'audit' effect to report non-compliant resources.
Create an Azure Policy with the 'deny' effect that requires the tags to be present at resource creation.
Deny policy blocks deployment of non-compliant resources.
Add a pipeline task after resource creation that applies the required tags using Azure CLI or PowerShell.
This remediates missing tags post-deployment.
Configure a branch policy on the main branch to require tag verification in pull requests.
Want more Develop a security and compliance plan practice?
Practice this domainYou are configuring Application Insights for a .NET Core web application deployed to Azure App Service. The application must capture telemetry for all HTTP requests, exceptions, and dependency calls with minimal code changes. What should you do?
Enable the Application Insights site extension in the App Service 'Application Insights' blade.
The site extension enables auto-instrumentation with no code changes.
Configure diagnostics logging in the App Service and stream logs to Application Insights.
Install the Microsoft.ApplicationInsights.AspNetCore NuGet package and add services.AddApplicationInsightsTelemetry() in Startup.cs.
Add the Application Insights JavaScript SDK to each page.
Your team uses Azure DevOps for CI/CD. You need to ensure that every build publishes telemetry to Application Insights, including build duration, test pass rate, and deployment frequency. Which approach should you use?
Call the Azure DevOps REST API from a custom script in the pipeline to capture telemetry.
Run the Azure DevOps CLI command 'az devops telemetry publish' in a build task.
Use the built-in 'Pipeline Telemetry' dashboard in Azure DevOps.
Use the Azure DevOps Analytics OData endpoint to query pipeline telemetry and send to Application Insights via a release task.
OData provides structured telemetry data that can be streamed.
You are designing a centralized logging strategy for multiple microservices hosted in Azure Kubernetes Service (AKS). Each microservice writes logs in JSON format to stdout/stderr. The operations team needs to query logs across all services and correlate them with application performance metrics. Which solution provides the best integration?
Configure AKS to send logs to Azure Blob Storage and use Azure Storage Analytics for querying.
Enable Container Insights in Azure Monitor to collect stdout/stderr logs and metrics into a Log Analytics workspace.
Container Insights provides integrated log and metric collection with querying via KQL.
Stream logs to Azure Event Hubs and then to Azure Data Explorer for analysis.
Deploy the Application Insights agent as a DaemonSet in AKS and send logs directly to Application Insights.
You have an Azure DevOps pipeline that deploys a web app to Azure App Service. You want to capture deployment frequency and change failure rate as metrics in Application Insights. Which built-in analytics view should you use?
Deployment Frequency
It provides the requested metrics.
Application Dashboard
Time to Restore Service
Azure DevOps Pipeline Telemetry
You are troubleshooting an intermittent performance issue in a web application. Application Insights shows a high number of failed dependency calls to Azure SQL Database. The errors are SqlException with error code -2 (timeout). What is the most likely cause and recommended fix?
The application is exhausting the connection pool; increase Max Pool Size in the connection string.
Timeouts often indicate pool exhaustion.
The SQL Server firewall is blocking the application IP; add a firewall rule.
The database is experiencing deadlocks; enable read committed snapshot isolation.
The database DTU limit is being exceeded; scale up the service tier.
Which TWO metrics should you monitor to evaluate the reliability of a web application according to the DORA metrics?
Lead Time for Changes
Change Failure Rate
Measures how often deployments cause failures.
Mean Time to Restore (MTTR)
Measures how quickly you recover from failures.
CPU Usage
Deployment Frequency
Want more Implement an instrumentation strategy practice?
Practice this domainA team wants to enforce that all Azure resource groups in a subscription are tagged with 'CostCenter' and 'Environment'. They need a solution that automatically applies these tags to any new resource group and ensures compliance without manual intervention. What should they use?
Azure Policy
Azure Policy can enforce tagging rules via 'deny' or 'append' effects on resource groups.
Azure RBAC
Azure Blueprints
Azure Resource Graph
A company uses Azure DevOps for CI/CD. They have multiple pipelines that deploy to different environments. They want to ensure that secrets like API keys are not exposed in pipeline logs. What is the best approach?
Use Azure App Configuration with Key Vault references
Create a Variable Group linked to Azure Key Vault
Variable Groups linked to Key Vault ensure secrets are never stored in the pipeline and are fetched at runtime.
Use Azure Kubernetes Service secrets
Use pipeline variables marked as 'secret'
A company uses Azure Pipelines to build a .NET Core application. The build takes 45 minutes due to dependency restoration. They want to reduce build time. What is the most effective strategy?
Cache the NuGet packages and enable caching in the pipeline
Caching packages reduces the need to download them every build, significantly reducing build time.
Use parallel jobs in the pipeline
Use a self-hosted agent with more CPU
Enable incremental builds
A team wants to automatically destroy a temporary test environment after a pull request is merged or closed. What Azure DevOps feature should they use?
Environment with post-deployment approvals
Post-deployment approvals can trigger a cleanup job when the environment is no longer needed.
Branch policy with required reviewers
Pipeline trigger on branch deletion
Service hook to Azure Functions
A company uses Azure Pipelines to deploy a web app to Azure App Service. They want to ensure that the deployment is first validated in a staging slot before swapping to production. What should they configure?
Create two separate pipelines for staging and production
Use Azure Traffic Manager to route traffic
Use deployment slots in the App Service and configure auto-swap
Deployment slots with auto-swap allow validation in staging and then swap to production.
Use an App Service plan with multiple instances
A team uses Terraform to manage Azure infrastructure. They want to store the Terraform state file securely and enable collaboration. What is the recommended approach?
Store the state file in an Azure Storage account with state locking enabled
Azure Storage provides remote state with leasing for locking, ensuring consistency.
Store the state file in a local folder and commit to Git
Store the state file in Terraform Cloud
Store the state file in a Git repository with manual locking
Want more Design and implement a DevOps infrastructure practice?
Practice this domainYour team uses a monorepo in Azure Repos with multiple feature branches. You notice that merge conflicts frequently occur because developers are working on the same files. You want to reduce conflicts and improve collaboration. Which branching strategy should you recommend?
Use release branches for each deployment and cherry-pick commits from main.
Use trunk-based development with feature flags to merge small, frequent changes.
Short-lived branches and feature flags reduce conflicts.
Use a single main branch and require all changes to be committed directly.
Use GitFlow with separate develop and release branches.
Your company is migrating from TFVC to Git in Azure Repos. The repository contains a large number of binary files (e.g., .dll, .exe) that are frequently updated. You need to minimize repository size and clone time. What should you include in your migration plan?
Perform a shallow clone of the last commit only.
Use Git LFS to track binary files.
Git LFS replaces large files with pointers, keeping the repo lean.
Use sparse checkout to exclude binary files from the working tree.
Use TFVC to Git converter with default settings.
You have a GitHub repository with a GitHub Actions workflow that builds a .NET application. The workflow should only run when changes are pushed to the main branch, but it currently runs on every push to any branch. How should you fix the workflow trigger?
Add 'on: push: branch: [main]' to the workflow.
Add 'on: push: paths: [main]' to the workflow.
Add 'on: pull_request: branches: [main]' to the workflow.
Add 'on: push: branches: [main]' to the workflow.
This restricts the trigger to pushes on main.
You are reviewing a webhook payload from Azure Repos. The payload indicates that a new branch named 'feature-123' was created. Which event type triggered this webhook?
A new branch creation.
All zeros in 'before' indicates a new branch.
A push to an existing branch.
A branch deletion.
A pull request update.
You see the above git log output. The team has a policy requiring linear history on the main branch. Which command should be used next time to integrate the feature branch?
git merge --squash feature/login
git cherry-pick f4e5d6c a7b8c9d
git merge --no-ff feature/login
git rebase main feature/login then git merge --ff-only
Rebase creates linear history; fast-forward merge preserves it.
Your team uses GitHub and wants to enforce that all commits to the main branch are signed with a GPG key. Which branch protection rule should you configure?
Require pull request reviews before merging.
Require status checks to pass before merging.
Require linear history.
Require signed commits.
Enforces GPG or S/MIME signing on every commit.
Want more Design and implement a source control strategy practice?
Practice this domainThe AZ-400 exam has 50 questions and must be completed in 120 minutes. The passing score is 700/1000.
Scenario-based questions covering exam objectives with detailed answer explanations.
The exam covers 7 domains: Configure processes and communications, Design and implement source control, Design and implement build and release pipelines, Develop a security and compliance plan, Implement an instrumentation strategy, Design and implement a DevOps infrastructure, Design and implement a source control strategy. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official Microsoft AZ-400 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.