© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

AZ-400 Develop a security and compliance plan • Complete Question Bank

AZ-400 Develop a security and compliance plan — All Questions With Answers

Complete AZ-400 Develop a security and compliance plan question bank — all 0 questions with answers and detailed explanations.

142 questions · Free · No signup
Question 1 (medium, multiple choice)

A company uses Azure DevOps for CI/CD. The security team requires that all pipeline runs must use a specific service connection (ServiceConnection-Prod) that has been approved for production deployments. However, developers are accidentally using unapproved connections. You need to enforce that only the approved service connection can be used in any pipeline that deploys to the production environment. What should you do?

Question 2 (hard, multiple choice)

Your organization uses Azure DevOps and Azure Key Vault to manage secrets. You have a pipeline that deploys a web app to Azure App Service. The pipeline uses a variable group linked to Key Vault to retrieve the database connection string. Recently, the build started failing with the error: 'Access to Key Vault is denied. Please ensure the service connection has Get and List permissions on secrets.' The service connection uses a service principal. You have verified that the service principal has the correct Key Vault access policy with Get and List permissions. What is the most likely cause of the failure?

Question 3 (easy, multiple choice)

A company uses Azure DevOps and needs to ensure that all pipelines use approved YAML templates from a central repository. The security team wants to prevent developers from referencing unapproved templates. What is the best way to enforce this?

Question 4 (medium, multiple choice)

You are designing a compliance strategy for Azure DevOps pipelines that deploy to production. The company policy requires that all production deployments must be reviewed by a security lead. Additionally, the deployment must use a specific release pipeline that has been pre-approved. How should you implement this?

Question 5 (hard, multiple choice)

A financial services company uses Azure DevOps and requires that all secrets (e.g., API keys, connection strings) be stored in Azure Key Vault. They have a pipeline that runs automated tests and deploys to staging. The pipeline uses a variable group linked to Key Vault to retrieve secrets. Recently, the pipeline failed with the error: 'Secret 'DbPassword' not found in Key Vault 'kv-prod'. Ensure the secret exists and the service principal has List permission.' The secret exists in the vault. What is the most likely cause?

Question 6 (medium, multi select)

Your organization uses Azure DevOps and Azure Policy to enforce compliance. You need to ensure that all Azure resources deployed by Azure DevOps pipelines have specific tags (e.g., CostCenter and Environment) applied. Which TWO approaches can achieve this? (Choose TWO.)

Question 7 (hard, multi select)

A company uses Azure DevOps and requires that all pipeline runs are audited and that sensitive information (e.g., passwords, keys) is never exposed in logs. Which THREE actions should you take? (Choose THREE.)

Question 8 (hard, multiple choice)

You are a DevOps engineer at a healthcare company that must comply with HIPAA. The company uses Azure DevOps with YAML pipelines to deploy a multi-tier application to Azure Kubernetes Service (AKS). The application stores sensitive patient data. The security team requires that all secrets (e.g., database passwords, API keys) must be stored in Azure Key Vault and never hardcoded in the pipeline. The pipeline currently uses a service principal (SP1) for AKS deployments. The pipeline has a variable group 'VG-Prod' linked to Key Vault 'KV-Prod' with secrets: 'DbPassword', 'ApiKey'. The pipeline runs successfully in non-production environments. However, when you run the pipeline for production, it fails at the stage that deploys to AKS with the error: 'Error: failed to get secret 'DbPassword' from Key Vault: Forbidden'. You have verified that the secret exists and the variable group is correctly linked. The service principal SP1 has the 'Get' and 'List' permissions on KV-Prod secrets. The AKS cluster is in a different subscription than the Key Vault. What is the most likely cause and how should you fix it?

Question 9 (hard, multiple choice)

A financial services company uses Azure DevOps to manage CI/CD pipelines for a critical application. The security team requires that all production deployments be approved by two different managers, and that the build artifacts are immutable and signed. Currently, the pipeline uses a manual approval gate with one approver and stores artifacts in Azure Artifacts. What should the DevOps engineer implement to meet the security requirements?

Question 10 (easy, multiple choice)

A company uses Azure DevOps and has a security policy that all pipeline runs must use a specific service connection scoped to a resource group. A developer reports that a pipeline fails with the error: 'The service connection does not have permission to access the resource.' What is the most likely cause?

Question 11 (medium, multi select)

A company is adopting Azure DevOps and needs to ensure that all pipelines comply with regulatory standards. The security team wants to enforce that every build includes a security scan and that deployment to production requires approval from a compliance officer. Which TWO actions should the DevOps engineer take?

Question 12 (hard, multiple choice)

You are reviewing an Azure Policy assignment in a DevOps environment. The exhibit shows the policy assignment JSON. The policy set includes the built-in policy 'Allowed Locations' with effect Deny. During a pipeline deployment, a resource creation fails with a policy violation error. The resource being deployed is a storage account in the 'centralus' region. What is the most likely reason for the failure?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "policyDefinitions": [
      {
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bfd4f8c3-4b5d-4a7d-8c9a-1e2f3a4b5c6d",
        "parameters": {
          "effect": {
            "value": "Deny"
          },
          "allowedLocations": {
            "value": ["eastus", "westus"]
          }
        }
      }
    ],
    "policySetDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/0a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d"
  },
  "id": "/subscriptions/sub123/resourceGroups/rg-devops/providers/Microsoft.Authorization/policyAssignments/assignment-dev",
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "assignment-dev",
  "location": "eastus"
}
```
Question 13 (medium, multiple choice)

Your organization uses Azure DevOps for a multi-tier web application. The application consists of a React frontend, a Node.js API, and a SQL database. The security team has mandated the following: (1) All code changes must be scanned for secrets before merging to the main branch. (2) Infrastructure-as-code templates (ARM) must be validated for security compliance before deployment. (3) Production deployments must use a service connection with a managed identity that has only the required permissions. You have set up a CI/CD pipeline with two stages: Build and Release. The Build stage runs on pull requests and the Release stage deploys to a production environment. Recently, a developer accidentally committed a secret (API key) to a configuration file. The secret was not caught by the pipeline, and the code was merged to main. You need to prevent this in the future. What should you do?

Question 14 (medium, multiple choice)

A company's Azure DevOps project uses a custom agent pool with self-hosted agents. The security team discovers that pipeline runs can access secrets stored in Azure Key Vault, but the team wants to ensure that secrets are only accessible to approved pipelines. Which configuration should the team implement?

Question 15 (hard, multi select)

Which TWO actions should a DevOps engineer take to ensure that Azure DevOps pipelines comply with the principle of least privilege for service connections?

Question 16 (easy, multiple choice)

The exhibit shows a draft Azure Monitor alert rule for Key Vault secret expiry. However, the query fails to return results for secrets that have already expired. What is the most likely reason?

Exhibit

Refer to the exhibit.

```json
{
  "alertRule": {
    "displayName": "Key Vault Secret Near Expiry",
    "query": "// Azure Resource Graph query
    resources
    | where type == 'microsoft.keyvault/vaults/secrets'
    | extend DaysToExpiry = datetime_diff('day', now(), properties.attributes.expiresOn)
    | where DaysToExpiry < 30 and DaysToExpiry > 0
    | project name, vaultName = resourceGroup, expiresOn = properties.attributes.expiresOn, DaysToExpiry
    | limit 10"
  }
}
```
Question 17 (hard, multiple choice)

You are a DevOps engineer for a financial services company with strict regulatory compliance requirements (e.g., PCI-DSS, SOX). The company uses Azure DevOps for CI/CD and manages multiple projects. Each project has its own set of service connections, variable groups, and agent pools. The security team recently audited the environment and found that several service connections have been granted Contributor rights at the subscription level, and some variable groups are accessible by all pipelines across all projects. Additionally, audit logs show that a former employee's service principal still has active service connections in two projects. You need to implement a security and compliance plan to address these issues. Which approach should you take?

Question 18 (medium, multi select)

Your team is implementing a security and compliance plan for Azure DevOps. Which TWO actions should you take to meet regulatory requirements for audit logging and access control?

Question 19 (hard, multiple choice)

Your company, Contoso Ltd., is a financial services firm that must comply with PCI DSS. You manage an Azure DevOps organization with over 200 projects. Each project uses a service principal to deploy to Azure using service connections stored in library variable groups. Recently, an auditor flagged that a developer used a service principal with Contributor rights on a production subscription to accidentally delete a storage account. The developer had been granted access to the variable group containing that service principal's credentials. You are tasked with implementing a security and compliance plan to prevent this from recurring. The solution must minimize administrative overhead and follow the principle of least privilege. Current environment: All service principals are created in Azure AD and assigned to variable groups. Developers are granted 'User' access level in Azure DevOps and are members of various teams. You have the ability to create Azure AD groups and custom roles. Which course of action should you take?

Question 20 (medium, drag order)

Drag and drop the steps to perform a blue-green deployment in Azure using App Service slots into the correct order.

Question 21 (medium, drag order)

Drag and drop the steps to configure Azure Monitor alerts for application performance into the correct order.

Question 22 (medium, matching)

Match each YAML pipeline trigger to its behavior.

Behaviors to match:
- Runs pipeline on code push
- Runs pipeline on pull request creation
- Runs pipeline at specified times
- Runs pipeline after another pipeline completes

Question 23 (medium, matching)

Match each Azure DevOps extension type to its example.

Examples to match:
- SonarQube analysis
- Burnup chart
- Slack integration on work item update
- Terraform task for Azure Pipelines

Question 24 (medium, multiple choice)

Your team uses GitHub Actions for CI/CD. Security policies require that secrets must be automatically rotated every 90 days. Which Azure DevOps feature should you integrate to enforce this requirement?

Question 25 (hard, multiple choice)

Your organization uses Azure Boards and requires that all changes to work items in the 'Security' area path be audited. Which solution ensures that any modification to a work item triggers an audit event in Microsoft Sentinel?

Question 26 (easy, multiple choice)

You need to ensure that only approved users can deploy to production from Azure Pipelines. What should you implement?

Question 27 (medium, multiple choice)

You are reviewing a compliance policy for Azure Pipelines. What does this policy enforce?

Exhibit

Refer to the exhibit.

```json
{
  "policy": {
    "name": "Require MFA for pipeline variables",
    "scope": [
      "variableGroup:MySecrets"
    ],
    "effects": {
      "requireMFA": {
        "on": "variableGroup:MySecrets",
        "action": "approve"
      }
    }
  }
}
```
Question 28 (hard, multiple choice)

Your company uses GitHub Advanced Security. You need to ensure that all code in the main branch is free of high-severity secrets before deployment. What is the most efficient way to enforce this?

Question 29 (medium, multiple choice)

You need to implement a compliance framework that ensures Azure Pipelines build agents are always patched with the latest security updates. What should you use?

Question 30 (easy, multiple choice)

Your organization uses Microsoft Entra ID. You want to ensure that only users from specific countries can access Azure DevOps. Which security feature should you configure?

Question 31 (hard, multiple choice)

You are evaluating an Azure Policy assignment for Azure Pipelines. What does this policy audit?

Exhibit

Refer to the exhibit.

```json
{
  "id": "policy-secure-files",
  "type": "Microsoft.Authorization/policyAssignments",
  "properties": {
    "displayName": "Secure Files in Pipelines",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/audit-secure-files",
    "parameters": {
      "allowedFileExtensions": {
        "value": [".pfx", ".p12", ".cer"]
      }
    },
    "scope": "/subscriptions/.../resourceGroups/.../providers/microsoft.devops/pipelines"
  }
}
```
Question 32 (medium, multiple choice)

Your team uses GitHub. You need to automatically remove a user's access to all repositories when they leave the company. What is the most efficient approach?

Question 33 (hard, multi select)

Which TWO actions should you take to ensure that Azure Pipelines artifacts are scanned for vulnerabilities before production deployment? (Choose two.)

Question 34 (medium, multi select)

Which THREE measures should be implemented to protect secrets in Azure Pipelines? (Choose three.)

Question 35 (easy, multi select)

Which TWO tools can be used to enforce branch protection policies in GitHub repositories? (Choose two.)

Question 36 (medium, multiple choice)

You are reviewing an Azure DevOps permissions JSON. What access does the user 'user@contoso.com' have?

Exhibit

Refer to the exhibit.

```json
{
  "permissions": [
    {
      "role": "Reader",
      "identity": {
        "type": "group",
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
      },
      "scope": "project"
    },
    {
      "role": "Contributor",
      "identity": {
        "type": "user",
        "id": "user@contoso.com"
      },
      "scope": "build:Build-1"
    }
  ]
}
```
Question 37 (easy, multiple choice)

You need to ensure that only signed-in users can view Azure DevOps project wikis. Which setting should you configure?

Question 38 (hard, multiple choice)

You are analyzing Azure DevOps audit logs with a KQL query. What is the purpose of this query?

Exhibit

Refer to the exhibit.

```kql
AzureDevOpsAuditLogs
| where TimeGenerated > ago(30d)
| where OperationName == "Project.Create"
| where ResultType == "Success"
| project TimeGenerated, ProjectName, ActorUPN
| summarize Count = count() by ActorUPN
| top 5 by Count desc
```
Question 39 (medium, multiple choice)

Your organization uses Azure DevOps to manage CI/CD pipelines. The security team requires that all pipeline runs use a specific service connection that references a managed identity in Microsoft Entra ID. However, some developers have been using personal access tokens (PATs) in their pipelines, bypassing the managed identity. What should you implement to enforce the use of the managed identity service connection?

Question 40 (hard, multiple choice)

Your team uses GitHub Enterprise to manage source code. You need to implement a security and compliance plan that ensures all commits are signed using GPG keys and that secrets are scanned before code is merged. Which GitHub features should you combine?

Question 41 (easy, multiple choice)

Your organization uses Azure DevOps and Microsoft Entra ID. The compliance team needs to ensure that access to Azure DevOps projects is governed by conditional access policies. Which Azure DevOps integration should you use?

Question 42 (medium, multi select)

Your team uses GitHub Advanced Security to identify vulnerabilities in code. Which TWO actions can you take to ensure that critical security alerts are addressed before code is merged?

Question 43 (hard, multi select)

Your organization uses Azure Key Vault to store secrets and certificates used in Azure Pipelines. You need to implement a security and compliance plan that ensures secrets are rotated automatically and access is audited. Which THREE actions should you take?

Question 44 (easy, multi select)

Your team is adopting GitHub Copilot for code generation. The compliance team requires that all code generated by AI is reviewed and that proprietary code is not used as training data. Which TWO settings should you configure in your GitHub organization?

Question 45 (hard, multiple choice)

Refer to the exhibit. You receive a secret scanning alert for an Azure DevOps PAT in a GitHub repository. The push_protection_bypass is false. What does this mean and what action should you take?

Exhibit

```json
{
  "alert": {
    "type": "secret_scanning",
    "secret_type": "Azure DevOps Personal Access Token",
    "secret": "abc123...",
    "repository": "contoso/MyApp",
    "push_protection_bypass": false
  }
}
```
Question 46 (medium, multiple choice)

Refer to the exhibit. Your organization has configured an Azure DevOps pipeline security setting that enforces a required template for all pipelines deploying to production and staging. The required template 'security-validation.yml' runs a series of security scans and compliance checks. A developer creates a new pipeline that deploys to a test environment, but the pipeline does not reference the required template. What will happen?

Exhibit

```json
{
  "type": "Azure DevOps Pipeline Security",
  "settings": {
    "enforceRequiredTemplate": true,
    "requiredTemplate": "security-validation.yml",
    "scope": ["production", "staging"]
  }
}
```
Question 47 (easy, multiple choice)

Your organization uses Microsoft Defender for Cloud to monitor Azure resources. The compliance team needs to ensure that all Azure DevOps projects have their pipelines scanned for security issues before deployment. Which integration should you use?

Question 48 (hard, multiple choice)

Refer to the exhibit. You have configured a Conditional Access policy in Microsoft Entra ID to require MFA for Azure DevOps. However, users report that they can still access Azure DevOps without MFA when using a PAT for authentication. What is the most likely reason?

Exhibit

```json
{
  "policy": {
    "name": "Require MFA for Azure DevOps",
    "type": "Conditional Access Policy",
    "assignments": {
      "users": "All users",
      "cloud_apps": "Azure DevOps",
      "conditions": {
        "client_apps": ["Browser", "Mobile apps and desktop clients"]
      },
      "grant_controls": {
        "built_in_controls": ["Mfa"]
      }
    }
  }
}
```
Question 49 (medium, multiple choice)

Your organization uses GitHub Actions for CI/CD. The security team requires that all workflows are stored in a central repository and that only approved actions can be used. What should you implement?

Question 50 (easy, multiple choice)

Your organization needs to ensure that all containers built in Azure Pipelines are scanned for vulnerabilities before being pushed to a container registry. Which step should you add to the pipeline?

Question 51 (hard, multiple choice)

Refer to the exhibit. You run a KQL query in Microsoft Sentinel to audit Azure Container Registry login failures. The result shows 15 failed push attempts to the 'contoso/webapp' repository and 3 failed pull attempts to 'contoso/api'. What is the most likely security implication?

Exhibit

```json
{
  "query": "ContainerRegistryLoginEvents\n| where TimeGenerated > ago(7d)\n| where ResultType != 'Success'\n| summarize FailureCount = count() by Repository, Action",
  "result": [
    {"Repository": "contoso/webapp", "Action": "push", "FailureCount": 15},
    {"Repository": "contoso/api", "Action": "pull", "FailureCount": 3}
  ]
}
```
Question 52 (medium, multiple choice)

Your organization uses Microsoft Purview to manage sensitive data in Azure DevOps repositories. The compliance team needs to automatically classify and label source code that contains personally identifiable information (PII). Which solution should you use?

Question 53 (easy, multiple choice)

Your team uses Azure Pipelines to deploy to multiple environments. The compliance team requires that all deployments to the production environment are approved by a security officer. Which feature should you use?

Question 54 (medium, multiple choice)

Your team uses GitHub Actions for CI/CD and needs to ensure that secrets such as Azure service principal credentials are not exposed in logs. What is the best practice to prevent secret exposure?

Question 55 (hard, multiple choice)

Your organization uses Microsoft Entra ID for identity and Azure DevOps for source control. You need to enforce that all code changes to the main branch require a pull request with at least two approvals and no failing checks. What should you configure?

Question 56 (easy, multiple choice)

Your DevOps team is using Microsoft Defender for Cloud to monitor Azure resources. Which of the following is a security recommendation that Defender for Cloud might provide?

Question 57 (medium, multiple choice)

You are implementing a secrets management strategy for a multi-cloud deployment. You need to securely store and rotate API keys for a third-party service. Which Azure service should you use?

Question 58 (hard, multiple choice)

Your organization is adopting GitHub Copilot for developers. Which security measure should you implement to ensure that no proprietary code is inadvertently shared with the AI model?

Question 59 (easy, multiple choice)

Your team uses Azure Pipelines to deploy to multiple environments. You need to ensure that deployment to the production environment requires approval from the security team. What should you configure?

Question 60 (medium, multiple choice)

Your company uses Microsoft Purview to manage data governance. You need to classify a new dataset containing personally identifiable information (PII) and apply a data loss prevention (DLP) policy. What should you do first?

Question 61 (hard, multiple choice)

Your organization uses Azure DevOps and wants to enforce that all pipelines use a specific set of approved tasks. How can you achieve this?

Question 62 (easy, multiple choice)

You need to ensure that only authorized users can access the Azure DevOps organization. Which identity provider should you configure for single sign-on (SSO)?

Question 63 (medium, multi select)

Your company uses Azure Key Vault to store secrets. Which TWO actions should you take to ensure secure access? (Select TWO.)

Question 64 (hard, multi select)

You are designing a security compliance plan for a GitHub Enterprise environment. Which THREE practices should you implement? (Select THREE.)

Question 65 (easy, multi select)

Your team uses Azure Pipelines and needs to comply with SOC 2 requirements. Which TWO features should you use to meet audit log requirements? (Select TWO.)

Question 66 (easy, multiple choice)

Your team uses GitHub repositories and wants to ensure that all code changes are signed by a verified contributor before merging. Which branch protection rule should you enable?

Question 67 (medium, multiple choice)

Your company uses Azure DevOps and must enforce that all pipelines use approved agent pools. The security team wants to prevent the use of the default agent pool. What should you do?

Question 68 (hard, multiple choice)

You are deploying a web app to Azure App Service using Azure Pipelines. The security team requires that all secrets are stored in Azure Key Vault and retrieved at deployment time. What is the best approach?

Question 69 (easy, multiple choice)

Your team uses GitHub and wants to automatically detect and block secrets pushed to repositories. Which GitHub feature should you enable?

Question 70 (medium, multiple choice)

You are designing a compliance plan for Azure DevOps. The compliance officer requires that all changes to build pipelines are audited and cannot be reverted without approval. What should you implement?

Question 71 (hard, multiple choice)

Your organization uses Microsoft Entra ID and Azure DevOps. You need to ensure that only users from specific Entra ID groups can create new Azure DevOps organizations. What should you configure?

Question 72 (easy, multiple choice)

Your team uses Azure Pipelines and wants to ensure that builds cannot access the internet to prevent data exfiltration. What should you do?

Question 73 (medium, multiple choice)

You are using GitHub Advanced Security. The security team wants to prevent developers from introducing code with high-severity vulnerabilities. What is the best way to enforce this?

Question 74 (hard, multiple choice)

Your company uses Azure DevOps and must comply with SOC 2. The auditor requires proof that all production deployments went through a change management process with approval. What should you implement?

Question 75 (easy, multiple choice)

You are reviewing an Azure Policy definition applied to an Azure DevOps organization. What is the effect of this policy?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "description": "Policy to restrict pipeline creation",
    "policyType": "Custom",
    "mode": "All",
    "displayName": "Deny Pipeline Creation",
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DevOps/pipelines"
      },
      "then": "Deny"
    }
  }
}
```

Question 76 (medium, multiple choice)

You receive a GitHub Dependabot alert as shown. The repository 'my-app' is internal. What is the best immediate action to mitigate the risk?

Exhibit

Refer to the exhibit.

```json
{
  "alert": {
    "title": "High severity vulnerability found in dependency",
    "state": "open",
    "severity": "critical",
    "created_at": "2026-03-15T10:00:00Z",
    "repository": {
      "name": "my-app",
      "visibility": "internal"
    },
    "security_advisory": {
      "summary": "Remote code execution in lodash",
      "severity": "critical",
      "cvss": {
        "score": 9.8
      }
    }
  }
}
```

Question 77 (hard, multiple choice)

You are auditing an Azure Pipeline YAML file. The security team requires that deployments to the 'Prod' environment only occur from the main branch. Does this pipeline meet that requirement?

Exhibit

Refer to the exhibit.

```yaml
# azure-pipelines.yml
variables:
- group: ProductionSecrets
- name: environment
  value: 'prod'
stages:
- stage: Build
  jobs:
  - job: BuildJob
    steps:
    - script: echo Building...
- stage: Deploy
  condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
  jobs:
  - deployment: DeployJob
    environment: Prod
    strategy:
      runOnce:
        deploy:
          steps:
          - script: echo Deploying...
```

Question 78 (medium, multi select)

Your organization is implementing a security compliance plan for Azure DevOps. Which TWO actions help enforce the principle of least privilege?

Question 79 (hard, multi select)

Your company uses GitHub and must comply with data residency requirements. Which THREE actions should you take to ensure data stays within a specific geographic region?

Question 80 (easy, multi select)

You are designing a plan to protect Azure DevOps pipelines from supply chain attacks. Which TWO measures should you implement?

Question 81 (medium, multiple choice)

Your team uses Azure DevOps and wants to enforce branch protection policies for all repositories in a GitHub Advanced Security-enabled organization. Which approach should you use to ensure that pull requests require a successful status check from a required workflow?

Question 82 (hard, multiple choice)

A company uses Microsoft Defender for Cloud to assess the security posture of Azure Pipelines agents. They notice that self-hosted agents are flagged as having high-severity vulnerabilities. What is the recommended action to remediate these findings while minimizing downtime?

Question 83 (easy, multiple choice)

Your organization requires that all code changes be signed using a valid code signing certificate before they can be merged. Which feature in GitHub should you enable to enforce this?

Question 84 (medium, multiple choice)

You are designing a security compliance plan for Azure Pipelines. The plan must ensure that no pipeline can use variables containing secrets unless those variables are stored in Azure Key Vault and referenced via a variable group linked to Key Vault. What is the best way to enforce this across all pipelines in an Azure DevOps organization?

Question 85 (hard, multiple choice)

Your organization uses GitHub Actions and has a repository containing sensitive infrastructure code. You need to ensure that only approved actions are used in workflows. Which two settings should you configure? (Select two.)

Question 86 (easy, multiple choice)

Your team uses Azure DevOps and wants to automatically scan pull requests for secrets before they are merged. Which Azure DevOps feature should you use?

Question 87 (hard, multiple choice)

Your company uses Microsoft Defender for Cloud to monitor Azure DevOps environments. You receive an alert that a service principal has excessive permissions. What is the first step you should take to investigate and remediate?

Question 88 (medium, multiple choice)

Your organization must comply with SOC 2 requirements. You are using Azure DevOps and need to ensure that all pipeline runs are logged and that logs are retained for at least one year. Which configuration should you implement?

Question 89 (easy, multiple choice)

Your team uses GitHub and wants to automatically detect exposed credentials in code. Which GitHub feature should you enable?

Question 90 (medium, multiple choice)

You are reviewing an Azure Policy definition. What does this policy do?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DevOps/Pipelines"
      },
      "then": {
        "effect": "deny",
        "details": {
          "field": "Microsoft.DevOps/Pipelines/yamlFilePath",
          "notEquals": "/pipeline-templates/secure-pipeline.yml"
        }
      }
    }
  }
}
```

Question 91 (hard, multiple choice)

You are analyzing Azure DevOps audit logs with the KQL query shown in the exhibit. Your security team wants to ensure that only approved service connections are used. After running the query, you find multiple service connections created by a user who is not on the approved list. What should you do next?

Exhibit

Refer to the exhibit.

```json
{
  "name": "service-connection-audit",
  "query": "AzureDevOpsAuditing | where OperationName == 'ServiceConnectionCreated' | project TimeGenerated, ServiceConnectionId, ServiceConnectionName, CreatedBy"
}
```

Question 92 (medium, multiple choice)

You are reviewing a pipeline YAML file. The variable 'prod-db-password' is stored in a variable group linked to Azure Key Vault. However, the pipeline fails with an error that the secret cannot be accessed. What is the most likely cause?

Exhibit

Refer to the exhibit.

```yaml
# azure-pipelines.yml
variables:
- group: 'prod-variables'
- name: 'DB_PASSWORD'
  value: $(prod-db-password)
```

Question 93 (easy, multiple choice)

Your organization is adopting GitHub Copilot and wants to ensure that no proprietary code is used to train models. Which setting should you configure in the GitHub organization?

Question 94 (hard, multiple choice)

Your Azure DevOps organization has multiple projects. You need to ensure that only approved extension versions are installed across all projects. What is the most efficient way to enforce this?

Question 95 (medium, multiple choice)

You are using Microsoft Defender for Cloud to secure Azure Pipelines. You need to receive alerts when a pipeline run uses a service principal with excessive permissions. Which feature should you enable?

Question 96 (medium, multiple choice)

Your organization uses Azure DevOps and requires that all pipelines enforce branch policy for pull requests. A developer creates a pipeline that builds and tests code on push to any branch. The security team wants to ensure that no code can be deployed to production without passing through a pull request with required reviewers. Which action should you take to meet this requirement?

Question 97 (hard, multiple choice)

Your company uses GitHub Enterprise and wants to implement a secret scanning policy to detect and block secrets (e.g., API keys) in code pushes. The policy must allow exceptions for test repositories that use fake secrets. What is the recommended approach?

Question 98 (easy, multiple choice)

Your team uses Microsoft Defender for Cloud to monitor Azure resources. You need to ensure that all Azure DevOps pipelines are scanned for security misconfigurations before deployment. Which integration should you enable?

Question 99 (hard, multiple choice)

Your organization uses GitHub Actions and needs to enforce that only approved actions from the GitHub Marketplace can be used in workflows. Developers have been using custom actions from third-party repositories. What is the most effective way to control which actions are allowed?

Question 100 (medium, multiple choice)

Your team uses Azure Pipelines to deploy to Azure Kubernetes Service (AKS). The security team requires that all container images be scanned for vulnerabilities before deployment. You have configured a container registry with Microsoft Defender for Cloud integration. What should you add to your pipeline to ensure only compliant images are deployed?

Question 101 (easy, multiple choice)

Your organization uses Microsoft Entra ID (formerly Azure AD) for identity management. You need to ensure that only authorized users can access the Azure DevOps organization. What is the most secure way to manage access?

Question 102 (hard, multiple choice)

Your company uses GitHub and wants to implement a compliance framework that requires signed commits for all repositories. Developers use various IDEs and Git clients. What is the best way to enforce signed commits across the organization?

Question 103 (medium, multiple choice)

Your team uses Azure Pipelines to deploy a web app to Azure App Service. You need to ensure that secrets (e.g., connection strings) are not exposed in the pipeline logs. What is the recommended approach?

Question 104 (easy, multiple choice)

Your organization uses Microsoft Purview to classify and protect sensitive data. You need to ensure that source code in Azure DevOps repositories containing credit card numbers is detected and flagged. What should you configure?

Question 105 (medium, multi select)

Which TWO actions should you take to ensure that only approved pipelines can deploy to production in Azure DevOps? (Choose two.)

Question 106 (hard, multi select)

Which THREE measures should you implement to protect secrets used in GitHub Actions workflows? (Choose three.)

Question 107 (easy, multi select)

Which TWO practices should you follow to ensure compliance with regulatory requirements (e.g., PCI DSS) when using Azure DevOps? (Choose two.)

Question 108 (hard, multiple choice)

Your team uses GitHub Actions for CI/CD and must ensure that only approved contributors can merge code to the main branch. You need to enforce a policy where every pull request must be reviewed by at least two members of the security team. Which branch protection rule should you configure?

Question 109 (easy, multiple choice)

Your company is migrating to Microsoft Entra ID and needs to manage secrets used in Azure Pipelines. Which service should you use to securely store and rotate secrets?

Question 110 (medium, multiple choice)

Your Azure DevOps organization contains multiple teams. You need to ensure that code reviews require approval from a member of the security team before merging to the main branch. What is the best way to implement this?

Question 111 (hard, multiple choice)

Your organization uses GitHub Advanced Security. A developer reports that a secret scanning alert for an Azure DevOps Personal Access Token (PAT) is a false positive. What should you do to handle this?

Question 112 (medium, multiple choice)

Your team uses Azure Pipelines to deploy to production. You need to ensure that deployment only proceeds if a security scan passes and a manual approval is obtained. What is the best approach?

Question 113 (easy, multiple choice)

Your organization is adopting DevSecOps and wants to integrate security scanning into the CI/CD pipeline. Which tool should you use to scan container images for vulnerabilities?

Question 114 (hard, multiple choice)

Your team uses GitHub Actions and needs to enforce that all workflows must use approved actions from a curated list. What is the best way to implement this?

Question 115 (medium, multiple choice)

Your organization requires compliance with SOC 2 and needs to audit all changes to Azure Pipelines. What should you enable?

Question 116 (easy, multiple choice)

Your team uses GitHub and wants to automatically detect exposed credentials in code. Which GitHub feature should you enable?

Question 117 (hard, multi select)

Your organization is implementing a security compliance plan for Azure DevOps. Which TWO actions should you take to ensure that only authorized users can modify build pipelines?

Question 118 (medium, multi select)

Your team uses Azure DevOps and needs to ensure that secrets are not exposed in pipeline logs. Which THREE practices should you implement?

Question 119 (medium, multi select)

Your organization is adopting GitHub Advanced Security. Which THREE features should you enable to improve security?

Question 120 (hard, multiple choice)

Your organization uses Azure DevOps with multiple teams. You are tasked with creating a security and compliance plan. The environment includes: Azure Repos for source control, Azure Pipelines for CI/CD, and Azure Artifacts for package management. Requirements: 1) All code changes to the main branch must be reviewed by at least one member of the security team. 2) Deployment to production requires approval from a manager. 3) Secrets must be stored securely and rotated every 90 days. 4) Pipeline logs must be retained for 1 year for audit purposes. You have configured branch policies requiring a minimum number of reviewers and mandatory security team review. For production deployments, you have added a manual approval gate. Secrets are stored in Azure Key Vault with automatic rotation. However, the audit team reports that pipeline logs are only retained for 30 days. You need to extend log retention to 1 year. What should you do?

Question 121 (medium, multiple choice)

Your team uses GitHub Enterprise and GitHub Actions for CI/CD. You need to implement a security compliance plan. The organization has the following requirements: 1) All code pushed to the main branch must be scanned for secrets and vulnerabilities. 2) Developers must use signed commits. 3) Only approved GitHub Actions can be used. 4) Dependencies must be scanned for vulnerabilities. You have enabled secret scanning and code scanning (CodeQL) on all repositories. You have configured branch protection rules to require signed commits using GPG keys. To restrict actions, you have set an allowed list of actions in the organization settings. You have enabled Dependabot alerts. However, during an audit, a reviewer notes that secret scanning alerts are not being reviewed within 30 days. You need to ensure that secret scanning alerts are triaged within 30 days. What should you do?

Question 122 (hard, multiple choice)

Your team is adopting a shift-left security approach in Azure Pipelines. They want to automatically detect secrets, such as API keys or connection strings, in source code before code is committed. Which Azure DevOps feature should be configured to scan pull requests for secrets and block the PR if any are found?

Question 123 (medium, multiple choice)

Your organization uses Microsoft Defender XDR to secure Azure DevOps pipelines. You need to ensure that any build pipeline triggered by a pull request automatically runs a security scan and fails if critical vulnerabilities are found. What should you configure?

Question 124 (easy, multiple choice)

Your team uses GitHub Copilot for code suggestions. To comply with your organization's data protection policies, you need to ensure that code snippets and prompts sent to Copilot are not stored or used by Microsoft for service improvement. What should you configure?

Question 125 (hard, multiple choice)

You are designing a security compliance plan for Azure Pipelines. The plan must ensure that all pipelines: (1) run on Microsoft-hosted agents in a specific geo-region, (2) use approved Docker images from a private Azure Container Registry, and (3) enforce that pipeline variables containing secrets are never logged. Which combination of Azure DevOps features should you use?

Question 126 (medium, multiple choice)

Your organization uses Microsoft Defender XDR for security monitoring. You need to configure an alert that fires whenever a user with high privileges (e.g., Project Collection Administrators) is added to an Azure DevOps group. What is the most efficient approach?

Question 127 (easy, multiple choice)

Your team is using GitHub Enterprise and wants to ensure that every pull request includes a link to a work item in Azure Boards. Which GitHub Apps or Azure DevOps Services integration should you configure?

Question 128 (hard, multi select)

Which TWO actions should you take to ensure that Azure Pipelines artifacts are securely stored and access is audited?

Question 129 (medium, multi select)

Which THREE measures should you implement to protect secrets (e.g., API keys, passwords) used in Azure Pipelines?

Question 130 (easy, multi select)

Which TWO compliance frameworks are directly supported by Microsoft Purview Compliance Manager for Azure DevOps?

Question 131 (hard, multiple choice)

Refer to the exhibit. You are reviewing the branch policies for the main branch in Azure Repos. The team reports that while the branch naming policy works, the approval policy does not block pull requests when only one person approves. What is the most likely cause?

Exhibit

```json
{
  "policies": [
    {
      "name": "Enforce branch naming convention",
      "policyType": "Git",
      "settings": {
        "scope": [
          {
            "refName": "refs/heads/*",
            "matchKind": "Prefix",
            "prefix": "feature/"
          }
        ],
        "isEnabled": true,
        "isBlocking": true
      }
    },
    {
      "name": "Require a minimum number of reviewers",
      "policyType": "Approval",
      "settings": {
        "minimumApproverCount": 2,
        "creatorVoteCounts": false,
        "allowDownvotes": false,
        "resetOnPush": true
      }
    }
  ]
}
```

Question 132 (medium, multiple choice)

Refer to the exhibit. You executed the Azure CLI command to list variable groups. A security audit requires that all variable groups containing secrets are configured to be authorized for all pipelines. Which statement is true based on the output?

Exhibit

```shell
az pipelines variable-group list --org https://dev.azure.com/contoso --project MyProject
```

```json
{
  "id": 1,
  "name": "ProdVars",
  "variables": {
    "ApiKey": {
      "value": null,
      "isSecret": true
    },
    "Endpoint": {
      "value": "https://prod.contoso.com",
      "isSecret": false
    }
  },
  "description": "Production variables"
}
```

Question 133 (hard, multiple choice)

You are a security engineer for a large financial institution. The organization uses Azure DevOps with multiple projects, each containing hundreds of pipelines. The security team recently discovered that several pipeline variables marked as 'Secret' were inadvertently printed to logs due to a custom script task that echoed the variable. Consequently, the compliance officer requires that all secrets used in pipelines must be centrally managed in Azure Key Vault, and any pipeline that references a variable not from Key Vault must be blocked from running. Additionally, the solution must minimize administrative overhead and provide real-time enforcement across all projects in the organization. You have the following options:

Option A: Create an Azure Policy definition that audits pipelines for the use of non-Key Vault variables and attach it to the management group containing the Azure DevOps resources.

Option B: Develop a custom pipeline task that checks at runtime whether all secret variables originate from Key Vault, and add it to every pipeline YAML file manually.

Option C: Configure a pipeline decorator in the organization settings that injects a task at the beginning of every pipeline to validate that all secret variables are linked to Key Vault, and fail the pipeline if any are not.

Option D: Use Azure DevOps Audit Logs to periodically review pipeline runs and manually identify pipelines that use non-Key Vault secrets.

Which option meets the requirements most effectively?

Question 134 (medium, multiple choice)

Your company is migrating from on-premises TFS to Azure DevOps Services in the cloud. The security policy mandates that all access to Azure DevOps must go through a conditional access policy that requires multi-factor authentication (MFA) for users outside the corporate network. Additionally, the policy requires that service accounts (used for automated deployments) must use device-based authentication and cannot be interactive. You are configuring Microsoft Entra ID (formerly Azure AD) conditional access. The Azure DevOps organization is connected to the corporate Entra ID tenant. You have the following options:

Option A: Create a conditional access policy that applies to all users and service principals, requiring MFA for all cloud apps, and exclude the Azure DevOps app from the policy.

Option B: Create a conditional access policy that targets the Azure DevOps app, grant access requiring MFA for all users, and create a separate policy for service accounts that requires device compliance.

Option C: Create a conditional access policy that applies to the Azure DevOps app, requiring MFA for all users, and exclude service accounts by user group. Then create a separate policy for service accounts that requires a compliant device.

Option D: Use Azure DevOps IP address restrictions to block external traffic and rely on VPN for external users.

Which option best meets the requirements?

Question 135 (easy, multiple choice)

Your development team uses GitHub Enterprise with GitHub Actions for CI/CD. The security team wants to ensure that all secrets used in workflows are stored in GitHub Secrets and that they are not accessible to forked repositories. Currently, some workflows reference secrets directly in YAML files. You need to implement a solution that meets the following requirements: (1) Secrets must be stored in GitHub Secrets, not in YAML files. (2) Workflows triggered from forked repositories must not have access to organization secrets. (3) Auditors must be able to see which workflows access which secrets.

Option A: Move all secrets to GitHub Secrets, configure the repository to require approval for all external contributions, and enable audit logging for secret usage.

Option B: Move all secrets to GitHub Secrets, and in the repository settings, disable 'Allow GitHub Actions to create and approve pull requests' and enable 'Fork pull request workflows from outside collaborators' to require approval.

Option C: Move all secrets to GitHub Secrets, and in the organization settings, enable 'Private repository fork policy' to only allow forks from within the organization, and use environment secrets with required reviewers.

Option D: Move all secrets to GitHub Secrets, and for each workflow that uses secrets, add a condition to check if the event is from a fork, and if so, skip the step.

Which option best satisfies all requirements?

Question 136 (medium, multiple choice)

Your organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data in Azure DevOps repositories. The compliance team has identified that source code containing credit card numbers (PCI data) was accidentally committed to a public repository. You need to implement a solution that meets the following requirements: (1) Automatically scan all new commits in Azure Repos for sensitive data types like credit card numbers. (2) If sensitive data is detected, automatically block the push and notify the security team. (3) The solution must be integrated with Microsoft Purview and Azure DevOps.

Option A: Configure a branch policy in Azure Repos that runs a custom Azure Function via a service hook when a push occurs, and the function uses Purview APIs to scan the commit.

Option B: Enable Microsoft Purview Data Loss Prevention for Azure DevOps, which automatically scans and blocks pushes containing sensitive data.

Option C: Use GitHub Advanced Security secret scanning for Azure Repos, and configure a webhook to notify the security team.

Option D: Install a third-party extension from Azure DevOps Marketplace that provides content scanning and configure it to block pushes.

Which option is the most appropriate and efficient?

Question 137 (easy, multi select)

Your organization uses Microsoft Defender for Cloud and Azure DevOps. Security teams need to automatically detect and block secrets (e.g., passwords, keys) pushed to Azure Repos. Which TWO actions should you take?

Question 138 (hard, multiple choice)

Your company is deploying Azure DevOps pipelines for a critical financial application. Compliance requires that all pipeline runs are immutable and auditable. You must ensure that once a pipeline completes, its logs, artifacts, and test results cannot be modified or deleted by anyone, including administrators, for 7 years. You also need to prevent any pipeline runs from being deleted. Azure DevOps retention policies are currently set to 30 days. What should you do?

Question 139 (medium, multiple choice)

Your team uses GitHub for source control and GitHub Actions for CI/CD. Security policy requires that all code changes must be signed by a verified contributor using a GPG key. You need to enforce this requirement at the organization level. However, some developers use SSH keys for authentication, and you want to allow them to continue. What should you do?

Question 140 (hard, multiple choice)

Your organization uses Azure DevOps with classic pipelines. Security audit requires that all pipeline variables containing secrets (e.g., API keys) are stored in Azure Key Vault and referenced dynamically. Currently, secrets are stored as plain text in the pipeline UI. You need to migrate to Key Vault with minimal downtime and ensure that secret values are never exposed in logs. What should you do?

Question 141 (medium, multiple choice)

Your company uses Microsoft Sentinel for security monitoring. Azure DevOps pipelines deploy resources to production. You need to create an automated response that triggers when Sentinel detects a high-severity alert related to unauthorized pipeline changes. The response should temporarily disable the service connection used by the pipeline and notify the security team. What should you do?

Question 142 (easy, multiple choice)

Your team uses GitHub Enterprise with GitHub Actions. Compliance requires that all contributors sign commits with a verified GPG key. You have enabled 'Require signed commits' on the repository. However, a developer reports that their commits are being rejected even though they have configured a GPG key. The error says 'Commit must have a valid signature.' The developer's GPG key is listed in their GitHub account settings. What is the most likely cause?
