Microsoft · 2026 Edition
A complete preparation guide written by Microsoft-certified engineers. Covers the exam format,all 7 blueprint domains, a week-by-week study plan, and proven tips for passing first time.
4–6 months
Prep time
Advanced
Difficulty
50
Exam questions
700/1000
Pass mark
Exam code
AZ-400
Full name
Azure DevOps Engineer Expert
Vendor
Microsoft
Duration
120 minutes
Questions
50 items
Passing score
700/1000 (scaled)
Domains covered
7 blueprint domains
Recommended experience
AZ-104 or AZ-204 required; 2+ years of DevOps or cloud development experience
Typical prep time
4–6 months
AZ-400 earns the DevOps Engineer Expert certification — the top Azure DevOps credential. It validates end-to-end CI/CD pipeline design, infrastructure as code, and continuous monitoring skills in strong demand at enterprises adopting Azure DevOps or GitHub Actions.
Job roles this opens
Domain percentage weights are not currently available for this exam. The checklist below is still useful for planning your study.
Weeks 1–3
Source Control and Work Management: Git branching strategies, Azure Boards, GitHub
Tip: Branching strategies tested by scenario: Git Flow (release branches, scheduled releases), GitHub Flow (feature branches merged to main, continuous delivery), and Trunk-Based Development (very short-lived branches, requires feature flags). Know when each is appropriate.
Weeks 4–7
CI/CD Pipelines: Azure Pipelines YAML, GitHub Actions, multi-stage pipelines, environments
Tip: Azure Pipelines YAML syntax is tested — know stages, jobs, steps, tasks, and dependencies (dependsOn). Know how to use pipeline variables, variable groups linked to Key Vault, and environment approvals for production deployment gates.
Weeks 8–10
Infrastructure as Code: Bicep, ARM templates, Terraform with Azure DevOps
Tip: Bicep is the primary IaC language on AZ-400. Know the Bicep resource declaration syntax, parameters, variables, modules, and how to deploy a Bicep template via the Azure CLI and Azure Pipelines.
Weeks 11–14
Security, Compliance, Monitoring: SonarQube, Defender for DevOps, container security, DAST/SAST
Tip: Shift-left security: SAST (static code analysis) runs during build, DAST (dynamic application security testing) runs against a deployed app, SCA (software composition analysis) checks dependencies for CVEs. Know which tool category runs at which pipeline stage.
Azure DevOps service connections connect pipelines to external services (Azure subscriptions, GitHub, Docker Hub, Kubernetes clusters). Know the difference between a service principal connection and a managed identity connection and when each is preferred.
Deployment strategies: blue/green (two identical environments, switch traffic), canary (gradual traffic shift), rolling (update instances in batches), and feature flags (release to a subset of users). Know each strategy's rollback mechanism.
Container security: scan images with Microsoft Defender for Containers, push signed images to Azure Container Registry, and enforce image signing in Kubernetes via admission controllers.
AZ-400 requires either AZ-104 or AZ-204 as a prerequisite for the expert designation.
GitHub Actions workflows are tested alongside Azure Pipelines. Know the GitHub Actions YAML structure: workflow → jobs → steps → actions. Understand how GitHub Environments with required reviewers provide deployment gates equivalent to Azure Pipelines environment approvals.
Apply everything in this guide with adaptive practice questions, detailed answer explanations, and domain analytics.
Deep-dive explanations of the key topics tested on AZ-400 — with exam key points and common misconceptions.