20+ practice questions focused on Develop a security and compliance plan — one of the most tested topics on the Microsoft Azure DevOps Engineer Expert AZ-400 exam. Each question includes a detailed explanation so you learn why the right answer is correct.
A company uses Azure DevOps for CI/CD. The security team requires that all pipeline runs must use a specific service connection (ServiceConnection-Prod) that has been approved for production deployments. However, developers are accidentally using unapproved connections. You need to enforce that only the approved service connection can be used in any pipeline that deploys to the production environment. What should you do?
Explanation: Option D is correct because Azure Pipeline decorators inject custom validation logic at runtime, allowing you to inspect each task's service connection and fail the pipeline if it does not match the approved one. This enforces the security requirement centrally without relying on developer compliance or manual gates.
Your organization uses Azure DevOps and Azure Key Vault to manage secrets. You have a pipeline that deploys a web app to Azure App Service. The pipeline uses a variable group linked to Key Vault to retrieve the database connection string. Recently, the build started failing with the error: 'Access to Key Vault is denied. Please ensure the service connection has Get and List permissions on secrets.' The service connection uses a service principal. You have verified that the service principal has the correct Key Vault access policy with Get and List permissions. What is the most likely cause of the failure?
Explanation: The error message indicates that the identity attempting to access Key Vault lacks the required permissions. Even though the service principal has the correct access policy, the pipeline may be using a different identity—the build service identity—to authenticate with Key Vault. In Azure DevOps, when a variable group is linked to Key Vault, the pipeline's build service identity (not the service connection's service principal) must have Get and List permissions on the Key Vault secrets. This is a common misconfiguration where the service principal is granted permissions but the build service identity is not.
A company uses Azure DevOps and needs to ensure that all pipelines use approved YAML templates from a central repository. The security team wants to prevent developers from referencing unapproved templates. What is the best way to enforce this?
Explanation: Option D is correct because the 'Required template' repository setting in Azure DevOps enforces that all pipelines must use a YAML template from a specified central repository. If a pipeline references a template from any other location, the pipeline will fail at runtime, providing a hard enforcement mechanism that cannot be bypassed by developers. This directly addresses the security team's requirement to prevent unapproved template references.
You are designing a compliance strategy for Azure DevOps pipelines that deploy to production. The company policy requires that all production deployments must be reviewed by a security lead. Additionally, the deployment must use a specific release pipeline that has been pre-approved. How should you implement this?
Explanation: Option B is correct because Azure DevOps environments allow you to define approval checks that must be satisfied before a deployment proceeds. By creating a 'production' environment and adding a pre-deployment approval check requiring the security lead, you enforce the mandatory review. The pipeline then deploys to that environment, ensuring only the pre-approved release pipeline is used.
A financial services company uses Azure DevOps and requires that all secrets (e.g., API keys, connection strings) be stored in Azure Key Vault. They have a pipeline that runs automated tests and deploys to staging. The pipeline uses a variable group linked to Key Vault to retrieve secrets. Recently, the pipeline failed with the error: "Secret 'DbPassword' not found in Key Vault 'kv-prod'. Ensure the secret exists and the service principal has List permission." The secret exists in the vault. What is the most likely cause?
Explanation: Option B is correct because variable groups linked to Azure Key Vault in Azure DevOps require an exact case-sensitive match between the variable name in the variable group and the secret name in Key Vault. Even though the secret 'DbPassword' exists in the vault, if the variable group defines the variable as 'dbpassword' or 'DBPassword', the lookup will fail with the 'not found' error. The error message explicitly states the secret was not found, which is the typical symptom of a case mismatch, not a permissions or connectivity issue.
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Develop a security and compliance plan. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Develop a security and compliance plan questions on the AZ-400 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Develop a security and compliance plan is tested as part of the Microsoft Azure DevOps Engineer Expert AZ-400 blueprint. Practicing with targeted Develop a security and compliance plan questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free AZ-400 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Develop a security and compliance plan is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.