Azure DevOps servicesIntermediate24 min read

What Is Approval gate in DevOps?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

An approval gate is a way to pause your software release so someone can check it before it goes live. It stops the pipeline automatically and waits for a person to say yes or no. This gives teams a chance to review changes and catch problems before the update reaches users. It helps keep deployments safe and controlled.

Commonly Confused With

Approval gatevsManual intervention task

A manual intervention task is a pipeline task that pauses the pipeline and waits for a user to provide input (like a script to run). An approval gate is a condition on a stage, not a task. Approvals are built into stage settings, while manual intervention tasks are added to the pipeline as a step.

In a release pipeline, you can add a 'Manual Intervention' task that asks the operator to enter a password before proceeding. That is different from an approval gate that simply asks for a yes/no to continue.

Approval gatevsQuality gate

A quality gate is an automated check that evaluates metrics like test pass rate or code coverage. It does not require human input. An approval gate always requires a human decision. Quality gates run automatically; approval gates wait for a person.

A pipeline might have a quality gate that fails if unit test coverage drops below 80%. That is automatic. An approval gate requires a person to review and click Approve.

Approval gatevsDeployment control

Deployment control is a broader term that includes approvals, gates, and policies that manage how releases are deployed. Approval gate is a specific type of deployment control that uses human approval. Other controls include automated checks and scheduled deployment windows.

A deployment control might be 'only deploy between 2 AM and 4 AM'. An approval gate is a separate control that asks a person for permission.

Must Know for Exams

For the AZ-400 exam (Microsoft Azure DevOps Solutions), approval gates are listed as a key topic under the objective 'Design and implement a release strategy'. The exam expects you to know how to configure pre-deployment and post-deployment approvals, how to manage approvers, and how to handle multi-approval scenarios. You will likely see questions that ask you to set up an approval gate to comply with a security policy. For example, a scenario might say: 'Your company requires that all production deployments be approved by a release manager. You need to configure the release pipeline to enforce this.' The correct answer would involve adding a pre-deployment approval gate on the production stage and assigning the release manager or a group containing that person.

you may be asked about handling approval failures. For instance, if an approver rejects a release, the pipeline should cancel. The exam wants you to know that rejected releases are not automatically resumed; they remain in a failed state. Another common question is about timeout settings: if no approver responds within the specified time, what happens? You need to understand that the pipeline either times out and marks the release as failed (if reject on timeout is checked) or keeps waiting indefinitely (if timeout is not set).

The AZ-400 also covers how to create approval gates using YAML pipelines versus classic release pipelines. While the exam mostly focuses on the classic release pipeline, you should know that YAML pipelines support 'approvals' as part of the 'environments' concept. Questions might ask you to define approval checks in a YAML file. You will need to know the syntax: for example, under the 'environments' section, you can specify 'approvals' and list approvers.

Another key point is the difference between 'pre-deployment approvals' and 'post-deployment approvals'. Pre-deployment approvals happen before the stage runs, meaning the pipeline waits before even starting the deployment. Post-deployment approvals happen after the stage completes, so the stage runs but the pipeline does not move to the next stage until approval is given. This is important for scenarios where you want to run a deployment and then have someone verify that the deployment is healthy before continuing.

Finally, the exam might ask about delegating approvals or using 'reassign' functionality. You should know that approvers can reassign the approval to another person if they are unavailable. This is a small but testable detail. Overall, the AZ-400 exam treats approval gates as a core control mechanism for safe releases, and you must be comfortable with configuration options, error handling, and integration with Azure DevOps features like environments and service connections.

Simple Meaning

Think of an approval gate like a security checkpoint at an airport. Before you board a plane, a security officer checks your ticket and ID. If everything is fine, you get a stamp and you can proceed to the gate. If something is wrong, you are stopped and sent back. In software development, an approval gate works the same way. When a new version of software is ready to be released, it must pass through a checkpoint where a human reviewer looks at it. The reviewer might check that all tests passed, that the new features work correctly, or that there are no security problems. If the reviewer says yes, the release continues and the software goes live. If the reviewer says no, the release stops and the team has to fix the issues.

Approval gates are especially important when a change could affect many users or cause serious problems. For example, if a bank wants to update its mobile app, a manager must approve the release to make sure customer accounts are safe. Without approval gates, software could be released automatically and accidentally break things. Approval gates also help teams follow rules and regulations, especially in industries like healthcare or finance where changes must be reviewed carefully.

In Azure DevOps, approval gates are part of the release pipeline. You can add them before or after certain stages, like before deploying to production. The pipeline pauses and sends an email notification to the approver or approvers. They can look at the release details, see what changed, and then approve or reject. If they reject, the pipeline stops and the team is notified. Sometimes you need multiple people to approve before the release can continue. This is called multi-approval. It adds an extra layer of safety.

Approval gates are not just for managers. Developers, testers, or security experts can be approvers too. The goal is to make sure the right people review the right changes at the right time. This way, teams can catch mistakes early and avoid big problems in production. Approval gates also create an audit trail, so you always know who approved what and when. This is helpful for compliance and for understanding why a change was made.

Full Technical Definition

An approval gate in Azure DevOps is a pre-deployment or post-deployment condition that halts the execution of a release pipeline stage until one or more designated approvers explicitly approve or reject the deployment. It is part of Azure Pipelines, which is the continuous integration and continuous delivery (CI/CD) service in Azure DevOps. The approval gate is defined in the release pipeline under the Pre-deployment conditions or Post-deployment conditions of a stage. When a release reaches that stage, the pipeline checks the approval gate conditions. If approvals are required, the pipeline status changes to 'Pending approval' and waits indefinitely (or until a timeout) for a response.

Technically, the approval gate is a user-defined condition that ties into Azure DevOps identity management. Approvers can be individual users, Azure DevOps groups, or security groups. When a pipeline triggers, Azure DevOps sends an email notification to each approver with a link to the release summary page where they can review the details and take action. The approver sees a dialog that shows the release name, the stage, any linked work items, and the artifacts being deployed. They can also view the changes made to the code or configuration. They then choose Approve, Reject, or Reassign (if they are not the right person). If the approver rejects, they must provide a reason, which is logged in the release history.

Under the hood, Azure DevOps uses a polling mechanism to check the status of approvals. The approval gate does not interact with any external protocol; it is entirely handled within the Azure DevOps service. However, the approval gate can be extended using REST APIs to integrate with external systems. For example, you could build a custom web service that listens for approval events and automatically approves if certain conditions are met, though this bypasses the human review purpose. Microsoft also offers Azure Pipelines approvals and checks as part of the broader Azure DevOps security and governance model.

The approval gate can be configured with multiple approvers who all must approve (required) or any one of them can approve (optional). You can also set a timeout period after which the approval is automatically rejected or kept pending. The gate can be applied to specific stages, such as QA, staging, or production. In a typical implementation, organizations use approval gates for production deployments to ensure that only authorized personnel can push changes to the live environment. The audit trail records every approval action, including timestamp, approver identity, and any comments. This satisfies regulatory requirements like SOC 2 or HIPAA that mandate change control and separation of duties.

approval gates can be combined with other gates like quality checks or manual intervention steps. For example, a release might require both a successful automated test run and a human approval before deploying. Azure DevOps also supports 'approval and gates' that can run Azure Functions or other checks before the human approval, but that is considered a different gate type. In the context of the AZ-400 exam, you need to understand how to configure approvals in release pipelines, how to manage approver groups, and how to handle approval failure scenarios.

Real-Life Example

Imagine you are working in a busy restaurant kitchen. The head chef prepares a new special dish for the evening menu. Before that dish is served to customers, it must be tasted and approved by the restaurant manager. The manager checks the flavor, presentation, and consistency. If the dish is perfect, the manager nods and the plates go out. If something is wrong, say the sauce is too salty, the manager sends it back to the chef to fix. This tasting and approval step is exactly like an approval gate in software development.

Now extend the analogy. The restaurant has different stations: appetizers, main courses, desserts. Each station has its own chef. Before a dish leaves the appetizer station, the head chef might approve it. Then before it goes to the main course station, another approval might be needed. This is like having multiple approval gates at different stages of a release pipeline. In software, you might have an approval gate before deploying to a testing environment, and another one before deploying to production.

The manager's approval is not automatic. The chef cannot just skip it and send the dish out. The restaurant policy requires that every new dish go through this checkpoint. This is the same as enforcing a policy in your DevOps pipeline that no production release can happen without a human sign-off. If the manager is busy or on break, the dish waits. That is like a pipeline waiting for an approver. If the manager is unavailable for too long, the dish might be taken off the specials board. In Azure DevOps, you can set a timeout that will automatically reject the release if no one approves in time.

Also, sometimes the manager needs a second opinion. In the restaurant, two managers might need to taste and approve a dish that is very complex or risky. This is like a multi-approval gate where two people must say yes before the release continues. And just like the restaurant keeps a log of who approved which dish, Azure DevOps logs every approval decision so you can trace back any issues later. This analogy shows why approval gates exist: to prevent mistakes, ensure quality, and keep control over what goes into the live environment.

Why This Term Matters

In real IT environments, software releases happen frequently, sometimes multiple times a day. Without a safety check, a small bug can affect thousands or millions of users. Approval gates act as that safety check. They force a human to look at the release before it goes live, which catches issues that automated tests might miss. For example, a developer might accidentally merge a feature that breaks the user interface. Automated tests might not catch every visual problem. An approver can quickly see that the new buttons look wrong and reject the release.

Approval gates are also critical for compliance. Many industries require that any change to production systems be reviewed and approved by a manager or a change advisory board (CAB). Azure DevOps approval gates provide an automatic way to enforce this policy. Instead of sending emails back and forth, the pipeline itself stops and waits for approval. The audit trail proves that the change was reviewed and approved, which is essential for audits. This reduces the manual overhead of change management and makes the process faster and more reliable.

Another reason approval gates matter is that they help manage risk. If you are deploying a major update or a security fix, you want a senior engineer to verify that the deploy is safe. You might also want a product owner to confirm the feature is correct. Approval gates let you set up these checks without slowing down the whole pipeline. The pipeline only stops at the stage that needs approval, while earlier stages run automatically. This balances speed and safety.

Finally, approval gates improve team collaboration. They create a moment where someone other than the developer reviews the change. This is like a mini code review for the deployment. The approver can leave comments, ask questions, or suggest improvements. This helps spread knowledge about the release across the team and reduces the chance of one person making a mistake alone. Approval gates are not just a checkbox in a pipeline – they are a practical tool for quality, compliance, risk management, and teamwork.

How It Appears in Exam Questions

In the AZ-400 exam, approval gate questions appear in several forms. The most common is scenario-based, where a company has a specific requirement and you must choose the correct configuration. For example, a question might describe: 'Your organization has a release pipeline that deploys to staging and then production. You need to ensure that the production deployment only occurs after a senior developer reviews the changes. Which strategy should you use?' The options might include adding a pre-deployment approval gate on the production stage, adding a post-deployment approval on the staging stage, or using a manual intervention task. The correct answer is the pre-deployment approval gate on the production stage.

Another type of question is about approving multiple releases or batch approvals. You might be asked: 'An approver is on vacation and cannot approve pending releases. What should the team do?' Options include increasing the timeout, reassigning the approval to someone else, or bypassing the approval. The correct answer is to reassign the approval to another approver who is available.

There are also configuration questions where you must set up an approval gate in a YAML pipeline. The question might give you a YAML snippet with a missing field, and you need to choose the correct syntax to add an approval check. For example: 'You need to add an approval gate that requires sign-off from the DevOps team before deploying to production. Which code should you add to the YAML file?' The correct answer would include the 'approvals' block under the 'environment' definition.

Troubleshooting questions are also common. A scenario might describe a release that is stuck with a 'pending approval' status, and the approver claims they never received the notification. You would need to check the notification settings, ensure the approver's email is correct, or verify that the approval is not assigned to a group with no members. The exam also tests whether you understand that the pipeline will wait indefinitely unless a timeout is set.

Finally, there are questions about combining approval gates with other gates. For instance, a question might ask: 'You want a release to only continue if the build quality gate passes and a manager approves. How should you configure the pipeline?' The answer is to include both a quality gate (like a build validation) and a pre-deployment approval gate on the same stage. Both conditions must be satisfied for the pipeline to proceed.

approval gate questions in the exam are practical and focus on real-world configuration, failure handling, and integration with other pipeline features. You must know the UI options in classic release pipelines and the YAML syntax for environments.

Study AZ-400

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are a DevOps engineer for a company called SafePay, which processes online payments. SafePay has a release pipeline that deploys a new version of the payment API to a staging environment automatically. But for production, the company policy says a security engineer must review and approve every deployment because even a small bug could cause financial loss or data leaks.

You open the release pipeline in Azure DevOps and navigate to the production stage. Under 'Pre-deployment conditions', you enable 'Approvals'. You add the security engineer, Alice, as the approver. You also set a timeout of 2 hours, so if Alice does not approve within 2 hours, the release is automatically rejected to avoid security issues.

A developer updates the API to fix a minor logging issue. The pipeline runs, deploys to staging, and all automated tests pass. The pipeline then reaches the production stage and pauses, showing 'Pending approval' to Alice. Alice gets an email with a link to the release. She logs in and sees that the change is only a logging fix, low risk. She clicks 'Approve' and adds a comment: 'Approved for production. Minor logging fix only.' The pipeline continues and deploys to production successfully.

Three weeks later, a developer submits a larger change that modifies the payment authorization logic. Again, the pipeline reaches the production stage and waits for Alice's approval. Alice reviews the change and notices that the new logic might not handle currency conversions correctly in some cases. She clicks 'Reject' and writes a reason: 'Potential currency conversion bug. Need more testing.' The pipeline stops, and the developer is notified. They fix the logic, add more tests, and run the pipeline again. This time Alice approves, and the release goes live safely.

This scenario shows how an approval gate prevents a risky release from reaching production. It also demonstrates the audit trail – both Alice's approval and rejection are logged with time and reason. The company can prove to auditors that every production change is reviewed by a security expert. Without the approval gate, the buggy currency conversion could have caused thousands of dollars in financial errors.

Common Mistakes

Setting an approval gate but not assigning any approvers.

If no approvers are assigned, the pipeline may wait forever because no one can approve or reject it. The release becomes stuck.

Always assign at least one individual user or a security group with members when you enable an approval gate.

Using post-deployment approval when you need pre-deployment approval.

Post-deployment approval happens after the stage runs, so the deployment occurs without review. This defeats the purpose of gating the deployment.

Use pre-deployment approval if you want to stop the deployment from happening until someone says yes.

Setting a very short timeout that causes legitimate releases to be automatically rejected.

If the approver is in a meeting or away from their computer, the release might time out and fail even though the change is safe. This causes unnecessary delays and re-runs.

Set a reasonable timeout, like 4 to 8 hours, or leave it unset if the team is large and someone can approve quickly.

Adding the same person as the only approver for every stage, including QA and production.

This creates a bottleneck. If that person is busy, all releases are stuck. It also defeats separation of duties – the same person should not approve both internal test and production releases.

Use different approvers for different stages. For example, a QA lead for staging and a release manager for production.

Forgetting that approvals are case-sensitive in YAML definitions.

If you type 'Approvals' with a capital A but the correct syntax uses 'approvals' in lowercase, the pipeline might ignore the gate or throw an error.

Always verify the exact keyword casing in YAML documentation. For Microsoft, use lowercase: 'approvals'.

Exam Trap — Don't Get Fooled

{"trap":"On the exam, a scenario might describe a release that is stuck on 'pending approval' because the approver forgot to check their email. The question asks what you should do to allow the release to proceed. A tempting wrong answer is to 'increase the timeout' or 'disable the approval gate'."

,"why_learners_choose_it":"Learners might think increasing the timeout will give the approver more time to notice the email. Or they think disabling the gate is a quick fix. But in a real production environment, you should not just increase timeout indefinitely, and disabling the gate bypasses the security control."

,"how_to_avoid_it":"The correct approach is to contact the approver directly or reassign the approval to another available approver. In Azure DevOps, you can reassign the approval through the release interface. The exam expects you to know that you can reassign, not that you should change the timeout or remove the gate."

Step-by-Step Breakdown

1

Create or open a release pipeline

In Azure DevOps, you start by creating a release pipeline or editing an existing one. This defines the stages (like Dev, Test, Prod) and the artifacts to deploy.

2

Select the stage where you want the approval gate

Click on the stage (e.g., Production). This opens the stage configuration panel. You can choose Pre-deployment conditions or Post-deployment conditions depending on when you want the approval to occur.

3

Enable the approval gate

Under the chosen conditions, toggle 'Approvals' to On. This tells Azure DevOps to pause the pipeline at this stage and wait for approval before proceeding.

4

Add approver(s)

In the approvers list, add the user, group, or Azure DevOps security group that will be responsible for approving the release. You can add multiple approvers and choose whether all must approve ('Required') or any one can approve ('Optional').

5

Set timeout and other options

Configure the timeout for the approval. If the approvers do not respond within the timeout, the pipeline either fails (if 'Reject on timeout' is checked) or remains pending. You can also add instructions for the approver, like 'Check the test results before approving'.

6

Save and create a release

After configuration, save the pipeline. When a new release is triggered, the pipeline will run through earlier stages and then pause at the stage with the approval gate. Approvers will receive email notifications with a link to the release.

7

Approve or reject

The approver clicks the link, reviews the release details, and decides. They can also reassign if needed. If approved, the pipeline continues. If rejected, the pipeline stops and the team is notified.

Practical Mini-Lesson

In practice, setting up an approval gate in Azure DevOps is straightforward, but professionals need to understand the broader context of how approvals fit into a secure and compliant release process. First, you must decide which stages require human approval. Typically, production or customer-facing environments need approvals, while internal test environments might not. You should also consider using groups instead of individual users for approvers. Using a group, like 'Production Approvers', makes it easier to manage who can approve without editing the pipeline. When a team member leaves, you just update the group membership.

One important detail is that approval gates can be combined with other pipeline features like 'multiple approvers' and 'reassignment'. If you have multiple approvers and set them all as 'Required', every one of them must approve before the pipeline continues. This is useful for high-security deployments where two senior people must sign off. However, this can also slow down releases if some approvers are slow to respond. The 'Reassign' option allows an approver to delegate their approval to someone else, which prevents delays.

Another practical consideration is how approval gates interact with the release pipeline's other conditions, like deployment queue settings. If you have a deployment queue that blocks multiple releases from deploying at the same time, the approval gate still works as expected – each release will wait in the queue and then pause for approval independently. Also, note that approvals are part of the release's history. If a release is rejected, you cannot just resume it later. You must create a new release with the fixes. This is a common point of confusion – a rejected release is not like a paused video that you can restart; it is a dead end.

What can go wrong? The most common problem is that the approver does not receive the email notification. This can happen if the email address in Azure DevOps is incorrect, or if the email is marked as spam. To mitigate this, you can also check the 'Pending approvals' view in Azure DevOps under the Pipelines tab. Approvers can see all pending approvals there, even without an email. Another issue is that the approval gate times out too quickly. If your team works across different time zones, a 4-hour timeout might not be enough. Set a longer timeout or use 'No timeout' for critical releases.

Finally, for professionals preparing for the AZ-400 exam, practice configuring approval gates in a lab environment. Create a release pipeline with two stages, add a pre-deployment approval on the second stage, and then trigger a release. Observe how the pipeline pauses, check the email notification, and practice approving and rejecting. Also, test what happens when the timeout expires. This hands-on experience will solidify your understanding and help you answer exam questions more confidently.

Memory Tip

Think of an approval gate as a bouncer at a club – the release cannot get into production without the bouncer's OK.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

Can I have multiple approval gates in the same stage?

Yes, you can set both a pre-deployment approval and a post-deployment approval on the same stage. The pipeline waits for pre-deployment approval before starting, and then waits for post-deployment approval before moving to the next stage.

What happens if the approver is on leave and the approval times out?

If you have 'Reject on timeout' enabled, the release will be marked as failed. You will need to create a new release and assign a different approver or have someone reassign the approval before the timeout.

Can I use Azure AD groups as approvers?

Yes, you can add Azure Active Directory groups as approvers. However, note that only members of the group who have access to Azure DevOps will receive the approval request.

Is there a way to automatically approve low-risk releases?

Not natively, but you can use Azure DevOps REST APIs to automate approval based on custom logic. However, this defeats the purpose of human oversight and should be used with caution.

Can I set up approval gates in YAML pipelines?

Yes, in YAML pipelines you define environments that can have approval checks. You specify the approvers in the YAML file under the 'environments' section.

What is the difference between 'Approvals' and 'Checks' in Azure Pipelines?

Approvals are manual reviews by people. Checks are automated validations like seeing if the target resource is healthy. Both can block a deployment, but approvals require a person to click approve.

Summary

An approval gate in Azure DevOps is a manual checkpoint that stops a release pipeline until a designated person or group gives the go-ahead. It is a critical tool for ensuring that changes are reviewed before they reach production, which helps prevent bugs, security issues, and compliance violations. Approval gates are simple to set up – you enable them on a stage, assign approvers, and optionally set a timeout. They are a core topic for the AZ-400 exam, where you must understand how to configure them in both classic release pipelines and YAML-based pipelines.

The real-world value of approval gates is immense. They provide a clear audit trail, enforce separation of duties, and reduce the risk of human error during deployment. By requiring a second pair of eyes, teams can catch problems that automated tests might miss. Approval gates also align with industry regulations and change management policies, making them essential for enterprises in finance, healthcare, and other regulated sectors.

For exam takers, the key takeaway is to practice setting up approval gates in a lab. Know the difference between pre and post deployment approvals, understand how multi-approver works, and be able to troubleshoot why a release is stuck. Avoid common mistakes like assigning no approvers or using the wrong type of gate. Remember that approval gates stop the pipeline and require a human decision – they are not automated checks. With this understanding, you will be well-prepared for AZ-400 questions and for real-world DevOps work.