Microsoft Azure DevOps Engineer Expert AZ-400 (AZ-400) — Questions 901-913

913 questions total · 13 pages · All types, answers revealed

Page 13 of 13

901
MCQ · hard

Your team uses Azure Pipelines to deploy a multi-tier application to Azure. The application consists of a web frontend, an API backend, and a database. You need to deploy the database schema changes using a DACPAC file. The deployment should be idempotent and support rollback. You must use the Azure SQL Database deployment task. What should you do?

A. Use the 'Azure SQL Database deployment' task with the 'Deploy' action, specifying the DACPAC file and setting the 'Additional Arguments' to include 'p:BlockOnPossibleDataLoss=False' for safety.
B. Use the 'Azure SQL Database deployment' task with the 'Query' action to run schema changes.
C. Use a 'PowerShell' task to run 'SqlPackage.exe' with the DACPAC file.
D. Use the 'Azure SQL Database deployment' task with the 'Run SQL Script' action, and execute the schema changes as SQL scripts.
Answer: A

This deploys the DACPAC incrementally and allows rollback by redeploying the previous version.

Why this answer

Option A is correct: The 'Azure SQL Database deployment' task supports incremental deployment from a DACPAC and allows rollback via additional steps. Option B is incorrect because SQL scripts do not provide the same level of idempotency as DACPAC. Option C is incorrect because executing the DACPAC manually is not automated.

Option D is incorrect because the task does support DACPAC deployment.

902
MCQ · hard

Your Azure DevOps pipeline deploys to multiple environments. You want to require manual approval before production deployment, but only if the deployment originated from a branch other than 'main'. How can you implement this?

A. Set a pre-deployment approval on the production environment
B. Configure a deployment group with approval gates
C. Use a branch policy that requires approval for non-main branches
D. Add a manual validation task with a condition: eq(variables['Build.SourceBranch'], 'refs/heads/main')
Answer: D

The condition can skip the approval when the branch is main.

Why this answer

Option D is correct because the manual validation task with a condition `eq(variables['Build.SourceBranch'], 'refs/heads/main')` will only pause the pipeline for manual approval when the source branch is NOT main (the condition evaluates to false for non-main branches, triggering the approval). This directly implements the requirement: approval is required only for deployments originating from branches other than 'main'.

Exam trap

The trap here is that candidates confuse pre-deployment approvals (which are environment-level and unconditional) with conditional task-level approvals, and they overlook that the condition must be written to trigger the manual validation only when the branch is NOT main, not when it is main.

How to eliminate wrong answers

Option A is wrong because a pre-deployment approval on the production environment applies to ALL deployments to that environment, regardless of the source branch, and cannot be conditionally applied based on branch. Option B is wrong because deployment group approval gates are used for controlling deployments to physical or virtual machines in a deployment group, not for conditional branch-based approvals in multi-environment pipelines. Option C is wrong because branch policies apply to pull requests and code changes in the repository, not to pipeline deployment approvals; they cannot gate a release pipeline's deployment step.

903
MCQ · easy

You need to ensure that only approved users can deploy to production from Azure Pipelines. What should you implement?

A. Pipeline approval gates
B. Microsoft Entra ID Conditional Access policies
C. Environment checks with required approvers
D. Branch protection rules in GitHub
Answer: C

Azure Pipelines environments support approval checks that require designated approvers to approve a deployment.

Why this answer

Option D is correct because Azure Pipelines approval gates allow requiring manual approval before deployment. Option A is wrong because branch policies control code changes, not deployments. Option B is wrong because environment checks can include approvals but are not the primary mechanism.

Option C is wrong because Microsoft Entra ID provides authentication but not approval workflows.

904
MCQ · hard

You are analyzing Azure DevOps audit logs with a KQL query. What is the purpose of this query?

A. List the top 5 most active users in Azure DevOps
B. Display detailed audit records of project creation with timestamps
C. Identify users who created projects and have admin role
D. Find the top 5 users who created the most projects in the last 30 days
Answer: D

The query counts successful project creations per user and returns top 5.

Why this answer

Option C is correct because the query filters for successful project creation events, groups by actor, and returns the top 5 users by count. Option A is wrong because it does not filter by role. Option B is wrong because it only counts project creation, not all operations.

Option D is wrong because it does not show creation time details.

905
Multi-Select · medium

Which TWO are benefits of using deployment groups in Azure Pipelines compared to using individual virtual machines?

Select 2 answers
A. Built-in secrets management for connection strings.
B. Reduced cost because VMs are shut down when not in use.
C. Automatic scaling of virtual machines based on load.
D. Simplified targeting of multiple machines with a single pipeline run.
E. Rolling deployment support with health checks.
Answers: D, E

Deployment groups group machines together for parallel deployment.

Why this answer

Deployment groups allow you to target multiple machines with a single pipeline run and manage rolling updates. They do not directly improve security or reduce cost by themselves.

906
MCQ · hard

You are a DevOps engineer for a financial services company with strict regulatory compliance requirements (e.g., PCI-DSS, SOX). The company uses Azure DevOps for CI/CD and manages multiple projects. Each project has its own set of service connections, variable groups, and agent pools. The security team recently audited the environment and found that several service connections have been granted Contributor rights at the subscription level, and some variable groups are accessible by all pipelines across all projects. Additionally, audit logs show that a former employee's service principal still has active service connections in two projects. You need to implement a security and compliance plan to address these issues. Which approach should you take?

A. Conduct a manual audit of all service connections and variable groups every quarter, and revoke any permissions that are not needed. Disable service connections associated with the former employee.
B. Immediately delete all service connections associated with the former employee and recreate them using service principals with the least privilege. Then, update all pipelines to use the new connections.
C. Restrict all service connections to use resource-group level scoped permissions instead of subscription-level. For variable groups, set them to be accessible only to specific pipelines.
D. Implement Azure Policy to enforce that service connections cannot have subscription-level Contributor role; instead, require specific resource group roles. Use Azure AD access reviews to automatically remove stale service principals. Use pipeline decorators to enforce branch policy and approval checks on variable groups that contain secrets.
Answer: D

Azure Policy enforces least privilege automatically, access reviews remove stale principals, and pipeline decorators ensure compliance for variable groups.

Why this answer

Option D is correct because it provides a comprehensive, automated, and scalable approach to enforcing least privilege and compliance. Azure Policy can audit and enforce that service connections are scoped to resource groups rather than subscriptions, preventing over-permissioned Contributor access. Azure AD access reviews automate the detection and removal of stale service principals, addressing the former employee issue without manual effort.

Pipeline decorators enforce mandatory approval checks and branch policies on variable groups containing secrets, ensuring that sensitive variables are not accessible to all pipelines across projects.

Exam trap

The trap here is that candidates often choose a manual or reactive approach (like Option A or B) because they focus on the immediate fix for the former employee, overlooking the need for automated, continuous enforcement that Azure Policy, access reviews, and pipeline decorators provide for long-term compliance.

How to eliminate wrong answers

Option A is wrong because a manual quarterly audit is reactive, error-prone, and does not scale across multiple projects; it fails to meet the strict regulatory compliance requirements that demand continuous enforcement. Option B is wrong because immediately deleting all service connections associated with the former employee could break running pipelines and does not address the root cause of over-permissioned service connections or variable group accessibility; it also lacks automation for ongoing compliance. Option C is wrong because restricting service connections to resource-group level scopes is a partial fix that does not enforce the change across existing connections, and setting variable groups to be accessible only to specific pipelines is a manual configuration that does not prevent future misconfigurations or provide audit trails.

907
MCQ · easy

You need to automatically create a work item in Azure Boards when a GitHub issue is opened. What is the most efficient way to achieve this?

A. Install the GitHub + Azure Boards integration
B. Create a GitHub Action that calls Azure DevOps REST API
C. Use Azure Pipelines with a GitHub trigger
D. Configure a webhook in GitHub to Azure DevOps
Answer: A

This integration automatically creates work items from GitHub issues.

Why this answer

Option D is correct because the GitHub + Azure Boards integration provides automatic syncing. Option A is wrong because a GitHub Action would require custom code. Option B is wrong because a webhook is manual setup.

Option C is wrong because Azure Pipelines is not needed.

908
Multi-Select · hard

Which THREE components are required to set up a self-hosted agent pool in Azure Pipelines?

Select 3 answers
A. The agent software installed on the target machine
B. A deployment group target
C. The agent pool name and URL of the Azure DevOps organization
D. Azure VM extension for Azure Pipelines Agent
E. A personal access token (PAT) for authentication
Answers: A, C, E

The agent software is essential for the self-hosted agent.

Why this answer

Option A is correct because the self-hosted agent requires the Azure Pipelines agent software to be installed on the target machine. This software, which includes the agent listener and worker processes, is what registers the machine with the agent pool and executes pipeline jobs. Without the agent software, the machine cannot communicate with Azure Pipelines or run any tasks.

Exam trap

The trap here is that candidates often confuse the Azure VM extension (a convenience tool) with a mandatory requirement, or they mistakenly think a deployment group target is needed for agent pools, when in fact deployment groups are for targeting specific machines in a release context, not for agent registration.

909
MCQ · medium

You are using Microsoft Defender for Cloud to secure Azure Pipelines. You need to receive alerts when a pipeline run uses a service principal with excessive permissions. Which feature should you enable?

A. Enable Azure DevOps audit logs and review them manually.
B. Create an Azure Policy to deny over-privileged service principals.
C. Enable Microsoft Defender for Cloud's identity and access monitoring.
D. Configure Microsoft Entra ID Conditional Access policies.
Answer: C

This provides alerts on risky permissions and usage.

Why this answer

Option B is correct because Defender for Cloud's identity and access monitoring can alert on over-privileged service principals used in pipelines. Option A is wrong because audit logs alone do not generate alerts. Option C is wrong because conditional access policies are for user sign-ins, not service principals in pipelines.

Option D is wrong because Azure Policy does not generate real-time alerts for pipeline runs.

910
MCQ · easy

Your team uses GitHub Actions for CI/CD. You need to ensure that secrets are not exposed in build logs. What should you use?

A. Hardcoded values in the workflow YAML
B. Environment variables in the workflow
C. GitHub Secrets
D. Artifact storage
Answer: C

Secrets are encrypted and masked in logs.

Why this answer

GitHub Actions encrypts secrets and masks them in logs. Option B is wrong because environment variables can be printed. Option C is wrong because workflow files are public.

Option D is wrong because artifact upload does not mask secrets.

911
MCQ · medium

A company uses Azure DevOps for CI/CD. They have a multi-stage YAML pipeline that builds a Java application, runs unit tests, and deploys to a test environment. The test environment uses an Azure SQL Database. The pipeline currently runs successfully but the team notices that the test database schema is not always up-to-date. They want to apply database migrations automatically as part of the pipeline. Which tool or task should they integrate?

A. Use the Azure SQL Database deployment task to run a SQL script manually.
B. Use Azure SQL Database backup and restore to update the schema.
C. Add a PowerShell task that runs SQLCMD.
D. Integrate Flyway or similar database migration tool in the pipeline.
Answer: D

Flyway provides versioned migrations that can be automated in CI/CD.

Why this answer

Option D is correct because Flyway is a dedicated database migration tool that integrates seamlessly with Azure DevOps pipelines, allowing you to version-control and apply schema changes automatically. Unlike ad-hoc scripts, Flyway tracks which migrations have been applied, ensuring the test database schema is always up-to-date without manual intervention.

Exam trap

The trap here is that candidates may think any SQL execution task (like SQLCMD or the Azure SQL task) is sufficient for schema updates, overlooking the critical need for version control, state tracking, and repeatability that dedicated migration tools provide.

How to eliminate wrong answers

Option A is wrong because the Azure SQL Database deployment task is designed for deploying a DACPAC or running a single SQL script, but it does not provide versioning or incremental migration tracking, so it cannot reliably keep the schema up-to-date across multiple changes. Option B is wrong because backup and restore is a data recovery operation, not a schema migration strategy; it would overwrite the entire database rather than applying incremental schema changes. Option C is wrong because a PowerShell task running SQLCMD can execute arbitrary SQL scripts, but it lacks migration state management, rollback capabilities, and version control, making it error-prone and non-repeatable for continuous schema updates.

912
Multi-Select · medium

Your release pipeline deploys a web app to Azure App Service. You need to implement safe deployment practices that minimize downtime and enable quick rollback. Which THREE strategies should you recommend?

Select 3 answers
A. Deploy to a staging slot first, validate, then swap.
B. Use rolling deployment with manual step to approve each instance.
C. Deploy directly to the production slot.
D. Configure monitoring and alerts to trigger automatic rollback if error rate increases.
E. Use deployment slots with swap and auto-swap.
Answers: A, D, E

Staging slot allows testing before production.

Why this answer

Option A is correct because slot swapping allows zero-downtime deployment. Option C is correct because deployment slots enable testing before swapping. Option E is correct because monitoring alerts trigger automatic rollback.

Options B and D are not safe deployment practices.

913
MCQ · medium

Your company uses Microsoft Teams for collaboration. You want to send notifications to a Teams channel whenever a build pipeline in Azure Pipelines fails. Which approach should you use?

A. Configure an email subscription in Azure DevOps to send alerts to the Teams channel email address.
B. Set up a webhook in Azure DevOps to post to the Teams channel's incoming webhook URL.
C. Install the Azure Pipelines app for Microsoft Teams and subscribe the channel to pipeline notifications.
D. Use the 'Post to a Microsoft Teams channel' task in the pipeline.
Answer: C

The app provides easy integration with Teams.

Why this answer

Option C is correct because the Azure Pipelines app for Microsoft Teams provides built-in integration to subscribe to pipeline events and send notifications to channels. Option A is incorrect because email subscriptions are separate. Option B is incorrect because webhooks require custom configuration.

Option D is incorrect because the Teams connector is deprecated in favor of the app.
