CCNA Design and implement build and release pipelines Questions

75 of 461 questions · Page 6/7 · Design and implement build and release pipelines · Answers revealed

376
MCQ · hard

You need to implement a strategy to manage secrets for your multi-stage YAML pipeline. The pipeline runs on Microsoft-hosted agents. Which approach should you use to securely pass secrets to pipeline tasks?

A. Define the secrets as environment variables in the pipeline YAML directly.
B. Use the Azure Key Vault task to download secrets and then pass them as parameters.
C. Use pipeline variables with 'secret: true' and reference them as $(variableName).
D. Store secrets in a file in the repository and read it during the build.
Answer: C

Secret variables are encrypted and masked in logs.

Why this answer

Option D is correct because using variables with 'secret: true' in the YAML pipeline and referencing them as $(variableName) is the recommended way. Option A is wrong because environment variables are not secure in YAML. Option B is wrong because hardcoding is insecure.

Option C is wrong because Azure Key Vault task should be used to fetch secrets into variables.

377
Multi-Select · hard

Which THREE factors should you consider when designing a strategy for managing secrets in Azure Pipelines? (Choose three.)

Select 3 answers
A. Hardcode secrets in the pipeline YAML for simplicity.
B. Store secrets as plain text variables in YAML pipelines.
C. Use Azure Key Vault to store secrets.
D. Use a library variable group linked to Azure Key Vault.
E. Reference secrets as secret variables in pipeline tasks.
Answers: C, D, E

Key Vault is the recommended service for storing secrets.

Why this answer

Options A, C, and E are correct. Secrets should be stored in Azure Key Vault, retrieved using library variable groups linked to Key Vault, and referenced as secret variables. Option B is incorrect because variables in YAML are visible in logs.

Option D is incorrect because hardcoding secrets is insecure.

378
MCQ · hard

The exhibit shows a parameters file for an ARM template deployment. During a release pipeline, the deployment fails with the error 'The provided value for the template parameter 'sku' is not valid'. The ARM template defines the 'sku' parameter as an allowed value set of ['F1', 'D1', 'B1', 'S1']. What could be the issue?

A. The parameter file contains an extra space or hidden character in the 'sku' value.
B. The parameter file is missing the '$schema' property.
C. The 'sku' parameter is defined in the 'variables' section instead of 'parameters'.
D. The ARM template expects a different API version for the resource.
Answer: A

Even though 'S1' appears correct, hidden characters can cause the value to not match the allowed values.

Why this answer

Option A is correct because the error indicates that the provided value 'S1' is not in the allowed values, but the exhibit shows 'S1', which should be valid. However, the error could occur if the parameter file has a typo or extra whitespace that makes it invalid. Option B is wrong because the parameter file is properly formatted.

Option C is wrong because the schema version is correct. Option D is wrong because the parameter file does not include 'sku' in the wrong section.

379
MCQ · medium

What is the most likely cause of this error?

A. The variable group is not linked to the Key Vault
B. The service connection does not have 'Get' permission on the Key Vault
C. The secret name in Key Vault does not match 'myKeyVaultSecret'
D. Pipeline variables cannot reference Key Vault secrets
Answer: C

The secret name must match exactly.

Why this answer

Option D is correct because the secret name in Key Vault must match exactly. Option A is wrong because the variable group is linked. Option B is wrong because missing permissions would give a different error.

Option C is wrong because variable groups are supported.

380
MCQ · hard

Refer to the exhibit. Your team uses a classic build pipeline. You notice that test assemblies are not being found during the Test phase. Which change resolves the issue?

A. Change testSelector to 'testMethod'
B. Use fully qualified paths in testAssemblyVer2
C. Add buildConfiguration: 'Release' to the DotNetCoreCLI task
D. Set searchFolder to $(Build.BinariesDirectory)
Answer: D

Test DLLs are in the build output folder.

Why this answer

The VSTest task searches for test DLLs in the source folder, but the build output goes to a subfolder like $(Build.BinariesDirectory). Setting searchFolder to the correct output path allows discovery. Option B is wrong because using full paths is not necessary if searchFolder is correct.

Option C is wrong because buildConfiguration is already set correctly. Option D is wrong because the issue is not about failing tests but finding them.

381
MCQ · hard

You are designing a release pipeline for a critical production application. The pipeline must ensure that changes are deployed to a staging environment first, and if integration tests pass, they are automatically deployed to production. However, if the tests fail, the deployment to production must be blocked. What is the best approach?

A. Create a single stage in the pipeline with conditional tasks to deploy to staging and then to production based on test results.
B. Create a multi-stage YAML pipeline with a gate on the production stage that evaluates test results from the staging stage.
C. Create two separate pipelines: one for staging and one for production. Use a pipeline trigger to run the production pipeline after staging completes.
D. Use a classic release pipeline with pre-deployment approvals on the production stage.
Answer: B

Gates allow automated evaluation of conditions like test pass rate before promoting to the next stage.

Why this answer

A multi-stage YAML pipeline with a gate on the production stage that evaluates test results is the best approach because it allows for automated promotion with conditional logic. Option A is wrong because a single stage with conditional tasks doesn't separate environments properly. Option B is wrong because separate pipelines are harder to manage and coordinate.

Option D is wrong because manual approval defeats the requirement for automatic deployment.

382
MCQ · easy

You are configuring a continuous integration trigger in Azure Pipelines for a repository in Azure Repos. You want to trigger a build for all branches except the 'release' branch. How should you configure the trigger?

A. Set trigger: branches: include: - main
B. Set trigger: branches: include: - '*' exclude: - '*'
C. Set trigger: branches: include: - '*' exclude: - release
D. Set trigger: branches: exclude: - release
Answer: C

This includes all branches except release.

Why this answer

Option C is correct because using 'include' for all branches and 'exclude' for the release branch achieves the desired behavior. Option A is incorrect because it only includes main. Option B is incorrect because it excludes all branches.

Option D is incorrect because the syntax is invalid.

383
MCQ · hard

You are a DevOps engineer for a large e-commerce company. The development team uses GitHub for source control and GitHub Actions for CI/CD. The application is a microservices architecture with 15 services, each in its own repository. You need to implement a continuous delivery pipeline that builds and deploys each service to a Kubernetes cluster in Azure (AKS). The pipeline must meet the following requirements:

- Each service must have its own pipeline that triggers on pushes to the main branch.
- Deployment to AKS must use Helm charts.
- The pipeline must automatically increment the Helm chart version and update the deployment manifest in the repository.
- Security scanning must be performed on container images before deployment.
- The pipeline must support manual approval for production deployment.
- All secrets (e.g., AKS credentials, registry credentials) must be stored securely and not exposed in logs.

You need to design the workflow. What is the best course of action?

A. Use Azure Pipelines instead of GitHub Actions because it has better integration with AKS. Store secrets in Azure Key Vault and use variable groups.
B. Create a reusable workflow with OIDC authentication to Azure. Use Helm to deploy, increment chart version, and commit back. Use GitHub environments for approval gates. Integrate container scanning with Docker Scout or Trivy.
C. Create a workflow per service with direct deployment. Use kubectl commands to deploy. Store all secrets in a single GitHub secret. Skip security scanning to save time.
D. Create a single reusable workflow that each service calls. Use Azure CLI to deploy Helm charts. Store AKS credentials as GitHub secrets. Use a manual approval step via environment protection rules.
Answer: B

This meets all requirements: OIDC for secure auth, Helm for deployment, version bump, approval, and scanning.

Why this answer

Using GitHub Actions with OIDC to authenticate to Azure avoids storing long-lived secrets. Helm chart version bumping can be done with a script. The workflow uses environments for approval gates.

Container scanning using tools like Trivy can be added as a step.

384
MCQ · hard

Refer to the exhibit. You have a YAML pipeline with the above steps. The pipeline publishes a web app and deploys to Azure App Service. The deployment fails with error: 'Could not find the package in the specified path.' What is the most likely cause?

A. The package path is wrong; the zip file is in $(Build.ArtifactStagingDirectory).
B. The AzureWebApp task input 'appType' is incorrect.
C. The dotnet publish command did not generate a zip file.
D. The service connection 'MyServiceConnection' is not authorized.
Answer: A

Correct: DotNetCoreCLI publish outputs to $(Build.ArtifactStagingDirectory) by default.

Why this answer

Option C is correct because the publish step outputs the zip file to $(Build.ArtifactStagingDirectory), not $(System.DefaultWorkingDirectory). Option A is wrong because the AzureWebApp task is correct. Option B is wrong because the service connection would cause a different error.

Option D is wrong because the dotnet publish command produces a zip file when zipAfterPublish is true.

385
MCQ · hard

Refer to the exhibit. A build pipeline produces the above logs. Which change would resolve the build failure?

A. Change the build configuration from Release to Debug.
B. Add a definition for 'MyMethod' in the 'MyClass' class.
C. Remove the '--no-build' flag from the test step.
D. Add the '--no-restore' flag to the build step.
Answer: B

The error indicates that 'MyMethod' is missing from 'MyClass'. Adding the method definition resolves the compilation error.

Why this answer

The build fails with a CSC error CS0117 indicating that 'MyClass' does not contain a definition for 'MyMethod'. This is a compilation error. The 'dotnet test' step runs with '--no-build' which skips building and relies on the build output, but the build step fails, so the test step produces no results.

The fix is to correct the code in the source file to include the definition for 'MyMethod'.

386
MCQ · medium

Refer to the exhibit. You have a YAML pipeline that references a repository resource with a tag. When will this pipeline trigger?

A. When a new tag v1.0 is pushed to the referenced repository.
B. When changes are pushed to any branch of the referenced repository.
C. When changes are pushed to the main branch of the current repository.
D. The pipeline will never trigger because no trigger is defined.
Answer: C

The trigger defines main branch pushes.

Why this answer

The pipeline has a CI trigger on the main branch of the current repository. The repository resource specifies a tag, which is used for checkout in the pipeline, but the trigger is based on the source trigger (main branch). Option A is correct because the trigger is on main.

Option B is wrong because tags are not triggers. Option C is wrong because the trigger is not for the repository resource. Option D is wrong because there is a trigger defined.

387
MCQ · easy

Your Azure DevOps pipeline uses a YAML template that defines variables. You want to override a variable value when running the pipeline manually. What is the best approach?

A. Create a variable group and link it to the pipeline.
B. Edit the template YAML file to hardcode the desired value.
C. Use the 'Variables' tab in the pipeline run UI to set a new value for the variable.
D. Define a parameter in the template and pass the value via the 'Override' parameter in the pipeline.
Answer: C

Queue-time variables override template variables.

Why this answer

Option A is correct because Azure DevOps allows you to set pipeline variables at queue time, which override template variables. Option B is incorrect because it would require modifying the template. Option C is incorrect because variable groups are for shared variables, not for overriding.

Option D is incorrect because the 'Override' parameter is not a YAML template parameter.

388
MCQ · easy

Your organization uses Azure Pipelines for CI/CD. The current pipeline for a .NET Core application builds and runs unit tests, then deploys to a staging environment. The team wants to add a step to run integration tests against the staging environment after deployment, and only if integration tests pass, promote the build to production. The integration tests require a database connection string that is stored as a secret in Azure Key Vault. The pipeline uses a service principal with permissions to read secrets from the Key Vault. You need to modify the pipeline to meet these requirements while ensuring security best practices. Which action should you take?

A. Set the connection string as a secret variable in the pipeline UI and reference it in the integration test step.
B. Add an Azure Key Vault task before the integration test step to retrieve the secret and map it to a variable.
C. Add a variable group linked to the Key Vault and reference the secret variable directly in the integration test step.
D. Use a PowerShell script to read the secret from Key Vault using the service principal.
Answer: B

This is the recommended approach: use the Azure Key Vault task to fetch secrets securely and make them available as pipeline variables.

Why this answer

Option B is correct because the Azure Key Vault task securely retrieves the secret at pipeline runtime and maps it to a pipeline variable without exposing the secret in logs or YAML. This approach follows security best practices by avoiding hard-coded secrets and leveraging the existing service principal permissions. The integration test step can then reference the variable, ensuring the connection string is available only during execution.

Exam trap

The trap here is that candidates often confuse variable groups linked to Key Vault (which load secrets at queue time) with the Azure Key Vault task (which loads secrets at runtime), leading them to choose Option C despite the runtime retrieval requirement for integration tests that depend on the latest secret value.

How to eliminate wrong answers

Option A is wrong because setting the connection string as a secret variable in the pipeline UI still requires manual management and does not leverage Azure Key Vault, increasing the risk of secret exposure and violating the principle of centralized secret storage. Option C is wrong because a variable group linked to Key Vault retrieves secrets at queue time, not at runtime, which means the secret value is static for the entire pipeline run and cannot be updated dynamically if the Key Vault secret changes mid-run; also, variable groups do not support per-step scoping as securely as the Key Vault task. Option D is wrong because using a PowerShell script to read the secret from Key Vault introduces unnecessary complexity and potential security gaps (e.g., script errors might leak secrets in logs), whereas the dedicated Azure Key Vault task provides built-in logging suppression and seamless variable mapping.

389
Multi-Select · hard

Which THREE of the following are best practices for managing secrets in Azure Pipelines? (Select THREE.)

Select 3 answers
A. Hardcode secrets directly in the YAML file and use variable substitution at runtime.
B. Use Azure Key Vault to store secrets and link them to variable groups.
C. Enable 'Allow scripts to access the OAuth token' for all build pipelines.
D. Restrict access to variable groups by using pipeline permissions.
E. Map secret variables as environment variables with a mapping to prevent exposure in logs.
Answers: B, D, E

Key Vault provides secure storage and access control.

Why this answer

Options A, C, and E are correct. A: Using Azure Key Vault is a secure way to store secrets. C: Limiting variable group permissions ensures only authorized pipelines access secrets.

E: Using secret variables with $( ) in script tasks prevents exposure. B is incorrect because pipeline logs can inadvertently output secrets; it's better to avoid logging. D is incorrect because hardcoding secrets in YAML is a security risk.

390
MCQ · easy

You have a YAML pipeline that builds a .NET application. You need to ensure that the pipeline uses the .NET SDK version 6.0.x. Which task should you add to the pipeline?

A. UseDotNet@2
B. NuGetToolInstaller@1
C. DotNetCoreCLI@2
D. PowerShell@2
Answer: A

Why this answer

The UseDotNet@2 task is the correct choice because it explicitly installs a specific .NET SDK version (6.0.x) on the build agent, ensuring the pipeline uses the required SDK for building the .NET application. This task downloads and caches the SDK, making it available for subsequent tasks like DotNetCoreCLI@2.

Exam trap

The trap here is that candidates often confuse DotNetCoreCLI@2 (which runs .NET commands) with UseDotNet@2 (which installs the SDK), assuming the build task itself can set the SDK version, but DotNetCoreCLI@2 only uses whatever SDK is already available.

Why the other options are wrong

B

This installs NuGet, not the .NET SDK.

C

This runs .NET commands but does not install a specific SDK version.

D

PowerShell can install the SDK, but it's not the built-in task for this purpose.

391
MCQ · medium

Your organization uses Azure DevOps Server (on-premises) and is planning to migrate to Azure DevOps Services. You have hundreds of build and release pipelines. The migration must be done with minimal downtime and with validation that each pipeline works after migration. You have a test collection of 20 critical pipelines that must be validated first. What is the best approach?

A. Export all pipelines as JSON from the server and import them into Azure DevOps Services. Skip validation to save time.
B. Manually recreate the 20 critical pipelines in Azure DevOps Services and test them. Then recreate the rest manually.
C. Use the Azure DevOps Migration Tools to replicate the test pipelines to a new Azure DevOps Services organization. Validate, fix issues, then migrate the remaining pipelines in batches.
D. Perform an in-place upgrade of Azure DevOps Server to the latest version, then migrate to Azure DevOps Services using the Data Migration Tool.
Answer: C

This allows validation and incremental migration with minimal impact.

Why this answer

Using the Azure DevOps Migration Tools to perform a trial migration to a test organization allows you to validate and fix issues before migrating the full collection. Direct upgrade is not supported. Manual recreation is error-prone and does not keep downtime minimal.

Skipping validation risks breaking pipelines.

392
MCQ · medium

Refer to the exhibit. You have this Azure Pipelines YAML definition. The pipeline runs manually, but you want it to automatically trigger on every push to the main branch and also build pull requests targeting main. Which change should you make?

A. Remove the 'triggers' and 'pr' sections entirely.
B. Replace 'triggers: ["none"]' with 'triggers: ["main"]' and 'pr: ["none"]' with 'pr: ["main"]'.
C. Set 'triggers' to '["main"]' and 'pr' to '["none"]'.
D. Set 'triggers' to 'none' and 'pr' to 'none'.
Answer: B

This enables CI on push to main and PR triggers for PRs targeting main.

Why this answer

Option C is correct because removing the explicit 'triggers: none' and 'pr: none' enables the default triggers: CI on push to any branch and PR triggers on PRs to any branch. To limit to main branch, you need to specify triggers and pr properly. Option A is wrong because 'none' disables triggers.

Option B is wrong because setting both to 'none' disables triggers. Option D is wrong because setting triggers: none still disables CI, and pr: none disables PR triggers.

393
MCQ · easy

You run the above Azure CLI command to deploy a Bicep template. The deployment fails with 'The resource 'Microsoft.Storage/storageAccounts/mystgaccount' already exists'. What is the most likely cause?

A. The storage account 'mystgaccount' already exists in the resource group.
B. The command should use 'az deployment group validate' instead.
C. The Bicep file uses 'complete' mode.
D. The resource group 'MyRG' does not exist.
Answer: A

Azure deployment with 'create' mode fails if resource exists.

Why this answer

Option D is correct because the storage account already exists. Option A is wrong because the command uses 'create' which is correct. Option B is wrong because the error mentions 'already exists', not resource group.

Option C is wrong because 'create' mode fails if resource exists; 'incremental' would update.

394
MCQ · medium

You are designing a release pipeline for a microservices application. Each service must be deployed independently with zero downtime. Which deployment strategy should you recommend?

A. Rolling update
B. Feature flags
C. Canary release
D. Blue-green deployment
Answer: D

Blue-green maintains two full environments for instant switch.

Why this answer

Blue-green deployment allows switching traffic to the new version while keeping the old version running, enabling instant rollback. Option A is wrong because rolling update replaces instances gradually. Option B is wrong because canary releases route a subset of users.

Option D is wrong because feature flags enable toggling features at runtime.

395
MCQ · hard

You are designing a build pipeline that must run on Microsoft-hosted agents. The pipeline has a dependency on a native library that is not pre-installed. You want to minimize pipeline duration. Which approach should you use?

A. Use a container job with a custom Docker image that includes the library
B. Use a self-hosted agent with the library pre-installed
C. Add a script step to install the library using a package manager
D. Download the library from Azure Blob Storage in each build
Answer: B

Self-hosted agents skip installation.

Why this answer

Using a custom agent with the library pre-installed avoids repeated installation. Option A is wrong because inline scripts run each time. Option C is wrong because Docker requires pull and build each time.

Option D is wrong because downloading from storage is slow.

396
MCQ · easy

You have a YAML pipeline that builds a Docker image and pushes it to Azure Container Registry (ACR). You need to dynamically set the image tag based on the build number. Which predefined variable should you use?

A. $(System.JobId)
B. $(System.TeamProject)
C. $(Build.BuildNumber)
D. $(Build.BuildId)
Answer: D

Build.BuildId is a unique numeric ID that can be used as a tag.

Why this answer

Option A is correct because Build.BuildId is a unique identifier for each build run. Option B is wrong because Build.BuildNumber is customizable and may not be numeric. Option C is wrong because System.TeamProject is the project name.

Option D is wrong because System.JobId is a job-level ID.

397
MCQ · medium

Your team uses Azure Pipelines for CI/CD. You need to enforce that all builds sign the assemblies with a code signing certificate stored in Azure Key Vault. What is the recommended approach?

A. Store the certificate as a secure file in the pipeline library and use the 'Download Secure File' task.
B. Embed the certificate in the repository and use a script to sign.
C. Use the 'Azure Key Vault' task to download secrets and then a 'PowerShell' task to sign.
D. Use the 'Azure CLI' task to retrieve the certificate and then sign.
Answer: C

The Key Vault task downloads secrets (including certificates) and makes them available as pipeline variables.

Why this answer

Use a 'Download secrets' task to retrieve the certificate from Key Vault and then use a script to sign the assemblies.

398
MCQ · medium

You are designing a pipeline to build a .NET Core application. The build must run unit tests and publish code coverage results. Which task should you use to publish the code coverage results to Azure DevOps?

A. Use the 'PublishCodeCoverageResults@1' task.
B. Use the 'PublishTestResults@2' task.
C. Use the 'DotNetCoreCLI@2' task with the 'test' command.
D. Use the 'VSTest@2' task with the 'codeCoverageEnabled' option.
Answer: A

This task publishes code coverage reports.

Why this answer

Option D is correct because the 'PublishCodeCoverageResults@1' task publishes code coverage results to the pipeline. Option A is wrong because the 'DotNetCoreCLI@2' task can run tests but does not publish results. Option B is wrong because 'VSTest@2' is for Visual Studio tests.

Option C is wrong because 'PublishTestResults@2' publishes test results, not coverage.

399
MCQ · medium

Your company uses Azure DevOps for CI/CD. You have a build pipeline that compiles a C++ application and runs unit tests. The pipeline uses a Microsoft-hosted agent. The build takes approximately 45 minutes to complete. You want to reduce the build time. You notice that the pipeline downloads dependencies from a NuGet feed every time. You have a private NuGet feed in Azure Artifacts. The pipeline restores packages using 'nuget restore'. You want to cache the NuGet packages on the agent to avoid downloading them on every build. What should you do?

A. Use a self-hosted agent with persistent storage.
B. Use a hosted Azure Artifacts feed with upstream sources.
C. Increase the agent's compute resources by selecting a higher SKU.
D. Add a CacheBeta task before the restore step to cache the packages folder.
Answer: D

Caching the packages folder avoids re-downloading on subsequent builds.

Why this answer

Option B is correct because the CacheBeta task allows caching folders between builds, reducing download time. Option A is wrong because self-hosted agents might not be available or cost-effective. Option C is wrong because upgrading to a higher SKU of Microsoft-hosted agents does not affect package caching.

Option D is wrong because a hosted NuGet feed does not inherently cache packages locally.

400
MCQ · hard

Your organization uses GitHub Actions for CI/CD. You have a workflow that builds a .NET application and runs tests. The workflow uses a self-hosted runner on an on-premises Windows server. Recently, builds started failing with 'Access to the path is denied' errors when the runner tries to restore NuGet packages. The runner has been working for months. What is the most likely cause?

A. The runner's authentication token to GitHub has expired.
B. The runner service account's permissions have changed, and it no longer has write access to the working directory or cache.
C. The NuGet cache directory on the runner has been deleted.
D. The runner has been updated to a newer version that no longer supports NuGet restore.
Answer: B

Permission changes can cause access denied errors.

Why this answer

Option C is correct because the runner service runs under a specific account, and if that account's permissions changed (e.g., password reset, group membership changed), it may lose access to the NuGet cache directory. Option A is wrong because the runner doesn't need to authenticate to GitHub for NuGet restore. Option B is wrong because network issues would cause different errors.

Option D is wrong because the runner itself doesn't install NuGet packages; it uses dotnet restore.

401
MCQ · easy

Your team uses GitHub for source control and wants to set up continuous integration using GitHub Actions. Which file should you create in the repository to define the workflow?

A. Jenkinsfile
B. .github/workflows/ci.yml
C. Dockerfile
D. azure-pipelines.yml
Answer: B

Standard location for GitHub Actions workflows.

Why this answer

Option A is correct because GitHub Actions workflows are defined in YAML files under the .github/workflows directory. Option B is wrong because azure-pipelines.yml is for Azure Pipelines. Option C is wrong because the Dockerfile is for building Docker images.

Option D is wrong because Jenkinsfile is for Jenkins.

402
MCQ · easy

Your organization uses Azure Pipelines and wants to implement a continuous feedback loop by collecting user analytics from the production environment and automatically creating work items in Azure Boards for critical issues. You need to design a solution that integrates monitoring data with the pipeline. What should you do?

A. Use Power BI to visualize Application Insights data and set up data-driven alerts that send emails to the team.
B. Set up Azure Monitor alerts based on Application Insights data, and configure the alerts to invoke a webhook that calls the Azure Boards REST API to create a work item.
C. Configure the release pipeline to output logs to Azure Monitor and use Log Analytics to create work items.
D. Use Azure Application Insights to collect user analytics, and manually review dashboards to create work items.
Answer: B

This automates the creation of work items from alerts.

Why this answer

Option C is correct: Azure Monitor alerts can trigger webhooks that call Azure DevOps REST API to create work items. Option A is incorrect because release logs are not for user analytics. Option B is incorrect because manual creation is not automated.

Option D is incorrect because Power BI is for reporting, not automated issue creation.

403
MCQ · hard

Your organization is adopting GitHub Actions for CI/CD. You need to enforce that all workflows must pass required status checks before merging pull requests to the main branch. The repository is in an organization. What should you configure?

A. Add an environment protection rule requiring approval from specific reviewers.
B. Set the workflow to have 'contents: write' permission.
C. Define a CODEOWNERS file that requires team review for main branch changes.
D. Create a branch protection rule for the main branch with required status checks.
Answer: D

Branch protection rules enforce required checks before merging.

Why this answer

Branch protection rules with required status checks enforce that workflows pass before merging. Option A is wrong because environment protection rules apply to deployments, not PR merges. Option B is wrong because workflow permissions control what workflows can do, not merge requirements.

Option D is wrong because CODEOWNERS defines reviewers, not checks.

404
MCQ · medium

Your organization uses GitHub for source control and Azure Pipelines for CI/CD. You need to implement a policy that requires all pull requests to be built and pass tests before merging. What should you do?

A. Add a branch protection rule in the GitHub repository requiring status checks.
B. Set the pipeline trigger to run on pull request.
C. Configure pipeline permissions to require approval.
D. Add a pre-deployment check on the environment.
Answer: A

Branch protection rules enforce that status checks (from pipelines) pass before merging.

Why this answer

Option B is correct because branch protection rules in GitHub can require status checks to pass. Option A is wrong because pipeline permissions don't enforce PR checks. Option C is wrong because trigger controls build triggers, not merge requirements.

Option D is wrong because environment checks are for deployments.

405
MCQ · medium

You are designing a multi-stage YAML pipeline that deploys to multiple environments. You need to ensure that the pipeline can be triggered manually for a specific stage without running previous stages. Which feature should you use?

A. Use the 'Run pipeline' button with 'Stages to run' and set 'stagesToSkip' parameter
B. Use 'condition: always()' on the stage
C. Use 'dependsOn: []' to make the stage independent
D. Use 'trigger: none' at the stage level
Answer: A

When manually running a pipeline, you can specify which stages to skip using the 'stagesToSkip' parameter, allowing you to run only the desired stage.

Why this answer

Option C is correct because stage-level triggers are not supported in YAML pipelines; however, the 'stagesToSkip' parameter in the REST API when manually running a pipeline allows skipping previous stages. Option A is wrong because multi-stage YAML pipelines do not support stage-specific triggers. Option B is wrong because the 'dependsOn' condition runs all dependencies.

Option D is wrong because 'condition: always()' still runs all stages if triggered.

406
Multi-Selecthard

Which TWO actions should you take to implement a secure CI/CD pipeline that uses Azure Pipelines and prevents unauthorized access to production? (Choose two.)

Select 2 answers
A.Store production secrets as pipeline variables marked as 'Secret'.
B.Configure deployment approvals and checks on the production stage.
C.Enable PR triggers for the production stage to validate changes.
D.Use a service connection with a managed identity for Azure resources.
E.Use self-hosted agents running on-premises for all pipelines.
AnswersB, D

Approvals ensure that only authorized personnel can approve deployments to production.

Why this answer

Options A and C are correct. Option A: Using a service connection with a managed identity reduces the need for secrets and provides secure, auditable access. Option C: Using approvals and checks ensures that only authorized users can approve deployments to production.

Option B is wrong because storing secrets in pipeline variables, even as secrets, is less secure than using Key Vault or managed identities. Option D is wrong because self-hosted agents can be secure but do not inherently prevent unauthorized access. Option E is wrong because enabling PR triggers for production deployments could allow unauthorized changes.

407
Multi-Selecteasy

Which TWO triggers can be used to automatically start a pipeline in Azure Pipelines? (Choose two.)

Select 2 answers
A.Continuous integration (CI) trigger
B.Webhook trigger
C.Pull request trigger
D.Manual trigger
E.Scheduled trigger
AnswersA, C

Triggers on code commits.

Why this answer

Options A and C are correct. A: Continuous integration (CI) trigger runs on code push. C: Pull request trigger runs on PR creation.

Option B is wrong because a manual trigger requires user action. Option D is wrong because a scheduled trigger is time-based, but not automatic on code changes. Option E is wrong because a webhook trigger is also automatic but not a built-in trigger type in Azure Pipelines (it's a service hook).

408
MCQhard

You have a YAML pipeline that uses a self-hosted agent. The agent runs on a VM in Azure. The pipeline fails intermittently with the error: '##[error]The job running on agent MyAgent has been cancelled because the agent was idle for more than the maximum idle time.' You need to resolve this issue. What should you do?

A.Configure the agent's idle timeout setting to a higher value or disable it.
B.Add more agents to the agent pool.
C.Increase the job's timeout in minutes.
D.Reduce the number of parallel jobs to avoid overloading the agent.
AnswerA

The idle timeout cancels the job if the agent is idle too long; increasing it prevents premature cancellation.

Why this answer

Option B is correct because the agent is being reaped due to idle timeout. Disabling the idle timeout or increasing its value prevents the agent from being cancelled when the job takes time to start (e.g., waiting for dependencies). Option A is wrong because communication timeout is different from idle timeout.

Option C is wrong because increasing agent pool size does not prevent individual agent timeout. Option D is wrong because parallel jobs do not affect idle timeout.

409
MCQhard

Refer to the exhibit. A developer pushes a commit to the main branch. Which stages will run?

A.Only the Test stage.
B.Only the Build stage.
C.Neither stage.
D.Both Build and Test stages.
AnswerB

Correct: Build runs, Test is skipped due to condition.

Why this answer

The exhibit shows a pipeline with a trigger condition set to 'main' for the Build stage only. The Test stage has no trigger condition defined, meaning it will only run if explicitly triggered by a preceding stage or a separate trigger. When a developer pushes a commit to the main branch, only the Build stage is triggered because it is the only stage with a branch filter matching 'main'.

The Test stage does not have a trigger, so it will not run automatically.

Exam trap

The trap here is that candidates assume all stages in a pipeline run automatically when a commit is pushed, but Azure Pipelines allows stage-level triggers that can prevent stages from running unless their specific conditions are met.

How to eliminate wrong answers

Option A is wrong because the Test stage has no trigger condition defined, so it will not run when a commit is pushed to main; only the Build stage runs. Option C is wrong because the Build stage has a trigger condition set to 'main', so it will run when a commit is pushed to main. Option D is wrong because the Test stage does not have a trigger condition, so it will not run alongside the Build stage.

410
MCQeasy

Your team uses Azure Pipelines for CI/CD. You need to ensure that only approved branches can trigger production deployments. Which feature should you use?

A.YAML template expressions
B.Branch control for environments
C.Deployment gates
D.Pipeline decorators
AnswerB

Branch control restricts which branches can deploy to an environment.

Why this answer

Branch control policies in environments restrict which branches can deploy to each environment. Option A is wrong because pipeline decorators inject steps but don't restrict branches. Option B is wrong because deployment gates check health metrics.

Option D is wrong because YAML templates organize jobs, not branch permissions.

411
MCQeasy

Your organization uses Azure Repos for source control and Azure Pipelines for CI/CD. You need to implement a policy that ensures every commit to the main branch is built and passes all tests before it can be merged. The team uses feature branches for development. What is the most efficient way to enforce this?

A.Require developers to manually run the pipeline before merging.
B.Use a pre-merge validation pipeline that runs on pull requests but does not block merging.
C.Configure a branch policy on the main branch that requires a successful build from a pull request trigger.
D.Set up a CI trigger on the main branch to run the pipeline on every commit.
AnswerC

Branch policies enforce build success before merge.

Why this answer

Option A is correct because branch policies on the main branch can require a successful build before merging. Option B is incorrect because pipeline triggers don't enforce merge requirements. Option C is incorrect because manual builds don't enforce.

Option D is incorrect because it doesn't enforce before merge.

412
Multi-Selectmedium

Which TWO actions can you take to improve the security of secrets in Azure Pipelines? (Choose two.)

Select 2 answers
A.Log secret values for debugging purposes
B.Limit variable group permissions to specific pipelines
C.Allow pipeline users to override secret values at queue time
D.Use Azure Key Vault to store secrets and map them as secret variables
E.Store secrets as plain text variables in the pipeline
AnswersB, D

Restricting access to variable groups ensures only authorized pipelines can use the secrets.

Why this answer

Options B and C are correct. Option B: Using Azure Key Vault to store secrets and mapping them as secret variables prevents exposure. Option C: Limiting variable group permissions ensures only authorized pipelines can access secrets.

Option A is wrong because storing secrets as plain text variables exposes them in logs. Option D is wrong because checking 'Allow at queue time' exposes secrets to users. Option E is wrong because logging secret values defeats the purpose.

413
MCQmedium

Your team uses Azure Pipelines for CI/CD. You need to enforce that all pipeline runs use approved agents from a specific agent pool with the latest security patches. The agents are self-hosted on Azure VMs. What should you implement?

A.Configure pipeline permissions for the agent pool
B.Create a deployment pool and assign the agents to it
C.Set the agent pool to use a specific agent queue with an isolation scope
D.Add a demand on the agent for a custom capability that only approved agents have
AnswerC

An agent pool with an isolation scope ensures only approved agents from that queue are used.

Why this answer

Option C is correct because setting the agent pool to use a specific agent queue with an isolation scope ensures that only approved, security-patched agents from that queue are used for pipeline runs. This configuration restricts the pool to a designated set of self-hosted agents, preventing unauthorized or unpatched agents from executing jobs.

Exam trap

The trap here is that candidates often confuse agent pool permissions (access control) with agent selection enforcement, or mistakenly think deployment pools (used for release targets) can restrict build agent usage, when the correct mechanism is isolating agents via a dedicated queue with scope restrictions.

How to eliminate wrong answers

Option A is wrong because configuring pipeline permissions for the agent pool controls who can use the pool, but does not enforce that only agents with the latest security patches are selected; it manages access, not agent eligibility. Option B is wrong because a deployment pool is designed for managing deployment targets (e.g., VMs for releases), not for controlling which build agents are used in pipeline runs; it does not enforce agent patching or approval. Option D is wrong because adding a demand for a custom capability only filters agents based on that capability label, but it does not inherently ensure the agent has the latest security patches unless the capability is manually and reliably updated, which is error-prone and not a built-in enforcement mechanism.

414
MCQhard

Your team uses GitHub Actions to deploy a microservices application to a Kubernetes cluster. The workflow builds Docker images and pushes them to a container registry, then updates the Kubernetes deployment. The deployment often fails due to image pull errors, specifically 'ErrImagePull' and 'ImagePullBackOff'. You investigate and find that the image tag in the Kubernetes manifest is the commit SHA. The workflow uses the 'azure/k8s-deploy@v1' action. You suspect that the image is not being pulled because the registry credentials are not properly configured. You have stored the registry credentials as secrets. What is the most likely cause and solution?

A.The commit SHA tag is not valid; use 'latest' tag instead.
B.The image name is incorrect; verify the registry URL.
C.The 'azure/k8s-deploy' action does not support private registries; use a different action.
D.The action does not automatically create imagePullSecrets; you need to add a step to create the secret in the cluster and reference it in the deployment.
AnswerD

The action requires that the cluster already has the image pull secret or you must create it.

Why this answer

Option A is correct because the k8s-deploy action by default uses the kubeconfig file for cluster access but does not automatically set up image pull secrets for the registry. The credentials need to be explicitly configured as imagePullSecrets in the deployment manifest. Option B is wrong because the image tag is correct; the issue is authentication.

Option C is wrong because the image name is likely correct; the issue is pulling. Option D is wrong because the action is capable of deploying; the issue is configuration.

415
MCQmedium

You have a YAML pipeline that builds a .NET application. You want to cache the NuGet packages to speed up subsequent builds. Which task should you use?

A.CopyFiles task to copy packages to a staging directory.
B.NuGet restore task with 'cacheRestore' option.
C.Cache task with a key based on the packages.lock.json hash.
D.PublishBuildArtifacts task to upload packages.
AnswerC

Cache task uses key to restore/save packages.

Why this answer

Option A is correct because Cache task restores/saves a cache keyed by hash. Option B is wrong because NuGet restore does not cache by itself. Option C is wrong because CopyFiles copies files, not caches.

Option D is wrong because PublishBuildArtifacts is for artifacts, not caching.

416
MCQmedium

A development team is designing a build pipeline for a microservices application. They want to ensure that each service is built and tested independently, but they also need to run integration tests that span multiple services. What is the recommended approach?

A.Use a single release pipeline that triggers manual deployment for each service.
B.Create a single build pipeline that builds all services together to ensure consistency.
C.Create individual build pipelines for each service, and a separate release pipeline that deploys all services to an integration environment for testing.
D.Build each service separately, but skip integration tests to avoid complexity.
AnswerC

This allows independent builds and integration tests.

Why this answer

Option C is correct because it aligns with microservices best practices: each service has its own build pipeline for independent compilation, unit testing, and artifact generation, while a separate release pipeline orchestrates deployment of all services to a shared integration environment for cross-service testing. This decouples build concerns from deployment concerns, enabling parallel development and faster feedback loops.

Exam trap

The trap here is that candidates confuse 'building independently' with 'testing independently' and assume integration tests must be run within the build pipeline, when in fact they should be run in a separate release pipeline after deployment to a shared environment.

How to eliminate wrong answers

Option A is wrong because using a single release pipeline with manual deployment for each service introduces human delay and inconsistency, and it does not address independent building or automated integration testing. Option B is wrong because a single build pipeline that builds all services together violates the microservices principle of independent deployability, creating tight coupling and longer build times. Option D is wrong because skipping integration tests entirely defeats the purpose of verifying inter-service communication and data consistency, which is critical in a microservices architecture.

417
MCQmedium

Your team uses Azure Pipelines and wants to automatically create a release every time a build succeeds on the main branch. Which trigger should you configure?

A.Pull request trigger in the build pipeline
B.Continuous integration (CI) trigger in the release pipeline
C.Build completion trigger in the release pipeline
D.Scheduled trigger in the release pipeline
AnswerC

This triggers a release when a specific build pipeline completes.

Why this answer

Option D is correct because the build completion trigger in a release pipeline automatically creates a release when a build completes. Option A is wrong for a release pipeline. Option B is wrong because CI triggers are for build pipelines.

Option C is wrong because scheduled triggers run at specific times, not on build completion.

418
Multi-Selecthard

Your team uses GitHub Actions to build a multi-container application. The build must produce container images that are scanned for vulnerabilities and signed. Which THREE actions are required in the workflow?

Select 3 answers
A.Use the docker/login-action to authenticate with Docker Hub.
B.Add a step to run a container scan tool like Trivy.
C.Add a step to sign the container image using cosign.
D.Use the actions/checkout action to checkout the code.
E.Use the docker/build-push-action to build and push images.
AnswersB, C, E

Trivy scans for vulnerabilities.

Why this answer

Option A is correct because Docker Build Push action creates images. Option C is correct because container scanning uses tools like Trivy or Grype. Option E is correct because signing requires a step to sign images.

Options B and D are not required for the given tasks.

419
MCQmedium

Your team uses a YAML-based build pipeline in Azure Pipelines. You need to ensure that the pipeline runs automatically when a pull request is created against the main branch, but only if the changes include modifications to the 'src/' directory. Which trigger configuration should you use?

A.trigger: - main; pr: none
B.trigger: none; pr: branches: include: - main paths: include: - src/*
C.trigger: none; pr: - main
D.pr: - main; trigger: - main
AnswerB

This limits PR triggers to changes in src/ on main branch.

Why this answer

Option B is correct because the 'pr' trigger with path filters ensures the pipeline runs on PRs only when changes match the specified paths. Option A is wrong because it triggers on all PRs without filtering. Option C is wrong because branch filters alone do not filter by path.

Option D is wrong because 'trigger' is for CI builds, not PR triggers.

420
MCQmedium

The pipeline above fails with: 'The deployment job 'DeployToProd' references environment 'Production' which does not exist.' What should you do to resolve this error?

A.Remove the 'environment' property from the deployment job.
B.Change the deployment strategy from 'runOnce' to 'rolling'.
C.Add a script step before the deployment job to create the environment.
D.Create an environment named 'Production' in Azure DevOps project settings.
AnswerD

The environment must exist before referencing it.

Why this answer

Option D is correct because creating the 'Production' environment in Azure DevOps will resolve the reference. Option A is wrong because changing to runOnce doesn't fix missing environment. Option B is wrong because adding a new job doesn't help.

Option C is wrong because removing the environment reference removes the deployment strategy.

421
MCQmedium

Your team is using Azure Pipelines to deploy a web application to Azure App Service. The application uses a configuration file (appsettings.json) that contains environment-specific settings. You need to manage these settings across development, staging, and production environments without exposing secrets in the source code. The pipeline should automatically replace the settings during deployment. What should you configure?

A.Use the 'File Transform' task in the release pipeline to replace tokens in the configuration file with variables defined in pipeline variable groups.
B.Create separate build configurations for each environment and use the 'Transform Web.config' task.
C.Use the 'Azure App Service Deploy' task with the 'Use Web Deploy' option and configure parameterization.
D.Set environment variables in the Azure App Service and read them in the application code.
AnswerA

This task supports token replacement and can reference variables securely.

Why this answer

Option A is correct: Use the 'File Transform' task to substitute variables from pipeline variables or variable groups. Option B is incorrect because build configuration transforms are for .NET projects and require specific setup. Option C is incorrect because environment variables are not directly used for file transforms.

Option D is incorrect because Azure App Service application settings are for the runtime, not for transforming configuration files during deployment.

422
MCQmedium

Refer to the exhibit. You have an Azure Pipelines YAML file for a .NET Core application. The pipeline is triggered on changes to the main branch, but only for files under src/. After a push to main that modifies a file in src/, the pipeline does not start. What is the most likely reason?

A.The branch filter is missing the 'refs/heads/' prefix.
B.The trigger configuration has a syntax error: 'include' should be 'includes'.
C.The variable 'buildConfiguration' is not defined at the top level.
D.The path filter 'src/*' does not match files in subdirectories of src/.
AnswerD

Azure Pipelines path filters require '**' for recursive matching.

Why this answer

Option B is correct because the trigger's path filter 'include' pattern 'src/*' does not recursively match files in subdirectories. The trigger syntax and the indentation of 'paths' shown in the exhibit are correct, and the trigger is correctly configured at the top level. Azure Pipelines path filters require '**' for recursive matches, so the pipeline does not trigger because 'src/*' only matches files directly in src/, not in subfolders.

Option A is wrong because the syntax is valid. Option C is wrong because the branch is main. Option D is wrong because the build configuration variable does not affect triggers.

423
MCQmedium

Your organization uses GitHub Actions for CI/CD. You have a workflow that deploys to Azure App Service. The deployment uses a publish profile secret stored as a GitHub secret. You want to improve security by using OpenID Connect (OIDC) to authenticate to Azure without storing secrets. What should you do?

A.Remove the secret and use Azure AD Managed Identity directly from the GitHub runner.
B.Configure the GitHub workflow to use the 'azure/login' action with OIDC, and set up a federated identity credential in Microsoft Entra ID for the GitHub environment.
C.Replace the publish profile secret with an Azure service principal secret stored as a GitHub secret.
D.Use the 'Azure App Service Deploy' task with the 'Publish Profile' parameter set to an empty string.
AnswerB

OIDC eliminates the need for long-lived secrets.

Why this answer

Option B is correct: Configuring OIDC with Azure AD (now Microsoft Entra ID) app registration and federated credentials allows token-based authentication without secrets. Option A is incorrect because GitHub secrets are still secrets. Option C is incorrect because Azure AD is not required to be replaced; OIDC works with it.

Option D is incorrect because the Azure/login action supports OIDC.

424
Multi-Selectmedium

Which TWO conditions must be met to use the 'Approvals and gates' feature in a release pipeline? (Choose two.)

Select 2 answers
A.A manual intervention task must be added.
B.A post-deployment approval must be configured.
C.A pre-deployment approval must be configured.
D.A variable group must be linked to the pipeline.
E.The pipeline must use a service connection.
AnswersB, C

Post-deployment approvals are also a type of approval.

Why this answer

Options A and C are correct. Approvals and gates require a pre-deployment approval and a post-deployment approval. Option B is incorrect because gates can be used without manual approval.

Option D is incorrect because variable groups are not required. Option E is incorrect because service connections are not specifically required for approvals.

425
MCQmedium

You have a build pipeline that produces several artifacts. You need to publish these artifacts to Azure Artifacts feed, but only if the build succeeds. Which task should you add to the pipeline?

A.Add a 'Publish Build Artifacts' task and then a 'Universal Publish' task.
B.Add an 'npm publish' task to publish packages.
C.Add a 'Copy Files' task to copy artifacts to the feed location.
D.Add a 'NuGet push' task to push packages to the feed.
AnswerA

Correct: Publish build artifacts first, then publish to Azure Artifacts feed.

Why this answer

The 'Publish Build Artifacts' task makes the build outputs available as pipeline artifacts, and the 'Universal Publish' task is the correct way to publish those artifacts to an Azure Artifacts feed (which supports Universal Packages). This combination ensures artifacts are only published after the build succeeds because both tasks run in the pipeline's job sequence, and by default, subsequent tasks execute only if the previous task succeeded.

Exam trap

The trap here is that candidates often assume any package-specific task (npm, NuGet) can publish to Azure Artifacts, but the question asks for publishing 'several artifacts' (not just one package type), so the Universal Publish task is the only correct choice for a generic, multi-artifact scenario.

How to eliminate wrong answers

Option B is wrong because 'npm publish' is specific to npm packages and cannot publish arbitrary build artifacts to an Azure Artifacts feed. Option C is wrong because 'Copy Files' only copies files to a local or network path, not to an Azure Artifacts feed; it does not perform any publish operation. Option D is wrong because 'NuGet push' is limited to NuGet packages and cannot handle other artifact types like Universal Packages or Maven artifacts.

426
MCQmedium

Your organization uses GitHub for source control and Azure Pipelines for CI/CD. You need to implement a pipeline that automatically builds and tests a Python application on every pull request to the main branch, but only if the pull request is from a fork. The pipeline must also publish test results as a build artifact. What should you do?

A.Use GitHub Actions to build and test the application on PRs, and then trigger Azure Pipelines for deployment.
B.Use a scheduled trigger to run the pipeline every hour and check for new PRs from forks.
C.Set up a pipeline completion trigger on the main branch that runs the pipeline after every merge.
D.Configure a branch protection rule on main that requires status checks from Azure Pipelines. Set the pipeline trigger to 'Pull request validation' and include a condition to run only if the pull request is from a fork.
AnswerD

Branch protection enforces status check, and trigger condition filters fork PRs.

Why this answer

Option A is correct because GitHub branch protection can require status checks from Azure Pipelines, and the pipeline can be triggered on pull request events. Option B is incorrect because pipeline completion trigger is not for PR from forks. Option C is incorrect because manual trigger doesn't automate.

Option D is incorrect because GitHub Actions is not Azure Pipelines.

427
MCQeasy

Your team uses Azure Pipelines to build a Node.js application. The build pipeline runs linting, unit tests, and creates a production build. You want to ensure that the pipeline fails if the test coverage drops below 80%. You need to implement this check. What should you do?

A.Configure a pipeline variable 'CoverageThreshold' and use it in a gate.
B.Set a branch policy that requires code coverage to be at least 80%.
C.Use the 'Visual Studio Test' task with code coverage enabled and set the 'Minimum coverage' option.
D.Add a 'Publish Test Results' task with code coverage enabled, then use a 'Script' task that reads the coverage report and fails if below 80%.
AnswerD

This allows custom logic to enforce the coverage threshold.

Why this answer

Option A is correct: The 'Publish Test Results' task can publish coverage results, and you can use a 'Check for coverage' task or script to fail the pipeline. Option B is incorrect because the task itself does not enforce a minimum coverage. Option C is incorrect because pipeline variables cannot enforce coverage thresholds.

Option D is incorrect because code coverage is not a branch policy.

428
Multi-Selectmedium

Which THREE of the following are true about GitHub Actions self-hosted runners?

Select 3 answers
A.They can have custom software installed.
B.They are automatically scaled by GitHub.
C.They are free and do not incur any costs.
D.They can run on Windows, Linux, or macOS.
E.They can access on-premises resources.
AnswersA, D, E

Self-hosted runners allow custom software.

Why this answer

Option A is correct because GitHub Actions self-hosted runners are machines you manage, allowing you to install any custom software, libraries, or tools required by your workflows. Unlike GitHub-hosted runners, which have a fixed set of pre-installed software, self-hosted runners give you full administrative control over the environment, enabling you to meet specific build or test dependencies.

Exam trap

The trap here is that candidates often assume self-hosted runners are entirely free and automatically managed by GitHub, overlooking the operational overhead and infrastructure costs, while also forgetting that GitHub does not handle scaling for self-hosted runners.

429
Multi-Selecthard

Which THREE are valid deployment strategies supported by Azure Pipelines and GitHub Actions? (Choose three.)

Select 3 answers
A.Blue-green
B.Canary
C.Rolling
D.Immutable
E.Recreate
AnswersA, B, C

Blue-green is supported in both platforms.

Why this answer

Options A, C, and D are correct. Canary, blue-green, and rolling are all supported deployment strategies. Option B is wrong because 'immutable' is not a built-in strategy in Azure Pipelines or GitHub Actions; it is a concept in some platforms but not as a predefined strategy.

Option E is wrong even though 'recreate' is a valid strategy in some contexts. In Azure Pipelines and GitHub Actions, canary, blue-green, and rolling are explicitly supported. Recreate is also supported, but since we need exactly three, and the options include immutable, which is not, we choose A, C, D.

430
MCQmedium

Your pipeline runs on a Microsoft-hosted agent. You need to securely reference an Azure Key Vault secret in a pipeline variable without exposing the value in logs. Which variable group type should you use and how should you reference the secret?

A.Create a variable group linked to Key Vault, then reference as $(KeyVaultName.SecretName)
B.Use the 'Azure Key Vault' task to download secrets and assign to variables
C.Store the secret as a plain text variable and mark it as 'secret'
D.Reference the secret directly as $(SecretName) from a library variable group
AnswerA

Why this answer

Option A is correct because linking a variable group to Azure Key Vault allows you to securely reference secrets as pipeline variables without exposing their values in logs. The $(KeyVaultName.SecretName) syntax retrieves the secret value at runtime from Key Vault, and the value is automatically masked in any output.

Exam trap

The trap here is that candidates often confuse the 'Azure Key Vault' task with a variable group linked to Key Vault, not realizing that the task requires explicit variable mapping and can still leak secrets if not handled carefully, whereas the linked variable group provides automatic masking and on-demand retrieval.

Why the other options are wrong

B

This is an alternative but not the simplest; variable groups are preferred.

C

This would expose the secret in the pipeline definition and version control.

D

Variable groups from library can store secrets, but they are not automatically linked to Key Vault.

431
MCQeasy

Your team uses Azure Repos and wants to trigger a pipeline automatically when a pull request is created targeting the main branch. The pipeline should run validations and report the status to the PR. Which trigger type should you configure?

A.Path filter
B.Scheduled trigger
C.PR trigger
D.CI trigger
AnswerC

PR triggers run on pull request events.

Why this answer

Option A is correct because PR triggers are specifically designed to run pipelines on pull request creation and report status back. Option B is wrong because CI triggers run on pushes to branches. Option C is wrong because scheduled triggers run on a schedule.

Option D is wrong because path filters restrict which files trigger, not the event type.

432
MCQ · easy

You are configuring a build pipeline for a JavaScript application. You want to run linting, unit tests, and build steps only when changes are pushed to the 'develop' branch. Which trigger should you configure?

A. Enable pull request trigger.
B. Enable scheduled trigger.
C. Enable continuous integration (CI) trigger without branch filters.
D. Enable CI trigger with a branch filter for 'develop'.
Answer: D

Limits pipeline execution to the 'develop' branch.

Why this answer

Option B is correct because CI triggers can be filtered by branch. Option A is wrong because it runs on all branches. Option C is wrong because PR triggers are for pull requests.

Option D is wrong because scheduled triggers run on a schedule, not on push.

433
Multi-Select · hard

Which THREE factors should you consider when designing a release pipeline for a critical production application? (Choose three.)

Select 3 answers
A. Use of service principal with least privilege
B. Rollback strategy
C. Single environment deployment
D. Deployment health monitoring
E. Approval gates before production deployment
Answers: B, D, E

Allows reverting to a known good state.

Why this answer

Options A, B, and D are correct. A: Approval gates ensure controlled deployments. B: Rollback strategy is essential for failures.

D: Monitoring deployment health is crucial. Option C is wrong because least privilege is a security principle, not specific to release pipeline design. Option E is wrong because single environment is not a factor; you typically have multiple environments.

434
Multi-Select · medium

You are designing a release pipeline that uses Azure App Service deployment slots. The pipeline must perform a swap after deployment to the staging slot. Which three tasks or actions should you include in the pipeline? (Select all that apply.)

Select 3 answers
A. Azure App Service deploy: Deploy to staging slot
B. Azure App Service manage: Swap slots
C. Azure App Service manage: Start staging slot
D. Azure App Service manage: Delete staging slot
E. Azure CLI: Run az webapp deployment slot swap
Answers: A, B, C

Why this answer

Option A is correct because the Azure App Service deploy task with the 'Deploy to staging slot' action is the standard method to deploy an application to a staging slot before a swap. This ensures the new release is validated in an isolated environment without affecting the production slot.

Exam trap

The trap here is that candidates may confuse the Azure CLI command (Option E) as a valid pipeline task, but Azure DevOps provides dedicated tasks (Azure App Service manage) that are simpler and more reliable for slot operations within a release pipeline.

Why the other options are wrong

D

Deleting the staging slot is not part of the swap process.

E

While this works, it's not a built-in task; the question expects Azure App Service tasks.

435
MCQ · medium

Your team is implementing a CI/CD pipeline for a .NET application. The build pipeline should only run when changes are pushed to the main branch, but a recent push to a feature branch triggered the pipeline. What is the most likely cause?

A. The trigger includes 'main' and also has no branch filters, so all branches trigger builds.
B. The pull request trigger is enabled for the feature branch.
C. Path filters are configured to include all paths.
D. The CI trigger is disabled in the pipeline YAML.
Answer: A

Without branch filters, the CI trigger applies to all branches.

Why this answer

Option C is correct because the trigger should be set to include 'main' branch only. Option A is wrong because disabling CI trigger would stop all automatic builds. Option B is wrong because path filters affect file paths, not branches.

Option D is wrong because PR triggers are separate.

436
MCQ · medium

Your team uses Azure Pipelines to deploy a Docker container to Azure Kubernetes Service (AKS). The pipeline builds a Docker image, pushes it to Azure Container Registry (ACR), and then runs a deployment to AKS. You want to ensure that the deployment uses the exact image that was built in the same pipeline run. Which approach should you use?

A. Use two separate pipelines: one for build/push, one for deploy, and share the image tag via a variable group.
B. Use a single task for build and push, and rely on ACR's internal pull-through cache.
C. Generate a unique tag (e.g., Build.BuildId) and pass it to both the Docker build and Kubernetes manifest via variable substitution.
D. Tag the image as 'latest' and reference it in the Kubernetes manifest.
Answer: C

Unique tag ensures exact image is used.

Why this answer

Option C is correct because using a manifest file with build-specific variables ensures the correct image tag is used. Option A is wrong because 'latest' tag can be overwritten. Option B is wrong because the ACR task can be reused.

Option D is wrong because separate pipelines may have different image builds.

437
MCQ · easy

You are setting up a release pipeline for a web application. The pipeline must deploy to three environments: Dev, Test, and Prod. The deployment to Prod must be triggered only after a successful deployment to Test and after a manual approval. How should you configure the pipeline?

A. Add a manual intervention task before the Prod deployment in the pipeline.
B. Use a condition on the Prod stage to require success from Test and manual intervention variable.
C. Schedule the Prod deployment to run after Test, and require manual trigger.
D. Add a pre-deployment approval gate on the Prod environment.
Answer: D

Pre-deployment approval requires manual approval before Prod.

Why this answer

Option A is correct because pre-deployment approvals on the Prod stage ensure manual approval before deployment. Option B is wrong because a separate manual task would not block the pipeline. Option C is wrong because conditions alone don't enforce manual approval.

Option D is wrong because schedule ignores approval.

438
MCQ · hard

Your Azure DevOps pipeline deploys to multiple environments (Dev, Test, Prod) using YAML multi-stage pipelines. The Prod deployment requires manual approval. However, the approval gate shows 'Pending' even after an authorized user approves. What is the most likely cause?

A. The pipeline run was triggered by a PR merge, and the approval needs to be re-applied after the build completes.
B. The build pipeline includes a step that modifies the approval settings.
C. The approval gate is configured to require approval on the latest commit, but a newer commit was pushed after the approval.
D. The approver is not a member of the security group defined in the approval settings.
Answer: C

Azure Pipelines requires re-approval if the commit changes.

Why this answer

Option D is correct because branch policy requires the approval to be on the specific commit that triggered the release. Option A is wrong because re-running does not change the commit. Option B is wrong because the policy is not about the build but the commit.

Option C is wrong because the user is authorized.

439
MCQ · hard

You are designing a release pipeline for a critical application that requires zero-downtime deployments. The application runs on Azure Kubernetes Service (AKS) with multiple replicas. You are using Azure Pipelines with a canary deployment strategy. What is the best approach to gradually shift traffic to the new version while monitoring for errors?

A. Use a service mesh like Istio to route a percentage of traffic to the new version.
B. Use Azure Application Gateway as an ingress controller with weighted backend pools.
C. Use the AKS rolling update strategy with max surge.
D. Deploy to a staging environment, then swap VIPs with production.
Answer: A

Istio enables precise traffic routing for canary deployments.

Why this answer

Option B is correct because AKS native features for canary deployments using Istio or similar service mesh provide fine-grained traffic shifting. Option A is incorrect because blue-green with full swap does not allow gradual traffic shift. Option C is incorrect because rolling update in AKS is not canary; it replaces pods gradually but does not split traffic.

Option D is incorrect because using Application Gateway does not provide gradual traffic shift at the pod level.

440
MCQ · medium

Your build pipeline uses a self-hosted agent. The agent is running low on disk space. You need to clean up the agent's working directory after each build. Which option should you configure in the pipeline?

A. Set the 'Clean' option to 'Sources' in the pipeline settings.
B. Add a 'Delete Files' task at the end of the pipeline to delete the sources directory.
C. Add a 'Cleanup' task from the marketplace to clean the agent.
D. Use the 'clean' parameter in the checkout step of the YAML pipeline.
Answer: D

Correct: 'clean: true' cleans the working directory before checkout.

Why this answer

Option C is correct because setting 'clean: true' in the checkout step ensures the working directory is cleaned before each build. Option A is wrong because the 'workspace' cleanup option in agent configuration is not a pipeline setting. Option B is wrong because 'Delete Files' task is manual and not automatic.

Option D is wrong because 'Cleanup' task is not a built-in task.

441
MCQ · hard

Your release pipeline uses Azure Kubernetes Service (AKS) and Helm charts. You need to roll back to a previous release quickly if the new release fails health checks. What is the BEST approach?

A. Manually redeploy the previous Helm chart version.
B. Use a canary deployment strategy.
C. Use Helm rollback command.
D. Use a Kubernetes Deployment rollout undo.
Answer: C

Helm natively supports rolling back to a previous release.

Why this answer

Option C is correct because Helm provides built-in rollback functionality. Option A is wrong because manual redeployment is slow. Option B is wrong because it requires additional tooling and scripting.

Option D is wrong because it is not native to Helm and requires custom logic.

442
MCQ · hard

Your release pipeline deploys to multiple environments (Dev, QA, Prod) using approvals. You need to ensure that the deployment to Prod only proceeds if the deployment to QA succeeded and an approval is granted. Which combination of triggers and pre-deployment conditions should you configure?

A. Set the trigger on Prod to 'Automatic' and add a post-deployment approval on QA.
B. Set the trigger on Prod to 'After release' and add a pre-deployment approval on Prod.
C. Set the trigger on Prod to 'Manual only' and add a pre-deployment approval on Prod.
D. Set the trigger on Prod to 'After stage' and select QA as the stage, and add a pre-deployment approval on Prod.
Answer: D

This ensures QA succeeded before Prod deployment, and approval is needed.

Why this answer

Option C is correct because setting the trigger to 'After stage' on the QA stage and adding a pre-deployment approval on Prod ensures both conditions. Option A is wrong because automatic trigger does not enforce QA success. Option B is wrong because 'After release' ignores QA.

Option D is wrong because manual only trigger ignores QA.

443
MCQ · easy

You are configuring a release pipeline in Azure DevOps to deploy to multiple environments (dev, test, prod). You need to ensure that the production deployment requires manual approval from the release manager. What should you configure?

A. Set pre-deployment approvals on the production stage.
B. Add a manual intervention task before the production deployment.
C. Set post-deployment approvals on the test stage.
D. Use a condition on the production stage to check a variable.
Answer: A

Pre-deployment approvals require approval before the stage runs.

Why this answer

Pre-deployment approvals on the production stage gate the deployment until the specified approvers grant approval.

444
MCQ · easy

You are setting up a GitHub Actions workflow to deploy an Azure Resource Manager (ARM) template. The workflow must run whenever a pull request is opened against the main branch. Which trigger should you use?

A. pull_request: branches: [main] types: [opened]
B. pull_request_target: branches: [main]
C. workflow_dispatch
D. push: branches: [main]
Answer: A

This triggers when a PR is opened against main.

Why this answer

Option D is correct because pull_request trigger with types: [opened] runs the workflow when a PR is opened. Option A is incorrect because push trigger runs on commits, not PRs. Option B is incorrect because pull_request_target runs in the context of the base branch and is used for PRs from forks.

Option C is incorrect because workflow_dispatch requires manual trigger.

445
MCQ · easy

Your team needs to automatically run a pipeline whenever a pull request is created in GitHub. Which trigger should you configure in Azure Pipelines?

A. Pipeline completion trigger
B. Scheduled trigger
C. Pull request trigger
D. Continuous integration trigger
Answer: C

PR trigger runs on pull request creation.

Why this answer

PR trigger automatically runs pipeline on pull request creation. Option A is wrong because continuous integration trigger runs on branch pushes. Option C is wrong because scheduled trigger runs at specific times.

Option D is wrong because pipeline completion trigger runs after another pipeline finishes.

446
MCQ · medium

You are designing a release pipeline that deploys to multiple environments (dev, test, prod) with approval gates between each. You need to ensure that the same build artifact is deployed to all environments. Which strategy should you use?

A. Use a multi-stage YAML pipeline with a separate artifact for each stage.
B. Create a separate build pipeline for each environment to ensure environment-specific configurations.
C. Use a single build pipeline but trigger a new build for each environment.
D. Use a single build pipeline and promote the same build artifact through each environment.
Answer: D

Promoting the same artifact ensures consistency across environments.

Why this answer

Option C is correct because releasing the same artifact version across stages ensures consistency; promoting the build from dev to test to prod without rebuilding. Option A is wrong because rebuilding for each environment may produce different artifacts. Option B is wrong because separate pipelines for each environment do not guarantee the same artifact.

Option D is wrong because the release pipeline should use a single artifact source.

447
MCQ · medium

Your team uses GitHub Actions for CI/CD. You want to reuse a workflow across multiple repositories without duplicating code. Which approach should you use?

A. Store the workflow in a shared repository and use environment secrets to share credentials.
B. Create a reusable workflow in a central repository and reference it using 'uses: owner/repo/.github/workflows/workflow.yml@ref'.
C. Create a composite action and reference it from each workflow.
D. Create a workflow template in the organization's .github repository.
Answer: B

Reusable workflows allow calling another workflow from a different repository.

Why this answer

Option D is correct because GitHub Actions supports reusable workflows by using the 'uses' keyword with a path to a workflow file in another repository. Option A is wrong because composite actions are for grouping steps, not entire workflows. Option B is wrong because workflow templates are for creating new workflows from a template, not for reuse.

Option C is wrong because environment secrets are for storing secrets, not for reusing workflow logic.

448
Multi-Select · easy

Which TWO of the following are benefits of using deployment slots in Azure App Service? (Select TWO.)

Select 2 answers
A. Automatic rollback on failure.
B. Independent scaling of each slot.
C. Zero-downtime deployments.
D. Validate changes in a staging environment before production.
E. Geographic redundancy.
Answers: C, D

Swap slots to switch traffic instantly.

Why this answer

Options A and D are correct. Zero-downtime deployments (A) are achieved by swapping slots; staging validation (D) allows pre-production testing. Option B is wrong because slot swap is not automatic rollback but can be reversed.

Option C is wrong because slots share the same App Service plan, so scaling applies to all. Option E is wrong because slots are in the same region.

449
MCQ · medium

Refer to the exhibit. You are reviewing an ARM template used in an Azure Pipeline deployment. Which security concern should you address?

A. The VM size is too small for production
B. The apiVersion is outdated
C. The admin password is hardcoded in the template
D. The location parameter has a default value
Answer: C

Hardcoded passwords are insecure; should use a secure parameter or Key Vault reference.

Why this answer

Option B is correct because the admin password is hardcoded in plain text, which is a security vulnerability. Option A is wrong because the param default is acceptable. Option C is wrong because API version is valid.

Option D is wrong because VM size is fine.

450
Multi-Select · hard

You are creating a YAML pipeline that builds a .NET Core application. The pipeline must use a multi-stage build with separate stages for 'Build', 'Test', and 'Deploy'. The 'Deploy' stage should only run if both 'Build' and 'Test' succeed. Which two conditions can you use to achieve this? (Select all that apply.)

Select 2 answers
A. In the Deploy stage, set 'dependsOn: [Build, Test]'
B. In the Deploy stage, set 'condition: and(succeeded('Build'), succeeded('Test'))'
C. In the Deploy stage, set 'condition: succeeded()' and 'dependsOn: [Build, Test]'
D. In the Deploy stage, set 'dependsOn: [Build, Test]' and 'condition: stageDependencies.Build.result == 'Succeeded''
Answers: A, C

Why this answer

Option A is correct because setting 'dependsOn: [Build, Test]' in the Deploy stage ensures that the Deploy stage only starts after both the Build and Test stages have completed. By default, a stage runs only if all its dependencies succeed, so this alone meets the requirement without needing an explicit condition. This is the standard way to enforce sequential execution in multi-stage YAML pipelines.

Exam trap

The trap here is that candidates often confuse the 'succeeded()' function with the ability to check individual stage results, leading them to incorrectly select Option B, or they misremember the exact syntax for accessing stage dependencies in Option D.

Why the other options are wrong

B

This syntax is for job conditions; stage conditions do not accept string arguments for succeeded().

D

'stageDependencies' is not a valid expression; you would use 'dependencies.Build.result'.
