Scenario-based practice

Hard Difficulty Questions

Practise Microsoft Azure DevOps Engineer Expert AZ-400 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions | Exam code: AZ-400 | Vendor: Microsoft

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard difficulty questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Practice set

Practice scenarios

Question 1 (hard, multiple choice)

A development team uses a forking workflow in Azure Repos. They want to ensure that only specific users can create forks of the main repository. How can they achieve this?

Question 2 (hard, multi select)

A team uses Azure Boards to manage work items. They want to automatically update the state of a work item when a related pull request is merged in Azure Repos. Which TWO actions should they configure to enable this integration?

Question 3 (hard, multi select)

Which THREE are benefits of using a monorepo vs multiple repositories?

Question 4 (hard, multiple choice)

A financial services company uses Azure DevOps and requires that all secrets (e.g., API keys, connection strings) be stored in Azure Key Vault. They have a pipeline that runs automated tests and deploys to staging. The pipeline uses a variable group linked to Key Vault to retrieve secrets. Recently, the pipeline failed with the error: 'Secret 'DbPassword' not found in Key Vault 'kv-prod'. Ensure the secret exists and the service principal has List permission.' The secret exists in the vault. What is the most likely cause?

Question 5 (hard, multiple choice)

Your organization uses Azure DevOps and Azure Key Vault to manage secrets. You have a pipeline that deploys a web app to Azure App Service. The pipeline uses a variable group linked to Key Vault to retrieve the database connection string. Recently, the build started failing with the error: 'Access to Key Vault is denied. Please ensure the service connection has Get and List permissions on secrets.' The service connection uses a service principal. You have verified that the service principal has the correct Key Vault access policy with Get and List permissions. What is the most likely cause of the failure?

Question 6 (hard, multiple choice)

You are designing a centralized logging strategy for multiple microservices hosted in Azure Kubernetes Service (AKS). Each microservice writes logs in JSON format to stdout/stderr. The operations team needs to query logs across all services and correlate them with application performance metrics. Which solution provides the best integration?

Question 7 (hard, multiple choice)

You are debugging a production issue using Application Insights Snapshot Debugger. The exhibit shows a snapshot from a NullReferenceException. The variable _dbContext is null. What is the most likely root cause?

Exhibit

Refer to the exhibit.

```
Application Insights Snapshot Debugger

Snapshot 1: 
  Thread: 1234
  Exception: NullReferenceException
  Stack:
    Contoso.Web.Pages.Index.OnGet() line 42
    Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.InvokeHandlerMethod()
    ...
  Local variables:
    _dbContext: null (Contoso.Data.AppDbContext)
```

Question 8 (hard, multiple choice)

You are troubleshooting an intermittent performance issue in a web application. Application Insights shows a high number of failed dependency calls to Azure SQL Database. The errors are SqlException with error code -2 (timeout). What is the most likely cause and recommended fix?

Question 9 (hard, multiple choice)

A team uses Terraform to manage Azure infrastructure. They want to store the Terraform state file securely and enable collaboration. What is the recommended approach?

Question 10 (hard, multiple choice)

An Azure Policy is defined as shown in the exhibit. You attempt to create a storage account with HTTPS traffic only set to false. What will happen?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
            "equals": "false"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Question 11 (hard, multiple choice)

Your team uses Azure DevOps and wants to implement a change management process where all production releases must be approved by a change advisory board (CAB) after the build is complete but before deployment. The approval must be recorded in the pipeline. What is the best approach?

Question 12 (hard, multiple choice)

You are reviewing an Azure Policy definition applied to an Azure DevOps project. The project has a build pipeline that deploys to production. What is the effect of this policy on the build pipeline?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "description": "Policy to require multiple reviewers for critical repos",
    "policyType": "Build",
    "mode": "Validation",
    "initiative": "RequireMinimumReviewers",
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.TeamFoundation/teamProjects"
      },
      "then": {
        "effect": "audit",
        "details": {
          "minimumApproverCount": 2
        }
      }
    }
  }
}
```

A development team is implementing a distributed tracing solution for a microservices application deployed on Azure. They want to correlate requests across services using OpenTelemetry and send data to Azure Monitor. The application currently generates traces, but the traces are incomplete, showing only individual service spans without end-to-end correlation. The team has already instrumented each service with the OpenTelemetry SDK. What should the team do to ensure proper end-to-end trace correlation?

Question 14 (hard, multiple choice)

An organization uses Azure Repos with multiple Git repositories. They want to enforce that all commits to the main branch are signed using GPG keys. Which combination of actions is required to enforce commit signing?

Question 15 (hard, multi select)

Which TWO of the following are valid ways to trigger a pipeline in Azure DevOps when a pull request is created?

Question 16 (hard, multiple choice)

A company uses Azure Pipelines with YAML-based pipelines stored in a Git repository. The pipeline triggers on every push to the main branch, but the team wants to reduce unnecessary builds when only documentation files are changed. What is the best way to achieve this?

Question 17 (hard, multi select)

You are designing a release pipeline that must deploy to Azure App Service across multiple regions. Which two practices should you implement to minimize downtime during deployments? (Choose 2)

Question 18 (hard, multiple choice)

Refer to the exhibit. The pipeline is configured as shown. A developer pushes a change to the `main` branch that modifies a file under `src/Controllers/HomeController.cs` and also adds a new file under `docs/readme.md`. Which of the following best describes what happens?

Exhibit

Refer to the exhibit.

```yaml
# azure-pipelines.yml
trigger:
  branches:
    include:
    - main
    - release/*
  paths:
    exclude:
    - docs/*
    - tests/*

pool:
  vmImage: 'ubuntu-latest'

variables:
  buildConfiguration: 'Release'

steps:
- task: DotNetCoreCLI@2
  inputs:
    command: 'build'
    projects: '**/*.csproj'
    arguments: '--configuration $(buildConfiguration)'
  displayName: 'Build project'
- task: DotNetCoreCLI@2
  inputs:
    command: 'test'
    projects: '**/*Tests/*.csproj'
    arguments: '--configuration $(buildConfiguration) --no-build'
  displayName: 'Run tests'
```

Question 19 (hard, multi select)

A company uses Azure Monitor and Application Insights to monitor a microservices application deployed on Azure Kubernetes Service (AKS). The development team wants to implement distributed tracing to correlate requests across services. They currently have Application Insights SDKs instrumented in each service. Which TWO configurations are required to enable end-to-end distributed tracing?

Question 20 (hard, multiple choice)

You have a YAML pipeline that deploys to multiple environments. The pipeline uses environment approvals. You need to ensure that the pipeline waits for manual approval before deploying to the production environment. The production environment is named 'Production'. Which configuration should you add to the deployment job?

These AZ-400 practice questions are part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style AZ-400 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.