CCNA Build Release Pipelines Questions

75 of 461 questions · Page 1/7 · Build Release Pipelines topic · Answers revealed

1
MCQhard

Your organization uses GitHub Actions for CI/CD. You need to ensure that secrets stored in GitHub are not exposed in logs. A developer reports that a secret value appeared in the workflow run log. What is the most likely reason?

A.The workflow was triggered via repository_dispatch.
B.The secret was printed using a script that bypassed automatic masking.
C.The secret name was used in the log output.
D.The workflow used 'debug' log level.
AnswerB

Manual echo or printing of secret values can bypass masking if not handled correctly.

Why this answer

Option D is correct because GitHub Actions automatically masks secrets in logs, but if a secret is explicitly printed or used in a way that bypasses masking (e.g., using echo with variable substitution), it may appear. Option A is wrong because the log level does not affect masking. Option B is wrong because secret names are not masked, only values.

Option C is wrong because the trigger does not affect logging.

2
MCQeasy

You are using Azure Pipelines to deploy a function app. You need to automatically roll back the deployment if the post-deployment smoke tests fail. What should you do?

A.Add a stage that runs only when the previous stage fails, executing a rollback script.
B.Configure the pipeline to retry the deployment on failure.
C.Use a pre-deployment approval gate to validate the build before deployment.
D.Set up a manual validation gate that requires operations to initiate a rollback.
AnswerA

A conditional stage on failure can automate rollback.

Why this answer

Option D is correct because a conditional stage that runs on failure can execute a rollback deployment. Option A is wrong because retrying the same deployment does not roll back. Option B is wrong because manual intervention is not automatic.

Option C is wrong because approval gates prevent deployment but do not roll back after failure.

3
Multi-Selecthard

You are designing a build pipeline for a .NET Core application. You need to ensure that the pipeline restores NuGet packages from both an Azure Artifacts feed and the public NuGet gallery. The pipeline must fail if a package is not found in either source. Which two actions must you take? (Select two.)

Select 2 answers
A.Create a NuGet.config file that includes both feeds as package sources and reference it in the restore task.
B.Set the 'NoWarn' property to NU1603 to ignore warnings about missing packages.
C.Use the 'dotnet restore' task with the '--no-cache' flag.
D.Set the 'CheckConsistency' flag to true in the restore task.
E.Configure the Azure Artifacts feed to use the public NuGet gallery as an upstream source.
AnswersA, D

Why this answer

Option A is correct because a NuGet.config file explicitly defines the package sources (both the Azure Artifacts feed and the public NuGet gallery) that the restore task will query. By referencing this file in the restore task, the pipeline ensures it searches both sources. Option D is correct because setting the 'CheckConsistency' flag to true in the restore task enforces that the restore operation fails if any package cannot be resolved from the configured sources, meeting the requirement to fail on missing packages.

Exam trap

The trap here is that candidates often confuse upstream sources (which provide automatic fallback) with explicit source configuration and error handling, leading them to select Option E instead of understanding that upstream sources prevent failures rather than enforce them.

Why the other options are wrong

B

This would suppress warnings, not cause failure on missing packages.

C

This bypasses cache but does not enforce failure on missing packages.

E

This is a feed configuration, not a pipeline setting, and does not cause failure if a package is missing.

4
MCQhard

Your team uses GitHub Actions to build and deploy a Node.js application to Azure Functions. You need to implement a CI/CD pipeline that automatically deploys to a staging environment on every push to the main branch, and then promotes to production after a manual approval via GitHub Environments. The pipeline must also run unit tests and linting. You want to use the official Azure actions. What should you do?

A.Create two separate workflows: one for CI (build, test, deploy staging) and one for CD (deploy production) that triggers manually.
B.Use a single workflow with a step that deploys to staging and then to production, using a condition to require manual approval via GitHub Issues.
C.Create a single GitHub Actions workflow with multiple jobs. Use a job for build and test, then a job for deploy to staging, and a job for deploy to production with an environment that requires approval.
D.Use Azure Pipelines with a multi-stage YAML pipeline that includes a stage for staging and a stage for production with pre-deployment approvals.
AnswerC

Environments support required reviewers for manual approval.

Why this answer

Option C is correct because it uses a single workflow with jobs for build, test, and deploy, and uses environments for staging and production with required reviewers. Option A is incorrect because GitHub Actions does not use multi-stage YAML. Option B is incorrect because separate workflows cannot share artifacts easily.

Option D is incorrect because Azure Pipelines is not GitHub Actions.

5
Multi-Selecthard

Your build pipeline uses a YAML template that references variables from a variable group. The variable group is linked to a library. You need to ensure that sensitive variables are not exposed in logs. Which THREE actions should you take?

Select 3 answers
A.Set the variable group to 'Allow access to all pipelines'.
B.Store the secrets in Azure Key Vault and reference them in the variable group.
C.Use 'Write-Host' to output the variable values for debugging.
D.Mark the variables as 'secret' in the variable group.
E.Configure permissions on the library to restrict which pipelines can use the variable group.
AnswersB, D, E

Key Vault provides secure secret storage and retrieval.

Why this answer

Option A is correct because marking variables as 'secret' masks them in logs. Option C is correct because limiting access to the variable group reduces exposure. Option E is correct because using Azure Key Vault provides secure storage.

Option B is wrong because logs can still show secret variable names. Option D is wrong because logging commands can still output secrets if not handled.

6
MCQmedium

Refer to the exhibit. This YAML pipeline snippet is configured in an Azure Pipelines YAML file. The team reports that the pipeline does not trigger when changes are pushed to the main branch that modify files outside the /src folder. What is the most likely reason?

A.The path filter restricts the trigger to only changes in /src/.
B.The trigger syntax is incorrect; 'branch' should be 'branches'.
C.The script step is missing a display name.
D.The pool vmImage is not specified correctly.
AnswerA

The include filter limits triggers to those paths.

Why this answer

The trigger includes a path filter that only includes /src/*. This means the pipeline will only trigger if changes are in /src. Option C is correct.

Option A is incorrect because the trigger is valid. Option B is incorrect because vmImage is not the issue. Option D is incorrect because script is valid.

7
MCQmedium

You are designing a build pipeline for a Python application that uses Anaconda environments. The pipeline must create a Conda environment, install dependencies, and run tests. The pipeline should also cache the Conda environment to speed up subsequent builds. Which configuration should you use?

A.Use the 'UsePythonVersion' task with a version spec, and add a script to create the Conda environment.
B.Use a Docker container with Anaconda pre-installed and run the pipeline inside the container.
C.Use the 'CondaEnvironment' task to create the environment, and use the 'Cache' task to cache the Conda packages folder.
D.Use a script to run 'conda create' and 'conda install', and manually cache the environment by specifying a path.
AnswerC

The CondaEnvironment task creates the environment; caching speeds up subsequent runs.

Why this answer

Option B is correct because the 'UsePythonVersion' task can set up Python, but not Conda environments. The 'CondaEnvironment' task manages Conda environments and can be combined with caching. Option A is wrong because 'UsePythonVersion' doesn't handle Conda.

Option C is wrong because script alone doesn't leverage built-in caching. Option D is wrong because Docker is unnecessary overhead.

8
MCQhard

Your organization requires that all code changes must be built and tested before merging to the main branch. You plan to use branch policies in Azure Repos. Which policy enforcement will ensure that a pull request cannot be completed unless the build succeeds?

A.Require a linked work item in the pull request.
B.Require a minimum number of reviewers.
C.Add a build validation policy that triggers a build on each PR update.
D.Reset code reviewer votes when new changes are pushed.
AnswerC

Build validation ensures the build must succeed.

Why this answer

Option C is correct because 'Build validation' enforces that a build must succeed before the PR is completed. Option A is wrong because 'Require a minimum number of reviewers' does not enforce build success. Option B is wrong because 'Comment resolution' is about comments.

Option D is wrong because 'Check for linked work items' is about work items.

9
MCQhard

Your organization uses Azure Pipelines to build a large monolithic application. The build takes over 60 minutes. Management wants to reduce the build time to under 30 minutes. The application has multiple independent modules that could be built in parallel. What is the most effective strategy to reduce build time?

A.Reduce the number of unit tests run during the build.
B.Upgrade the build agent to a larger VM size with more CPU and memory.
C.Move the build to a self-hosted agent in the same network as the source code repository.
D.Refactor the build pipeline to use multiple parallel jobs, each building a separate module.
AnswerD

Parallel jobs leverage multiple agents to build modules concurrently, reducing overall time.

Why this answer

Option C is correct because parallel jobs and multi-agent builds can significantly reduce build time by running independent modules concurrently. Option A is incorrect because larger VMs may have limited impact. Option B is incorrect because reducing code coverage is counterproductive.

Option D is incorrect because using a self-hosted agent does not inherently reduce build time.

10
Multi-Selecteasy

Which TWO tasks can be used to run unit tests in an Azure Pipeline?

Select 2 answers
A.DotNetCoreCLI@2
B.VSTest@2
C.NuGetCommand@2
D.PublishBuildArtifacts@1
E.CopyFiles@2
AnswersA, B

Can run 'dotnet test' to execute tests.

Why this answer

The VSTest task runs Visual Studio tests, and the DotNetCoreCLI task with 'test' command runs .NET tests. The NuGet task restores packages, not tests. The CopyFiles task copies files.

The PublishBuildArtifacts task publishes artifacts.

11
MCQhard

Your company uses GitHub Actions to build and deploy a Python application. The workflow includes a job that runs on a self-hosted runner. You need to ensure that sensitive environment variables are not exposed in the workflow logs. What is the best approach?

A.Use a custom action to read secrets from a file.
B.Use GitHub environment secrets and mark the secret as sensitive to ensure it is masked in logs.
C.Store secrets in GitHub repository secrets and reference them in the workflow.
D.Define the variables directly in the workflow YAML.
AnswerB

Environment secrets provide scoped access and are automatically masked.

Why this answer

Option D is correct because marking a secret as sensitive or using environment secrets with masking ensures they are redacted. Option A is incorrect because environment variables are not automatically masked. Option B is incorrect because storing in repository secrets and referencing them is good, but they are still masked in logs automatically; however, the question asks for best approach to ensure no exposure, and using environment secrets provides additional scoping.

Option D is the most comprehensive.

12
MCQeasy

Your team uses GitHub for source control and Azure Pipelines for CI/CD. You need to ensure that only pull requests from specific branches trigger a build pipeline. Which trigger configuration should you use?

A.pr: paths: include: - main - develop
B.pr: branches: only: - main
C.trigger: branches: include: - main - develop
D.pr: branches: include: - main - develop
AnswerD

Correct syntax to filter PR triggers by branch.

Why this answer

In Azure Pipelines, you can specify branch filters for PR triggers using 'pr:' with 'branches:' and 'include:' to list the branches. Option A is correct. Option B is wrong because 'trigger:' is for CI triggers, not PR triggers.

Option C is wrong because the syntax is incorrect. Option D is wrong because 'paths:' filters changes to specific files, not branches.

13
MCQeasy

You need to enforce that all builds in Azure Pipelines use a specific version of the .NET SDK. What is the best approach?

A.Add a UseDotNet task to the pipeline that specifies the required SDK version.
B.Set a pipeline variable DotNetVersion and use it in the DotNetCoreCLI task.
C.Install the SDK manually on the build agent using a script.
D.Include a global.json file in the repository and rely on the build agent to respect it.
AnswerA

This task explicitly sets the SDK version.

Why this answer

Option A is correct because the UseDotNet task allows specifying a precise SDK version. Option B is wrong because global.json is not enforced by default. Option C is wrong because the pipeline doesn't auto-update global.json.

Option D is wrong because the task exists.

14
MCQhard

Your team uses Azure Pipelines with a YAML-based build pipeline. The pipeline builds a .NET application and runs unit tests. Recently, the unit tests are failing intermittently due to flaky tests. You need to ensure that the pipeline fails only if the same test fails in two consecutive runs. Which feature should you configure?

A.Implement a GitHub Actions workflow with 're-run' trigger.
B.Use the 'Re-run failed stages' option in the pipeline run.
C.Enable 'Automatically rerun failed jobs' in the pipeline settings.
D.Configure the 'retry failed tests' setting in the pipeline's test tab.
AnswerD

This is the Test Retry feature for flaky tests.

Why this answer

The Test Retry feature in Azure Pipelines automatically retries a failed test a specified number of times. If the test passes on retry, the pipeline is marked as succeeded with warnings. Option A is correct because it allows retrying flaky tests.

Option B is a preview feature for rerunning failed stages, not tests. Option C is for rerunning failed jobs, not individual tests. Option D is a GitHub feature, not Azure Pipelines.

15
MCQhard

You are designing a build pipeline that must be triggered only when changes are made to specific folders in the repository. The pipeline should ignore documentation changes. Which trigger configuration should you use?

A.Configure a scheduled trigger to run the pipeline daily.
B.Configure a branch trigger with an include filter for the main branch.
C.Configure a path trigger with include paths for source code and exclude paths for docs.
D.Configure a tag trigger with a pattern that matches release tags.
AnswerC

Path triggers filter by file paths, allowing include/exclude rules.

Why this answer

Path filters in triggers allow specifying include and exclude patterns. Option A is wrong because branch filters are for branches, not folders. Option B is wrong because tags are for releases.

Option D is wrong because schedules are time-based.

16
MCQhard

You run the above KQL query in Log Analytics to troubleshoot a failing container in a Kubernetes deployment. The query returns no results even though you know there are errors. What is the most likely cause?

A.The 'project' clause filters out relevant rows.
B.Container logs are not being sent to the ContainerLog table.
C.The 'contains' operator is case-sensitive.
D.The KQL syntax is incorrect.
AnswerB

Logs may be in ContainerLogV2 or not collected.

Why this answer

Option D is correct because container logs may be sent to a different table (e.g., ContainerLogV2) or the log collection is not configured. Option A is wrong because the query is correct syntax. Option B is wrong because 'contains' is case-insensitive.

Option C is wrong because the query returns only three columns, not affecting results.

17
MCQhard

You have a YAML pipeline that deploys to multiple environments. The pipeline uses environment approvals. You need to ensure that the pipeline waits for manual approval before deploying to the production environment. The production environment is named 'Production'. Which configuration should you add to the deployment job?

A.Add 'environment: Production' to the deployment job and configure approvals on the environment in the Azure DevOps portal
B.Add 'approvals: Production' to the deployment job
C.Add 'checks: Production' to the deployment job
D.Add 'dependsOn: ProductionApproval' and use a separate stage for approval
AnswerA

Why this answer

Option A is correct because environment approvals in Azure DevOps are configured on the environment resource itself, not in the pipeline YAML. By adding 'environment: Production' to the deployment job, the pipeline references the environment, and the manual approval gate is enforced by the approvals configured on that environment in the Azure DevOps portal. This ensures the pipeline waits for approval before proceeding to the production deployment job.

Exam trap

The trap here is that candidates often assume approvals can be defined directly in the YAML pipeline (like a task or a key), but Azure DevOps requires approvals to be configured on the environment resource in the portal, not in the pipeline code.

Why the other options are wrong

B

'approvals' is not a valid keyword in YAML pipeline syntax.

C

'checks' is not a valid keyword; checks are configured on environments.

D

While you can create a separate stage for approval, it's not the standard way; environment approvals are built-in.

18
MCQhard

You have the YAML pipeline shown in the exhibit. What will be the output of the script in the Deploy stage?

A.The Deploy stage will be skipped
B.Deploying to prod
C.Deploying to dev
D.The script will fail because variable is not defined
AnswerB

Variable 'environment' is set to 'prod' in Deploy stage.

Why this answer

Option B is correct because the Deploy stage overrides the variable 'environment' to 'prod' for that stage. Option A is wrong because the variable is overridden. Option C is wrong because the condition only checks if Build succeeded.

Option D is wrong because the script will run and echo the variable.

19
MCQhard

You have a multi-stage pipeline that builds a .NET application and deploys it to Azure App Service. The build stage produces a drop artifact that is used by the deployment stage. Recently, the deployment stage started failing intermittently with a '403 Forbidden' error when trying to download the artifact. The service connection used for deployment has 'Contributor' role at the resource group level. The artifact is stored in Azure Artifacts. What is the most likely cause of the failure?

A.The service connection does not have 'Website Contributor' role on the App Service.
B.The pipeline has 'Limit job authorization scope to current project' enabled, restricting access to the artifact.
C.The artifact is stored in a different Azure region than the App Service, causing a cross-region access error.
D.The service principal used by the service connection lacks 'Reader' permissions on the Azure Artifacts feed.
AnswerD

To download artifacts from Azure Artifacts, the identity needs at least Reader role on the feed.

Why this answer

Option B is correct because Azure Artifacts requires the 'Reader' role at the project level to read packages. The deployment stage uses a service principal that may not have the necessary permissions on the artifact feed. Option A is incorrect because the service connection is for Azure App Service, not for reading artifacts.

Option C is not relevant as the error is not about pipeline permissions. Option D is incorrect because the pipeline does not need to be in the same region.

20
MCQhard

You are implementing a multi-stage YAML pipeline in Azure Pipelines for a microservices application. You need to ensure that the 'deploy' stage only runs if the 'build' stage succeeds and that the 'test' stage runs in parallel with 'build' for different services. How should you structure the pipeline?

A.Define stages 'build', 'test', 'deploy' with 'dependsOn: []' on 'test' and 'dependsOn: build' on 'deploy'
B.Define stages 'build', 'test', 'deploy' with 'dependsOn: build' on 'test' and 'dependsOn: test' on 'deploy' but use 'condition: always()' on test
C.Define stages 'build', 'test', 'deploy' with 'dependsOn: build' on 'test' and 'dependsOn: test' on 'deploy'
D.Define stages 'build', 'test', 'deploy' with no dependsOn; by default they run sequentially
AnswerA

test runs in parallel with build because it has no dependencies; deploy runs after build.

Why this answer

Option B is correct because stages run sequentially by default, and you can use dependsOn with 'none' for parallel stages. Option A is wrong because 'dependsOn: build' on test makes it sequential. Option C is wrong because stages cannot run in parallel if they depend on each other.

Option D is wrong because you cannot run stages in parallel without using dependsOn.

21
MCQeasy

You need to trigger a pipeline whenever changes are pushed to the 'main' branch of a GitHub repository. Which trigger should you configure in the YAML pipeline?

A.trigger: branches: include: - main
B.pr: branches: include: - main
C.resources: repositories: - repository: self trigger: branches: include: - main
D.schedules: - cron: "0 0 * * *" branches: include: - main
AnswerA

Why this answer

Option A is correct because the `trigger` keyword at the root of a YAML pipeline defines the CI trigger that automatically starts a pipeline run when changes are pushed to the specified branch. By including `main` under `branches.include`, the pipeline will trigger on any push to the `main` branch of the GitHub repository, which is the standard way to set up a CI trigger for a single branch.

Exam trap

The trap here is that candidates often confuse the `trigger` (CI push trigger) with the `pr` (pull request trigger), or incorrectly assume that a resource-level trigger is required for the self repository, when the root-level `trigger` is the correct and simplest configuration for push-based CI on the same repository.

Why the other options are wrong

B

This triggers on pull request creation, not on push.

C

This is for triggering from another repository, not the self repo.

D

This is a scheduled trigger, not on push.

22
Multi-Selecthard

Which THREE steps should you take to implement a blue-green deployment strategy for an Azure App Service using Azure Pipelines? (Choose three.)

Select 3 answers
A.Create a deployment slot named 'staging' for the App Service.
B.Enable 'Auto swap' on the staging slot.
C.Deploy the new version to the staging slot.
D.Delete the production slot after swapping.
E.Route 100% of traffic to the staging slot.
AnswersA, B, C

Staging slot is the 'green' environment.

Why this answer

Blue-green deployment: deploy to a staging slot (A), swap slots after validation (B), and enable auto-swap for zero-downtime (E). Option C is wrong because deleting the production slot is not part of blue-green; you swap to make it active. Option D is wrong because you typically route a percentage of traffic to the staging slot for testing, not 100%.

23
MCQmedium

Your team uses GitHub Actions to build and deploy a Node.js application to Azure App Service. The deployment succeeds, but the app crashes after startup with an error indicating a missing module. The build artifact includes the node_modules folder. What is the most likely cause?

A.The .gitignore file excludes node_modules from the artifact.
B.The Node.js version on the runner differs from the App Service runtime, causing native module incompatibility.
C.The workflow YAML has an indentation error that causes the deploy step to fail silently.
D.The build step does not run npm ci, so the package-lock.json is ignored.
AnswerB

Native modules compiled for a different Node.js version can fail.

Why this answer

Option C is correct because GitHub Actions runners may include a different Node.js version than the target App Service, causing native module incompatibility. Option A is wrong because the node_modules folder is included. Option B is wrong because the YAML syntax is valid.

Option D is wrong because build optimization does not cause missing modules.

24
MCQhard

Your organization uses Azure Pipelines to manage infrastructure as code with Terraform. The pipeline runs terraform plan and apply. You need to ensure that the state file is stored securely and can be locked to prevent concurrent modifications. What should you configure?

A.Store the state file in a Git repository with LFS.
B.Use the Terraform Cloud backend with remote operations.
C.Store the state file in Azure Pipelines secure files.
D.Use an Azure Storage account as the backend with a container for the state file.
AnswerD

Azure Storage supports leasing for state locking.

Why this answer

Option A is correct because Azure Storage supports state locking with leases. Option B is wrong because Terraform Cloud is external. Option C is wrong because Azure DevOps does not offer state locking.

Option D is wrong because Git is not suitable for state files.

25
MCQmedium

Your team uses Azure DevOps to build a .NET application. The build pipeline takes 45 minutes to complete. You want to reduce build times by caching dependencies. What should you configure in the pipeline?

A.Configure a Build Retention Policy to keep only the latest build.
B.Add a Cache task with a key based on the package-lock.json file hash.
C.Use Pipeline Artifacts to store dependencies between builds.
D.Enable Incremental builds in the pipeline settings.
AnswerB

The Cache task caches dependencies and restores them if the key matches, reducing build time.

Why this answer

Using the Cache task with a key based on the package-lock.json file restores cached dependencies when the file hasn't changed, reducing build time. Option A is wrong because Build Retention Policy controls artifact retention, not caching. Option B is wrong because Incremental builds are not natively supported in YAML pipelines.

Option D is wrong because Pipeline Artifacts are for sharing files between stages, not caching.

26
MCQmedium

Your team uses GitHub Actions for CI/CD. You need to ensure that secrets stored in GitHub repository secrets are not exposed in build logs. Which security practice should you implement?

A.Use GitHub Actions secrets and ensure they are marked as masked
B.Store secrets in a YAML file within the repository
C.Pass secrets as environment variables in the workflow
D.Use a third-party secret management service and fetch secrets at runtime
AnswerA

Masked secrets are automatically hidden in logs.

Why this answer

Option B is correct because marking secrets as masked prevents them from appearing in logs. Option A is wrong because storing secrets in code is insecure. Option C is wrong because secrets in environment variables can still be logged if not masked.

Option D is wrong because it does not prevent exposure in logs.

27
Multi-Selecthard

Which THREE of the following are valid considerations when designing a release pipeline to deploy to multiple environments (dev, test, prod) using Azure Pipelines YAML?

Select 3 answers
A.Use variable groups scoped to environments to override variables per stage.
B.Use environment-level approvals to gate production deployments.
C.Use stage-level approvals to gate each stage.
D.Use conditions on stages to filter based on branch.
E.Use YAML templates to define each environment's deployment steps.
AnswersA, B, D

Variable groups can be linked to environments.

Why this answer

Approval gates are configured on environments, not stages. Stage filters with conditions can control deployment to specific branches. Variables can be overridden per stage using variable groups scoped to environments.

Option A is correct because approvals are set on environments. Option C is correct because stage filters can restrict branches. Option D is correct because variable groups can be scoped to environments.

Option B is incorrect because stages don't have approvals. Option E is incorrect because YAML templates are not required.

28
MCQeasy

You are designing a release pipeline that deploys a web app to Azure App Service. You need to ensure that configuration secrets (e.g., database connection strings) are not stored in the pipeline YAML file. Which approach should you use?

A.Define the secrets as agent-scoped variables in the release pipeline.
B.Hardcode the secrets in the App Service configuration and reference them in the pipeline.
C.Use an Azure Key Vault variable group linked to the pipeline.
D.Store the secrets as pipeline variables and mark them as 'Secret'.
AnswerC

Key Vault variable groups securely fetch secrets at runtime and are not stored in the pipeline.

Why this answer

Option B is correct because Azure Key Vault securely stores secrets and integrates with Azure Pipelines via variable groups linked to Key Vault. Option A is wrong because pipeline variables are stored in YAML or in the pipeline settings, not encrypted at rest in a secure vault. Option C is wrong because agent-scoped variables are not designed for secret management and are still visible in logs.

Option D is wrong because environment variables in the App Service configuration are not managed by the pipeline securely.

29
MCQhard

You configured a multi-stage YAML pipeline with a deployment job that uses a deployment strategy like 'runOnce' or 'rolling'. You need to ensure that the deployment target is marked as 'succeeded' only after the deployment job completes successfully, and that any previous deployment to the same environment is preserved for rollback. Which setting must you configure?

A.Set the environment's 'retain' property to 1 or more
B.Set the deployment job's 'continueOnError' to true
C.Use the 'deployment' job with 'strategy: rolling'
D.Set the 'deploymentStrategy' to 'blueGreen'
AnswerA

Why this answer

Option A is correct because setting the environment's 'retain' property to 1 or more ensures that the previous deployment (e.g., the last successful run) is preserved as a 'retained' revision in the environment. This allows you to redeploy that specific revision for rollback purposes. The deployment job marks the environment target as 'succeeded' only after the job completes successfully, and retaining previous revisions prevents them from being automatically cleaned up.

Exam trap

The trap here is that candidates often confuse deployment strategies (rolling, blue-green) with revision retention, assuming that a strategy like 'rolling' or 'blueGreen' inherently preserves previous deployments for rollback, when in fact retention is a separate environment-level setting.

Why the other options are wrong

B

This would continue on failure, not preserve previous deployments.

C

This defines the update strategy but does not control retention of history.

D

Blue-green is a deployment strategy, but retention is still controlled by environment settings.

30
MCQmedium

Your team uses GitHub Actions to build a Python application. The workflow includes a step to run unit tests with pytest. The tests pass locally but fail in CI with 'ModuleNotFoundError: No module named 'myapp''. The repository structure has the application code in a subdirectory 'src/'. What is the most likely fix?

A.Set the working directory of the test step to 'src/'.
B.Add a step to install dependencies with 'pip install -r requirements.txt'.
C.Set the environment variable PYTHONPATH to 'src/' before running tests.
D.Add a step to run 'pip install -e .' from the repository root.
AnswerC

PYTHONPATH adds the directory to the module search path.

Why this answer

Option C is correct because the CI environment does not have the 'src' directory in the Python path. Setting PYTHONPATH ensures the module is found. Option A is wrong because the working directory changes the context but not the Python path.

Option B is wrong because installing the package in editable mode requires a setup.py. Option D is wrong because the dependencies are already installed.

31
MCQmedium

Your team uses Azure Pipelines to build a .NET application. Recently, builds have been failing intermittently with NuGet restore errors. The pipeline uses a hosted agent. You need to ensure consistent package restoration. What should you do?

A.Use a self-hosted agent with persistent NuGet package caches.
B.Clear the NuGet cache in the pipeline using 'dotnet nuget locals all --clear' before restore.
C.Enable multi-stage Docker builds for the application.
D.Configure the pipeline to use the Dapr sidecar for package management.
AnswerA

Persistent caches reduce reliance on external feeds and improve reliability.

Why this answer

Using a self-hosted agent with persistent package caches avoids re-downloading packages on each build, reducing network issues. Option A is wrong because clearing caches would worsen the problem. Option C is wrong because multi-stage builds are for Docker, not NuGet.

Option D is wrong because Dapr is unrelated.

32
MCQhard

You have a YAML pipeline that uses a multi-stage build. You want to cache the restored NuGet packages across builds to improve performance. Which caching strategy should you use?

A.Use the Cache@2 task with key: 'nuget | "$(Agent.OS)" | packages.lock.json', path: '$(System.DefaultWorkingDirectory)/packages'
B.Use the NuGetCommand@2 task with the -Cache argument.
C.Set the NUGET_PACKAGES environment variable to a custom path and rely on pipeline caching plugin.
D.Use the DotNetCoreCLI@2 task with the --no-restore flag and manually copy packages.
AnswerA

Why this answer

Option A is correct because the Cache@2 task is the recommended way to cache NuGet packages in Azure Pipelines. By using a cache key that includes the agent OS and the packages.lock.json file, the cache is invalidated only when the lock file changes, ensuring restored packages are reused across builds. The path points to the NuGet global packages folder, which is typically $(System.DefaultWorkingDirectory)/packages when NUGET_PACKAGES is set.

Exam trap

The trap here is that candidates may confuse the Cache@2 task's explicit key-path pairing with other NuGet-specific arguments or environment variables, assuming a simpler flag exists, when in fact Azure DevOps requires the Cache@2 task for reliable cross-build caching.

Why the other options are wrong

B

NuGetCommand does not have a -Cache argument for cross-build caching.

C

The environment variable is useful but caching must be explicitly configured.

D

--no-restore skips restore, not caching.

33
MCQmedium

Refer to the exhibit. This YAML pipeline snippet uses parameters to deploy to different environments. The team wants to run the pipeline for a specific environment by providing the parameter at queue time. However, the pipeline fails with 'Invalid stage name'. What is the most likely cause?

A.The parameter values must be defined in a separate file.
B.Stage names cannot contain template expressions; they must be static.
C.The 'AzureWebApp@1' task inputs are incorrectly formatted.
D.The 'stage' keyword should be 'stageName'.
AnswerB

Stage names must be compile-time constants.

Why this answer

Stage names cannot contain template expressions like '${{ parameters.environment }}' directly; they must be resolved to a static string. In YAML, stage names are used for dependencies and must be known at compile time. Using a parameter in the stage name is not allowed because the parameter value is not known when the YAML is parsed.

Option A is correct. Option B is incorrect because the task inputs are fine. Option C is incorrect.

Option D is incorrect.

34
MCQmedium

You have a multi-stage YAML pipeline that deploys to a Linux-based Azure App Service. The pipeline uses a 'Deploy to Azure App Service' task. You need to ensure that the deployment uses the Kudu REST API with ZIP deployment. Which value should you set for the 'packageForLinux' task input?

A.Set 'enableCustomDeployment' to true
B.Set 'packageForLinux' to true
C.Set 'useWebDeploy' to false
D.Set 'enableKuduDeploy' to true
AnswerB

Why this answer

The 'packageForLinux' input must be set to 'true' to force the 'Deploy to Azure App Service' task to use the Kudu REST API with ZIP deployment when targeting a Linux-based Azure App Service. This is required because Linux App Services do not support WebDeploy (MSDeploy) and rely on the Kudu endpoint for ZIP-based deployments.

Exam trap

The trap here is that candidates confuse the 'packageForLinux' input with a generic 'enableKudu' switch, not realizing that Kudu is the underlying mechanism for ZIP deployment on Linux and that this specific input is required to activate it.

Why the other options are wrong

A

This enables custom deployment scripts, not specifically ZIP deployment via Kudu for Linux.

C

This disables Web Deploy, but does not enable ZIP deployment for Linux.

D

There is no such input 'enableKuduDeploy' in the Azure Web App task.

35
Multi-Selecteasy

You are configuring a YAML pipeline in Azure Pipelines. The pipeline must trigger only when changes are pushed to the main branch. Which TWO settings should you configure?

Select 2 answers
A.Set the PR trigger to include main.
B.Set the pipeline to run on every push regardless of branch.
C.Use a schedule trigger with cron expression.
D.Set the trigger to include the main branch.
E.Set the trigger to none for other branches.
AnswersD, E

The trigger section specifies which branches trigger the pipeline.

Why this answer

Option A is correct because trigger defines branches to trigger on. Option D is correct because setting trigger to none disables CI triggers for other branches. Options B, C, and E are not required.

36
MCQeasy

You are designing a release pipeline for a mission-critical application. The pipeline must deploy to multiple environments (dev, test, prod) in sequence, with manual approval required before production deployment. Which Azure Pipelines feature should you use?

A.Pre-deployment approvals
B.Variable groups
C.Pipeline triggers
D.Deployment gates
AnswerA

Pre-deployment approvals require manual sign-off before deploying to a stage.

Why this answer

Pre-deployment approvals allow manual approval before deployment to a stage. Option A is wrong because gates evaluate conditions automatically. Option B is wrong because pipeline triggers start runs automatically.

Option D is wrong because variable groups store variables, not approvals.

37
MCQhard

Your team uses a monorepo in Azure Repos with multiple projects. You want to trigger a pipeline only when changes are made to a specific subfolder. Which configuration should you use?

A.Use a branch filter in the CI trigger.
B.Add a 'paths' filter to the CI trigger.
C.Configure the checkout step to only include the subfolder.
D.Use a 'file_match' condition on the job.
AnswerB

Paths filter triggers the pipeline only when files in the specified path change.

Why this answer

Option A is correct because the 'paths' trigger filter allows specifying include/exclude patterns. Option B is wrong because branch filters limit which branches trigger, not paths. Option C is wrong because the checkout step is for fetching code, not triggering.

Option D is wrong because file matching is not a trigger property.

38
MCQeasy

Your build pipeline uses a hosted agent. You notice that every build starts with a clean workspace, increasing build time. You want to improve performance by caching the Node.js 'node_modules' folder. Which task should you add to the pipeline?

A.Publish Build Artifacts task
B.Copy Files task
C.Download Build Artifacts task
D.Cache task
AnswerD

Caches the specified folder for subsequent runs.

Why this answer

Option B is correct because the Cache task is designed to cache folders between runs. Option A is wrong because the Copy Files task does not cache. Option C is wrong because the Publish Build Artifacts task publishes artifacts but does not cache on the agent.

Option D is wrong because the Download Build Artifacts task downloads artifacts, not cache.

39
MCQhard

Refer to the exhibit. You are deploying this ARM template using Azure Pipelines. The pipeline passes the parameter 'environmentName' with value 'prod'. What will be the name of the virtual network?

A.vnet-default
B.vnet-prod
C.vnet-prod-vnet
D.vnet-dev
AnswerB

The variable concatenates 'vnet-' with the parameter value 'prod'.

Why this answer

The variables section concatenates 'vnet-' with the parameter value, so 'vnet-prod'. Option A is wrong because it uses the default. Option C is wrong because it ignores the concatenation.

Option D is wrong because it uses a static name.

40
MCQmedium

A team uses Azure Pipelines to build a .NET application. The build takes 30 minutes, and developers complain that the pipeline runs slowly. The pipeline uses the 'windows-latest' agent and installs the .NET SDK in each run. Which action would MOST reduce the build time?

A.Enable pipeline caching for the .NET SDK.
B.Deploy a self-hosted agent in Azure.
C.Increase the number of parallel jobs.
D.Change the agent pool to 'ubuntu-latest'.
AnswerA

Caching avoids re-downloading the SDK each run, reducing build time.

Why this answer

Option B is correct because using a Microsoft-hosted agent with caching for the .NET SDK avoids downloading it each time, significantly reducing build time. Option A is wrong because more agents won't speed a single job. Option C is wrong because moving to Linux doesn't address SDK download overhead.

Option D is wrong because self-hosted agents require maintenance and may not reduce time if SDK still downloads.

41
Multi-Selectmedium

Which TWO conditions must be met for a self-hosted agent to be used in an Azure Pipelines agent pool? (Choose two.)

Select 2 answers
A.The agent must be in the Default pool.
B.The agent must have network access to Azure Pipelines.
C.The agent must run on Windows Server.
D.The agent must be installed on a virtual machine.
E.The agent must be registered with the agent pool.
AnswersB, E

Needs to communicate with Azure Pipelines service.

Why this answer

Options A and C are correct. A: The agent must be registered with the agent pool. C: The agent must have network access to Azure Pipelines.

Option B is wrong because the agent can run on any OS. Option D is wrong because the agent can be registered to any pool. Option E is wrong because the agent can be on any machine.

42
MCQhard

Your organization uses GitHub Actions for CI/CD. You need to implement a deployment strategy where a new version of the application is gradually shifted from the stable environment to a canary environment, and if health checks pass, the traffic is fully shifted to the canary. Which GitHub Actions deployment strategy should you use?

A.Recreate deployment
B.Canary deployment
C.Blue-green deployment
D.Rolling deployment
AnswerB

Canary gradually shifts traffic to the new version and promotes if health checks pass.

Why this answer

Option B is correct because the 'canary' deployment strategy in GitHub Actions gradually shifts traffic to the new version and promotes if health checks pass. Option A is wrong because 'blue-green' switches all traffic at once. Option C is wrong because 'rolling' updates instances in batches but doesn't use canary traffic shifting.

Option D is wrong because 'recreate' replaces all instances at once.

43
MCQmedium

You have a multi-stage YAML pipeline that builds and deploys a Java application. The pipeline runs on a Microsoft-hosted agent. The build stage fails intermittently with 'OutOfMemoryError: Java heap space'. What should you do to resolve this issue?

A.Set the environment variable 'MAVEN_OPTS' to '-Xmx2048m'.
B.Use a self-hosted agent with more memory.
C.Set the environment variable 'GRADLE_OPTS' to '-Xmx2048m'.
D.Use the 'Maven@3' task with the 'jdkVersion' option set to 'jdk11'.
AnswerA

Correct: MAVEN_OPTS sets JVM options for Maven, increasing heap space.

Why this answer

Option D is correct because you can set JAVA_OPTS to increase heap size for the Maven build. Option A is wrong because using a self-hosted agent doesn't directly increase heap; you would still set JAVA_OPTS. Option B is wrong because parallel jobs would increase resource usage, not fix memory.

Option C is wrong because the variable is for Gradle, not Maven.

44
MCQmedium

You are implementing a release pipeline for a web application deployed to multiple Azure App Service instances across different regions (West US, East US, and North Europe). The deployment must follow a phased rollout: first West US, then East US, then North Europe, with a manual approval gate between each region. Each region should have its own slot for staging and production. You need to design the pipeline to minimize duplication of stages and tasks. What should you do?

A.Use a multi-stage YAML pipeline with environment per region and a manual approval on each environment.
B.Create three separate stages (one per region) and duplicate the deployment tasks in each.
C.Use a single stage with parallel deployment to all regions and add manual approvals before each region's deployment.
D.Use a single stage with a deployment group job that targets agents tagged with region names, and use deployment group tags to control phased rollout.
AnswerD

Allows reuse of tasks and phased rollout with tags.

Why this answer

Option A is correct because a deployment group job with deployment group tags allows targeting regions and reusing tasks. Option B is incorrect because each region would need separate stages. Option C is incorrect because environment-based strategy requires separate environments.

Option D is incorrect because parallel deployment does not support phased rollout with approvals.

45
Multi-Selecthard

Your release pipeline uses a deployment group to deploy to multiple on-premises servers. You need to ensure that only healthy servers receive the deployment and that deployment history is retained. Which THREE actions should you include?

Select 3 answers
A.Set a retention policy to keep deployment history for a specified number of days.
B.Tag each server with its role (e.g., web, API).
C.Configure health checks in the deployment group to verify server status before deployment.
D.Use a single deployment group for all servers.
E.Disable parallel deployment to avoid conflicts.
AnswersA, B, C

Retention policy preserves deployment history.

Why this answer

Option A is correct because tagging servers by role enables targeted deployments. Option C is correct because deployment groups include health checks. Option E is correct because retention policies preserve history.

Options B and D are not needed.

46
MCQhard

Your team uses Azure DevOps to deploy a Node.js web app to Azure App Service on Linux. The build pipeline runs `npm install` and `npm run build`, then publishes the `dist` folder. The release pipeline uses the 'Azure App Service deploy' task. Recently, deployments fail intermittently with 'ERR_MODULE_NOT_FOUND' for a custom module. The module is listed in `package.json` and is present in the `node_modules` folder on the build agent. What is the most likely cause?

A.The 'Azure App Service deploy' task modifies package.json during deployment.
B.The 'Azure App Service deploy' task runs npm install on the target, but it fails due to network restrictions.
C.The build artifact does not include node_modules; the app requires them at runtime.
D.The deployment slot's Kudu service fails to sync the dist folder.
AnswerC

Only the dist folder is published; node_modules are missing.

Why this answer

Option B is correct because the App Service on Linux runs the app directly from the `dist` folder, but the `node_modules` folder is not included in the published artifact since only the `dist` folder is published. Hence, modules outside `dist` are missing. Option A is wrong because the task does not modify `package.json`.

Option C is wrong because Kudu syncs all files, but the root issue is missing modules. Option D is wrong because the task does not run `npm install` by default.

47
MCQeasy

You need to integrate security scanning into your build pipeline to detect vulnerable open-source dependencies. Which Azure DevOps extension should you use?

A.WhiteSource Bolt
B.Azure Policy
C.GitHub Advanced Security
D.SonarQube
AnswerA

Scans open-source dependencies for vulnerabilities.

Why this answer

Option A is correct because WhiteSource Bolt (Mend) is a popular extension for open-source vulnerability scanning. Option B is wrong because SonarQube is for code quality, not dependency scanning. Option C is wrong because Azure Policy is for compliance of Azure resources.

Option D is wrong because GitHub Advanced Security is for GitHub repos, not Azure Repos.

48
MCQhard

Your organization uses GitHub Actions for CI/CD. You need to ensure that secrets stored in GitHub are not exposed in build logs. A developer accidentally printed a secret to the console in a workflow step. How can you prevent this from happening in the future?

A.Enable 'Secret scanning' and 'Push protection' for the repository.
B.Add the secret to the 'Secret scanning' exclusion list.
C.Instruct developers to avoid using 'echo' and use '::set-output' instead.
D.Use the 'actions/secrets' action to mask secrets automatically.
AnswerA

These features detect and block secrets in code and logs.

Why this answer

Option D is correct because enabling 'Secret scanning' and 'Push protection' in the repository automatically blocks secrets from being committed or printed in logs. Option A would mask the secret but only after it's already been printed. Option B is impractical and error-prone.

Option C is not a built-in feature.

49
MCQeasy

The exhibit shows an Azure CLI command to run a pipeline. What does this command do?

A.Runs the pipeline on all branches with the variable.
B.Runs the pipeline and sets a secret variable.
C.Runs the pipeline named 'MyPipeline' on the 'main' branch with a variable 'myVar' set to 'value1'.
D.Creates a new pipeline named 'MyPipeline' with a variable.
AnswerC

This is the correct interpretation of the command.

Why this answer

Option D is correct because the command runs the pipeline named 'MyPipeline' on the 'main' branch, with a variable 'myVar' set to 'value1'. Option A is wrong because it runs the pipeline, does not create one. Option B is wrong because it runs on the 'main' branch, not all branches.

Option C is wrong because it sets a variable, not a secret.

50
MCQhard

Your organization uses GitHub Actions for CI/CD. You need to ensure that deployment to production only occurs after a successful deployment to a staging environment and requires approval from a senior developer. The deployment workflow is defined in a single YAML file. What is the most efficient way to achieve this?

A.Add a step that pauses the pipeline until a manual approval is received via a custom webhook.
B.Use a workflow_dispatch trigger and require the senior developer to manually run the production deployment.
C.Use a build matrix to run staging and production deployments in parallel.
D.Use two environments (staging and production) with required reviewers on the production environment, and use conditional steps to deploy to staging first.
AnswerD

Environment protection rules enforce approvals, and conditional steps ensure order.

Why this answer

Option C is correct because GitHub Actions supports environment protection rules, including required reviewers, and environment variables can control deployment steps. Option A is incorrect because matrix builds are for parallel builds, not sequential approvals. Option B is incorrect because workflow run is not a step.

Option D is incorrect because manual triggers don't enforce sequential deployment.

51
MCQhard

Your release pipeline uses deployment groups to deploy to on-premises servers. You want to ensure that only one deployment runs at a time on each server. Which option should you configure?

A.Set the deployment queue to 'Deploy one at a time' with 'Exclusive lock'.
B.Configure a pre-deployment condition that checks the current deployment status.
C.Add a manual approval step before each deployment.
D.Set the deployment queue to 'Deploy all in parallel' with 'Number of parallel deployments' set to 1.
AnswerA

Exclusive lock ensures that only one deployment runs on each target at a time.

Why this answer

Option A is correct because deployment groups support 'Exclusive lock' deployment queue settings to prevent concurrent deployments to the same target. Option B is wrong because parallel deployment settings control the overall number of parallel deployments, not per-target locking. Option C is wrong because stage-level pre-deployment conditions do not enforce per-target locking.

Option D is wrong because environment-level approvals are for manual intervention, not concurrency control.

52
MCQmedium

Your team uses a multi-stage YAML pipeline in Azure Pipelines. The pipeline includes a stage that runs integration tests against a test environment. You want to ensure that the integration tests are not affected by other pipelines that deploy to the same environment concurrently. What should you implement?

A.Set the environment's 'Exclusive lock' check to enabled.
B.Set the pipeline's 'Maximum number of parallel deployments' to 1.
C.Configure a required template check on the environment.
D.Add a manual approval check on the environment.
AnswerA

Exclusive lock prevents other pipeline runs from deploying to the same environment simultaneously.

Why this answer

Option C is correct because exclusive lock check ensures only one pipeline runs at a time for a given environment. Option A is incorrect because manual approval does not prevent concurrency. Option B is incorrect because environment checks only evaluate conditions, not concurrency.

Option D is incorrect because deployment queue settings with 'Number of parallel deployments' set to 1 provide exclusive lock, but the correct answer is exclusive lock resourced by environment.

53
MCQmedium

Your team uses GitHub Actions for CI/CD. You have a workflow that builds and deploys a Node.js application to Azure App Service. The workflow uses the 'azure/webapps-deploy@v2' action. You notice that the deployment often fails with a 403 error during the 'Deploy to Azure' step. The error message indicates that the publish profile credentials are invalid. You have stored the publish profile as a secret in the repository. The secret name is AZURE_WEBAPP_PUBLISH_PROFILE. The workflow step uses the secret correctly. However, the secret value might have been rotated. You need to ensure that the deployment works reliably. What should you do?

A.Use OpenID Connect with a service principal instead of publish profile.
B.Check the workflow run log for the exact error and update the secret accordingly.
C.Replace the 'azure/webapps-deploy' action with 'Azure/cli' action and run az webapp deployment source config-zip.
D.Recreate the secret in GitHub by deleting and adding it again with the same value.
AnswerA

OIDC provides token-based authentication that does not rely on static secrets.

Why this answer

Option C is correct because using a service principal with a managed identity or Azure AD application is more secure and reliable than publish profile. Option A is wrong because checking the log does not fix the issue. Option B is wrong because using a different action still relies on the same secret.

Option D is wrong because the secret is already defined; recreating it does not guarantee it will work if the underlying credentials are rotated.

54
MCQhard

Your team uses Azure Pipelines to deploy a web app to Azure App Service. The deployment uses the 'AzureWebApp@1' task with a deployment slot. You need to ensure that after a successful deployment to the staging slot, the slot swap happens automatically and the staging slot is warmed up before the swap. Which configuration should you use?

A.Use the 'Azure App Service manage' task to swap slots after deployment.
B.Set the 'Slot' parameter to 'staging' and enable 'Swap with production' in the task.
C.Use the 'Azure CLI' task to run 'az webapp deployment slot swap' after deployment.
D.Configure the deployment task to deploy to staging and then use a separate task to swap.
AnswerB

This automatically swaps after deployment with warmup.

Why this answer

Option B is correct because the 'AzureWebApp@1' task includes a 'Swap with production' checkbox that, when enabled, automatically performs a slot swap after the deployment to the specified slot (e.g., staging) completes. This ensures the staging slot is warmed up by the deployment process before the swap, as the swap operation respects the warm-up phase of the target slot, preventing downtime and ensuring the production slot receives a fully initialized application.

Exam trap

The trap here is that candidates often think a separate swap task or CLI command is required for slot swapping, but the 'AzureWebApp@1' task's built-in 'Swap with production' option handles both deployment and warm-up automatically, making it the simplest and most reliable choice.

How to eliminate wrong answers

Option A is wrong because the 'Azure App Service manage' task is a separate task that can swap slots, but it does not inherently integrate with the deployment task to ensure automatic warm-up before swap; it requires manual sequencing and does not leverage the built-in warm-up behavior of the deployment task. Option C is wrong because using the 'Azure CLI' task to run 'az webapp deployment slot swap' after deployment adds unnecessary complexity and does not automatically handle warm-up; the CLI command performs a swap but does not guarantee the staging slot is warmed up before the swap unless additional warm-up logic is explicitly implemented. Option D is wrong because deploying to staging and then using a separate task to swap is a valid approach but lacks the automatic warm-up guarantee provided by the 'Swap with production' setting in the 'AzureWebApp@1' task; the separate swap task may swap before the staging slot is fully warmed up, leading to potential downtime or cold-start issues.

55
Multi-Selecthard

Which THREE components are required to implement a self-hosted agent pool in Azure Pipelines?

Select 3 answers
A.An Azure Resource Manager service connection.
B.A YAML pipeline definition.
C.The Azure Pipelines agent software installed on the machine.
D.A virtual machine or physical server to host the agent.
E.A personal access token (PAT) with agent pool management permissions.
AnswersC, D, E

The agent software is necessary.

Why this answer

Options A, B, and C are correct. A self-hosted agent requires a virtual machine to run the agent, the agent software installed, and a personal access token (PAT) to register the agent with Azure DevOps. Option D is wrong because a service connection is not needed for the agent registration.

Option E is wrong because a YAML pipeline is not required to set up the agent.

56
MCQeasy

You are creating a release pipeline that deploys to Azure App Service. You want to ensure that the deployment uses the 'Run from package' feature for faster deployments and reduced downtime. Which deployment method should you select in the 'Azure App Service deploy' task?

A.Web Deploy
B.Container
C.RunFromPackage
D.Zip Deploy
AnswerC

This method deploys a zip package and sets the app to run from it.

Why this answer

The 'Run from package' feature is enabled by selecting 'Web Deploy' with 'Package' or 'RunFromPackage' option. The correct option is to select 'RunFromPackage' as the deployment method. Option A is wrong because 'Zip Deploy' is a different method.

Option B is wrong because 'Web Deploy' alone does not enable run from package. Option D is wrong because 'Container' is for containerized apps.

57
MCQmedium

Your team uses GitHub Actions to build and deploy a static website to Azure Storage. The workflow uses the 'azure/webapps-deploy' action to deploy to a storage account static website. Recently, deployments started failing with 'Error: Failed to get credentials'. The workflow uses OpenID Connect (OIDC) for authentication. What is the most likely cause?

A.The service principal used for OIDC does not have the 'Storage Blob Data Contributor' role on the storage account.
B.The storage account firewall is blocking the GitHub Actions IP range.
C.The OIDC configuration in GitHub is missing the 'client secret' field.
D.The 'azure/webapps-deploy' action does not support static websites.
AnswerA

Role assignment is required for OIDC to access the resource.

Why this answer

Option A is correct because OIDC authentication requires the Azure AD application (service principal) to have the appropriate role assignment on the target resource (storage account). If the role assignment is missing, the OIDC token exchange fails. Option B is wrong because OIDC does not require client secret.

Option C is wrong because the action works with static websites. Option D is wrong because the issue is not network-related.

58
Multi-Selectmedium

Your release pipeline deploys to multiple environments (dev, test, prod). You need to ensure that only authorized users can approve production deployments. Which TWO actions should you take?

Select 2 answers
A.Use a manual intervention task in the pipeline.
B.Set environment permissions to allow only specific users to create releases.
C.Configure deployment gates to check for user approval.
D.Add a 'Approval' check on the production environment.
E.Add a pre-deployment approval to the production stage.
AnswersD, E

Checks can require approval from specific users or groups.

Why this answer

Option A is correct because pre-deployment approvals enforce approval before deployment. Option D is correct because checks can restrict based on user or group. Option B is wrong because gates are for health checks, not approvals.

Option C is wrong because environment permissions control who can create releases, not deploy to production. Option E is wrong because manual validation task is for interactive validation, not approval control.

59
MCQhard

You are designing a release pipeline for a microservices application deployed to Azure Kubernetes Service (AKS). You need to implement a strategy that allows rolling back to the previous version quickly if a deployment fails. The pipeline should also support canary deployments. Which tool or feature should you use?

A.Terraform with Kubernetes provider.
B.Helm package manager with Helm deploy task.
C.Azure Pipelines Kubernetes manifest task with kubectl apply.
D.Kubectl task with rolling update strategy.
AnswerB

Correct: Helm supports rollback and canary deployments.

Why this answer

Helm is the correct choice because it provides native support for rollbacks via `helm rollback`, which can revert a release to a previous revision quickly. Additionally, Helm supports canary deployments through its upgrade strategy (e.g., `--set canary.enabled=true`) and integration with tools like Flagger or Argo Rollouts, enabling fine-grained traffic shifting. The Helm deploy task in Azure Pipelines wraps these capabilities, making it the most suitable tool for both rollback and canary requirements.

Exam trap

The trap here is that candidates often confuse `kubectl apply` (which only applies manifests) with a full release management tool, overlooking Helm's built-in rollback and canary support that are explicitly required by the question.

How to eliminate wrong answers

Option A is wrong because Terraform with Kubernetes provider is an infrastructure-as-code tool focused on provisioning and managing Kubernetes resources, not on release management or rollback strategies; it lacks native support for canary deployments or quick rollbacks of application releases. Option C is wrong because the Azure Pipelines Kubernetes manifest task with `kubectl apply` applies manifests directly but does not provide built-in rollback mechanisms or canary deployment capabilities; it relies on manual `kubectl rollout undo` commands and lacks revision history management. Option D is wrong because the `kubectl task with rolling update strategy` only supports basic rolling updates and does not natively support canary deployments or automated rollbacks; it requires custom scripting for traffic splitting and revision tracking.

60
Multi-Selectmedium

Which TWO tasks can be used to deploy an Azure Web App using YAML pipelines in Azure DevOps?

Select 2 answers
A.AzureWebApp
B.CopyFilesOverSSH
C.AzureRmWebAppDeployment
D.AzureFunctionApp
E.AzureVMAppDeployment
AnswersA, C

This task deploys to Azure Web Apps.

Why this answer

Options A and B are correct. The AzureWebApp task and the AzureRmWebAppDeployment task are standard for deploying web apps. Option C is for Azure Functions, D is for VM applications, and E is a generic file copy task that does not perform deployment.

61
MCQeasy

Your team uses Azure Pipelines for CI/CD. You want to enforce that every build produces a versioned artifact that includes the Git commit ID. Which predefined variable should you use to get the commit ID in a YAML pipeline?

A.Build.Repository.Name
B.Build.BuildId
C.Build.SourceVersion
D.Build.SourceBranch
AnswerC

Correct: Build.SourceVersion contains the commit ID.

Why this answer

Option C is correct because Build.SourceVersion returns the commit ID. Option A is wrong because Build.BuildId is the pipeline build number. Option B is wrong because Build.SourceBranch is the branch name.

Option D is wrong because Build.Repository.Name is the repo name.

62
MCQhard

Your release pipeline uses a multi-stage YAML with environments. You need to ensure that only one deployment runs at a time to a production environment to avoid conflicts. Which feature should you use?

A.Use a condition to check if a previous deployment is in progress.
B.Add a pre-deployment approval gate.
C.Set the 'parallel' deployment option to 1.
D.Configure an exclusive lock policy on the production environment.
AnswerD

Correct: Exclusive lock ensures only one deployment runs at a time.

Why this answer

Option D is correct because an exclusive lock policy on an environment ensures that only one deployment can run at a time to that environment. When a deployment starts, it acquires a lock on the environment; subsequent deployments are queued until the lock is released. This prevents conflicts from concurrent deployments to the same production environment.

Exam trap

The trap here is that candidates often confuse 'parallel deployment' settings (which control concurrency within a single stage) with environment-level locking (which controls concurrency across multiple pipeline runs targeting the same environment).

How to eliminate wrong answers

Option A is wrong because conditions in YAML evaluate at runtime based on variables or previous job status, but they do not provide a queuing mechanism to prevent concurrent deployments; they only skip or run a stage based on a boolean expression. Option B is wrong because pre-deployment approval gates add manual or automated checks before a deployment starts, but they do not serialize deployments; multiple approvals can be granted concurrently, leading to simultaneous deployments. Option C is wrong because the 'parallel' deployment option controls the number of parallel deployment jobs within a single stage, not across stages or environments; setting it to 1 only limits parallelism within that stage, not across different pipeline runs targeting the same environment.

63
MCQhard

You are designing a build pipeline that produces a NuGet package. The pipeline must conditionally sign the assembly only when the build is triggered by a tag starting with 'v' (e.g., v1.0.0). The pipeline uses a script task that signs the assembly. Which expression should you use in the condition of the script task?

A.and(succeeded(), startsWith(variables['Build.SourceBranch'], 'refs/tags/v'))
B.and(succeeded(), startsWith(variables['Build.SourceBranchName'], 'v'))
C.and(succeeded(), startsWith(variables['Build.SourceVersion'], 'v'))
D.and(succeeded(), eq(variables['Build.Reason'], 'IndividualCI'))
AnswerA

Why this answer

Option A is correct because the condition uses `startsWith(variables['Build.SourceBranch'], 'refs/tags/v')` to check if the build was triggered by a tag whose full Git ref starts with `refs/tags/v`. This ensures the signing script runs only when the source branch is a tag reference matching the 'v' prefix, which is the standard way to identify version tags in Azure Pipelines. The `and(succeeded(), ...)` wrapper guarantees the previous tasks completed successfully before signing.

Exam trap

The trap here is that candidates often confuse `Build.SourceBranchName` (short name) with `Build.SourceBranch` (full ref), leading them to choose Option B, which would incorrectly match branches or other refs starting with 'v' instead of only tags.

Why the other options are wrong

B

Build.SourceBranchName for a tag is the tag name, so this would also work but is less precise; however, the official documentation recommends using Build.SourceBranch.

C

Build.SourceVersion is the commit SHA, not the tag.

D

Build.Reason checks for CI trigger, not tag.

64
MCQmedium

Your team is using GitHub Actions for CI/CD. The workflow builds a container image and pushes it to Azure Container Registry (ACR). However, the workflow fails with an authentication error when pushing to ACR. What is the most likely cause?

A.The repository name in the workflow is incorrect.
B.The Dockerfile is missing a required LABEL instruction.
C.The ACR allows anonymous pull access.
D.The workflow does not include an 'azure/login' step to authenticate with Azure.
AnswerD

Azure login action is required to get credentials for ACR.

Why this answer

Option A is correct because the most common cause is that the Azure login action is missing or misconfigured. Option B is wrong because Docker login is handled by the Azure login action. Option C is wrong because ACR allows anonymous pull but not push.

Option D is wrong because the issue is authentication, not repository name.

65
MCQmedium

Refer to the exhibit. The pipeline YAML includes an Azure CLI script that sets an app setting on a Web App. The pipeline fails with an authentication error. What is the most likely cause?

A.The resource group name is incorrect.
B.The pipeline does not have an Azure service connection configured for authentication.
C.The DEPLOYMENT_SLOT setting name is invalid.
D.The script syntax is invalid.
AnswerB

The Azure CLI task requires authentication via a service connection.

Why this answer

The Azure CLI script requires authentication to Azure. Without an Azure CLI task or service connection, it fails. Option A is wrong because the resource group name is correct.

Option B is wrong because the script syntax is valid. Option D is wrong because the script is not missing any parameters; it lacks authentication.

66
MCQhard

You are managing a pipeline that deploys a microservices application to multiple Azure Kubernetes Service (AKS) clusters in different regions. You want to implement a progressive exposure strategy where the deployment first goes to a small cluster (canary), then to a medium cluster, and finally to all clusters. The deployment should be automated but with the ability to halt if errors occur. What should you use?

A.Use manual approval gates between stages.
B.Use deployment gates with evaluation of health metrics (e.g., error rate) before proceeding to the next stage.
C.Configure a rolling deployment strategy on each cluster.
D.Use a manual validation step in the pipeline.
AnswerB

Gates automatically evaluate metrics and can halt progression if thresholds are exceeded.

Why this answer

Option B is correct because deployment gates with metrics evaluation allow progressive exposure and automated halt. Option A is incorrect because approvals are manual. Option C is incorrect because manual validation steps require human intervention.

Option D is incorrect because rolling deployment strategy is not about progressive exposure across clusters.

67
MCQhard

Your team uses Azure Pipelines for CI/CD. A release pipeline fails intermittently during deployment to an Azure App Service slot. The error message indicates 'Failed to fetch access token for Azure Resource Manager service endpoint.' The service principal used has been granted Contributor role on the resource group. The issue resolves after re-creating the service connection in Azure DevOps. What is the most likely cause?

A.The service principal client secret has expired.
B.The user who created the service connection has been removed from Azure DevOps.
C.The Azure DevOps organization is behind a firewall that blocks outbound requests to Azure Resource Manager.
D.The service principal lacks the required role on the target resource group.
AnswerA

Expired secrets cause intermittent token failures; re-creating the connection generates a new secret.

Why this answer

Option A is correct because service principal credentials (client secret) can expire, causing intermittent token fetch failures. Re-creating the service connection generates a new secret, temporarily resolving the issue until it expires again. Option B is wrong because RBAC permissions do not affect token acquisition from Entra ID.

Option C is wrong because network restrictions would cause consistent failure, not intermittent. Option D is wrong because the service connection is specific to the service principal, not user credentials.

68
MCQeasy

You are setting up a build pipeline for a .NET Core application. The build should run on every pull request to the 'main' branch. Which trigger configuration should you use in the YAML pipeline?

A.trigger: pr: branches: include: - main
B.trigger: branches: include: - main
C.pr: branches: include: - main
D.pr: autoCancel: false branches: include: - '*'
AnswerC

Correctly sets PR trigger for changes targeting main.

Why this answer

Option C is correct because 'pr: branches: include: - main' triggers the pipeline on PRs targeting main. Option A is wrong because it uses 'trigger' for CI, not PR triggers. Option B is wrong because it uses 'trigger' for PRs, but the syntax is incorrect.

Option D is wrong because it includes all branches, which is too broad.

69
Multi-Selecthard

Which THREE options are valid strategies for implementing progressive exposure in Azure Pipelines?

Select 3 answers
A.Rolling update.
B.Ring-based deployment.
C.Canary deployment.
D.Immutable infrastructure.
E.Blue-green deployment.
AnswersB, C, E

Ring-based deployment releases to increasing user groups.

Why this answer

Options A, C, and D are correct. Canary, blue-green, and ring-based deployments are all progressive exposure strategies. Option B is not progressive exposure; it's a deployment method.

Option E is a deployment strategy but not typically progressive exposure.

70
Multi-Selectmedium

Which TWO are valid strategies for managing secrets in Azure Pipelines?

Select 2 answers
A.Store secrets in plain text in a variable group.
B.Use a variable group linked to Azure Key Vault and mark variables as secret.
C.Store secrets in a Git repository and read them during build.
D.Embed secrets directly in the pipeline YAML file.
E.Use the Azure Key Vault task to fetch secrets and map them to pipeline variables.
AnswersB, E

Variable groups can reference Key Vault secrets securely.

Why this answer

Option B is correct because linking a variable group to Azure Key Vault allows secrets to be securely referenced in pipelines without exposing them in plaintext. When variables are marked as secret, Azure Pipelines automatically masks their values in logs and output, ensuring sensitive data remains protected throughout the build and release process.

Exam trap

The trap here is that candidates may think variable groups alone are secure, but only when linked to Key Vault and marked as secret do they provide proper secret management; plain-text variable groups or YAML embedding are common missteps.

71
Multi-Selectmedium

Which TWO of the following are valid strategies to securely store and use secrets in Azure Pipelines?

Select 2 answers
A.Link a variable group to Azure Key Vault and reference variables in the pipeline.
B.Use the 'AzureKeyVault' task to download secrets during the pipeline run.
C.Use the 'secret' variable type in YAML and hardcode the value.
D.Store secrets in a text file in the repository and use a script to read them.
E.Use encrypted environment variables in GitHub Actions.
AnswersA, B

This securely stores secrets in Key Vault.

Why this answer

Variable groups can be linked to Azure Key Vault to store secrets securely. The 'AzureKeyVault@1' task can retrieve secrets from Key Vault at runtime. Option A is correct because variable groups support Key Vault integration.

Option D is correct because the task can download secrets. Option B is not secure; Option C is not secure; Option E is not a pipeline feature.

72
MCQhard

You have the above YAML task in a pipeline. The task runs but no secrets are available in subsequent tasks. What is the most likely cause?

A.The secrets are not automatically mapped to environment variables; you must reference them using $(secretName).
B.The SecretsFilter is set to '*' which is invalid.
C.The service principal does not have 'Get' permission on the key vault.
D.The key vault name 'mykv' does not exist.
AnswerA

With RunAsPreJob: false, secrets are not injected as environment variables; they must be explicitly referenced.

Why this answer

Option B is correct because when RunAsPreJob is false, secrets are fetched during the job but may not be available as environment variables automatically; they need to be referenced as $(secretName). Option A is wrong because the service connection likely has permissions. Option C is wrong because the filter '*' fetches all secrets.

Option D is wrong because Key Vault exists.

73
MCQmedium

Your Azure DevOps pipeline deploys an ARM template to create a storage account. The deployment fails with 'AuthorizationFailed' error. The service principal used by the service connection has 'Contributor' role on the resource group. What is the most likely issue?

A.The service principal is not registered for the 'Microsoft.Storage' resource provider.
B.The storage account name is already taken.
C.The ARM template is using an unsupported API version.
D.The service principal does not have 'Contributor' role at the subscription scope.
AnswerD

If the deployment is at subscription scope, subscription-level permissions are needed.

Why this answer

Option B is correct because ARM template deployments require 'Microsoft.Resources/deployments/write' permission, which is included in Contributor. However, if the deployment is at subscription scope, the service principal needs Contributor on the subscription. Option A is incorrect because the error is authorization, not conflict.

Option C is not required. Option D is incorrect because ARM templates don't require a specific provider registration for deployment itself.

74
MCQhard

Refer to the exhibit. This multi-stage YAML pipeline has a variable 'publishEnabled' set to false. The team wants the Publish stage to run only when 'publishEnabled' is true. However, the Publish stage never runs, even when the variable is changed to true at queue time. What is the most likely cause?

A.The condition syntax is wrong; it should use 'eq(variables.publishEnabled, true)'.
B.The Publish stage is missing 'dependsOn: Build'.
C.The variable 'publishEnabled' is not settable at queue time; it is a compile-time variable.
D.The 'dependsOn' syntax is incorrect; it should be 'dependsOn: Build'.
AnswerC

Variables in the 'variables' section are compile-time unless explicitly allowed.

Why this answer

In YAML pipelines, variables defined in the 'variables' section are compile-time and cannot be overridden at queue time unless they are marked as 'queue-time' settable. The condition 'eq(variables['publishEnabled'], true)' evaluates at runtime, but the variable value is fixed at compile time. Option C is correct.

Option A is incorrect because 'dependsOn' is correct. Option B is incorrect because the condition syntax is valid. Option D is incorrect because the variable is not runtime-settable.

75
MCQeasy

Your team uses GitHub Actions for CI/CD. You want to securely store a database connection string used in a workflow. Where should you store it?

A.GitHub Secrets.
B.Workflow environment variables.
C.Directly in the workflow YAML.
D.In a configuration file committed to repo.
AnswerA

Secrets are encrypted and secure for sensitive values.

Why this answer

Option A is correct because GitHub Secrets are encrypted and designed for sensitive data. Option B is wrong because environment variables are not encrypted. Option C is wrong because hardcoding is insecure.

Option D is wrong because configuration file in repo is not secure.

Page 1 of 7 · 461 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Build Release Pipelines questions.