CCNA Build Release Pipelines Questions

75 of 461 questions · Page 4/7 · Build Release Pipelines topic · Answers revealed

226
MCQhard

During a release pipeline, you notice that the deployment to staging fails intermittently due to a timeout waiting for the health check endpoint to return 200. The health check typically passes within 30 seconds, but occasionally takes up to 2 minutes. You need to make the deployment more reliable without affecting the overall release time. What should you do?

A.Remove the health check from the pipeline and rely on monitoring.
B.Add a retry task that runs the health check again after a failure.
C.Increase the health check timeout in the pipeline task to 3 minutes.
D.Reduce the health check timeout to 10 seconds to fail fast and trigger a rollback.
AnswerC

Allowing up to 3 minutes accommodates the occasional delay without causing failure.

Why this answer

Option A is correct because increasing the health check timeout to 3 minutes accommodates the occasional 2-minute delay without failing the deployment. Option B is wrong because retrying the task would restart the entire deployment, increasing total time. Option C is wrong because removing the health check removes validation.

Option D is wrong because reducing the timeout would cause more failures.

227
MCQhard

You are designing a release pipeline for a microservices application deployed to Azure Kubernetes Service (AKS). You need to implement a strategy that minimizes downtime during updates by gradually shifting traffic to the new version while monitoring for errors. Which deployment strategy should you use?

A.Recreate deployment
B.Blue-green deployment
C.Canary deployment
D.Rolling update
AnswerC

Correct: Canary releases a small subset of new version and gradually increases traffic with monitoring.

Why this answer

Option C is correct because canary deployment gradually shifts traffic and allows monitoring. Option A is wrong because rolling replacement updates pods incrementally but doesn't shift traffic gradually. Option B is wrong because blue-green deploys a full new environment and switches all traffic, not gradual.

Option D is wrong because recreate replaces all pods at once, causing downtime.

228
Multi-Selectmedium

Which TWO of the following are valid ways to trigger a release pipeline in Azure DevOps? (Select TWO.)

Select 2 answers
A.Continuous deployment trigger after a build completes.
B.Source version trigger.
C.Manual trigger via the 'Create release' button.
D.Pull request trigger.
E.Scheduled release trigger.
AnswersA, E

This triggers a release automatically when a build artifact is available.

Why this answer

Option A is correct because Azure DevOps release pipelines can be configured with a continuous deployment trigger that automatically creates a release whenever a build artifact is successfully produced. This is a core feature for enabling automated delivery pipelines, where the release is triggered immediately after the build pipeline completes, ensuring rapid feedback and deployment.

Exam trap

The trap here is that candidates confuse manual release creation (an action) with a configured trigger (an automated event), and they may incorrectly assume that pull request triggers apply to release pipelines when they are only valid for build pipelines.

229
MCQmedium

You are designing a release pipeline for a microservices application deployed to Azure Kubernetes Service (AKS). Each microservice has its own build pipeline that produces a container image. You need a single release pipeline that can deploy multiple microservices in a coordinated manner, but you want to avoid rebuilding the deployment pipeline for each microservice. The deployment should use Helm charts. What should you do?

A.Create a separate release pipeline for each microservice and trigger them in sequence using pipeline completion triggers.
B.Create a single build pipeline that produces all container images, then a release pipeline that deploys the single artifact.
C.Create a single release pipeline that consumes multiple build artifacts (one per microservice) and uses a Helm chart per microservice, deploying them in stages.
D.Create a single multi-stage YAML pipeline that builds and deploys all microservices together.
AnswerC

Single pipeline coordinates deployments.

Why this answer

Option B is correct because a single release pipeline can use multiple artifacts and deploy them sequentially or in parallel. Option A is incorrect because separate pipelines for each microservice lack coordination. Option C is incorrect because a multi-stage pipeline per microservice still duplicates.

Option D is incorrect because a single build pipeline would couple all builds.

230
MCQmedium

You have a YAML pipeline with multiple jobs that need to run in parallel. However, one job depends on artifacts produced by a previous job. How should you configure the dependency?

A.Set dependsOn on the dependent job and use PublishBuildArtifacts and DownloadBuildArtifacts tasks.
B.Use the 'dependsOn' keyword only, artifacts are automatically shared.
C.Set the 'condition' to 'eq(variables['Agent.JobStatus'], 'Succeeded')' on the dependent job.
D.Use the 'pool' keyword to ensure both jobs run on the same agent.
AnswerA

Why this answer

Option A is correct because in Azure DevOps YAML pipelines, job dependencies are explicitly declared using the `dependsOn` keyword, and artifacts must be published and downloaded using `PublishBuildArtifacts` and `DownloadBuildArtifacts` tasks (or the `publish` and `download` pipeline decorators). Without explicit artifact sharing, outputs from one job are not automatically available to another job, even if `dependsOn` is set.

Exam trap

The trap here is that candidates assume `dependsOn` alone handles artifact sharing, but Azure DevOps requires explicit publish/download tasks because jobs may run on different agents with no shared file system.

Why the other options are wrong

B

Artifacts must be explicitly published and downloaded.

C

Condition controls execution but does not handle artifact sharing.

D

Same agent is not guaranteed and doesn't handle dependencies.

231
Multi-Selectmedium

Which THREE components are essential for implementing a canary deployment strategy using Azure Kubernetes Service (AKS) and Azure Pipelines? (Choose three.)

Select 3 answers
A.Azure Traffic Manager for global load balancing.
B.A service mesh like Istio or Linkerd for traffic splitting.
C.A health check endpoint to validate the canary deployment.
D.Multiple Kubernetes namespaces to separate canary and stable deployments.
E.Azure Front Door for routing traffic to the canary.
AnswersB, C, D

Service mesh enables fine-grained traffic routing between versions.

Why this answer

Options A, C, and D are correct. Option A: A service mesh (e.g., Istio, Linkerd) enables traffic splitting between canary and stable versions. Option C: Multiple Kubernetes namespaces help isolate environments.

Option D: A health check endpoint is necessary to validate the canary before routing more traffic. Option B is wrong because Azure Traffic Manager is for global traffic routing, not within a cluster. Option E is wrong because Azure Front Door is for HTTP(S) load balancing at the edge, not for in-cluster traffic splitting.

232
Multi-Selectmedium

Your team is adopting Azure Pipelines for a new project. You need to ensure that only authorized users can approve releases to production. Which two methods can you use to implement approval checks?

Select 2 answers
A.Configure pre-deployment approvals on the Production environment.
B.Use Deployment Gates with a manual approval gate.
C.Set the 'Required approvers' field on the environment to a specific user or group.
D.Add a Manual Intervention task in the release pipeline.
E.Add an Approval Check to the agent pool.
AnswersA, C

Correct: Pre-deployment approvals require manual approval before deployment to that environment.

Why this answer

Options B and E are correct. Pre-deployment approvals can be added to a specific environment, and a single required approver can be designated. Options A and C are not valid for classic release pipelines; manual intervention is a task, not an approval.

Option D is wrong because there is no 'Approval Gates' feature; gates are automated.

233
Multi-Selecthard

You are designing a release pipeline that must deploy to Azure App Service across multiple regions. Which two practices should you implement to minimize downtime during deployments? (Choose 2)

Select 2 answers
A.Use Azure App Service deployment slots and perform a swap
B.Stop the web app before deploying, then start it after
C.Implement a rolling deployment strategy across regions
D.Deploy to all regions simultaneously
E.Use a single deployment slot for all regions
AnswersA, C

Why this answer

Option A is correct because Azure App Service deployment slots allow you to deploy a new version of your application to a staging slot, perform validation, and then swap it into production with zero downtime. The swap operation warms up the target slot and smoothly transitions traffic, ensuring no requests are dropped during the update.

Exam trap

The trap here is that candidates often confuse 'minimizing downtime' with 'eliminating all risk' and may incorrectly choose to stop the app (Option B) or deploy simultaneously (Option D), not realizing that deployment slots and rolling updates are the standard Azure patterns for zero-downtime deployments.

Why the other options are wrong

B

Stopping the app causes downtime.

D

Simultaneous deployment can cause full outage if something goes wrong.

E

A single slot doesn't allow zero-downtime swap.

234
Multi-Selecthard

You have a YAML pipeline that builds a Docker image and pushes it to Azure Container Registry (ACR). You need to ensure the pipeline uses the latest version of Docker and that the build is cached for faster subsequent runs. Which two tasks should you include? (Choose two.)

Select 2 answers
A.DockerInstaller@0
B.Docker@2 with arguments: --cache-from
C.DockerCompose@0
D.HelmDeploy@0
AnswersA, B

Why this answer

Option A (DockerInstaller@0) is correct because it ensures the pipeline uses the latest version of Docker by installing or upgrading the Docker engine on the build agent. Option B (Docker@2 with --cache-from) is correct because it enables layer caching by pulling the previously built image from ACR as a cache source, which speeds up subsequent builds by reusing unchanged layers.

Exam trap

The trap here is that candidates often confuse DockerCompose@0 (used for orchestrating multiple containers) with Docker@2 (used for building and pushing single images), or assume HelmDeploy@0 is relevant because it involves containers, but it is strictly for Kubernetes deployments.

Why the other options are wrong

C

Docker Compose is not needed for a single image build.

D

Helm is for package management, not Docker build.

235
MCQeasy

You need to automatically run a pipeline when a new tag is pushed to the repository. Which trigger configuration should you use?

A.Tags trigger
B.Schedule trigger
C.PR trigger
D.CI trigger with branch filters
AnswerA

Tags trigger runs the pipeline when tags are pushed.

Why this answer

Tags trigger allows running pipelines on tag creation or update. Option B is wrong because CI trigger is for branches. Option C is wrong because PR trigger is for pull requests.

Option D is wrong because schedule trigger is time-based.

236
Multi-Selecthard

Which THREE steps should you take to implement a secure CI/CD pipeline that uses secrets from Azure Key Vault?

Select 3 answers
A.Use the Azure Key Vault task to download secrets as variables
B.Use secret variables in the pipeline that reference Key Vault secrets
C.Store secrets as plain text variables in the pipeline library
D.Hardcode secrets in the YAML file and use variables to mask them
E.Grant the build agent managed identity access to the Key Vault
AnswersA, B, E

Task retrieves secrets at runtime.

Why this answer

Granting agent access to Key Vault, using secret variables, and leveraging the Key Vault task are all correct. Option D (plain text) is insecure. Option E (hardcoded) is also insecure.

237
MCQhard

Your organization uses GitHub Actions for CI/CD. You need to ensure that secrets stored in GitHub Actions are not exposed in logs. A developer accidentally logs a secret using 'echo ${{ secrets.API_KEY }}' in a workflow step. What is the default behavior?

A.The secret value is replaced with an empty string in the log
B.The workflow run fails with an error about secret exposure
C.The secret is redacted before the step runs, and the step fails if it tries to use the secret
D.The secret value is masked with asterisks in the log output
AnswerD

GitHub Actions automatically masks secrets in log output.

Why this answer

Option D is correct because GitHub Actions automatically masks secrets in workflow logs. When a secret is used in a step (e.g., via `${{ secrets.API_KEY }}`), GitHub replaces any occurrence of the secret's value in the log output with `***`. This redaction happens at runtime, so even if a developer accidentally echoes the secret, the log will show asterisks instead of the actual value.

Exam trap

The trap here is that candidates may confuse GitHub Actions' automatic log masking with a workflow failure or pre-execution redaction, but the key is that masking happens at runtime in the log output without stopping the workflow.

How to eliminate wrong answers

Option A is wrong because secrets are not replaced with an empty string; they are masked with asterisks (`***`) to preserve log readability while hiding the value. Option B is wrong because the workflow does not fail due to secret exposure; GitHub Actions does not automatically fail a run when a secret is logged—it only masks the output. Option C is wrong because the secret is not redacted before the step runs; it is available for use, and the step does not fail if it tries to use the secret—the masking occurs in the log output after execution.

238
MCQhard

Your team uses Azure Pipelines with Microsoft-hosted agents. You need to ensure that sensitive variables like API keys are securely passed to build tasks, but not exposed in logs. Which approach should you use?

A.Retrieve the API key from Azure Key Vault at runtime using the Azure Key Vault task, but do not mark the output as secret
B.Store the API key as a secret variable in the pipeline library or variable group
C.Define the API key in a variable template with 'isSecret: false'
D.Store the API key as a plain text variable in the pipeline and use it as an environment variable
AnswerB

Secret variables are masked in logs and encrypted at rest.

Why this answer

Option B is correct because marking variables as 'secret' in Azure Pipelines ensures they are masked in logs and encrypted. Option A is wrong because environment variables are still visible in logs unless masked. Option C is wrong because Azure Key Vault can store secrets, but you still need to map them as secret variables to mask them.

Option D is wrong because pipeline variables with 'isSecret: false' are visible.

239
MCQhard

Refer to the exhibit. This is a deployment job definition in a multi-stage YAML pipeline. The deployment fails because the Kubernetes service connection 'aks-prod' cannot be found. What is the most likely cause?

A.The approval for production environment is blocking the deployment.
B.The agent pool does not have access to the AKS cluster.
C.The service connection 'aks-prod' does not exist in the Azure DevOps project.
D.The namespace 'prod' does not exist in the AKS cluster.
AnswerC

The YAML references a service connection that must be created in the project.

Why this answer

The service connection name in YAML must match the name defined in Azure DevOps project settings. Option A is wrong because agent pool configuration does not affect service connection resolution. Option C is wrong because the approval only affects gate, not service connection existence.

Option D is wrong because namespace is a Kubernetes concept, not related to service connection.

240
Multi-Selectmedium

Which TWO benefits does using deployment groups provide in Azure Pipelines? (Choose two.)

Select 2 answers
A.You can deploy to a specific set of target servers (e.g., all web servers in a farm).
B.They enable rolling deployments with health validation.
C.You can assign multiple deployment groups to a single agent.
D.Each target server must have its own agent.
E.Deployment groups can only be used with classic release pipelines.
AnswersA, B

Deployment groups are collections of target servers for parallel deployments.

Why this answer

Options A and D are correct. A: Deployment groups allow targeting specific sets of servers for deployments. D: They support rolling deployments with health checks.

Option B is wrong because you can have multiple agents per deployment group. Option C is wrong because deployment groups are not limited to classic releases; they work with YAML pipelines too. Option E is wrong because agents in deployment groups are registered to the group, not individual machines.

241
MCQeasy

Your organization uses Azure DevOps. You have a classic release pipeline that deploys to multiple stages: Dev, QA, and Prod. Each stage has a pre-deployment approval gate. Recently, the QA team complained that they are not receiving approval notifications. You have verified that the approval configuration is correct and the approvers are members of the 'QA Approvers' group. The release pipeline is set to send email notifications to the approvers. However, the QA approvers report they do not receive any emails when a release is pending their approval. What should you check first?

A.Ask the QA team to check their spam folder.
B.Verify that the organization-level notification settings allow email notifications for approvals.
C.Add a 'Send email' task in the pipeline before the approval gate.
D.Check the 'Release Pipeline' logs for a warning about email delivery failure.
AnswerB

If email notifications are disabled at the organization level, approvers won't receive emails.

Why this answer

Option A is correct because the most common cause of missing notifications is incorrect email settings in the Azure DevOps organization. Option B is wrong because the notification is sent by Azure DevOps, not via a separate pipeline. Option C is wrong because the pipeline does not have a separate notification step.

Option D is wrong because the approval step is already on the stage; the issue is notification delivery.

242
MCQmedium

Refer to the exhibit. You run an Azure CLI command during a pipeline to get the state of a web app. The output shows the state as 'Running'. You want to ensure the pipeline only proceeds if the state is 'Running'. Which task should you use to evaluate the condition?

A.A Download Build Artifacts task that verifies the state.
B.A Bash task that runs 'az webapp show' and checks the state.
C.A PowerShell task that checks the state variable and exits with code 1 if not 'Running'.
D.A Publish Test Results task configured to check the state.
AnswerB, C

A Bash task can run the CLI and check the state using jq or grep.

Why this answer

The Bash task can run a script to check the state and set a variable or fail. Option A is wrong because PowerShell task is also valid but Bash is shown. Option B is wrong because PublishTestResults is for test results.

Option D is wrong because DownloadBuildArtifacts downloads artifacts.

243
Drag & Dropmedium

Drag and drop the steps to implement a disaster recovery plan for Azure App Service into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Disaster recovery begins with identification, then backup, geo-replication, failover configuration, and testing.

244
MCQmedium

Your organization is adopting GitHub Actions for CI/CD. You need to ensure that only approved actions from your enterprise can be used in workflows. What should you configure?

A.Use a third-party tool to scan workflows for disallowed actions after each commit.
B.Set the enterprise policy to 'Allow all actions' and rely on code review.
C.Configure repository permissions to restrict actions to only those created by your organization.
D.Set the enterprise policy to 'Allow only specific actions' and add approved actions.
AnswerD

This enforces that only approved actions can be used across the enterprise.

Why this answer

Option C is correct because GitHub's 'Allow only specific actions' policy lets you restrict actions to a list of approved actions or marketplaces. Option A is wrong because the 'Allow all actions' policy does not restrict. Option B is wrong because GitHub Actions permissions are per repository, not enterprise-wide restriction.

Option D is wrong because using third-party actions without restriction is against the requirement.

245
MCQmedium

You are designing a multi-stage YAML pipeline for a .NET Core application. The pipeline must build, test, and deploy to a staging environment. You want to ensure that the deployment stage only runs if the build and test stages succeed, and that the staging deployment uses the exact same bits that were built. Which strategy should you use?

A.Set up a release pipeline that uses the same build artifact and requires manual approval.
B.Create separate stages for build, test, and deploy. Use the 'dependsOn' keyword and publish artifact in build stage, download in deploy stage.
C.Use a build trigger on the staging branch to deploy after each commit, ignoring test results.
D.Define the pipeline with a single stage and use a condition to skip test on failure.
AnswerB

DependsOn ensures sequential execution, and artifacts preserve build output.

Why this answer

Option B is correct because using pipeline artifacts with dependency on build stage ensures the deployment uses the exact build output from the previous successful stage. Option A is wrong because the standard YAML template doesn't automatically share artifacts. Option C is wrong because triggers would not enforce stage dependency.

Option D is wrong because manual intervention requires human approval, not automatic dependency.

246
Multi-Selectmedium

Which TWO actions should you take to ensure that a build pipeline fails if code coverage drops below 80%?

Select 2 answers
A.Use the PublishTestResults@2 task with the 'codeCoverage' option.
B.Add a script task that parses the coverage file and exits with non-zero if below threshold.
C.Use the PublishCodeCoverageResults@1 task to publish coverage data.
D.Use the ReportGenerator@5 task to create a coverage report.
E.Use the CopyFiles@2 task to move coverage files to a shared location.
AnswersB, C

A script can enforce the threshold by failing the step.

Why this answer

Options A and C are correct. The Publish Code Coverage Results task can publish coverage data, and a script can check the coverage and fail the build if below threshold. Option B is wrong because the Publish Test Results task is for test results, not coverage.

Option D is wrong because the Report Generator task generates reports but does not enforce thresholds. Option E is wrong because the Copy Files task does not analyze coverage.

247
MCQhard

You are implementing a build pipeline for a .NET application that uses GitHub Advanced Security (GHAS) for code scanning. The pipeline must run CodeQL analysis on every pull request to the main branch. You have added the CodeQL task to the pipeline. However, the analysis results are not appearing in the 'Security' tab of the repository on GitHub. What is the most likely cause?

A.The pipeline is missing the 'Publish Security Analysis Logs' step to upload SARIF results to GitHub.
B.The GitHub repository is private, so security alerts are disabled.
C.The .NET project is not supported by CodeQL.
D.CodeQL analysis is not supported on pull request triggers.
AnswerA

Results need to be uploaded to appear in Security tab.

Why this answer

Option D is correct because CodeQL results are uploaded as SARIF files, and the 'CodeQL Analysis' task includes an option to upload results to GitHub. If that step is omitted or fails, results won't appear. Option A is wrong because CodeQL supports pull request analysis.

Option B is wrong because CodeQL works with .NET. Option C is wrong because GitHub Advanced Security is available even in private repos.

248
Multi-Selecteasy

Which TWO triggers can start a release in Azure Pipelines?

Select 2 answers
A.Continuous integration
B.Schedule
C.Build completion
D.Work item state change
E.Pull request
AnswersB, C

A schedule trigger starts a release at a specified time.

Why this answer

In Azure Pipelines, a release can be triggered by a schedule, which allows you to define a cron-based trigger to deploy at specific times (e.g., nightly builds). The 'Build completion' trigger starts a release when a specific build pipeline completes, enabling chained deployments. Both are native release triggers in classic release pipelines.

Exam trap

The trap here is that candidates confuse triggers that apply to build pipelines (CI, PR) with those that apply to release pipelines, leading them to select 'Continuous integration' or 'Pull request' as valid release triggers.

249
MCQeasy

Your team uses GitHub Actions for CI/CD. You need to ensure that only specific branches can trigger the deployment workflow to production. Which workflow trigger should you configure?

A.on: push: branches: [main]
B.on: pull_request: branches: [main]
C.on: workflow_dispatch: inputs: branch: description: 'Select branch'
D.on: schedule: cron: '0 0 * * *'
AnswerA

Push trigger with branch filter limits to main.

Why this answer

Option C is correct because the 'on: push: branches: [main]' trigger restricts workflow to pushes on main. Option A is wrong because pull_request triggers on PRs, not branches. Option B is wrong because schedule triggers on cron.

Option D is wrong because workflow_dispatch is manual.

250
MCQhard

You are configuring a branch policy for the main branch using the Azure DevOps REST API. The JSON above is the policy configuration. A developer pushes a new commit to an existing pull request. What happens to the existing approvals?

A.The existing approvals remain valid.
B.The policy blocks the push until re-reviewed.
C.The pull request is automatically rejected.
D.All existing approvals are reset.
AnswerA

Correct: resetOnPush: false means approvals are not reset.

Why this answer

Option A is correct because, by default, Azure DevOps branch policies do not automatically reset approvals when a new commit is pushed to a pull request. The policy configuration shown does not include the 'resetOnPush' property (or its equivalent in the REST API), which is required to invalidate existing approvals. Without that setting, approvals remain valid even after new commits are pushed.

Exam trap

The trap here is that candidates often assume any new commit to a pull request automatically resets approvals, but Azure DevOps requires explicit configuration (the 'resetOnPush' property) to enable that behavior.

How to eliminate wrong answers

Option B is wrong because the policy does not block the push; Azure DevOps allows pushes to pull requests by default, and only blocks them if a 'Require a minimum number of reviewers' policy with 'Reset on push' is enabled. Option C is wrong because the pull request is not automatically rejected; rejection only occurs if the policy explicitly requires re-approval after a push, which is not configured here. Option D is wrong because approvals are not reset unless the policy configuration includes the 'resetOnPush' property set to true; without it, existing approvals persist.

251
MCQmedium

Your team uses a multi-stage YAML pipeline to build and deploy a .NET Core application. The build stage runs successfully, but the deployment to a Linux web app fails with an error indicating that the Kudu service cannot start because the startup command is missing. What is the most likely cause?

A.The pipeline is missing the 'AzureWebApp@1' task with a 'StartupCommand' parameter.
B.The service connection lacks permission to access the web app.
C.The web app is configured with a Windows runtime stack.
D.The build output does not include the web.config file.
AnswerA

For Linux web apps, the startup command must be provided in the task or in the app settings.

Why this answer

The Azure Web App task for Linux web apps requires a startup command to be specified if the container image does not have a default entry point. Without it, Kudu cannot start.

252
MCQhard

Your organization uses a monorepo in Azure Repos containing multiple microservices. You need to design a build pipeline that only builds and tests the services that have changed in a given commit, to optimize build times. The pipeline must trigger on any push to any branch, but only the affected services should be built. You also need to ensure that dependent services are rebuilt if their dependencies change. The services are located in subdirectories: /services/serviceA, /services/serviceB, etc. Each service has a Dockerfile and a unit test project. You plan to use a script to determine which services changed. Which approach should you use to implement this pipeline?

A.Use a script step to determine which services changed, then output variables to dynamically create a job matrix or use the 'each' keyword to iterate over changed services.
B.Create a multi-stage pipeline where each stage represents a service, and use a 'dependsOn' condition to run stages only if the corresponding service changed.
C.Create a single job that runs all unit tests for all services on every commit. Use caching to speed up the build.
D.Create a job for each service that runs in parallel on every commit. Use conditions to skip jobs if the service has not changed, but the conditions would need to check every service, which is complex.
AnswerA

This allows the pipeline to dynamically build only the affected services.

Why this answer

Option D is correct because the pipeline can use a script to detect changed files in the commit, map them to services, and then dynamically create jobs or stages for each affected service. This is efficient and flexible. Option A is wrong because using a single job that runs all tests ignores the requirement to only build changed services.

Option B is wrong because using multiple jobs for all services would build everything every time, not optimizing. Option C is wrong because using a multi-stage pipeline with stages for each service would also build all services every time.

253
MCQeasy

You need to create a build pipeline that runs on a Microsoft-hosted agent. You want to use the latest Ubuntu image. Which YAML snippet should you use?

A.pool: vmImage: 'ubuntu-latest'
B.pool: name: 'ubuntu-latest'
C.agent: vmImage: 'ubuntu-latest'
D.resources: vmImage: 'ubuntu-latest'
AnswerA

Why this answer

Option A is correct because in Azure Pipelines YAML, the `pool` keyword is used to specify the agent pool, and `vmImage` is a sub-property that defines the virtual machine image for Microsoft-hosted agents. Setting `vmImage: 'ubuntu-latest'` within the `pool` section selects the latest Ubuntu LTS image provided by Microsoft, ensuring the build runs on a current, maintained environment.

Exam trap

The trap here is that candidates confuse the `pool.name` property (used for self-hosted agents) with `pool.vmImage` (used for Microsoft-hosted agents), leading them to select option B, or they mistakenly use `agent` or `resources` as top-level keys for specifying the VM image.

Why the other options are wrong

B

The 'name' property is for agent pools, not VM images.

C

'agent' is not a valid top-level key; use 'pool'.

D

Resources are for external resources, not agent specification.

254
Multi-Selectmedium

Which TWO are valid ways to pass build artifacts from one stage to another in a multi-stage YAML pipeline in Azure Pipelines?

Select 2 answers
A.Use the Pipeline Artifact task to publish artifacts, which are automatically available to subsequent stages without download.
B.Use the Publish Pipeline Artifact task in the first stage and Download Pipeline Artifact task in the second stage.
C.Use the Publish Build Artifacts task and then the Download Build Artifacts task.
D.Use the Copy Files task to copy artifacts to a shared network drive.
E.Define variables in the first stage and reference them in the second stage.
AnswersB, D

This is the standard method to share artifacts between stages.

Why this answer

Publishing and downloading artifacts is the standard way. Option C is misleading because pipeline artifacts are a type of artifact. Option D is wrong because stages run sequentially? Actually stages can run in parallel, but publishing/downloading is still needed.

Option E is wrong because variables are not for artifacts.

255
MCQmedium

Your team uses a multi-stage YAML pipeline. The 'Build' stage compiles the code and runs unit tests. The 'Deploy' stage deploys to a staging environment. You notice that if the 'Build' stage fails, the 'Deploy' stage still starts because it depends on a condition that always evaluates to true. How should you modify the pipeline to prevent the 'Deploy' stage from running if the 'Build' stage fails?

A.Add 'condition: succeeded()' to the Deploy stage.
B.Add 'condition: eq(variables['Build.Succeeded'], 'true')' to the Deploy stage.
C.Add 'condition: and(succeeded(), eq(variables['Build.Succeeded'], 'true'))' to the Deploy stage.
D.Add 'dependsOn: Build' to the Deploy stage.
AnswerA

succeeded() checks that all previous stages succeeded.

Why this answer

Option B is correct because using 'condition: succeeded()' ensures that the stage only runs if all previous stages succeeded. Option A is wrong because 'dependsOn: Build' alone does not enforce success. Option C is wrong because 'condition: eq(variables['Build.Succeeded'], 'true')' is not the recommended way.

Option D is wrong because 'condition: and(succeeded(), eq(variables['Build.Succeeded'], 'true'))' is redundant.

256
Multi-Selectmedium

Which TWO actions should you take to implement a gated check-in policy in Azure Repos that triggers a build before changes are merged?

Select 2 answers
A.Configure a build validation policy on the branch
B.Create a branch policy that requires a successful build to complete
C.Enable continuous integration (CI) trigger on the build pipeline
D.Set the build to run a 'pre-merge' validation
E.Require a manual build before merging
AnswersA, B

A build validation policy triggers a build when a pull request is created.

Why this answer

Option A is correct because a build validation policy triggers a build on pull request. Option C is correct because a branch policy is required to enforce the build. Option B is wrong because a pre-merge build is part of build validation, not a separate policy.

Option D is wrong because manual builds are not automatic. Option E is wrong because a CI trigger is for commits, not pull requests.

257
Multi-Selecthard

Which THREE are valid approaches to securely store secrets used in Azure Pipelines? (Choose three.)

Select 3 answers
A.Inline secret variables defined in the YAML file
B.Secret variables defined in the pipeline UI
C.Azure Key Vault task to fetch secrets at runtime
D.Variable groups linked to Azure Key Vault
E.Environment variables set on the build agent
AnswersB, C, D

Secret variables in the UI are encrypted and masked in logs.

Why this answer

Variable groups with Azure Key Vault integration, Azure Key Vault tasks, and Azure Pipelines secret variables are all secure ways to store secrets. Option B is wrong because storing secrets in YAML files is insecure. Option D is wrong because environment variables in build agents are not encrypted.

258
MCQmedium

Your build pipeline uses a Microsoft-hosted agent. The pipeline fails intermittently with 'Error: No space left on device'. What is the most effective solution?

A.Increase the agent's temporary storage by setting the TMP variable.
B.Switch to a self-hosted agent with more disk space.
C.Add a step to clean up temporary files before the build completes.
D.Configure the pipeline to use more parallel jobs.
AnswerC

Removing unnecessary files reduces disk usage and prevents space issues.

Why this answer

Option C is correct because the best approach is to reduce the build artifacts footprint by cleaning up unnecessary files before the build completes. Option A is wrong because using a self-hosted agent might not address the disk space issue if the same amount of data is produced. Option B is wrong because increasing the agent's disk space is not possible with Microsoft-hosted agents.

Option D is wrong because parallel jobs do not affect disk space on a single agent.

259
Multi-Selecthard

Which THREE conditions must be met for you to use the 'Approvals' feature in Azure Pipelines to control deployments to a production environment? (Choose three.)

Select 3 answers
A.The approver must be an individual user, not a group.
B.The approval must be configured in the release pipeline's pre-deployment conditions.
C.The approver must have the 'Approve pipeline permissions' permission for the environment.
D.The pipeline must be a Release Pipeline or a YAML pipeline that uses the 'environment' resource.
E.You must create an environment in Azure Pipelines and add an approval check to it.
AnswersC, D, E

Only users with this permission can approve.

Why this answer

Options A, B, and D are correct. Option A: The pipeline must be a release pipeline or a YAML pipeline with environment resource checks. Option B: You must define an environment and add an approval check to it.

Option D: The user approving must have the 'Approve pipeline permissions' permission (or be a member of the Approvers group). Option C is wrong because approvers can be groups, not just individuals. Option E is wrong because approvals can be set on environments, not just stages.

260
MCQeasy

Your team uses Azure Pipelines for CI/CD. The pipeline builds a Docker image and pushes it to Azure Container Registry (ACR). You need to ensure that only the main branch triggers a build of the Docker image. What should you configure in the pipeline YAML?

A.Set 'pr: branches: include: - main'
B.Add a condition: 'eq(variables['Build.SourceBranch'], 'refs/heads/main')' to the job.
C.Set 'trigger: branches: include: - *'
D.Set 'trigger: branches: include: - main'
AnswerD

This ensures the pipeline only triggers on commits to main.

Why this answer

Option A is correct because the 'trigger' section with branch inclusion filters which branches trigger the pipeline. Option B is incorrect because it triggers on any branch. Option C is incorrect because the 'pr' trigger is for pull requests.

Option D is incorrect because the condition evaluates at runtime, not at trigger time.

261
MCQmedium

You are configuring a multi-stage YAML pipeline that builds a .NET Core application and deploys it to Azure Kubernetes Service (AKS). The build stage produces a container image that is pushed to Azure Container Registry (ACR). The deploy stage needs to use the image from ACR. How should you pass the image tag from the build stage to the deploy stage?

A.Write the image tag to a file and publish it as a build artifact, then read it in the deploy stage.
B.Define a pipeline variable at the top level and set it in the build stage.
C.Use the 'stageDependencies' syntax to retrieve the output variable of a job in the build stage.
D.Use the 'Azure CLI' task in the deploy stage to query the ACR for the latest image tag.
AnswerC

Output variables from one stage can be consumed in another using dependencies.

Why this answer

The recommended way to pass variables between stages is to use 'stageDependencies' to access the output of a previous job. Option A is correct. Option B is wrong because pipeline variables defined at the top scope are not automatically available to subsequent stages unless explicitly output.

Option C is wrong because build artifacts are for files, not variables. Option D is wrong because the ACR task does not automatically set a variable for the image tag.

262
MCQhard

Your organization uses GitHub Actions with self-hosted runners on Azure virtual machines. You notice that some workflows are taking longer than expected because runners are busy. You need to improve the performance without adding more permanent runners. Which solution should you implement?

A.Migrate all workflows to GitHub-hosted runners.
B.Reduce the number of concurrent jobs in each workflow.
C.Implement auto-scaling for self-hosted runners using a scale set or Kubernetes-based runner controller.
D.Increase the size of the existing self-hosted runner VMs to handle more jobs.
AnswerC

Auto-scaling adds runners during peak demand and removes when idle.

Why this answer

GitHub Actions supports auto-scaling for self-hosted runners using scaling applications like 'actions-runner-controller' for Kubernetes or custom scripts. Option A is correct because it dynamically adds/removes runners based on demand. Option B increases cost and maintenance.

Option C is for GitHub-hosted runners. Option D reduces wait but doesn't address root cause.

263
MCQeasy

Your build pipeline fails intermittently with the error: 'The job running on agent 'Azure Pipelines' exceeded the maximum execution time of 60 minutes.' How can you resolve this issue?

A.Increase the 'timeoutInMinutes' property in the pipeline YAML for the job.
B.Split the pipeline into multiple stages to reduce job duration.
C.Enable parallel jobs to run the pipeline faster.
D.Use a self-hosted agent with more CPU cores.
AnswerA

Increasing timeout prevents premature termination.

Why this answer

Option A is correct because increasing the timeout allows the job to run longer. Option B is wrong because using a self-hosted agent does not change timeout limits. Option C is wrong because parallel jobs affect concurrency, not duration.

Option D is wrong because reducing stages may not address the timeout.

264
Multi-Selectmedium

Which TWO are valid strategies for reducing build times in Azure Pipelines? (Choose two.)

Select 2 answers
A.Reduce the number of parallel jobs and increase the number of steps in a single job.
B.Remove unit tests from the build pipeline and run them only in the release pipeline.
C.Implement caching for package dependencies (e.g., npm, NuGet, Maven) to avoid restoring on every build.
D.Configure incremental builds by enabling 'Build in parallel' and using 'msbuild' or 'dotnet' build with appropriate flags to skip unchanged projects.
E.Increase the number of agents in the pool and run all jobs on the same agent.
AnswersC, D

Caching reduces time spent downloading dependencies.

Why this answer

Options A and D are correct. Option A: Using incremental builds (e.g., with the 'dotnet build' incremental feature) reduces build time by only rebuilding changed files. Option D: Using a build cache (e.g., for NuGet packages, npm, or Maven) avoids downloading and restoring dependencies on every build.

Option B is wrong because using multiple agents without parallelization does not reduce build time. Option C is wrong because using a single agent with more steps increases build time. Option E is wrong because disabling tests is not a valid strategy as it compromises quality.

265
Multi-Selecthard

You are configuring a release pipeline in Azure Pipelines for a Java application. The pipeline must run integration tests after deployment to a test environment and only proceed to production if tests pass. Which THREE should you configure?

Select 3 answers
A.Use a pipeline condition on the production stage to run only if the test stage succeeded.
B.Set the agent job to run on the environment itself.
C.Set the integration test step to run only if the previous build succeeded.
D.Add a post-deployment gate that queries Azure Monitor for test failure signals.
E.Configure a post-deployment approval for the production stage.
AnswersA, D, E

Conditions control stage execution based on previous stage outcome.

Why this answer

Option A, Option C, and Option D are correct. A gate with Azure Monitor or Application Insights checks test results. A post-deployment approval ensures manual sign-off.

A condition on the production stage evaluates the test outcome. Option B is wrong because the task should not be skipped. Option E is wrong because the agent job runs on the agent, not in the environment.

266
MCQeasy

Refer to the exhibit. You run the Azure CLI command to trigger a pipeline run. The pipeline fails because tests were skipped but should have run. What is the most likely issue?

A.The JSON value for skipTests must be a boolean without quotes.
B.The pipeline name is incorrect.
C.The command uses a flag '--variables-parameters' which is not a valid Azure DevOps CLI option.
D.The branch 'feature/new-feature' does not exist.
AnswerC

The correct flag is '--variables'.

Why this answer

Option B is correct because the parameter name should be 'skipTests' but the command uses '-parameters' which passes parameters, not variables. The correct parameter for variables is '--variables'. The exhibit uses '--variables-parameters' which is incorrect.

Option A is wrong because the pipeline name is correct. Option C is wrong because the branch exists. Option D is wrong because the command syntax is invalid.

267
Multi-Selecteasy

Which TWO practices help you manage build artifacts efficiently in Azure Pipelines?

Select 2 answers
A.Set retention policies to automatically delete old artifacts
B.Copy artifacts to each agent's local storage
C.Download all artifacts manually after each build
D.Publish build artifacts using the Publish Build Artifacts task
E.Store artifacts as large single files to reduce number of files
AnswersA, D

Controls storage usage.

Why this answer

Publishing artifacts and using retention policies are efficient practices. Option A (manual download) is not efficient. Option D (large files) is inefficient.

Option E (copying to each agent) is wasteful.

268
MCQmedium

Your build pipeline runs on a self-hosted agent pool. You need to ensure that only authorized pipelines can use these agents. Which security measure should you implement?

A.Set permissions on the agent pool
B.Use agent tokens
C.Use variable groups
D.Configure agent queues
AnswerA

Restricts which pipelines can use the pool.

Why this answer

Option C is correct because agent pools can have permissions set to restrict which pipelines can use them. Option A is wrong because agent queues are deprecated and don't provide granular pipeline permissions. Option B is wrong because agent tokens are for agent registration, not pipeline authorization.

Option D is wrong because variable groups are for variables, not agent access.

269
MCQhard

Refer to the exhibit. An Azure CLI command outputs the configuration of an Azure Web App. Your pipeline deploys to this Web App using the 'AzureWebApp@1' task. The deployment fails with an error indicating that the runtime stack is not supported. What is the most likely cause?

A.The Web App is not a Linux app.
B.The ASPNETCORE_ENVIRONMENT setting is incorrect.
C.The runtime stack (DOTNETCORE|6.0) is not compatible with the deployed application.
D.The resource group name is incorrect.
AnswerC

If the application targets a different runtime version, the deployment fails.

Why this answer

The exhibit shows 'linuxFxVersion': 'DOTNETCORE|6.0', which indicates the runtime stack. If the task expects a different stack (e.g., .NET 8), it may fail. Option A is wrong because the app setting is correct.

Option C is wrong because the resource group is correct. Option D is wrong because the kind shows Linux, which is supported.

270
MCQhard

You are troubleshooting a release pipeline that deploys an ARM template to Azure. The deployment fails with the error 'The subscription '...' could not be found.' The service connection used has Contributor permissions on the subscription. The pipeline runs successfully from the Azure DevOps portal when triggered manually. What is the likely cause?

A.The service principal used by the service connection is not authorized in the subscription.
B.The service connection does not have sufficient permissions.
C.The subscription has been deleted.
D.The deployment is targeting a resource group in a different region.
AnswerA

The service principal might have been removed or the connection is misconfigured.

Why this answer

Option C is correct because the pipeline might be using a service principal that is not authorized in the subscription when running from a specific context (e.g., a different tenant or using a managed identity). Option A is wrong because manual triggers would also fail if the subscription didn't exist. Option B is wrong because Contributor role is sufficient for ARM deployments.

Option D is wrong because the issue is not about resource group location.

271
Multi-Selectmedium

Which TWO are true about Azure Pipelines YAML templates? (Choose two.)

Select 2 answers
A.Templates must be stored in the same repository as the main pipeline.
B.Template expressions are evaluated at compile time.
C.Templates require parameters to be defined.
D.Templates can be nested by including other templates.
E.Templates can only define a single job.
AnswersB, D

Expressions like '${{ variables.var }}' are evaluated before runtime.

Why this answer

Option B is correct because template expressions in Azure Pipelines YAML are evaluated at compile time, before the pipeline runs. This allows the template to inject variables, conditions, and other logic into the pipeline definition statically, ensuring that the final pipeline structure is fully resolved before execution begins.

Exam trap

The trap here is that candidates often confuse compile-time evaluation with runtime evaluation, leading them to think template expressions can use runtime variables, or they mistakenly believe templates must be in the same repo or require parameters, when in fact templates are flexible and optional in their structure.

272
MCQmedium

You need to implement a build retention policy that automatically deletes old builds after 30 days, but keeps the latest 5 builds regardless of age. Which configuration should you use?

A.Set 'Number of days to keep runs' to 30 and 'Number of runs to keep' to 5
B.Set 'Maximum retention policy' to 30 days and 'Number of builds to retain' to 5
C.Set 'Days to keep builds' to 30 and 'Minimum number of builds to keep' to 5
D.Set 'Number of days to keep artifacts' to 30 and 'Number of artifacts to keep' to 5
AnswerC

Deletes builds older than 30 days but keeps at least 5.

Why this answer

Option A is correct because in Azure Pipelines retention policy, you set 'Days to keep builds' to 30 and 'Minimum number of builds to keep' to 5. Option B is wrong because 'Maximum retention policy' is not a setting. Option C is wrong because 'Number of days to keep artifacts' is separate from builds.

Option D is wrong because 'Number of days to keep runs' is for GitHub Actions.

273
Multi-Selecthard

You are designing a release pipeline for a .NET Core application that must comply with regulatory requirements. The pipeline must sign the assembly with a code-signing certificate stored in Azure Key Vault. Which THREE actions should you perform?

Select 3 answers
A.Add a step to download the certificate from Key Vault using the AzureKeyVault task.
B.Use a script task to invoke the signing tool (e.g., signtool.exe) after the build.
C.Grant the Azure Pipelines service principal access to the Key Vault.
D.Store the certificate in a secure file in the build artifact.
E.Package the application before signing to avoid signature corruption.
AnswersA, B, C

The task retrieves the certificate securely.

Why this answer

Option A, Option C, and Option D are correct. The pipeline needs access to the certificate via a service connection, and the signing tool must run after the build. Option B is wrong because the certificate should be kept in Key Vault, not the build artifact.

Option E is wrong because signing should happen before packaging.

274
MCQmedium

Your team uses Azure DevOps for CI/CD. You want to ensure that only code from the main branch is deployed to production. The release pipeline has a pre-deployment condition that requires approval. However, you notice that a release created from a feature branch was approved and deployed. What is the most likely cause?

A.The deployment queue settings were set to 'Deploy all in parallel'.
B.The pre-deployment condition did not include a branch filter on the artifact.
C.The artifact was published from a build pipeline that allowed any branch.
D.The pre-deployment condition was set to 'After release' instead of 'Before deployment'.
AnswerB

Branch filters must be configured on the artifact trigger or pre-deployment condition to restrict branches.

Why this answer

Option C is correct because if the pre-deployment condition 'Require approval from a specific number of approvers' is not configured to check the artifact branch, any branch can be approved. Option A is wrong because branch filters on the artifact are the correct way to restrict, but they must be set on the trigger, not the condition. Option B is wrong because the deployment queue settings do not affect branch filtering.

Option D is wrong because the artifact source itself does not enforce branch restrictions; that is done via filters.

275
MCQeasy

You are designing a build pipeline for a Python application that uses multiple external packages from PyPI. You want to ensure that builds are reproducible and not affected by package updates. Which strategy should you use?

A.Use a Pipfile and Pipfile.lock without version pinning.
B.Use a dependency update tool like Dependabot weekly.
C.Pin exact versions in requirements.txt.
D.Use 'pip install <package>' without version specifiers.
AnswerC

Pinning exact versions ensures reproducibility.

Why this answer

Option C is correct because using a requirements.txt with pinned versions ensures exact package versions are installed. Option A is wrong because it suggests using latest, which breaks reproducibility. Option B is wrong because it only uses lock file but without version pinning.

Option D is wrong because it only updates lock file periodically, still allowing variability.

276
MCQmedium

Your organization uses GitHub Actions. You need to create a reusable workflow that builds and tests a Node.js application. Which approach should you use to define the workflow?

A.Define a standard workflow in .github/workflows/build.yml
B.Use a composite action to encapsulate the build steps
C.Create a custom action and reference it in multiple workflows
D.Define a reusable workflow with 'on: workflow_call'
AnswerD

Reusable workflows can be called from other workflows.

Why this answer

Option D is correct because reusable workflows are defined in a separate file with workflow_call trigger. Option A is wrong because it defines a workflow that cannot be reused. Option B is wrong because actions are different from workflows.

Option C is wrong because composite actions are for multiple steps, not entire workflows.

277
MCQmedium

Your team deploys a web application to Azure App Service using Azure Pipelines. The application requires a configuration file that contains connection strings and app settings. You need to ensure that the configuration is environment-specific and that sensitive values are not exposed in the pipeline logs. The configuration file is stored in a Git repository with different branches for each environment. You also need to support local development with the same configuration approach. Which strategy should you use?

A.Store all settings, including secrets, in the config file in each branch. Use a script to replace tokens.
B.Use Azure App Service slots with sticky settings and store all settings in a single config file committed to the repository.
C.Store environment-specific settings in Azure App Service configuration, and use variable groups in Azure Pipelines for secrets. Use token replacement in the config file during deployment.
D.Use the same config file for all environments and override settings using pipeline variables based on branch name.
AnswerC

App Service configuration handles non-secrets, variable groups for secrets, and token replacement for environment values.

Why this answer

Using environment-specific variable groups and token replacement is secure and supports local development with config transforms. Option B exposes secrets in logs. Option C relies on branch names, which is inflexible.

Option D uses a single config, which is not environment-specific.

278
MCQhard

You are implementing a release pipeline for a containerized application using Azure Kubernetes Service (AKS). The pipeline should use canary deployments to gradually shift traffic from the stable version to the new version. Which strategy should you use to manage the traffic shift?

A.Blue-green deployment strategy
B.Rolling update strategy
C.A/B testing with feature flags
D.Canary deployment using a service mesh (e.g., Istio)
AnswerD

Service mesh enables fine-grained traffic splitting for canary deployments.

Why this answer

Option C is correct because a virtual node or service mesh like Istio can be used to implement canary deployments with traffic splitting. Option A is wrong because rolling update replaces pods gradually but does not support fine-grained traffic splitting. Option B is wrong because blue-green deployment uses two environments, not gradual traffic shift.

Option D is wrong because A/B testing is typically feature-specific, not for traffic shifting at the deployment level.

279
Drag & Dropmedium

Drag and drop the steps to implement infrastructure as code with Azure Resource Manager (ARM) templates into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

ARM template workflow includes definition, parameterization, deployment, validation, and version control.

280
MCQhard

You have the YAML pipeline snippet shown in the exhibit. The first run produces version 1.0.0. What will be the version produced on the third run?

A.1.0.1
B.1.0.3
C.1.0.2
D.1.0.0
AnswerC

Counter increments each run: 0,1,2.

Why this answer

Option C is correct because the counter expression starts at 0 for majorVersion=1 and increments each run. First run: 0, second: 1, third: 2. Option A is wrong because counter does not reset.

Option B is wrong because it is the first run value. Option D is wrong because counter increments by 1 each run, not by 2.

281
MCQhard

Refer to the exhibit. The workflow runs successfully but the deployment fails because the Azure CLI is not authenticated. What should you add to the workflow to authenticate?

A.Add the 'azure/login' action with Azure credentials
B.Add the 'actions/setup-node' action
C.Add the 'azure/webapps-deploy' action
D.Add the 'actions/github-script' action to use the GitHub token
AnswerA

The azure/login action authenticates the CLI with service principal credentials.

Why this answer

Option B is correct because the 'azure/login' action authenticates using Azure credentials stored as secrets. Option A is wrong because 'azure/webapps-deploy' is a deployment action, not authentication. Option C is wrong because the GitHub token is for GitHub API, not Azure.

Option D is wrong because 'actions/setup-node' is for Node.js, not authentication.

282
MCQhard

Your release pipeline uses a 'Run Azure CLI' task to execute a script. The script authenticates using a service principal. However, the deployment fails with 'insufficient privileges to complete the operation'. What is the most likely cause?

A.The Azure CLI task is not logged in.
B.The service principal secret has expired.
C.The service principal lacks the necessary RBAC role on the target resource.
D.The service principal does not have a secret.
AnswerC

Insufficient privileges indicate missing RBAC assignment.

Why this answer

Option C is correct because the service principal likely lacks the required RBAC role. Option A is wrong because the CLI task can use service principal authentication. Option B is wrong because service principal secret expiration would cause a different error.

Option D is wrong because the error is about privileges, not token expiry.

283
MCQeasy

You are designing a release pipeline in Azure Pipelines that deploys a web app to multiple environments (dev, test, prod). You want to ensure that the same build artifact is deployed to each environment without rebuilding. Which trigger type should you use?

A.Pull request trigger
B.Continuous deployment trigger on the release pipeline
C.Schedule trigger
D.Build completion trigger
AnswerB

Continuous deployment trigger automatically starts a release when a new build artifact is available, using that same artifact for all stages.

Why this answer

Option A is correct because a release pipeline uses a build artifact trigger to start deployment after a build completes. Option B is wrong because continuous deployment trigger happens after a build artifact is available. Option C is wrong because schedule triggers are time-based.

Option D is wrong because pull request triggers are for builds, not releases.

284
MCQhard

Your company uses Azure DevOps for CI/CD. You have a YAML build pipeline that builds a .NET Core application and publishes artifacts. The build runs on a Microsoft-hosted agent. Recently, the build started failing with the error 'The process cannot access the file because it is being used by another process.' This occurs intermittently during the 'dotnet build' step. The pipeline uses multiple jobs that run in parallel. You suspect that one job is interfering with another because they share the same workspace on the agent. You need to ensure that each job runs in its own isolated workspace. What should you do?

A.Add a 'demands' section to the job to ensure each job runs on a different agent.
B.Set 'workspace: clean' in the pipeline root.
C.Use a 'multi-job' configuration with a matrix to run each job in separate folders.
D.Set 'clean: all' on the checkout step in each job.
AnswerD

Cleaning the workspace ensures no leftover files from previous jobs.

Why this answer

Option B is correct because setting 'clean: all' on the checkout step ensures that the workspace is cleaned before the job runs, preventing file conflicts. Option A is wrong because 'demands' are for selecting agents, not for workspace isolation. Option C is wrong because 'multi-job config' is for matrix strategies, not for isolation.

Option D is wrong because 'workspace' is not a valid pipeline setting.

285
Multi-Selectmedium

Which TWO are valid strategies to reduce build times in Azure Pipelines? (Choose 2)

Select 2 answers
A.Use the Cache task to cache NuGet packages or npm modules.
B.Use 'dotnet build --no-restore' to skip restore.
C.Enable incremental builds by using the 'clean: false' option.
D.Use a larger agent pool with more parallel jobs.
E.Increase the build job timeout.
AnswersA, C

Caching avoids downloading dependencies each time.

Why this answer

Options A and D are correct. A: Incremental builds only compile changed files, reducing build time. D: Using the Cache task for package dependencies avoids re-downloading.

Option B is wrong because more agents increase parallelism but not per-build time. Option C is wrong because the 'dotnet build' command with '--no-restore' skips restore but doesn't reduce build time if restore is already cached; however, it saves time if restore is already done. But the question asks for strategies to reduce build times; incremental builds and caching are direct strategies.

Option E is wrong because increasing timeout doesn't reduce build time.

286
MCQhard

Your organization uses Azure DevOps Server (on-premises) and plans to migrate to Azure DevOps Services. You have hundreds of classic build and release pipelines. You need to design a migration strategy that minimizes downtime and allows for a gradual transition. The team wants to use the new YAML-based pipelines after migration. What should you do?

A.Export the classic pipeline definitions as JSON, and manually recreate them as YAML pipelines in Azure DevOps Services.
B.Recreate all pipelines from scratch using YAML in the new organization.
C.Use the Azure DevOps Migration Tools to automatically convert classic pipelines to YAML.
D.Migrate all pipelines as-is (classic) and then plan a separate project to convert them to YAML.
AnswerA

This allows gradual migration while maintaining existing pipelines.

Why this answer

Option B is correct: Exporting pipeline definitions and converting them to YAML manually allows gradual migration. Option A is incorrect because the migration tool does not convert classic pipelines to YAML. Option C is incorrect because using classic pipelines after migration is not leveraging YAML.

Option D is incorrect because recreating from scratch is inefficient and error-prone.

287
Multi-Selectmedium

Which TWO features can you use to enforce quality gates before a production deployment in Azure Pipelines?

Select 2 answers
A.Scheduled triggers
B.Branch policies on repositories
C.Pipeline decorators
D.Approval checks on environments
E.Deployment gates evaluating health metrics
AnswersD, E

Requires manual approval.

Why this answer

Approval checks and deployment gates are both quality gates. Option B (branch policies) applies to source control. Option D (pipeline decorators) adds steps but not gates.

Option E (scheduled triggers) is for timing.

288
Multi-Selecteasy

Which THREE are true about using deployment groups in Azure Pipelines? (Choose 3)

Select 3 answers
A.Each machine in a deployment group must have the Azure Pipelines agent installed.
B.Deployment groups can only be used with Windows-based machines.
C.Deployment groups allow you to deploy an application to multiple machines in a rolling fashion.
D.Deployment groups can be used in classic release pipelines.
E.Deployment groups are tied to a specific environment.
AnswersA, C, D

Agent is required to receive tasks.

Why this answer

Options A, C, and D are correct. A: Deployment groups are used to target multiple machines for rolling deployments. C: Each machine in a deployment group runs an agent that listens for jobs.

D: Deployment groups can be used in release pipelines with the 'Deployment group' phase. Option B is wrong because deployment groups are not limited to Windows; they support Linux, macOS, etc. Option E is wrong because deployment groups are not environment-specific; environments are a separate concept.

289
MCQmedium

You are responsible for managing build pipelines in Azure DevOps for a large .NET solution that consists of multiple projects. The build takes approximately 45 minutes, which is too long. The solution has unit tests and integration tests. The integration tests require a database that is provisioned during the build. You need to reduce the build time while maintaining code quality. What should you do?

A.Enable incremental build by using the 'Build' task's 'Clean' option set to false, and separate unit and integration tests into different stages.
B.Remove integration tests from the build pipeline and run them only in the release pipeline.
C.Increase the number of parallel jobs and use a multi-agent job to build projects in parallel.
D.Disable the 'Test' step in the build pipeline and rely on a separate test pipeline.
AnswerA

Incremental builds reduce build time, and separating tests allows quicker feedback from unit tests.

Why this answer

Option D is correct: Using incremental builds restores and builds only changed projects, and separating unit and integration tests allows faster feedback. Option A is incorrect because removing integration tests reduces quality. Option B is incorrect because using more agents does not reduce the build time of a single build.

Option C is incorrect because disabling tests altogether is not acceptable.

290
MCQmedium

Your team uses Azure Pipelines to build a .NET application. You notice that the build takes 15 minutes because of dependency restoration. You want to cache the NuGet packages to speed up subsequent builds. Which task should you add to your pipeline?

A.DownloadBuildArtifacts task
B.NuGet restore task with the 'noCache' option set to false
C.DotNetCoreCLI task with the 'restore' command
D.Cache task with a key based on the package lock file
AnswerD

The Cache task can cache NuGet packages based on the lock file hash, speeding up subsequent restores.

Why this answer

Option A is correct because the 'Cache' task is used to cache dependencies including NuGet packages. Option B is wrong because 'NuGet restore' does not cache across builds. Option C is wrong because 'DownloadBuildArtifacts' is for downloading artifacts, not caching.

Option D is wrong because 'DotNetCoreCLI' with 'restore' does not provide caching across builds.

291
MCQmedium

Your team is migrating from Jenkins to Azure Pipelines. You have a Jenkins pipeline that builds a Java application, runs unit tests, performs static code analysis with SonarQube, packages the application as a WAR file, and deploys to a Tomcat server. You need to replicate this pipeline in Azure Pipelines using YAML. The build and deployment must be triggered by commits to the main branch. You also need to ensure that the SonarQube analysis results are published to the SonarQube server and that the pipeline breaks if the quality gate fails. The Tomcat server is on-premises and requires a service connection. Which YAML pipeline structure should you use?

A.Use the Maven task to build and test, and use the Azure Web App task to deploy to Azure App Service.
B.Use the Maven task with SonarQube goals (sonar:sonar) for analysis, then use the Copy Files task and Windows Machine File Copy task to deploy to the on-premises Tomcat server.
C.Use the Maven task to build, then use PowerShell to copy the WAR file to the Tomcat server via Invoke-Command.
D.Use the Maven task to build and test, and use SSH tasks to copy the WAR file to the Tomcat server and restart the service.
AnswerB

Correct: Maven handles build/test/SonarQube, and Windows Machine File Copy deploys to on-premises.

Why this answer

Option C is correct because it uses Maven for build/test, SonarQubePrepare/Analyze tasks (or Maven with SonarQube goals), and a CopyFiles/WindowsMachineFileCopy task for on-premises deployment. Option A is wrong because SSH tasks may not work for Tomcat deployment directly. Option B is wrong because Azure App Service is not on-premises.

Option D is wrong because it uses PowerShell to copy files, which is less maintainable and doesn't leverage Azure Pipelines tasks.

292
MCQhard

Refer to the exhibit. The pipeline is configured as shown. A developer pushes a change to the `main` branch that modifies a file under `src/Controllers/HomeController.cs` and also adds a new file under `docs/readme.md`. Which of the following best describes what happens?

A.The pipeline does not trigger because the `docs/` path is excluded and includes a change.
B.The pipeline triggers because the change to `src/Controllers/HomeController.cs` is not in an excluded path.
C.The pipeline triggers only if the change is on a branch matching `release/*`.
D.The pipeline triggers but runs only tests because the build is skipped due to excluded paths.
AnswerB

The trigger includes main branch and excludes docs/* and tests/*. The src change is not excluded, so the pipeline runs.

Why this answer

Option B is correct because the pipeline's trigger configuration uses path filters that exclude `docs/*` but include `src/*`. Since the developer's push includes a change to `src/Controllers/HomeController.cs`, which is not in an excluded path, the pipeline triggers. The addition of `docs/readme.md` does not prevent triggering because the trigger evaluates the union of all changed files; as long as at least one changed file matches an included path (or is not excluded), the pipeline runs.

Exam trap

The trap here is that candidates mistakenly think a change in an excluded path will block the entire pipeline trigger, when in reality Azure Pipelines triggers if any changed file is not in an excluded path.

How to eliminate wrong answers

Option A is wrong because the pipeline triggers when any changed file is not in an excluded path; the presence of a change in an excluded path (`docs/`) does not suppress the trigger if another change (to `src/`) is outside the excluded paths. Option C is wrong because the exhibit shows no branch filter; the trigger is based on path filters, not branch patterns like `release/*`. Option D is wrong because path filters control whether the pipeline triggers at all, not which stages or jobs run; if the pipeline triggers, all configured stages (including build) execute unless separate conditional logic is added.

293
MCQmedium

Refer to the exhibit. The YAML pipeline triggers on commits to main and develop branches, and pull requests targeting develop. A developer pushes a commit directly to main. What will happen?

A.The pipeline does not run because the PR trigger requires a pull request.
B.The pipeline runs once for the CI trigger.
C.The pipeline runs twice: once for the CI trigger and once for the PR trigger.
D.The pipeline runs once for the PR trigger only.
AnswerB

The CI trigger includes main, so a push triggers one build.

Why this answer

The trigger includes main, so a push to main triggers a build. The PR trigger includes develop, but since it's a push to main, not a PR, only the CI trigger applies. Option A is wrong because PR trigger only applies to PRs.

Option C is wrong because the pipeline will run once for the CI trigger. Option D is wrong because the PR trigger does not cover pushes to main.

294
MCQmedium

You are designing a multi-stage YAML pipeline that builds a Docker image and deploys it to Azure Kubernetes Service (AKS). You want to reuse the Docker build steps across multiple stages. What is the best approach?

A.Use a stage template.
B.Define the steps as variables and reference them.
C.Create a YAML template and reference it from each stage.
D.Create a separate job and call it from each stage.
AnswerC

Templates allow reusing steps or jobs across pipelines.

Why this answer

Option C is correct because YAML templates in Azure Pipelines allow you to define reusable step, job, or stage definitions in a separate file and reference them using the `template` keyword. This approach promotes DRY (Don't Repeat Yourself) principles, simplifies maintenance, and ensures consistency when the same Docker build steps are needed across multiple stages in a multi-stage pipeline.

Exam trap

The trap here is that candidates often confuse stage templates with step templates, thinking that reusing an entire stage is the same as reusing steps within a stage, but the question specifically asks for reusing 'Docker build steps' across stages, not entire stages.

How to eliminate wrong answers

Option A is wrong because stage templates reuse entire stages, not just the Docker build steps; using a stage template would force you to duplicate the entire stage structure, which is overkill and less flexible when you only need to reuse steps within different stages. Option B is wrong because variables in Azure Pipelines are key-value pairs used for parameterization, not for encapsulating executable logic; you cannot define steps as variables and reference them to execute build commands. Option D is wrong because creating a separate job and calling it from each stage would introduce unnecessary job-level overhead and complexity; jobs are independent execution units that cannot be directly 'called' from within a stage without using deployment job patterns or template references, making this approach less straightforward and not the best practice for reusing steps.

295
Multi-Selectmedium

Your team uses Azure Pipelines to deploy a microservices application to Azure Kubernetes Service (AKS). You need to implement a strategy that minimizes downtime during updates. Which TWO options should you use?

Select 2 answers
A.Set the deployment replica count to zero before updating.
B.Use a canary deployment with a service mesh.
C.Configure a rolling update strategy in the Kubernetes manifest.
D.Use a recreate deployment strategy.
E.Implement a blue-green deployment pattern using separate namespaces.
AnswersC, E

Rolling updates replace pods incrementally.

Why this answer

Option C is correct because a rolling update strategy in Kubernetes gradually replaces old pods with new ones, ensuring that a minimum number of pods remain available throughout the update. This minimizes downtime by only terminating old pods after new ones are healthy, controlled by parameters like `maxSurge` and `maxUnavailable` in the Deployment manifest.

Exam trap

The trap here is that candidates may confuse a canary deployment (which is a valid zero-downtime strategy) with a blue-green deployment, but the question specifically asks for two options, and the correct pair is rolling update and blue-green, not canary.

296
MCQmedium

Your team uses GitHub Actions for CI/CD. You need to enforce that all pull requests to the main branch pass a required status check that runs a security scan. The security scan is a GitHub Action that runs on pull_request events. However, the status check is not appearing as required in the branch protection rules. What should you do?

A.Add 'types: [opened, synchronize]' to the pull_request trigger.
B.Change the trigger from 'pull_request' to 'pull_request_target'.
C.Use a GitHub App instead of the default GITHUB_TOKEN for the action.
D.Ensure the workflow has a name that matches the status check name in the branch protection rule.
AnswerD

The status check name is based on the workflow name and job name. If the workflow name is different, the check won't match.

Why this answer

Option C is correct because the workflow must have a name that matches the status check name used in branch protection rules. Often the workflow name is different from the job name or the check suite name. Option A is incorrect because the event type is correct.

Option B is incorrect because the YAML is valid for pull_request events. Option D is incorrect because the action is not a third-party problem.

297
MCQhard

You have a multi-stage YAML pipeline that deploys to multiple environments. You want to enforce that a manual approval is required before deploying to the production environment, but not for other environments. How should you configure the pipeline?

A.Create an environment named 'Production', add an approval check, and reference the environment in the deployment job.
B.Set a pipeline-level approval check that applies to all stages.
C.Add an approval gate on the 'Production' stage in the pipeline settings.
D.Configure branch policy on the main branch to require approval for all changes.
AnswerA

Environment approvals allow manual checks before deployment.

Why this answer

Option B is correct because environment approvals are configured on the 'Production' environment, and the deployment job references that environment. Option A is wrong because stages don't have approval gates. Option C is wrong because branch policies are for PRs, not pipeline approvals.

Option D is wrong because pipeline-level approvals apply to all runs.

298
Multi-Selectmedium

Which TWO actions should you take to implement a gated deployment strategy in Azure Pipelines?

Select 2 answers
A.Use deployment gates to evaluate metrics like error rate before allowing the next stage.
B.Configure a dashboard to monitor application health.
C.Use a multi-stage YAML pipeline.
D.Configure a rollback strategy if deployment fails.
E.Add manual approval checks before deployment to production.
AnswersA, E

Metrics-based gates are a key part of gated deployment.

Why this answer

Options B and D are correct. Approval gates and deployment gates with health evaluation are key components of gated deployment. Option A is not specific to gated deployment.

Option C is about monitoring, not gating. Option E is about rollback, not gating.

299
MCQeasy

You need to ensure that a release pipeline in Azure Pipelines automatically deploys to production only if the deployment to staging succeeds and all manual intervention checks pass. What is the best way to configure this?

A.Add a pre-deployment approval gate on the production stage
B.Configure a branch policy on the main branch
C.Assign a deployment group to the production stage
D.Add a post-deployment approval gate on the staging stage
AnswerD

A post-deployment approval ensures manual sign-off after staging succeeds before proceeding to production.

Why this answer

Option A is correct because a post-deployment approval gate can require manual sign-off after staging deployment. Option B is wrong because a pre-deployment approval is before staging. Option C is wrong because a branch policy is for repositories.

Option D is wrong because a deployment group is for targets.

300
MCQhard

You are designing a release pipeline for a critical application. The pipeline must automatically roll back to the previous version if the deployment to staging fails health checks. Which deployment strategy should you implement?

A.Canary deployment with manual promotion.
B.Blue-green deployment with manual swap.
C.Recreate deployment by redeploying the same version.
D.Rolling update with health checks and automatic rollback.
AnswerD

Health checks trigger automatic rollback on failure.

Why this answer

Option C is correct because rolling updates can be configured with health probes and automatic rollback on failure. Option A is wrong because blue-green requires manual switch. Option B is wrong because canary routes traffic gradually but does not auto-rollback.

Option D is wrong because redeploying the same version doesn't fix the issue.

← PreviousPage 4 of 7 · 461 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Build Release Pipelines questions.