AZ-400 · topic practice

Develop a security and compliance plan practice questions

Practise Microsoft Azure DevOps Engineer Expert AZ-400 Develop a security and compliance plan practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Develop a security and compliance plan

What the exam tests

What to know about Develop a security and compliance plan

Develop a security and compliance plan questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Develop a security and compliance plan exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Develop a security and compliance plan questions

20 questions · select your answer, then reveal the explanation

A company uses Azure DevOps for CI/CD. The security team requires that all pipeline runs must use a specific service connection (ServiceConnection-Prod) that has been approved for production deployments. However, developers are accidentally using unapproved connections. You need to enforce that only the approved service connection can be used in any pipeline that deploys to the production environment. What should you do?

Your organization uses Azure DevOps and Azure Key Vault to manage secrets. You have a pipeline that deploys a web app to Azure App Service. The pipeline uses a variable group linked to Key Vault to retrieve the database connection string. Recently, the build started failing with the error: 'Access to Key Vault is denied. Please ensure the service connection has Get and List permissions on secrets.' The service connection uses a service principal. You have verified that the service principal has the correct Key Vault access policy with Get and List permissions. What is the most likely cause of the failure?

A company uses Azure DevOps and needs to ensure that all pipelines use approved YAML templates from a central repository. The security team wants to prevent developers from referencing unapproved templates. What is the best way to enforce this?

You are designing a compliance strategy for Azure DevOps pipelines that deploy to production. The company policy requires that all production deployments must be reviewed by a security lead. Additionally, the deployment must use a specific release pipeline that has been pre-approved. How should you implement this?

A financial services company uses Azure DevOps and requires that all secrets (e.g., API keys, connection strings) be stored in Azure Key Vault. They have a pipeline that runs automated tests and deploys to staging. The pipeline uses a variable group linked to Key Vault to retrieve secrets. Recently, the pipeline failed with the error: 'Secret 'DbPassword' not found in Key Vault 'kv-prod'. Ensure the secret exists and the service principal has List permission.' The secret exists in the vault. What is the most likely cause?

Your organization uses Azure DevOps and Azure Policy to enforce compliance. You need to ensure that all Azure resources deployed by Azure DevOps pipelines have specific tags (e.g., CostCenter and Environment) applied. Which TWO approaches can achieve this? (Choose TWO.)

A company uses Azure DevOps and requires that all pipeline runs are audited and that sensitive information (e.g., passwords, keys) is never exposed in logs. Which THREE actions should you take? (Choose THREE.)

Question 8 · hard · multiple choice

You are a DevOps engineer at a healthcare company that must comply with HIPAA. The company uses Azure DevOps with YAML pipelines to deploy a multi-tier application to Azure Kubernetes Service (AKS). The application stores sensitive patient data. The security team requires that all secrets (e.g., database passwords, API keys) must be stored in Azure Key Vault and never hardcoded in the pipeline. The pipeline currently uses a service principal (SP1) for AKS deployments. The pipeline has a variable group 'VG-Prod' linked to Key Vault 'KV-Prod' with secrets: 'DbPassword', 'ApiKey'. The pipeline runs successfully in non-production environments. However, when you run the pipeline for production, it fails at the stage that deploys to AKS with the error: 'Error: failed to get secret 'DbPassword' from Key Vault: Forbidden'. You have verified that the secret exists and the variable group is correctly linked. The service principal SP1 has the 'Get' and 'List' permissions on KV-Prod secrets. The AKS cluster is in a different subscription than the Key Vault. What is the most likely cause and how should you fix it?

A financial services company uses Azure DevOps to manage CI/CD pipelines for a critical application. The security team requires that all production deployments be approved by two different managers, and that the build artifacts are immutable and signed. Currently, the pipeline uses a manual approval gate with one approver and stores artifacts in Azure Artifacts. What should the DevOps engineer implement to meet the security requirements?

A company uses Azure DevOps and has a security policy that all pipeline runs must use a specific service connection scoped to a resource group. A developer reports that a pipeline fails with the error: 'The service connection does not have permission to access the resource.' What is the most likely cause?

A company is adopting Azure DevOps and needs to ensure that all pipelines comply with regulatory standards. The security team wants to enforce that every build includes a security scan and that deployment to production requires approval from a compliance officer. Which TWO actions should the DevOps engineer take?

You are reviewing an Azure Policy assignment in a DevOps environment. The exhibit shows the policy assignment JSON. The policy set includes the built-in policy 'Allowed Locations' with effect Deny. During a pipeline deployment, a resource creation fails with a policy violation error. The resource being deployed is a storage account in the 'centralus' region. What is the most likely reason for the failure?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "policyDefinitions": [
      {
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bfd4f8c3-4b5d-4a7d-8c9a-1e2f3a4b5c6d",
        "parameters": {
          "effect": {
            "value": "Deny"
          },
          "allowedLocations": {
            "value": ["eastus", "westus"]
          }
        }
      }
    ],
    "policySetDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/0a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d"
  },
  "id": "/subscriptions/sub123/resourceGroups/rg-devops/providers/Microsoft.Authorization/policyAssignments/assignment-dev",
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "assignment-dev",
  "location": "eastus"
}
```

Your organization uses Azure DevOps for a multi-tier web application. The application consists of a React frontend, a Node.js API, and a SQL database. The security team has mandated the following: (1) All code changes must be scanned for secrets before merging to the main branch. (2) Infrastructure-as-code templates (ARM) must be validated for security compliance before deployment. (3) Production deployments must use a service connection with a managed identity that has only the required permissions. You have set up a CI/CD pipeline with two stages: Build and Release. The Build stage runs on pull requests and the Release stage deploys to a production environment. Recently, a developer accidentally committed a secret (API key) to a configuration file. The secret was not caught by the pipeline, and the code was merged to main. You need to prevent this in the future. What should you do?

A company's Azure DevOps project uses a custom agent pool with self-hosted agents. The security team discovers that pipeline runs can access secrets stored in Azure Key Vault, but the team wants to ensure that secrets are only accessible to approved pipelines. Which configuration should the team implement?

Which TWO actions should a DevOps engineer take to ensure that Azure DevOps pipelines comply with the principle of least privilege for service connections?

The exhibit shows a draft Azure Monitor alert rule for Key Vault secret expiry. However, the query fails to return results for secrets that have already expired. What is the most likely reason?

Exhibit

Refer to the exhibit.

```json
{
  "alertRule": {
    "displayName": "Key Vault Secret Near Expiry",
    "query": "// Azure Resource Graph query
    resources
    | where type == 'microsoft.keyvault/vaults/secrets'
    | extend DaysToExpiry = datetime_diff('day', now(), properties.attributes.expiresOn)
    | where DaysToExpiry < 30 and DaysToExpiry > 0
    | project name, vaultName = resourceGroup, expiresOn = properties.attributes.expiresOn, DaysToExpiry
    | limit 10"
  }
}
```

You are a DevOps engineer for a financial services company with strict regulatory compliance requirements (e.g., PCI-DSS, SOX). The company uses Azure DevOps for CI/CD and manages multiple projects. Each project has its own set of service connections, variable groups, and agent pools. The security team recently audited the environment and found that several service connections have been granted Contributor rights at the subscription level, and some variable groups are accessible by all pipelines across all projects. Additionally, audit logs show that a former employee's service principal still has active service connections in two projects. You need to implement a security and compliance plan to address these issues. Which approach should you take?

Your team is implementing a security and compliance plan for Azure DevOps. Which TWO actions should you take to meet regulatory requirements for audit logging and access control?

Your company, Contoso Ltd., is a financial services firm that must comply with PCI DSS. You manage an Azure DevOps organization with over 200 projects. Each project uses a service principal to deploy to Azure using service connections stored in library variable groups. Recently, an auditor flagged that a developer used a service principal with Contributor rights on a production subscription to accidentally delete a storage account. The developer had been granted access to the variable group containing that service principal's credentials. You are tasked with implementing a security and compliance plan to prevent this from recurring. The solution must minimize administrative overhead and follow the principle of least privilege. Current environment: All service principals are created in Azure AD and assigned to variable groups. Developers are granted 'User' access level in Azure DevOps and are members of various teams. You have the ability to create Azure AD groups and custom roles. Which course of action should you take?

Drag and drop the steps to perform a blue-green deployment in Azure using App Service slots into the correct order.



Focused Develop a security and compliance plan sessions

Start a Develop a security and compliance plan only practice session

Every question in these sessions is drawn from the Develop a security and compliance plan domain — nothing else.

Related practice questions

Related AZ-400 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the AZ-400 exam test about Develop a security and compliance plan?
Develop a security and compliance plan questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Develop a security and compliance plan questions in a focused session?
Yes — the session launcher on this page draws every question from the Develop a security and compliance plan domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other AZ-400 topics?
Use the topic links above to move to related areas, or go back to the AZ-400 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the AZ-400 exam covers. They are not copied from any real exam or dump site.