Microsoft DevOps Engineer Expert · Difficulty

Hard AZ-400 practice questions

Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 20 hard questions available — no sign-up, always free.

Question 1 of 20

Your team runs a high-traffic ASP.NET Core API instrumented with Application Insights. Finance flags that ingestion costs have spiked, and you want to reduce telemetry volume. However, the on-call engineers report that during incident investigations, related request, dependency, and exception records for the same operation are sometimes missing, making distributed traces incomplete. You need to cut ingestion volume while preserving statistically accurate metrics and keeping correlated telemetry items together for a given operation. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 2 of 20

Your team uses GitHub for source control and Azure Boards for planning. Developers follow GitHub Flow, creating short-lived feature branches merged via pull requests. The product owner complains that when a work item is marked 'Done' in Azure Boards, there is no visibility into whether the code implementing that work item has actually reached production. You need to design a feedback cycle that surfaces the real deployment state of each work item back to the board with minimal custom development. Which approach best achieves this?

Reviewed for accuracy · Report an issue
Question 3 of 20

Your operations team wants a dashboard that reports Mean Time To Detect (MTTD) alongside MTTR for production incidents. Incidents are tracked as Azure Boards work items of type 'Incident', which capture the timestamp an outage actually began (a custom field 'Impact Start') and the timestamp the incident work item was created. MTTR is already calculated from resolved date minus created date. Which approach correctly produces MTTD for the dashboard?

Reviewed for accuracy · Report an issue
Question 4 of 20

Your team runs a containerized application on Azure Kubernetes Service (AKS) that must read connection strings from Azure Key Vault. You have enabled workload identity on the cluster and assigned a user-assigned managed identity to the workload. Security policy requires that permissions be auditable through Azure role assignments and that individual secret access be granted with the narrowest possible scope. The Key Vault currently uses the vault access policy permission model. What should you do to meet the requirements with the least ongoing administrative effort?

Reviewed for accuracy · Report an issue
Question 5 of 20

Your team deploys a multi-tier Azure environment using a main ARM template that references three linked templates (network, compute, and data). During an Azure Pipelines deployment, the main template deploys successfully, but the resource group deployment fails with an error indicating the linked templates cannot be found. The linked templates are stored in an Azure Storage account container that is not publicly accessible. Which action correctly enables the deployment to resolve the linked templates?

Reviewed for accuracy · Report an issue
Question 6 of 20

Your team deploys a web application to a production environment using an Azure Pipelines multi-stage YAML pipeline. You must implement a deployment that reroutes traffic to a newly deployed version only after health probes pass, and if the health checks fail you need to automatically restore the previous version. You want to use the built-in strategy that provides explicit lifecycle hooks (preDeploy, deploy, routeTraffic, postRouteTraffic, and on: failure/success) for this rerouting and validation logic. Which deployment job strategy should you configure?

Reviewed for accuracy · Report an issue
Question 7 of 20

Your organization requires that every production deployment pipeline runs a mandatory security-scanning step and a credential-detection step that development teams cannot remove or bypass. Teams author their own YAML pipelines in separate repositories, but all pipelines must inherit the enforced steps. You want to guarantee compliance while still letting teams add their own build and test stages. Which approach should you implement?

Reviewed for accuracy · Report an issue
Question 8 of 20

Your team runs an Azure Pipelines multi-stage YAML pipeline. The test stage executes a large integration test suite that currently takes 40 minutes on a single Microsoft-hosted agent, creating a bottleneck for releases. The tests are independent and can be split into groups that each report results to the same run. You want to reduce wall-clock time by running the test groups simultaneously across multiple agents without duplicating the job definition manually. Which approach should you use?

Reviewed for accuracy · Report an issue
Question 9 of 20

Your team's Azure Pipelines YAML uses templates to generate stages dynamically. A senior engineer wants to conditionally include an entire deployment stage based on a value that a user selects when manually queuing the pipeline, and the stage inclusion logic uses an ${{ if }} expression at the top of the template. The value currently comes from a variable defined in a variable group, but the stage is never generated even when the value matches. What change correctly makes the conditional stage generation work?

Reviewed for accuracy · Report an issue
Question 10 of 20

Your multi-stage Azure Pipeline YAML has three stages: Build, then two parallel stages DeployWestUS and DeployEastUS that both depend on Build, and finally a RunSmokeTests stage. Business rules require RunSmokeTests to execute only if Build succeeded and at least one of the two regional deployment stages succeeded (even if the other regional deployment failed). How should you configure the RunSmokeTests stage?

Reviewed for accuracy · Report an issue
Question 11 of 20

Your team uses an Azure Pipelines YAML pipeline stored in a repository hosted in Azure Repos Git. You want the pipeline to run automatically whenever a pull request targets the 'main' or 'release/*' branches, but the pipeline currently only runs on direct pushes. You add a 'pr' section to the YAML file specifying the branch filters, commit it, but the pipeline still does not trigger when developers open pull requests. What is the most likely cause?

Reviewed for accuracy · Report an issue
Question 12 of 20

Your team's Azure DevOps YAML pipeline defines a variable 'imageTag' whose value depends on the branch that triggered the run. You need to reference this value in a template expression that conditionally includes an entire stage during pipeline compilation, before any job runs. The variable is set inside a script step using a logging command (##vso[task.setvariable]). During testing, the conditional stage never appears even when the branch condition should match. What is the root cause?

Reviewed for accuracy · Report an issue
Question 13 of 20

Your team maintains 12 microservice repositories that each use an Azure DevOps YAML pipeline. Every pipeline duplicates the same 60 lines of build, test, and container-push logic. You want to centralize this logic so a single change updates all pipelines, while allowing each repo to pass its own service name and target registry. You also need to prevent a consuming pipeline from injecting arbitrary shell commands into the shared logic through the values it passes. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 14 of 20

Your organization has onboarded all Azure DevOps repositories to Microsoft Defender for Cloud DevOps security using the Azure DevOps connector. A security recommendation reports that a repository contains an exposed Azure Storage account key committed in a configuration file six months ago. You must remediate the finding so that the credential can no longer be used, while ensuring future commits are blocked from introducing the same type of secret before they reach the default branch. Which combination of actions should you take?

Reviewed for accuracy · Report an issue
Question 15 of 20

A team's Azure Repos Git repository has grown to several gigabytes because designers have committed large .psd and .png files directly into history for the past two years. Cloning now takes over 20 minutes. The team wants to move these existing binary files (including all historical versions) into Git LFS so future clones only download the LFS pointers and current blobs. Which approach correctly converts the existing history to use Git LFS?

Reviewed for accuracy · Report an issue
Question 16 of 20

Your organization maintains 15 microservice repositories on GitHub. Each repository currently duplicates the same 200-line CI job that builds a container, runs unit tests, scans for vulnerabilities, and pushes to a registry. You want to centralize this logic so that a change made once applies to all repositories, and you need the ability to pass secrets, run the shared logic as its own job with its own runner, and enforce required approvals on the shared deployment environment. Which approach should you implement?

Reviewed for accuracy · Report an issue
Question 17 of 20

Your team maintains a public repository on GitHub that accepts contributions from external forks via pull requests. The CI workflow needs to run integration tests that reference a deployment secret stored in the repository's Actions secrets. A security reviewer warns that a malicious contributor could open a pull request that exfiltrates the secret. You must ensure that secrets are never exposed to workflows triggered by pull requests from forks, while still allowing trusted maintainers to run the full pipeline. What should you do?

Reviewed for accuracy · Report an issue
Question 18 of 20

Your team runs CI builds on GitHub Actions using a pool of persistent self-hosted runners hosted on Azure VMs. You notice that build reliability is degrading: leftover files, cached dependencies, and environment variables from previous jobs occasionally corrupt subsequent builds. Security also flags that a compromised job could persist malware on a runner for later jobs. You want a solution that gives each job a clean environment and auto-scales with demand, while minimizing manual VM maintenance. What should you implement?

Reviewed for accuracy · Report an issue
Question 19 of 20

Your team has enabled GitHub Advanced Security code scanning with the default CodeQL configuration on a large C# repository. Security engineers report that the scans catch common vulnerabilities but miss several injection patterns unique to your internal data-access framework. You need the CI code-scanning runs to detect these custom patterns while continuing to run the standard security queries, with the least ongoing maintenance. What should you do?

Reviewed for accuracy · Report an issue
Question 20 of 20

Your operations team wants a dashboard in Azure DevOps that surfaces Mean Time To Recovery (MTTR) for production incidents. Incidents are tracked as work items of type 'Incident' with a custom 'Detected On' date field and the standard 'Closed Date' field. Leadership wants to see the average duration between detection and resolution over the last 90 days, refreshed automatically. Which approach best delivers this metric on an Azure DevOps dashboard?

Reviewed for accuracy · Report an issue