Design and implement build and release pipelines
Drill 20 practice questions focused entirely on Design and implement build and release pipelines for the Microsoft AZ-400 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
Your team uses Azure App Configuration to manage feature flags for a web application deployed through Azure Pipelines. The product owner wants to enable a new checkout experience only for internal beta testers (identified by a specific Azure AD group) while keeping it disabled for all other users, without redeploying the application. Which App Configuration feature flag capability should you use?
Your team publishes an internal .NET library to an Azure Artifacts feed. Leadership requires that every package version encode the release date so consumers can immediately identify the age of a dependency, and the versioning scheme must not require manual increment of a major/minor number for each release. The library is released on an unpredictable cadence, sometimes multiple times per day. Which versioning approach should you implement in the Azure Pipelines build that produces the NuGet package?
Your organization uses an Azure Artifacts feed named 'Shared-Libs' to distribute internal NuGet packages. A new team of developers needs to restore packages from this feed in their local builds and in a pipeline, but they must not be able to publish new package versions or delete existing ones. The feed currently grants the 'Project Collection Build Service' the Contributor role. What is the most appropriate way to grant the new team the access they require while following least-privilege principles?
Your team publishes NuGet packages to an Azure Artifacts feed. Developers continuously push prerelease packages during active development, but downstream consumer teams must only be able to restore packages that have passed QA validation. You want to promote validated packages so consumers can reference a stable set without changing their feed source URL to a different feed. Which approach should you implement?
Your team publishes internal NuGet packages to an Azure Artifacts feed. Developers consuming these packages report that when they step into library code during debugging in Visual Studio, they cannot see the original source or line-level breakpoints. You want to enable full source-level debugging of the published packages without manually distributing PDB files. What should you configure in the build pipeline that produces the packages?
Your team maintains an Azure Artifacts feed named 'Contoso-NuGet' for internal .NET packages. Developers currently restore both your internal packages and public packages from nuget.org, but you want a single feed URL in the NuGet.config that resolves internal packages while also caching and vetting public packages so the same versions are always available even if nuget.org is unavailable. You also need to promote only tested internal package versions to a 'Release' view consumed by production build pipelines. Which combination of Azure Artifacts capabilities should you configure?
Your platform team wants developers to self-provision ephemeral test environments in Azure on demand, but the environments must only use pre-approved infrastructure templates, be deployed into specific subscriptions per project, and be automatically tracked for cleanup. Developers should request environments through a catalog without having direct rights to write ARM/Bicep at will. Which Azure service and configuration best meets these requirements?
Your organization has a single self-hosted agent pool named 'Build' containing 12 agents. Four of these agents have the .NET 8 SDK and a licensed code-signing tool installed; the remaining eight only have the .NET 8 SDK. A YAML pipeline job must run only on the agents that can perform code signing, without creating a separate agent pool. What is the correct approach?
Your team runs a self-hosted agent pool in Azure Pipelines. Over the past two weeks, several YAML pipeline runs have failed intermittently with the error 'No agent found in pool that satisfies the specified demands.' The pipelines require a demand for a custom capability named 'msbuild17'. You need to diagnose which agents can service these jobs and reduce the number of stalled runs before they eventually time out. What should you do FIRST?
Your team uses a multi-stage YAML pipeline in Azure Pipelines. The production stage targets an Environment that has a manual approval check configured. You set the approval to time out after 24 hours. During a weekend release, no approver responds within the 24-hour window. Compliance requires that any un-actioned production deployment must NOT proceed and must not silently linger indefinitely. Which timeout behavior and configuration ensures the deployment is stopped when the approval expires?
Your team maintains an Azure resource group that should contain ONLY the resources defined in a Bicep template. During a release stage, an ARM/Bicep deployment task provisions a storage account, a Key Vault, and an App Service plan. A previous manual deployment left an orphaned public IP address and an unused network security group in the same resource group. The release pipeline must remove any resources that are not declared in the template on every deployment, while keeping the pipeline declarative. Which deployment configuration should you use?
Your team deploys a multi-tier Azure environment using a main ARM template that references three linked templates (network, compute, and data). During an Azure Pipelines deployment, the main template deploys successfully, but the resource group deployment fails with an error indicating the linked templates cannot be found. The linked templates are stored in an Azure Storage account container that is not publicly accessible. Which action correctly enables the deployment to resolve the linked templates?
You maintain a multi-stage YAML pipeline in Azure Pipelines. The 'Build' stage compiles the application and publishes the output. A later 'Deploy' stage runs on a separate agent and must consume exactly the artifact produced by the 'Build' stage of the same pipeline run. You want the artifact to be retrieved automatically without adding an explicit download task, using the recommended modern pipeline artifact approach. Which configuration achieves this?
Your team runs a production ASP.NET Core web app on Azure App Service (Standard tier). Business requires zero-downtime releases with the ability to instantly roll back if post-deployment smoke tests fail. You are designing the release stage in a multi-stage Azure Pipelines YAML file. Which approach best meets these requirements?
Your team deploys a customer-facing API to a single Azure App Service. Leadership wants to reduce blast radius by routing only 10% of production traffic to a new revision for 30 minutes while monitoring Application Insights failure rate, then automatically shift the remaining 90% if metrics stay healthy. You must implement this in a multi-stage Azure Pipeline using a deployment job. Which strategy keyword should you configure on the deployment job to achieve incremental traffic-based rollout with pre/post traffic-routing hooks?
Your team deploys to a production environment defined in Azure Pipelines. Before any deployment stage targeting this environment runs, compliance requires that an external change-management system (accessible via HTTPS) confirms an approved change ticket exists. The confirmation must be fully automated — no human clicks — and must block the stage until the external system responds successfully. Which environment check should you configure?
Your team uses Azure Pipelines with a multi-stage YAML pipeline that runs unit tests and publishes results using the PublishCodeCoverageResults task. Leadership mandates that no pull request may be completed unless the changed code meets an 80% line coverage threshold, and the check must automatically block the PR if coverage falls below that level. What should you implement to enforce this requirement?
Your team maintains an Azure Pipelines YAML pipeline that builds a Docker image and pushes it to a private Azure Container Registry (ACR), then deploys it to Azure Kubernetes Service (AKS). Currently the pipeline stores the ACR admin username and password as pipeline secret variables. Security has flagged that the ACR admin account is enabled and long-lived credentials are being used. You must eliminate stored registry credentials while allowing the pipeline to push images to ACR, following least-privilege and Microsoft-recommended practices. What should you do?
Your team runs an Azure Pipelines YAML pipeline on a Microsoft-hosted ubuntu-latest agent. The build job requires a very specific version of Node.js (18.14.2) plus several native build tools that are not present on the hosted image, and you want to avoid spending several minutes each run installing them with a script step. You already publish a prebuilt Docker image containing exactly the required toolchain to your Azure Container Registry. What is the most efficient way to have the build steps execute inside that toolchain image on the hosted agent?
Your team deploys a .NET web application together with its SQL Server database using a multi-stage Azure Pipeline. The database schema is managed with Entity Framework Core migrations. During production releases, the pipeline occasionally fails when the same migration is re-run after a partial deployment, and DBAs require that any schema change be reviewed before it touches the production database. You must redesign the release stage so schema changes are safe to re-run and reviewable before execution. Which approach best meets these requirements?
More AZ-400 practice
Keep going with the other Microsoft DevOps Engineer Expert domains, or take a full timed mock exam.
← Back to AZ-400 overview