AZ-400 has two types of candidates: developers who know CI/CD but don't know Azure, and Azure administrators who know the infrastructure but don't know DevOps tooling. Both groups fail AZ-400 for the same reason — the exam requires fluency in both areas simultaneously.
The fix isn't studying both areas equally. It's identifying which side you're weak on, studying that gap specifically, and using what you already know to contextualize the new material.
What Makes AZ-400 an Expert-Level Exam
AZ-400 is designated "Expert" alongside AZ-305 and certifications that require professional-level prerequisites. Unlike other expert certifications, AZ-400 accepts either AZ-104 or AZ-204 as a prerequisite — recognizing that both administrator and developer backgrounds are valid entry paths.
| Domain | Weight |
|---|---|
| Configure processes and communications | 10-15% |
| Design and implement source control | 15-20% |
| Design and implement build and release pipelines | 40-45% |
| Develop a security and compliance plan | 10-15% |
| Implement an instrumentation strategy | 10-15% |
The pipeline domain at 40-45% is the clearest signal about what this exam is. AZ-400 is primarily an exam about Azure Pipelines configuration, supplemented by source control strategy, security practices, and monitoring.
Who AZ-400 Serves (And Who Should Consider Alternatives)
The right candidate: developers or infrastructure engineers working in DevOps roles who design and operate CI/CD pipelines, manage source control strategy, implement deployment practices, and own the tooling that gets code from repository to production.
The wrong candidate: architects who want a DevOps credential to complement AZ-305. AZ-400 doesn't add significant architectural value — it adds pipeline configuration depth. If you're building cloud architectures and want DevOps credibility, the combination of AZ-305 plus actual pipeline experience communicates more than AZ-400 alone.
The alternatives path: for developers who primarily use GitHub Actions rather than Azure Pipelines, the GitHub Actions certification (GitHub Certified — Actions) may be more directly relevant to daily work. AZ-400 tests Azure DevOps/Azure Pipelines heavily; if your organization uses GitHub instead, evaluate whether the exam content maps to your actual environment.
Domain 3: Design and Implement Build and Release Pipelines (40-45%)
This is where the exam is won or lost. Candidates who are weak here fail regardless of performance on other domains.
YAML vs Classic Pipelines
Azure Pipelines supports two authoring experiences: classic (GUI-based) and YAML (code-based). The exam heavily favors YAML.
Why the shift to YAML matters for exam prep: classic pipeline knowledge doesn't transfer well to YAML pipeline questions. If you've only used Azure Pipelines through the GUI, you need YAML-specific study.
A YAML pipeline structure:
trigger:
branches:
include:
- main
- release/*
pool:
vmImage: 'ubuntu-latest'
variables:
buildConfiguration: 'Release'
stages:
- stage: Build
jobs:
- job: BuildJob
steps:
- task: DotNetCoreCLI@2
inputs:
command: 'build'
configuration: '$(buildConfiguration)'
The exam tests pipeline structure: trigger conditions, stage/job/step hierarchy, variable groups, templates, and conditions.
Pipeline templates: the exam tests pipeline templates as a reuse mechanism. A template defines reusable pipeline components. Teams can extend central templates rather than duplicating YAML across repositories.
# Template definition (build-template.yml)
parameters:
buildConfiguration: 'Release'
steps:
- task: DotNetCoreCLI@2
inputs:
command: 'build'
configuration: ${{ parameters.buildConfiguration }}
Templates enforce consistency and allow security policies to be embedded in the template rather than each pipeline.
Deployment Strategies
The exam tests deployment strategies at both the concept and Azure Pipelines implementation level:
| Strategy | Downtime | Rollback speed | Resource cost |
|---|---|---|---|
| In-place (recreate) | Yes | Redeploy | Low |
| Rolling | Minimal | Moderate | Low |
| Blue/green | None | Immediate (switch back) | 2× resources |
| Canary | None | Remove canary traffic | Minimal increase |
| Feature flags | None | Toggle off | None (code-based) |
Blue/green in Azure Pipelines: App Service deployment slots implement blue/green deployments. Pipelines deploy to staging slot, run smoke tests, then use the AzureAppServiceManage@0 task to swap slots. The swap is immediate from the user's perspective.
Canary releases: implement by routing a percentage of traffic to the new version. Azure Traffic Manager or Azure Front Door weighted routing achieves this at the DNS/load balancing level. The pipeline manages deploying to the canary endpoint and incrementally increasing traffic percentage.
"The deployment strategy question pattern on AZ-400 almost always has a constraint that eliminates most options. 'Zero downtime and instant rollback capability with production data' eliminates everything except blue/green. 'Gradual risk exposure with automatic promotion based on error rates' describes canary. Learn those constraint-to-strategy mappings." — Gregor Suttie, Azure MVP and DevOps instructor
Pipeline Security
Service connections: Azure Pipelines uses service connections to authenticate to external services (Azure subscriptions, container registries, GitHub, etc.). The exam tests service connection security:
Scope: service connections should be scoped to the minimum necessary permissions (specific resource group, not whole subscription)
Approval gates: service connections can require approval before pipelines can use them, preventing unauthorized deployments
Secret scanning: prevent credentials from appearing in pipeline logs
Pipeline permissions: who can edit pipelines matters for security. YAML pipelines stored in repositories are controlled by repository permissions. Classic pipelines have separate permission configuration. The exam tests the difference.
Artifact security: packages and container images stored in Azure Artifacts and Azure Container Registry should be scanned for vulnerabilities before deployment. Microsoft Defender for Container Registries provides this scanning.
Domain 2: Design and Implement Source Control (15-20%)
Branching Strategies
AZ-400 tests branching strategy selection for different team and release scenarios.
Git Flow: long-lived branches (main, develop, feature/*, release/*, hotfix/*). Complex but structured. Good for products with scheduled release cycles.
GitHub Flow: simple. Only main and short-lived feature branches merged via pull requests. Good for teams deploying frequently (continuous deployment).
Trunk-based development: everyone commits to a single trunk (main) using feature flags to hide incomplete work. Requires strong automated testing and monitoring. Best for teams with mature DevOps practices and CI/CD pipelines that can deploy multiple times per day.
The exam scenario determines the right answer: "A team releases software once per quarter with a formal testing phase." Git Flow — structured branches for release management. "A team deploys to production 10 times per day." Trunk-based development — feature branches introduce integration delay that conflicts with high-frequency deployment.
Pull Request Policies
Branch policies in Azure DevOps enforce code review requirements:
Minimum reviewer count
Work item linking requirement (every PR must reference a work item)
Merge strategy (squash, merge commit, or rebase)
Build validation (pipeline must pass before PR can merge)
Comment resolution (all PR comments must be resolved before merge)
The exam tests which policies satisfy a given governance requirement. "A company requires that every code change is reviewed by at least one other developer and has passed automated tests." Reviewer policy (minimum 1 reviewer, not the author) and build validation policy.
Domain 4: Develop a Security and Compliance Plan (10-15%)
Software Composition Analysis (SCA)
Dependencies are a security surface. The exam tests how to identify and manage vulnerable dependencies:
OWASP Dependency Check: scans project dependencies against known vulnerability databases. Can be integrated into Azure Pipelines as a task.
WhiteSource/Mend: commercial SCA tool with Azure Pipelines integration. Provides license compliance scanning alongside vulnerability detection.
GitHub Advanced Security / Azure DevOps Advanced Security: Microsoft's integrated security scanning for code (SAST), secrets, and dependencies. Available for Azure Repos repositories.
Secrets Management in Pipelines
The exam tests how to prevent secrets from appearing in pipelines and logs:
Variable groups: store shared variables across pipelines. Variable groups linked to Azure Key Vault automatically pull secrets as pipeline variables. The secret value is masked in logs.
Secret variables: pipeline variables marked as secret are masked in log output. However, masking is imperfect — secrets that appear in log messages through application code are not automatically detected.
Best practice the exam tests: no credentials in YAML pipeline files checked into source control. Use service connections for Azure authentication, variable groups linked to Key Vault for secrets, and environment variables for runtime configuration.
Domain 5: Implement an Instrumentation Strategy (10-15%)
AZ-400 instrumentation questions focus on developer-relevant monitoring: application performance, deployment tracking, and feedback loops.
Application Insights integration: instrument applications during pipeline builds. The exam tests adding Application Insights to applications through NuGet package configuration, connection strings through environment variables (not hardcoded), and configuration of sampling rates for production traffic.
Release annotations: Application Insights release annotations mark deployments on metric charts. When a new version deploys and response times spike, the annotation shows exactly when the deployment occurred. Configured in Azure Pipelines using the release-annotation task.
Dashboard and work item integration: Azure DevOps dashboards display pipeline status, test results, and code coverage. The exam tests which widgets show which information and how they're configured.
The Dual-Path Study Approach
The exam has two core skill areas. Before studying, self-assess honestly:
Rate your current knowledge (1-5):
Azure Pipelines YAML configuration: ___
Deployment strategies (blue/green, canary, rolling): ___
Git branching strategies: ___
Azure services (App Service, Container Registry, AKS): ___
Security scanning and secret management: ___
Application Insights and monitoring: ___
Path A (Developer background, weak on Azure):
Complete AZ-104 core concepts: virtual networks, App Service, Azure Container Registry
Study Azure Pipelines YAML deeply — this is likely your strongest area, validate it
Focus extra time on Azure service-specific deployment tasks and service connections
Path B (Azure administrator background, weak on DevOps):
Learn Git branching strategies and pull request workflows (GitHub Learning Lab is free)
Complete the Azure Pipelines documentation — build a real pipeline from scratch
Understand CI/CD pipeline stages, testing integration, and artifact management
Both paths: hands-on labs are not optional. AZ-400 has a low pass rate among candidates who studied only documentation. Building and breaking pipelines is how you learn the failure modes and edge cases the exam tests.
Target score before exam: 75% on Whizlabs practice exams. AZ-400 is graded 700/1000.
AZ-400 Domain Breakdown: What Each Tests Specifically
The five AZ-400 domains are not equally weighted or equally difficult. Understanding what each tests at a granular level eliminates wasted study time:
| Domain | Weight | Core topics | Difficulty for admin background | Difficulty for dev background |
|---|---|---|---|---|
| Configure processes and communications | 10-15% | Azure Boards, work item tracking, team process (Agile, Scrum, Kanban), release management communication | Moderate | Low |
| Design and implement source control | 15-20% | Git branching strategies (Git Flow, trunk-based), Azure DevOps repos, branch policies, code review requirements | High — git workflows are unfamiliar | Low |
| Design and implement build and release pipelines | 40-45% | YAML pipelines, deployment strategies, service connections, environment approvals, artifact management | High — YAML syntax requires practice | Moderate — Azure service integration gaps |
| Develop a security and compliance plan | 10-15% | Secret management (Key Vault integration), SCA, SAST, DAST, dependency scanning, compliance policies | Moderate | Moderate |
| Implement an instrumentation strategy | 10-15% | Application Insights, Azure Monitor, release annotations, dashboards, feedback loops | Moderate | Moderate |
The pipeline domain's 40-45% weight means a candidate who scores 90% on the other four domains can still fail if they score below 60% on pipelines. Conversely, mastery of pipelines alone won't pass the exam — the other domains collectively represent 55-60% of questions.
What "configure processes and communications" actually tests: Azure Boards work item types (Epic, Feature, User Story, Task, Bug), Sprint planning concepts, team capacity, velocity tracking, release gates and approvals (release pipeline pre- and post-deployment gates), and how Azure Boards integrates with GitHub. Candidates with Agile project management experience find this domain straightforward. Candidates from pure infrastructure backgrounds need to learn Agile work management vocabulary before this domain makes sense.
AZ-104 vs AZ-204 Prerequisites: What You'll Need to Study Extra
AZ-400 accepts either AZ-104 (Administrator) or AZ-204 (Developer) as a prerequisite. The choice of prerequisite creates distinct study gaps:
If you passed AZ-104 (Administrator background):
Topics you'll need to fill in specifically for AZ-400:
Git version control fundamentals — branching, merging, rebasing, conflict resolution
YAML syntax — the Azure Pipelines YAML schema requires comfort with YAML structure; administrators who haven't written configuration-as-code struggle here
Application testing concepts — unit testing, integration testing, test-driven development as concepts (not implementation), test coverage metrics
Package management — Azure Artifacts, NuGet, npm, pip in a pipeline context
Container concepts — Docker images, Azure Container Registry, AKS deployment from a pipeline perspective
If you passed AZ-204 (Developer background):
Topics you'll need to fill in specifically for AZ-400:
Azure Container Registry (ACR) security and integration — service principals, managed identities, image scanning
App Service deployment slot behavior — slot swapping mechanics, traffic routing percentages, slot-specific app settings
Azure Load Balancer vs Application Gateway selection for pipeline deployment scenarios
Service connection scoping and least-privilege patterns
Managed identity configuration for pipeline authentication to Azure resources
The genuinely harder path: developers who lack AZ-104 background struggle more on AZ-400 than administrators who lack AZ-204 background, because the infrastructure content in AZ-400 is more extensive than the developer-specific content. The exam spends more time on "how does the pipeline authenticate to deploy to this resource" (infrastructure concern) than on "how does the application code use this SDK" (developer concern).
Azure DevOps Services Tested in Depth
Azure Pipelines YAML Syntax
The exam tests specific YAML elements beyond the basic structure:
Variable groups and Key Vault integration:
variables:
- group: my-variable-group # references Azure DevOps variable group
- name: buildConfiguration
value: 'Release'
Variable groups can link to Azure Key Vault, automatically pulling secrets as pipeline variables with values masked in logs. The exam tests this integration pattern specifically — how to link a variable group to Key Vault and what permission the service connection needs (Key Vault Secrets User role minimum).
Environment protection rules: pipeline environments can have approval requirements and deployment gates. The exam tests configuring required approvals before deployment to a protected environment (typically production):
Manual approval: specific users or groups must approve before pipeline continues
Query Azure Monitor alerts: pipeline pauses and checks if active alerts exist in the target environment
Business hours gate: deployment only proceeds during defined time windows
Pipeline conditions: the exam tests conditional execution syntax:
- task: SomeTask@1
condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
Understanding condition functions (succeeded(), failed(), always(), eq(), ne()) is necessary for answering questions about when steps execute.
Azure Artifacts
Azure Artifacts provides package feeds for NuGet, npm, Maven, Python, and Universal Packages. AZ-400 tests it as a DevOps tool, not just a storage service:
Upstream sources: Azure Artifacts feeds can proxy public package registries (npmjs.com, nuget.org). This allows organizations to control which external packages pipelines can use — all packages must flow through the organizational feed, enabling security scanning and version pinning. The exam tests this as a supply chain security control.
Package promotion: packages move between feed views (pre-release → release) as they pass quality gates. Pipelines produce packages to the pre-release view; promotion to release requires passing additional validation stages.
Feed permissions: who can publish vs consume packages from a feed is controlled through feed permissions. Pipelines publishing packages need "Contributor" permissions on the feed. This appears in troubleshooting scenarios ("a pipeline fails to publish to an artifact feed — what permission is required?").
Azure Boards for Release Management
AZ-400 tests Azure Boards beyond basic work item tracking — specifically its role in release management:
Work item linking: branches and commits can be linked to work items. Pull request policies can require work item linking — enforcing that every code change has an associated task or bug.
Release gates using work item queries: a deployment can be gated on a query condition — for example, "no open critical bugs in this sprint" as a gate before production deployment. This connects Azure Boards to the release pipeline as a quality gate mechanism.
Queries for dashboard widgets: Azure DevOps dashboards used in AZ-400 monitoring scenarios pull data from Azure Boards queries. Understanding how queries filter work items by state, iteration, or tag is necessary to answer dashboard configuration questions.
GitHub Actions on AZ-400
GitHub Actions received significant emphasis in AZ-400 exam updates in 2023. Candidates studying from pre-2023 materials are missing an increasingly important exam section.
What GitHub Actions tests on AZ-400:
-
Workflow YAML structure: GitHub Actions workflows use .github/workflows/*.yml files with on: triggers (push, pull_request, workflow_dispatch), jobs:, steps:, and uses: for reusable actions
- Comparison with Azure Pipelines: the exam asks when to choose GitHub Actions vs Azure Pipelines — GitHub Actions is preferred for GitHub-hosted code; Azure Pipelines is preferred for complex enterprise scenarios requiring Azure DevOps integration, environment approvals, and Azure Artifacts
- GitHub Actions secrets: repository and organization-level secrets provide the equivalent of Azure Pipelines variable groups. Environment secrets add environment-specific overrides.
- OIDC authentication: GitHub Actions can authenticate to Azure using OpenID Connect (OIDC) instead of service principals. This eliminates long-lived credentials stored as GitHub secrets. The exam tests this as the preferred authentication pattern for GitHub Actions to Azure deployments.
- Reusable workflows: GitHub Actions equivalent of Azure Pipelines templates — centrally defined workflows that individual repositories call. Tests the same "enforce consistency across teams" scenario that template questions test in the Azure Pipelines section.
Preparation Timeline by Background
A realistic timeline estimate based on prerequisite background:
| Background | Estimated study time to exam-ready |
|---|---|
| AZ-104 + active DevOps/CI-CD experience | 6-8 weeks |
| AZ-104 only (no pipeline experience) | 10-14 weeks |
| AZ-204 + active Azure experience | 8-10 weeks |
| AZ-204 only (limited Azure infrastructure) | 12-16 weeks |
| Both AZ-104 and AZ-204 (rare) | 5-7 weeks |
The lab hours requirement: more than almost any other Azure exam, AZ-400 requires hands-on practice. Building a complete CI/CD pipeline from scratch — source repository, build stage, test stage, artifact publishing, deployment to two environments (staging and production) with an approval gate — takes 8-12 hours for a first implementation. Candidates who cannot do this on their own before the exam are not ready.
Recommended hands-on projects before exam:
Create an Azure DevOps project, connect a GitHub repository, and build a multi-stage YAML pipeline that deploys an app to App Service with blue/green slot swap
Configure a variable group linked to Azure Key Vault and use its secrets in a pipeline
Implement a branching strategy with PR policies, including build validation
Add Application Insights to an application and verify release annotations appear after deployment
Scan a repository with Microsoft Defender for DevOps and interpret the findings
See also: AZ-204 Azure Developer Associate: what the exam actually tests, Microsoft Azure certifications roadmap: which order makes sense
References
Microsoft. Exam AZ-400: Designing and Implementing Microsoft DevOps Solutions — Skills Measured. Microsoft Learn, 2024. https://learn.microsoft.com/en-us/certifications/exams/az-400/
Microsoft. Azure Pipelines YAML Schema Reference. Azure DevOps Documentation, 2024. https://learn.microsoft.com/en-us/azure/devops/pipelines/yaml-schema/
Suttie, Gregor, and Richard Hooper. Exam Ref AZ-400 Designing and Implementing Microsoft DevOps Solutions. Microsoft Press, 2021. ISBN: 978-0136810384.
Microsoft. Azure DevOps Learning Path. Microsoft Learn, 2024. https://learn.microsoft.com/en-us/training/paths/az-400-get-started-devops-transformation-journey/
Savill, John. AZ-400 Azure DevOps Engineer Expert Study Cram. YouTube/NTFAQGuy, 2024. (Microsoft MVP; video review of AZ-400 content)
Whizlabs. AZ-400 Designing and Implementing Microsoft DevOps Solutions Practice Tests. Whizlabs, 2024. https://www.whizlabs.com
Frequently Asked Questions
Do I need both AZ-104 and AZ-204 before taking AZ-400?
Microsoft requires either AZ-104 or AZ-204 — not both. However, AZ-400 has substantial content from both paths: infrastructure deployment (closer to AZ-104) and application CI/CD tooling (closer to AZ-204). Candidates with only one prerequisite typically need supplementary study in the other area.
Does AZ-400 focus on YAML or classic pipelines?
AZ-400 heavily favors YAML pipelines. Classic (GUI-based) pipeline knowledge doesn't transfer well to YAML questions. If you've only used Azure Pipelines through the classic interface, you need specific YAML pipeline study — stages, jobs, steps, templates, variables, and conditions.
What branching strategy is tested on AZ-400?
All major strategies: Git Flow (long-lived branches, scheduled releases), GitHub Flow (feature branches merged via PR, continuous deployment), and trunk-based development (frequent commits to main with feature flags). The exam presents scenarios and asks which strategy fits the release cadence and team model.
How is security tested on AZ-400?
Software composition analysis (SCA) for vulnerable dependencies, secret management in pipelines (variable groups linked to Key Vault, secret variable masking), service connection scoping, and pipeline permission models. The exam tests preventing credentials from appearing in pipeline YAML or logs.
What deployment strategy concepts appear most on AZ-400?
Blue/green (App Service deployment slot swapping), canary (weighted routing via Traffic Manager or Front Door), rolling (gradual instance replacement), and the constraints that determine which strategy applies — zero downtime, instant rollback, resource cost, traffic control granularity.