What prerequisites are required for AZ-400?
To earn the Microsoft Certified: DevOps Engineer Expert credential, you must first pass either the AZ-104 (Azure Administrator) or AZ-204 (Azure Developer) certification exam. The AZ-400 exam itself tests DevOps practices across Azure DevOps, GitHub, CI/CD pipelines, security integration, and monitoring. Most candidates need 2-4 months of preparation with hands-on pipeline experience.
The AZ-400 Designing and Implementing Microsoft DevOps Solutions exam is the pathway to the Microsoft Certified: DevOps Engineer Expert credential. It validates skills in designing and implementing DevOps practices using Microsoft Azure, Azure DevOps, and GitHub -- the most widely used DevOps platform combination in enterprise environments.
DevOps Engineer roles with Azure expertise command some of the highest salaries in IT, with median compensation of $120,000-$160,000 in the United States. The certification is recognized by organizations that have standardized on Microsoft development and deployment tooling. The exam costs $165 USD and requires a passing score of 700 out of 1000.
Exam Overview
| Detail | Information |
|---|---|
| Exam Code | AZ-400 |
| Full Name | Designing and Implementing Microsoft DevOps Solutions |
| Number of Questions | 40-60 |
| Time Limit | 150 minutes |
| Passing Score | 700/1000 |
| Cost | $165 USD |
| Prerequisites | AZ-104 or AZ-204 certification required |
| Expert Credential | Microsoft Certified: DevOps Engineer Expert |
The exam covers five domains:
- Configure processes and communications (10-15%)
- Design and implement source control (15-20%)
- Design and implement build and release pipelines (40-45%)
- Develop a security and compliance plan (10-15%)
- Implement an instrumentation strategy (10-15%)
"The AZ-400 exam strongly favors candidates who have actually built pipelines. Questions describe specific pipeline requirements -- like deploying to multiple environments with approval gates, or integrating automated security scanning -- and you need to know the exact YAML syntax and service configuration to answer correctly." -- Azure DevOps community, Microsoft Q&A
Domain 1: Configure Processes and Communications (10-15%)
Azure Boards and Agile Practices
Azure Boards provides work item tracking, backlog management, and sprint planning. Key concepts:
- Work item types: Epics (strategic initiatives), Features (functional capabilities), User Stories (end-user requirements), Tasks (implementation work), Bugs
- Kanban vs. Scrum: Kanban uses a continuous flow board; Scrum uses sprint-based iterations with velocity tracking
- Queries and dashboards: Custom queries for tracking specific work items; dashboards for team visibility
GitHub Features for DevOps
GitHub has become deeply integrated with Azure DevOps workflows:
- GitHub Issues and Projects: Lightweight work item tracking
- GitHub Discussions: Team communication and documentation
- GitHub Actions: CI/CD pipelines integrated with the repository
- GitHub Advanced Security: Code scanning, secret scanning, and dependency review
Domain 2: Design and Implement Source Control (15-20%)
Git Branching Strategies
AZ-400 tests knowledge of branching strategies and their trade-offs:
Trunk-based development: All developers commit frequently to a single main branch. Feature flags control unfinished feature exposure. Requires strong automated testing to prevent broken main.
GitFlow: Long-lived feature branches merged to develop, then release, then main. Provides clear release staging but creates large, difficult merges and delays integration.
GitHub Flow: Short-lived feature branches merged directly to main via pull request. Simpler than GitFlow, suitable for continuous delivery.
Branch Policies and Pull Requests
Azure DevOps and GitHub both support branch protection:
- Requiring a minimum number of reviewers before merging
- Requiring all conversations to be resolved
- Requiring status checks (CI pipeline) to pass before merging
- Requiring commits to be signed
Domain 3: Build and Release Pipelines (40-45%)
This is the heaviest domain and requires hands-on YAML pipeline experience.
Azure Pipelines YAML Structure
trigger:
branches:
include:
- main
pool:
vmImage: ubuntu-latest
stages:
- stage: Build
jobs:
- job: BuildJob
steps:
- task: DotNetCoreCLI@2
inputs:
command: build
projects: '**/*.csproj'
Key YAML concepts tested:
- Stages, jobs, steps: Hierarchical pipeline structure
- Triggers: CI triggers, scheduled triggers, PR triggers
- Environments: Deployment targets with approval gates and deployment history
- Templates: Reusable YAML fragments for DRY pipeline code
- Variable groups: Shared variables linked to Azure Key Vault for secrets
Deployment Strategies
| Strategy | Description | Use Case |
|---|---|---|
| Rolling | Replace instances incrementally | Minimize downtime during deployment |
| Blue-green | Maintain two identical environments, switch traffic | Zero-downtime deployment with instant rollback |
| Canary | Route small percentage of traffic to new version | Gradual rollout with production validation |
| Feature flags | Deploy code without activating features | Decouple deployment from release |
Release Gates and Approvals
Environments in Azure Pipelines can enforce:
- Manual approval from specified users or groups before deployment
- Automated gate checks (query Azure Monitor for zero errors, check work item completion)
- Exclusive lock (only one deployment to an environment at a time)
GitHub Actions Integration
GitHub Actions uses YAML workflows stored in .github/workflows/. Key similarities and differences with Azure Pipelines:
- GitHub Actions uses
workflow_dispatch,push,pull_requesttriggers - Jobs run on
runs-on: ubuntu-latest(GitHub-hosted runners) or self-hosted runners - Secrets stored in GitHub Settings > Secrets and accessed as
${{ secrets.SECRET_NAME }} - Azure login action uses service principal credentials for Azure resource access
Domain 4: Security and Compliance (10-15%)
DevSecOps Integration
Shift-left security means integrating security earlier in the development lifecycle:
- Static Application Security Testing (SAST): Analyzing source code for vulnerabilities without executing it. Tools: GitHub CodeQL, SonarQube, Checkmarx
- Software Composition Analysis (SCA): Scanning dependencies for known vulnerabilities. Tools: GitHub Dependabot, OWASP Dependency-Check, Snyk
- Secret scanning: Detecting credentials accidentally committed to repositories. GitHub Advanced Security provides this natively.
- Container image scanning: Scanning Docker images for OS and application vulnerabilities before deployment
Compliance and Audit
- Azure Policy for DevOps: Enforcing that deployed infrastructure meets policy requirements
- Audit logs: Azure DevOps provides comprehensive audit logs of all organization-level events
- Traceability: Linking work items, commits, pull requests, and deployments for full change traceability
Domain 5: Implement Instrumentation (10-15%)
Application Insights
Application Insights provides application performance monitoring (APM) for web applications:
- Request rates, response times, and failure rates
- Dependency tracking (database calls, external HTTP calls)
- Custom events and metrics from application code
- User behavior analytics (page views, user flows)
- Live Metrics Stream: Real-time monitoring during deployments
Monitoring in Pipelines
Best practices for pipeline observability:
- Adding test result publishing tasks to surface test failures in pipeline runs
- Configuring release gates that query Azure Monitor for error rates before proceeding
- Using Application Insights availability tests to validate deployments
"Candidates who understand how to configure Application Insights instrumentation, interpret distributed traces, and use those insights to create deployment gates are well-prepared for the AZ-400 monitoring domain. The exam goes beyond just knowing that Application Insights exists -- it tests whether you can use it effectively." -- Microsoft Certified Trainer guidance
Frequently Asked Questions
How long does AZ-400 preparation take? Most candidates need 2-4 months of dedicated preparation, assuming they already hold AZ-104 or AZ-204. The preparation requires significant hands-on time building Azure Pipelines and GitHub Actions workflows. Candidates who attempt to study conceptually without building actual pipelines typically fail the scenario-heavy questions.
What is the hardest domain in AZ-400? The build and release pipelines domain (Domain 3) is both the heaviest (40-45% of exam weight) and the most difficult because it requires practical YAML pipeline knowledge. Questions often describe a specific deployment requirement and ask which YAML configuration, deployment strategy, or approval gate setup would satisfy it.
Should I focus on Azure DevOps or GitHub for AZ-400? The exam covers both platforms. Azure DevOps is tested more heavily because it has more features to configure (Boards, Repos, Pipelines, Test Plans, Artifacts), but GitHub Actions and GitHub Advanced Security are tested meaningfully. Spend approximately 60% of your pipeline practice time in Azure DevOps and 40% in GitHub Actions.
References
- Microsoft. (2025). Exam AZ-400: Designing and Implementing Microsoft DevOps Solutions. https://learn.microsoft.com/en-us/credentials/certifications/exams/az-400/
- Microsoft. (2025). Azure Pipelines Documentation. https://learn.microsoft.com/en-us/azure/devops/pipelines/
- Microsoft. (2025). GitHub Actions Documentation. https://docs.github.com/en/actions
- Humble, J., & Farley, D. (2010). Continuous Delivery: Reliable Software Releases through Build, Test, and Deployment Automation. Addison-Wesley.
- Kim, G., Behr, K., & Spafford, G. (2018). The Phoenix Project. IT Revolution Press.
- OWASP Foundation. (2025). DevSecOps Guideline. https://owasp.org/www-project-devsecops-guideline/