Microsoft · AZ-400
Expert-level exam that measures your ability to design and implement processes, source control strategies, build and release pipelines, security and compliance plans, and instrumentation strategies for DevOps solutions.
Questions
622
Duration
150 minutes
Passing Score
700/1000
Difficulty
ExpertLast Updated
Jun 2026
This AZ-400 practice exam prepares you for Designing and Implementing Microsoft DevOps Solutions, the exam behind the DevOps Engineer Expert certification. It is built around the way Microsoft weights the real exam, where designing and implementing build and release pipelines alone makes up 50 to 55 percent of your score, so the questions give you heavy, repeated exposure to CI/CD across Azure DevOps and GitHub.
Beyond pipelines, you will practice source control strategy, process and communication design, security and compliance planning, and instrumentation. Remember that passing AZ-400 only grants the Expert title once you also hold AZ-104 or AZ-204, so plan your certification path accordingly. The explanations connect each answer back to the tooling and tradeoffs you face when running production DevOps.
Use the free preview to benchmark yourself, then work through the full bank until you can consistently clear 700 out of 1000. The certification is valid for one year and renews free online, so treat this practice as the start of an ongoing DevOps learning routine.
The AZ-400 exam validates expert-level proficiency in designing and implementing DevOps solutions on Microsoft Azure, covering the full software delivery lifecycle from source control and CI/CD pipelines to security, compliance, and observability. The exam was last updated on July 26, 2024, and spans five major domains: processes and communications, source control strategy, build and release pipelines (the heaviest domain at 50–55%), security and compliance, and instrumentation. Candidates are assessed on both Azure DevOps and GitHub as delivery platforms, with a strong emphasis on YAML-based pipeline authoring, infrastructure as code using Bicep and Azure Resource Manager, and integration with Microsoft security tooling such as GitHub Advanced Security and Microsoft Defender for Cloud.
The certification leads to the Microsoft Certified: DevOps Engineer Expert credential, one of Microsoft's highest-tier role-based certifications. It reflects the breadth of skills required to bridge development and operations teams, automate software delivery pipelines, implement scalable IaC strategies, and embed security and monitoring throughout the development lifecycle. The exam content spans multiple Azure services including Azure Pipelines, Azure Repos, Azure Artifacts, Azure Boards, Azure Key Vault, Azure Monitor, Application Insights, and Azure App Configuration, making it one of the broadest Azure expert-level exams available.
This exam is aimed at experienced developers and infrastructure administrators who operate at the intersection of software engineering and cloud operations. Ideal candidates hold hands-on experience with both Azure DevOps and GitHub, have already earned either the Azure Administrator Associate (AZ-104) or Azure Developer Associate (AZ-204) certification, and work—or aspire to work—on cross-functional teams alongside developers, site reliability engineers, Azure administrators, and security engineers.
Typical job roles that benefit from this certification include DevOps Engineer, Release Engineer, Platform Engineer, Cloud Infrastructure Engineer, and Site Reliability Engineer. Candidates should be comfortable designing branching strategies, authoring multi-stage YAML pipelines, managing secrets and service connections, configuring deployment patterns such as blue-green and canary releases, and integrating security scanning tools into pipelines. A background in scripting, cloud-native tooling, and agile delivery methodologies is strongly recommended.
Microsoft does not impose formal prerequisites to register for the AZ-400 exam, but earning the resulting Microsoft Certified: DevOps Engineer Expert certification requires holding either the Microsoft Certified: Azure Administrator Associate (AZ-104) or Microsoft Certified: Azure Developer Associate (AZ-204) credential. These associate certifications ensure candidates have foundational competence in either Azure infrastructure management or Azure application development before attempting the expert-level exam.
Beyond formal certification requirements, candidates are strongly advised to have practical, hands-on experience implementing both Azure DevOps and GitHub solutions in production or near-production environments. Microsoft recommends proficiency in at least one of the two core disciplines (administration or development) along with experience designing CI/CD pipelines, managing Git repositories at scale, working with Azure Key Vault, and implementing Infrastructure as Code using Bicep or Azure Resource Manager templates. Familiarity with Kusto Query Language (KQL) for log analysis and with GitHub Advanced Security features is also beneficial given the breadth of the exam's security and instrumentation domains.
The AZ-400 exam is administered by Pearson VUE and can be taken via online proctoring or at an authorized testing center. The time limit is 150 minutes, and a passing score of 700 on a 1–1000 scale is required. The exam is available in ten languages: English, Japanese, Chinese (Simplified), Chinese (Traditional), Korean, German, French, Spanish, Portuguese (Brazil), and Italian; candidates taking a non-English version may request 30 additional minutes. Pricing varies by country and region.
The exam uses a variety of question formats typical of Microsoft expert-level exams, including multiple choice, multiple select, drag-and-drop, case studies, and lab-based or scenario-driven questions. Microsoft does not publish an exact question count, but the exam is structured around the five scored domains listed in the official study guide. A free Practice Assessment is available on Microsoft Learn (Assessment ID 56) that closely mirrors the style and difficulty of actual exam questions. The certification renews annually via a free online assessment on Microsoft Learn.
Earning the Microsoft Certified: DevOps Engineer Expert via AZ-400 positions professionals for senior-level roles including DevOps Engineer, Platform Engineer, Site Reliability Engineer, and Cloud Automation Architect. In the United States, certified Azure DevOps engineers typically command annual salaries ranging from $100,000 to $160,000 depending on experience, geography, and industry vertical. The certification serves as a strong differentiator in organizations that have standardized on the Microsoft Azure and GitHub ecosystem, which includes a large share of enterprise environments undergoing cloud-native transformation.
The DevOps Engineer Expert is one of Microsoft's most comprehensive expert-level credentials and is frequently cited by hiring managers as evidence of end-to-end delivery competence rather than narrow tool expertise. Unlike associate-level certifications, AZ-400 demonstrates proficiency that spans security engineering, infrastructure automation, release management, and observability—making certified professionals valuable contributors to platform, infrastructure, and application teams alike. The certification must be renewed annually via a free online assessment on Microsoft Learn, ensuring certified individuals stay current with the platform's evolving capabilities.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 622 questions.
Preview — answers shown1. A branch policy on the main branch of an Azure Repo requires all pull requests to have a successful build before they can be merged. A specific user, the release manager, must be able to merge a hotfix urgently, even if the build fails. To grant this permission while adhering to the principle of least privilege, where should this override be configured?
Explanation
The most precise and least-privileged way to grant this permission is in the Security settings for the specific branch (main). Within the branch's security configuration, you can find the 'Bypass policies on pull requests' permission. Granting 'Allow' for this permission to the release manager's user account will let them override the build policy, but only on that specific branch and only for pull requests. This is much more targeted than granting broad administrative or repository-wide permissions.
2. A release pipeline needs to generate release notes automatically. The notes must contain a list of all 'Feature' and 'Bug' work items associated with the release. Which three components are needed to build this automation?
Explanation
The three necessary components are: First, a Personal Access Token (PAT) with permissions to read work items. This will be used to securely authenticate to the Azure DevOps REST API. Second, a saved Work Item Query that is configured to find all 'Feature' and 'Bug' work items linked to the current build. Third, a PowerShell (or Bash) task in the release pipeline. This script will use the PAT to call the REST API, execute the saved query, parse the JSON results, and format them into a markdown file for the release notes.
3. A team needs to send a daily summary of application exceptions to a Microsoft Teams channel. The exceptions are automatically captured in Application Insights. Which two Azure services should be used together to create this automated reporting workflow with minimal code?
Explanation
The best combination is Azure Logic Apps and Azure Application Insights. You can create a Logic App with a 'Recurrence' trigger to run once a day. This Logic App can then use the 'Run Analytics query' action to query the exceptions table in Application Insights for the last 24 hours. Finally, it can use the built-in 'Post a message' connector for Microsoft Teams to format and send the summary. This entire workflow can be built in a low-code, visual designer.
4. A release pipeline for an Azure App Service has an approval process where a team lead must sign off before deploying to production. The company policy allows for an eight-hour approval window. However, the pipeline is currently configured with a two-hour timeout, causing deployments to fail if the approval is delayed. Where should a DevOps engineer adjust the settings to extend this approval timeout to the required eight hours?
Explanation
The correct place to change this setting is in the Pre-deployment conditions. The approval happens before the deployment to a stage begins. Within the pre-deployment conditions, there is a specific Timeout setting for manual approvals that dictates how long the pipeline will wait for a person to approve or reject the release before it automatically fails. This needs to be set to 8 hours. The Time between re-evaluation of gates is incorrect because it applies to automated checks (gates), not manual human approvals. Post-deployment conditions are incorrect because they apply after a stage has completed, not before. The agent job timeout is incorrect as it limits how long the agent can run tasks, not how long it waits for an approval.
5. A team needs to deploy an application using Helm to an RBAC-enabled Azure Kubernetes Service (AKS) cluster. The pipeline needs an identity to authenticate to the cluster. What is the correct sequence of actions to set this up securely?
Explanation
The standard, secure procedure is: First, create a dedicated identity for the pipeline by creating a service principal in Azure AD. You then grant this service principal an appropriate role (like 'Azure Kubernetes Service Cluster User Role') on the AKS cluster resource in Azure. Second, you create an 'Azure Resource Manager' service connection in your Azure DevOps project, configuring it to use the service principal you just created. Finally, in your pipeline's Helm task, you select this service connection, which allows the pipeline to securely authenticate to the cluster and perform the deployment.
To earn the DevOps Engineer Expert certification you must also hold either AZ-104 (Azure Administrator Associate) or AZ-204 (Azure Developer Associate). You can sit AZ-400 in any order, but the title is only granted once you hold a qualifying associate certification.
AZ-400 costs USD $165 in the United States, with the price varying by country or region.
You need 700 out of 1000. It is a scaled score, not a raw percentage.
It is an expert-level exam covering a broad DevOps toolchain across Azure DevOps and GitHub. The build and release pipelines domain alone is 50 to 55 percent of the exam, so deep CI/CD experience matters.
Designing and implementing processes and communications (10-15%), source control (10-15%), build and release pipelines (50-55%), security and compliance (10-15%), and instrumentation (5-10%).
Yes. The DevOps Engineer Expert certification is valid for one year and is renewed free through an online, open-book assessment on Microsoft Learn within the six months before it expires.
Candidates with hands-on Azure and DevOps experience commonly spend roughly 6 to 10 weeks. This is a community estimate, not an official Microsoft figure.
For DevOps and cloud engineers in the Microsoft ecosystem it is a recognized expert credential validating CI/CD, infrastructure as code, DevSecOps, and source control across Azure DevOps and GitHub.
Microsoft Dynamics 365 Supply Chain Management Functional Consultant Expert (MB-335)
MB-335 · 2039 questions
Microsoft Dynamics 365 Business Central Functional Consultant (MB-800)
MB-800 · 1899 questions
Microsoft Certified: Azure AI Engineer Associate (AI-102)
AI-102 · 1392 questions
Microsoft Certified: Windows Server Hybrid Administrator Associate (AZ-801)
AZ-801 · 1376 questions
Microsoft Dynamics 365 Finance Functional Consultant (MB-310)
MB-310 · 1299 questions
Microsoft 365 Certified: Fundamentals (MS-900)
MS-900 · 1201 questions
$17.99
One-time access to this exam