TechWithUtsav
advancedAZ-4008-10 weeks prep6 min read

AZ-400: Azure DevOps Engineer Expert — Study Guide

Complete study guide for the AZ-400 Azure DevOps Engineer Expert exam. Covers CI/CD pipelines, source control, IaC, testing, security, monitoring, and release strategies.

azureaz-400devopsazure-pipelinesiacmonitoringrelease-managementsecurityadvanced

Domains

8

Key concepts

13

Study time

8-10 weeks

Exam Overview

DetailInfo
Exam codeAZ-400
Duration120 minutes
Questions40–60 (scenario-based)
Passing score700 / 1000
Cost~$165 USD
ValidityRenew annually
PrerequisiteMust hold AZ-104 OR AZ-204 to earn the Expert badge

Domain Weightings

DomainWeight
Configure processes and communications10–15%
Design and implement source control15–20%
Design and implement build and release pipelines40–45%
Develop a security and compliance plan10–15%
Implement an instrumentation strategy10–15%

Domain 1: Processes and Communications (10–15%)

Agile and work tracking

  • Azure Boards — work items, backlogs, sprints, Kanban boards.
  • Process templates — Agile, Scrum, CMMI. Choose at project creation (immutable).
  • Traceability — link commits/PRs to work items; link builds to releases; full audit trail.

Metrics and reporting

  • DORA metrics — Deployment Frequency, Lead Time for Changes, Change Failure Rate, MTTR. AZ-400 tests your ability to instrument these.
  • Azure DevOps Analytics — Power BI integration; built-in dashboards for sprint velocity, pipeline success rate.

Domain 2: Source Control (15–20%)

Git branching strategies

StrategyDescriptionUse case
Trunk-basedAll devs commit to main; feature flags for incomplete workHigh-velocity teams, CI-heavy
Feature branchBranch per feature; PR back to mainMost common; good isolation
Gitflowmain + develop + feature/release/hotfix branchesScheduled release cycles
GitHub FlowFeature branches + PRs to main; deploy on mergeContinuous deployment

AZ-400 recommendation: Trunk-based development + feature flags is preferred for reducing merge conflicts and enabling CI.

Branch policies (Azure Repos)

  • Require PR reviewers (minimum count, specific reviewers).
  • Require linked work items.
  • Require successful build before merge.
  • Comment resolution required.
  • Restrict direct pushes to protected branches.

Large file and monorepo strategies

  • Git LFS — store large binary files outside the repo; Git tracks pointers.
  • Sparse checkout — check out only a subtree of a large monorepo.
  • TFVC vs Git — TFVC is centralised (legacy); Git is distributed (preferred).

Domain 3: Build and Release Pipelines (40–45%)

Azure Pipelines structure

# Multi-stage pipeline example
trigger:
  branches:
    include: [main]

stages:
  - stage: Build
    jobs:
      - job: BuildApp
        steps:
          - task: DotNetCoreCLI@2
            inputs:
              command: build
          - task: PublishPipelineArtifact@1

  - stage: Test
    dependsOn: Build
    jobs:
      - job: RunTests
        steps:
          - task: DotNetCoreCLI@2
            inputs:
              command: test

  - stage: DeployStaging
    dependsOn: Test
    environment: staging
    jobs:
      - deployment: DeployToStaging
        strategy:
          runOnce:
            deploy:
              steps:
                - task: AzureWebApp@1

  - stage: DeployProd
    dependsOn: DeployStaging
    environment: production   # has approval gate
    jobs:
      - deployment: DeployToProd
        strategy:
          canary:
            increments: [10, 20, 100]
            deploy:
              steps:
                - task: AzureWebApp@1

Release strategies

StrategyDescriptionRollback
Blue-GreenTwo identical environments; swap routingInstant (switch back)
CanaryRoute % of traffic to new version; increase graduallyReduce % to 0
RollingReplace instances in batchesRe-deploy previous version
Feature flagsNew code deployed but behind a flagToggle flag off

Deployment environments and approvals

  • Environments — logical deployment targets (staging, production); track deployments.
  • Approval gates — require human sign-off before a stage runs.
  • Automated gates — query Azure Monitor, Datadog, REST API for go/no-go signal.
environment:
  name: production
  resourceType: Kubernetes

Container and Kubernetes deployments

  • Azure Container Registry (ACR) — build + push images; vulnerability scanning.
  • Helm — package Kubernetes apps; helm upgrade --install in pipelines.
  • Rolling updates / blue-green in AKS — Kubernetes Deployment rollout strategies.
  • ArgoCD / Flux — GitOps operators; AZ-400 increasingly tests these.

Infrastructure as Code in pipelines

  • Bicep / ARMAzureResourceManagerTemplateDeployment@3 task.
  • TerraformTerraformTaskV4@4 task; remote state in Azure Storage.
  • Ansible — configuration management; post-deploy configuration drift correction.
  • Immutable infrastructure — rebuild rather than patch; use Azure Image Builder.

Domain 4: Security and Compliance (10–15%)

Shift-left security (DevSecOps)

Integrate security into every pipeline stage — not just at the end.

StageSecurity task
CodeSAST (static analysis) — SonarQube, Checkmarx, GitHub CodeQL
BuildDependency scanning — Mend (WhiteSource), Snyk, OWASP Dependency-Check
ContainerImage scanning — Trivy, ACR vulnerability scanning
DeployDAST (dynamic analysis) — OWASP ZAP, Burp Suite against staging
RuntimeRASP, WAF, Defender for DevOps

Secret management in pipelines

  • Azure Key Vault taskAzureKeyVault@2 — fetch secrets at runtime; never hardcode.
  • Pipeline variable groups — link to Key Vault; variables resolved at run time.
  • Secret scanning — enable GitHub Advanced Security / Azure DevOps advanced security to detect leaked secrets in commits.

Compliance and auditing

  • Azure Policy as Code — store policies in Git; deploy via pipeline.
  • Compliance gates — query Security Center / Defender for Cloud score before releasing to prod.
  • SBOM (Software Bill of Materials) — generate and publish component inventory.

Domain 5: Instrumentation Strategy (10–15%)

Monitoring for DevOps

  • Application Insights — distributed tracing, dependency maps, failure analysis, live metrics.
  • Azure Monitor Workbooks — custom dashboards combining metrics, logs, and maps.
  • Log Analytics — centralise pipeline agent logs, app logs, infra logs; query with KQL.

Feedback loops

  • Release annotations — mark deployments in Application Insights; correlate releases to errors.
  • Availability tests — synthetic monitors that ping your app from multiple Azure regions.
  • Smart Detection — ML-based anomaly alerts; no threshold configuration required.

Telemetry in pipelines

# Azure Monitor alert based on deployment health
- task: AzureMonitor@0
  inputs:
    connectedServiceName: AzureSubscription
    resourceGroupName: prod-rg
    filterType: resource
    # Gate: block deployment if active alerts exist

Study Plan (8–10 Weeks)

WeeksFocus
1–2Azure Pipelines — YAML pipelines, stages, jobs, steps, templates
3Source control — branching strategies, PR policies, Git workflows
4Container deployments — Docker, ACR, Helm, AKS pipelines
5IaC in pipelines — Bicep, Terraform, ARM deployments
6Release strategies — Blue-green, canary, feature flags, approval gates
7Security — SAST, DAST, dependency scanning, Key Vault integration
8Monitoring — Application Insights, Monitor alerts, feedback loops
9–10Full practice exams + build real pipelines in your own project

Key Resources

ResourceNotes
Microsoft Learn AZ-400Free official learning path
Ned Bellavance (Pluralsight)Strong pipeline-focused course
Pixel Robots (YouTube)Free hands-on AZ-400 content
Azure DevOps LabsFree guided hands-on labs at azuredevopslabs.com
Tutorials DojoPractice exams