AZ-400 Designing and Implementing Microsoft DevOps Solutions - Practice Test 1

The Scrum process template uses Product Backlog Items (PBIs), Tasks, Bugs, Features, and Epics. It is specifically designed for teams following Scrum methodology with sprints, a product backlog, and the Scrum framework. The Agile template uses User Stories instead of PBIs. CMMI is for formal change management. Basic is a simplified template with Issues and Tasks only. See more: Configure Processes and Communications

"Require a minimum number of reviewers" enforces that PRs have the specified number of approvals (set to 2). "Build validation" triggers a pipeline on the PR and requires it to succeed before the PR can be completed. Together, these two policies satisfy both requirements. Linked work items and comment resolution are useful but don't address the stated requirements. Automatically include reviewers adds reviewers but doesn't enforce a minimum count. See more: Design and Implement Source Control

GitHub Flow uses only one permanent branch (main). Developers create feature branches, open pull requests for review, and merge back to main. It is designed for continuous delivery. Git Flow uses two permanent branches (main and develop) plus feature, release, and hotfix branches. Trunk-Based Development also uses main but developers often commit directly or use very short-lived branches. Release Flow uses release branches cut from main. See more: Design and Implement Source Control

A self-hosted agent is the best choice because: (1) you can install the specific licensed tool, (2) the tool installation persists between runs (unlike Microsoft-hosted agents which start fresh each time), and (3) frequently used dependencies are cached, making builds faster. Microsoft-hosted agents don't support custom VM images. Container jobs on Microsoft-hosted agents still can't use locally licensed software. ACI agents would not retain the tool installation. See more: Design and Implement Build Pipelines

The correct YAML pipeline hierarchy is Pipeline > Stages > Jobs > Steps. A pipeline contains one or more stages (e.g., Build, Test, Deploy). Each stage contains one or more jobs that run on agents. Each job contains steps which are the actual tasks or scripts that execute. Steps are the smallest unit of work in a pipeline. See more: Design and Implement Build Pipelines

In multi-stage YAML pipelines, approvals are configured on Environments in Azure DevOps. You create an environment (e.g., "Production"), add an approval check with required approvers, and reference that environment in your deployment job. The pipeline automatically pauses before the production stage until the designated approvers approve. Manual triggers, REST API gates, and PowerShell pauses don't provide the structured approval workflow needed. See more: Design and Implement Release Pipelines

Deployment groups are designed for deploying to multiple target machines (including on-premises servers). Each server has the Azure Pipelines agent installed and registered to the deployment group. Rolling deployment strategy allows you to update machines in batches (set batch size to 5) and validate each batch before proceeding. AKS is for containerized workloads, not on-premises servers. App Service slots are for web apps, not on-premises. ACI is for serverless containers. See more: Design and Implement Release Pipelines

In Complete mode, ARM deletes resources in the resource group that are not defined in the template. Since the Redis cache is not in the template, it will be deleted. This is why Complete mode should be used cautiously. Incremental mode (the default) would leave the Redis cache unchanged. Always use the what-if operation to preview changes before deploying in Complete mode. See more: Design and Implement Infrastructure as Code

Terraform by HashiCorp is a multi-cloud IaC tool that supports Azure (AzureRM provider), AWS, GCP, and many other providers using a unified HCL syntax. ARM templates and Bicep are Azure-only. PowerShell DSC is for configuration management of machines, not cloud resource provisioning. See more: Design and Implement Infrastructure as Code

Azure Storage backend supports state locking through blob leases. When one user runs terraform apply, a lease is acquired on the state blob, preventing other users from modifying it simultaneously. This prevents state corruption from concurrent operations. Storing state in Git is not recommended. Separate state files would mean each person manages different infrastructure. Workspaces are for managing multiple environments, not concurrency control. See more: Design and Implement Infrastructure as Code

Blue-green deployment provides zero-downtime deployment with instant rollback. You maintain two identical environments (blue and green), deploy the new version to the inactive one, validate it, then switch traffic. If issues occur, you switch traffic back instantly. Rolling deployments have a period of mixed versions. Canary gradually shifts traffic but rollback is slower. In-place deployment causes downtime. See more: Deployments, Packages and Test Plans

The recommended approach is to create a variable group linked to Azure Key Vault. At pipeline runtime, secrets are fetched from Key Vault and mapped to pipeline variables automatically. This centralizes secret management, enables rotation without pipeline changes, and provides audit logging. Hardcoding secrets is insecure. Git-tracked .env files expose secrets in source control. PowerShell scripts work but are not the recommended pattern. See more: Develop a Security and Compliance Plan

GitHub Advanced Security for Azure DevOps (GHAzDO) includes dependency scanning that identifies vulnerable third-party dependencies in your code. When combined with branch policies, it can block PRs that introduce vulnerable dependencies. Azure Policy applies to Azure resources, not code repositories. Azure Monitor doesn't scan code. Branch policy merge type restrictions control how code is merged (squash, rebase), not what code is merged. See more: Develop a Security and Compliance Plan

Dynamic threshold metric alerts use machine learning to learn the historical behavior of a metric and automatically set alert thresholds based on detected patterns. This eliminates the need to manually determine thresholds. Static thresholds require manually set values. Log alerts are based on KQL queries. Activity log alerts trigger on Azure control plane events. See more: Implement an Instrumentation Strategy

Application Insights Application Map provides a visual topology of your distributed application showing all components, their dependencies, and health indicators including response times and failure rates. Service Map shows server-level dependencies (VM connections), not application-level. Network Watcher monitors network connectivity. Azure Advisor provides best practice recommendations, not application topology. See more: Implement an Instrumentation Strategy

Delivery Plans provide a cross-team calendar view showing work items plotted against iterations. Each row represents a team, and columns represent sprints. Delivery Plans support dependency tracking with visual lines between linked work items, making it easy to identify scheduling conflicts. Dashboards show individual team metrics. Backlogs view is team-scoped. Queries return flat lists or trees but don't show cross-team timeline views. See more: Configure Processes and Communications

Git is a distributed version control system where every developer has a full copy of the repository. Developers make changes locally and merge them, so exclusive file locking is not applicable. Conflicts are resolved during merge or rebase. TFVC is centralized and supports exclusive checkout locks. Git does support lock files for binary files (via Git LFS lock) but not the same exclusive checkout model as TFVC. See more: Design and Implement Source Control

Container jobs in YAML pipelines run pipeline steps inside a specified Docker container image. You specify the container image in the YAML file, and the steps execute within that container, ensuring a consistent environment. This ensures specific tool versions and eliminates agent configuration drift. Deployment groups are for multi-server deployment. Self-hosted agents in Docker are different from container jobs. Docker Compose is for multi-container applications. See more: Design and Implement Release Pipelines

terraform plan creates an execution plan showing what resources would be created, modified, or destroyed without actually making changes. It is the preview step. terraform validate checks configuration syntax but doesn't check against actual state. terraform apply makes actual changes (there is no --dry-run flag). terraform init initializes the working directory and downloads providers. See more: Design and Implement Infrastructure as Code

Azure Artifacts provides private NuGet feeds that support versioned package storage and sharing across projects. Organization-scoped feeds are accessible across all projects. Azure Artifacts supports retention policies, upstream sources, and integrates with Azure Pipelines for publishing and restoring packages. Git submodules are harder to manage for binary dependencies. Blob Storage lacks versioning semantics. NuGet.org is public even with unlisted packages. See more: Deployments, Packages and Test Plans

Pre-deployment gates with the "Query Azure Monitor alerts" built-in gate automatically check for active alerts and can block deployment if critical alerts exist. Gates run periodically until they pass or timeout, providing continuous validation without manual intervention. Approvals are manual. Scheduled triggers don't verify system health. A PowerShell script runs once; gates re-evaluate periodically and provide structured pass/fail results. See more: Design and Implement Release Pipelines

Multi-stage builds use multiple FROM statements in a Dockerfile. The first stage builds the application (with all build tools and dev dependencies), and the final stage copies only the production artifacts into a clean, minimal base image. This produces smaller, more secure production images. .dockerignore prevents files from being sent to the build context but doesn't remove them from the image. Setting NODE_ENV helps but doesn't remove build tools from the image. See more: Design and Implement Release Pipelines

Azure Test Plans supports manual testing, scripted test cases, and exploratory testing sessions. The Test and Feedback browser extension enables screenshot capture, screen recording, annotations, and direct bug filing from testing sessions. Azure Boards tracks work items. Azure Pipelines handles CI/CD. Azure Repos manages source code. See more: Deployments, Packages and Test Plans

Service connections in Azure DevOps support pipeline permissions that restrict which pipelines can use them. By default, a service connection is available to all pipelines. You can restrict this to specific pipelines in the security settings. Creating duplicate connections is wasteful and harder to manage. Separate tenants is excessive. Pipeline conditions can be bypassed. See more: Develop a Security and Compliance Plan

The four DORA metrics are: Deployment Frequency (how often code is deployed to production), Lead Time for Changes (time from commit to production), Mean Time to Recovery (MTTR, time to restore service after failure), and Change Failure Rate (percentage of deployments causing failures). These are industry-standard metrics for measuring DevOps team performance and software delivery capability. See more: Implement an Instrumentation Strategy

git cherry-pick applies a specific commit from one branch to another, creating a new commit with the same changes. This is ideal for selectively applying a hotfix without merging all other changes from the release branch. git merge --squash combines all commits but merges the entire branch. git rebase replays all commits from a branch. git stash is for temporarily saving uncommitted changes. See more: Design and Implement Source Control

Flaky test detection in Azure Pipelines identifies tests that have inconsistent results (sometimes pass, sometimes fail without code changes). When enabled, the system tracks test results across runs and flags unreliable tests so teams can prioritize fixing them. Code coverage measures code exercised by tests. Test impact analysis identifies which tests to run based on code changes. Pipeline caching reduces build times. See more: Design and Implement Build Pipelines

SonarCloud (or SonarQube for self-hosted) integrates with Azure Pipelines to perform static code analysis, detecting bugs, code smells, security vulnerabilities, and security hotspots. It supports quality gates that can fail the build if quality thresholds are not met. Azure Monitor and Application Insights are for runtime monitoring. Azure Advisor provides cloud optimization recommendations. See more: Design and Implement Build Pipelines

The swap operation exchanges the routing between two deployment slots. It is an atomic operation that instantly switches production traffic to the staging slot's code. The swap also pre-warms the new version before switching, preventing cold-start issues. If problems are detected after the swap, you can swap again to roll back. Redeploying takes time and causes downtime. Deleting and renaming is not a standard operation. Traffic Manager adds DNS-level complexity. See more: Deployments, Packages and Test Plans

Azure Container Registry (ACR) is a managed Docker registry service for storing and managing Docker container images and OCI artifacts. ACR supports geo-replication, automated image builds (ACR Tasks), and integrates with AKS, Azure Pipelines, and other container services. AKS is a Kubernetes orchestrator. ACI runs containers serverlessly. App Service hosts web applications. See more: Design and Implement Release Pipelines

Secure Files in Azure DevOps stores files that are needed during pipeline execution but should not be in source control. Files are encrypted at rest and can only be consumed by authorized pipelines using the DownloadSecureFile task. This is perfect for signing certificates, provisioning profiles, and SSH keys. Public blob storage is insecure. Base64-encoding a certificate in a variable group is fragile. Git submodules still put the file in a repository. See more: Develop a Security and Compliance Plan

Service hooks in Azure DevOps enable integration with external services by triggering actions when events occur. Slack is a supported service hook target. You configure a service hook subscription for pipeline completion events that posts messages to a Slack channel. This is the recommended approach. Email integration is indirect. Logic Apps add unnecessary complexity. Custom Functions require development and maintenance. See more: Configure Processes and Communications

Code Wiki publishes Markdown files from a code repository as wiki pages. This keeps documentation versioned alongside the code it describes. Project Wiki is managed directly in the Azure DevOps portal (backed by an auto-created Git repo). "Team Wiki" and "Shared Wiki" are not specific Azure DevOps wiki types. See more: Configure Processes and Communications

The Azure Boards app for GitHub enables linking GitHub commits and PRs to Azure Boards work items by including AB#<work-item-id> in commit messages or PR descriptions. For example, "Fixed login bug AB#1234" automatically links the commit to work item 1234. This requires installing the Azure Boards app from the GitHub Marketplace. Webhooks don't provide this bi-directional linking. Manual linking is not scalable. Git tags don't integrate with Azure Boards. See more: Design and Implement Source Control

Azure Automation State Configuration uses PowerShell DSC to define desired states and automatically remediate drift. Nodes check in periodically with the DSC pull server and reapply the configuration if it has drifted. Custom Script Extension runs once during provisioning, not continuously. ARM template redeployment manages Azure resources, not VM internal configuration. Azure Policy can enforce some settings but is not designed for comprehensive CM configuration management. See more: Design and Implement Infrastructure as Code

The Cache task stores and restores files (like NuGet packages) between pipeline runs. The cache key is based on a hash of lock files (e.g., packages.lock.json), so packages are restored from cache when dependencies haven't changed, dramatically reducing restore time. Pipeline artifacts are for sharing build outputs between stages. Template parameters are for pipeline configuration. Parallel jobs run multiple jobs simultaneously but don't reduce individual task time. See more: Design and Implement Build Pipelines

Workload Identity Federation is the recommended authentication method for Azure Pipelines service connections. It eliminates the need to manage secrets (no client secret or certificate rotation required) by using federation between Azure DevOps and Azure AD. Username/password is insecure and not supported. PATs are for API access, not service connections. Managed Identity is for Azure resources, not Azure DevOps pipelines. See more: Develop a Security and Compliance Plan

Azure Traffic Manager with weighted routing distributes traffic across endpoints based on assigned weights. Setting the current version to weight 90 and the new version to weight 10 achieves the 10/90 canary split across regions. Traffic Manager works at the DNS level across regions. Application Gateway and Load Balancer work within a single region. Azure Front Door could work but Traffic Manager with weighted routing is the most direct solution for cross-region traffic splitting. See more: Deployments, Packages and Test Plans

A metric alert with a static threshold is ideal for monitoring specific metric values against fixed thresholds (CPU > 95% for 5 minutes). Metric alerts evaluate at regular intervals with low latency. Log alerts are for querying log data, not real-time metric thresholds. Activity log alerts trigger on administrative events. Smart detection is an Application Insights feature for anomaly detection. See more: Implement an Instrumentation Strategy

Upstream sources in Azure Artifacts allow a feed to proxy packages from public registries like npmjs.com. When a package is requested, the feed checks locally first, then fetches from upstream sources if not found, and caches a copy. This provides a single feed URL for developers. Feed views are for package promotion. Multiple .npmrc sources can cause reliability issues. Pipeline tasks don't help at development time. See more: Deployments, Packages and Test Plans

Bicep is a domain-specific language that compiles (transpiles) to ARM JSON templates. The compiled JSON is then deployed through the standard ARM API. Bicep offers a cleaner, more concise syntax with features like type safety, modules, and automatic dependency management. It is not a separate engine, not a Terraform wrapper, and supports all Azure resource types. See more: Design and Implement Infrastructure as Code

Pipeline triggers (defined under resources: pipelines in YAML) run a pipeline when a specified upstream pipeline completes. This enables creating pipeline chains where a build pipeline triggers a deployment pipeline. CI triggers fire on code push. Scheduled triggers run on a cron schedule. PR triggers run when a pull request is created or updated. See more: Design and Implement Build Pipelines

GitHub Advanced Security for Azure DevOps (GHAzDO) includes secret scanning that automatically detects committed secrets like API keys, passwords, tokens, and connection strings. It scans push events and historical commits. Azure Policy is for Azure resource compliance. Build validation runs builds but doesn't specifically scan for secrets. SonarCloud detects code quality issues but is not specifically designed for secret detection. See more: Develop a Security and Compliance Plan

Rolling update is the default Kubernetes deployment strategy. It gradually replaces old pods with new ones, ensuring availability throughout the update. If new pods fail readiness/liveness probes, the rollout pauses and can be rolled back with kubectl rollout undo. Recreate takes all pods down before starting new ones (causes downtime). Blue-green requires manual service configuration. Canary with manual routing adds complexity. See more: Design and Implement Release Pipelines

Test impact analysis identifies which tests are affected by code changes and runs only those tests, significantly reducing test execution time. It works by tracking the mapping between code changes and test methods. Pipeline caching reduces package restore time, not test time. Parallel jobs split tests across agents but still run all tests. Flaky test detection identifies unreliable tests but doesn't reduce the number of tests run. See more: Design and Implement Build Pipelines

Azure Compute Gallery (formerly Shared Image Gallery) is designed for creating, versioning, and sharing VM images across subscriptions and regions. It supports image versioning, replication to multiple regions, and can be referenced by VM Scale Sets. Custom Script Extension runs scripts at provisioning time but doesn't create reusable images. ACR is for container images. Blob Storage doesn't provide image management capabilities. See more: Design and Implement Infrastructure as Code

Slot-sticky settings (also called deployment slot settings) remain with the slot during a swap. This means the production slot keeps its production connection string and the staging slot keeps its staging connection string, even though the code swaps between them. This prevents staging code from accidentally using production databases before the swap, and ensures production always uses production connections. See more: Deployments, Packages and Test Plans

The recommended pattern is: (1) Run terraform plan in the PR pipeline so reviewers can see the planned changes, (2) Save the plan file as a pipeline artifact, (3) After PR merge, the CI pipeline runs terraform apply using the saved plan with an approval gate. This ensures all changes are reviewed (plan visible in PR) and approved before application. Running apply in a PR is dangerous. Nightly schedules delay deployments. Manual deployment is not automated. See more: Design and Implement Infrastructure as Code

Tree of work items query returns work items in a parent-child hierarchical structure, showing the relationship between epics, features, user stories, and tasks. Flat list returns a simple list without hierarchy. Direct links shows work items with their direct link relationships (not necessarily parent-child). Cross-project is not a distinct query type in Azure Boards. See more: Configure Processes and Communications

Microsoft recommends YAML pipelines for all new Azure Pipelines. YAML pipelines are defined as code, version-controlled, support templates and reuse, and provide multi-stage build and release in a single file. Classic pipelines (both build and release) use a visual designer but lack version control and are considered legacy. There is no JSON pipeline format in Azure DevOps. See more: Design and Implement Build Pipelines