AZ-400 Designing and Implementing Microsoft DevOps Solutions - Practice Test 3

The "Check for linked work items" branch policy requires that pull requests have one or more associated work items before they can be completed. This ensures traceability between code changes and requirements. Reviewers require human approval. Build validation triggers CI. Comment resolution requires all PR comments to be resolved. See more: Design and Implement Source Control

"git init" creates a new Git repository in the current directory by creating a .git subdirectory with the repository structure. "git clone" copies an existing remote repository. "git start" and "git new" are not valid Git commands. See more: Design and Implement Source Control

The "and()" function combines multiple conditions that must all be true. Here, both the source branch must be 'refs/heads/main' AND the build reason must be 'IndividualCI'. The first option only checks the branch. The "or()" function requires only one condition to be true. "always()" runs regardless of conditions. See more: Design and Implement Build Pipelines

Azure Pipelines allows you to rerun only the failed jobs in a multi-stage pipeline without rerunning successful stages. This saves time and resources when a transient failure occurs. Triggers start pipelines automatically. Caching stores dependencies. Templates provide reusable pipeline definitions. See more: Design and Implement Build Pipelines

A schedule linked to a runbook in Azure Automation triggers the runbook at specified intervals (e.g., weekly). The runbook contains the PowerShell script logic. A runbook alone is the script definition without scheduling. Webhooks trigger runbooks via HTTP. DSC configurations manage desired state, not scheduled scripts. See more: Design and Implement Infrastructure as Code

The Kanban board in Azure Boards displays work items in columns that represent workflow stages. Teams can customize columns, set WIP limits, and drag items between stages. Sprint backlog shows items assigned to a sprint. Queries return filtered work item lists. Delivery Plans show timeline views across teams. See more: Configure Processes and Communications

The Terraform azurerm backend uses Azure Blob Storage lease-based locking. When a Terraform operation begins, it acquires a lease on the state blob, preventing other operations from modifying it simultaneously. This prevents state corruption from concurrent access. Table Storage locks, pipeline restrictions, and ARM resource locks are not used for this purpose. See more: Design and Implement Infrastructure as Code

The Build history chart widget displays the pass/fail rate of builds over a configurable time period. It shows trends in build health and success rates. Query tile shows work item counts. Burndown chart tracks remaining work in a sprint. Velocity chart shows completed work per sprint over time. See more: Configure Processes and Communications

Auto-swap in Azure App Service automatically swaps a deployment slot to production after the slot finishes warming up. You enable it on the staging slot and deploy there; once warm-up completes, Azure swaps it to production. Manual swap requires human action. Traffic routing sends a percentage of traffic. Swap with preview requires confirmation before completing. See more: Deployments, Packages and Test Plans

Azure DevOps provides official Teams apps (Azure Boards, Azure Pipelines, Azure Repos) that integrate directly with Microsoft Teams channels. These apps send notifications for builds, releases, work item updates, and pull requests. Webhooks require custom integration. REST API requires custom code. Monitor alerts are for infrastructure. See more: Configure Processes and Communications

In YAML pipelines, you add a "container" property to a job definition specifying the Docker image. All steps within that job then run inside the container. The syntax is: container: image: ubuntu:20.04. Docker@2 is for building/pushing images. KubernetesManifest deploys to AKS. Self-hosted agents aren't specifically container jobs. See more: Design and Implement Release Pipelines

Service connections in Azure DevOps have pipeline permissions that control which pipelines can use them. You can restrict access to specific pipelines from the service connection's security settings. RBAC controls Azure resource access, not pipeline access. Separate tenants or organizations are unnecessary for this requirement. See more: Develop a Security and Compliance Plan

The PublishCodeCoverageResults task publishes code coverage data (Cobertura, JaCoCo formats) to the pipeline build summary. This produces coverage reports visible in the Azure DevOps UI. PublishTestResults publishes test results, not coverage. PublishBuildArtifacts and PublishPipelineArtifact store build outputs. See more: Design and Implement Build Pipelines

ARM template parameter files support Key Vault references that retrieve secrets at deployment time without exposing them. The syntax references the Key Vault resource ID and secret name. The secret value is never stored in the template or parameter file. Variables are static. Nested templates are for modularity. Outputs return deployment results. See more: Design and Implement Infrastructure as Code

Azure Load Balancer distributes incoming network traffic across multiple backend servers to ensure high availability and reliability during deployments. It supports rolling deployments by removing/adding instances from the backend pool. It doesn't store artifacts, manage DNS, or encrypt traffic (that's the role of other services). See more: Deployments, Packages and Test Plans

Application Insights is an application performance management (APM) service that collects telemetry data from web applications, including request rates, response times, failure rates, dependency calls, and exceptions. Log Analytics queries log data. Service Health tracks Azure platform status. Advisor provides optimization recommendations. See more: Implement an Instrumentation Strategy

OWASP ZAP (Zed Attack Proxy) performs dynamic application security testing (DAST) by scanning running applications for vulnerabilities. OWASP Dependency Check scans project dependencies for known vulnerabilities (CVEs). Both can be integrated as pipeline tasks. Azure Policy checks resource compliance, not application security. NSGs are network-level controls. See more: Develop a Security and Compliance Plan

Dependabot security updates automatically create pull requests to update vulnerable dependencies to the minimum secure version. It monitors dependency files and the GitHub Advisory Database. GitHub Actions runs workflows. Code Scanning finds code vulnerabilities. Secret Scanning detects committed secrets. See more: Develop a Security and Compliance Plan

CI stands for Continuous Integration, the practice of frequently merging code changes into a shared repository and automatically building and testing the code. This helps detect integration issues early. It is a fundamental DevOps practice paired with Continuous Delivery/Deployment (CD). See more: Design and Implement Build Pipelines

Service containers in Azure Pipelines spin up a Docker container (e.g., SQL Server image) alongside the job, providing an isolated database for each pipeline run. The container is destroyed after the job completes. Shared databases have concurrency issues. LocalDB may not be available on all agents. Azure SQL with availability is overkill for testing. See more: Design and Implement Build Pipelines

The Custom Script Extension added to the VMSS model definition runs automatically on every new instance when it is provisioned. This is part of the scale set's instance template. Automation runbooks require separate trigger setup. Policy remediation addresses compliance. Event Grid handles event routing, not configuration. See more: Design and Implement Infrastructure as Code

A no-fast-forward merge (--no-ff) always creates a new merge commit, preserving the branch history and showing where the branch was merged. Fast-forward simply moves the branch pointer without a merge commit. Squash combines all branch commits into one. Rebase replays commits on top of the target branch. See more: Design and Implement Source Control

Pre-deployment gates can include Azure Monitor alert queries that are evaluated repeatedly over a sampling interval. You configure a minimum duration (10 minutes) and the gate must pass consistently for that period. Approvals require manual action. Scheduled triggers are time-based. Post-deployment conditions run after deployment, not before the next. See more: Design and Implement Release Pipelines

Azure Artifacts provides npm feeds for publishing and consuming npm packages within your organization. Feeds support scoping, upstream sources (proxying npmjs.com), and retention policies. Blob Storage doesn't provide npm registry features. GitHub Packages is a GitHub-specific registry. Public npmjs.com exposes packages to everyone. See more: Deployments, Packages and Test Plans

Dynamic threshold alerts use machine learning to analyze historical metric data and automatically determine what constitutes normal vs. anomalous behavior. They adapt to seasonal patterns, reducing false positives compared to static thresholds. Static thresholds require manual values. Log search alerts query log data. Smart detection is specifically for Application Insights anomalies. See more: Implement an Instrumentation Strategy

A system-assigned managed identity on the self-hosted agent VM eliminates the need to store any credentials. Azure manages the identity lifecycle and token issuance. The pipeline tasks use the managed identity to authenticate to Azure resources. Service principals require stored secrets or certificates. PATs are user-scoped tokens. See more: Develop a Security and Compliance Plan

TFVC stands for Team Foundation Version Control, a centralized version control system in Azure DevOps. Unlike Git (distributed), TFVC uses a single server repository with check-in/check-out semantics. It supports workspace mappings and exclusive file locks. Git is now the recommended option for new projects. See more: Design and Implement Source Control

Deploying to a staging slot first allows you to run functional tests against the new version without affecting production. Once tests pass, you swap the staging slot to production. Direct production deployment risks user impact. Feature flags don't address deployment validation. A separate App Service plan is unnecessary overhead. See more: Deployments, Packages and Test Plans

The Terraform AzureRM provider uses the environment variables ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_SUBSCRIPTION_ID, and ARM_TENANT_ID for service principal authentication. These map to the Azure service connection credentials. TF_VAR_ prefix is for Terraform variables, not provider auth. The AZURE_ prefixed variables are for the Azure SDK, not Terraform. See more: Design and Implement Infrastructure as Code

Notification subscriptions are configured under Project settings > Notifications (or personal notifications in user settings). You can create team-level subscriptions that trigger emails based on events like work item assignment. Organization security manages permissions. Pipeline triggers start builds. Board columns manage workflow stages. See more: Configure Processes and Communications

Azure DevOps supports Jenkins service connections that enable Azure Pipelines to trigger Jenkins jobs, download Jenkins artifacts, and integrate Jenkins build results. This provides seamless integration between the two platforms. An agent on Jenkins doesn't help. Webhooks require custom setup. Azure Functions add unnecessary complexity. See more: Design and Implement Build Pipelines

Azure Boards Queries allow you to create flat, tree, or direct-links queries using clauses (field, operator, value) to find work items matching specific criteria. Queries can be shared across the team and used in dashboard widgets. Sprints show iteration work. Backlogs show prioritized lists. Dashboards display widgets. See more: Configure Processes and Communications

Azure Kubernetes Service (AKS) is a managed Kubernetes platform that provides built-in service discovery (DNS-based), load balancing (via Services), rolling updates, self-healing, and horizontal scaling. ACI is for single container groups without orchestration. ACR stores images. App Service for Containers runs single containers. See more: Design and Implement Release Pipelines

A pre-commit hook runs before a commit is created, allowing you to scan staged files for secrets and reject the commit if found. Tools like git-secrets or gitleaks use pre-commit hooks. Post-commit runs after the commit (too late to prevent it). Post-receive runs on the server after push. Pre-rebase runs before rebasing. See more: Develop a Security and Compliance Plan

Application Insights Application Map provides a visual, real-time diagram of your application's components and their dependencies, showing communication patterns, response times, and failure rates between components. Metrics shows time-series data. Alerts notify on conditions. Network Watcher monitors network connectivity. See more: Implement an Instrumentation Strategy

Enabling branch policies on the main branch automatically requires that changes go through pull requests. When any branch policy is enabled, direct pushes are blocked. Denying "Contribute" would prevent all changes including PRs. Organization policies are broader-scoped. Git hooks run locally and can be bypassed. See more: Design and Implement Source Control

The PR trigger (pull request trigger) in Azure Pipelines automatically builds when a pull request is created or updated, including from forked repositories. CI triggers run on push events, not PRs. Scheduled triggers run at specific times. Pipeline resource triggers run when upstream pipelines complete. See more: Design and Implement Build Pipelines

"terraform init" initializes the Terraform working directory by downloading required providers, modules, and configuring the backend for state storage. It must be run before any other Terraform command. "terraform apply" applies changes. "terraform plan" shows the execution plan. "terraform destroy" removes infrastructure. See more: Design and Implement Infrastructure as Code

Using multiple stages (one per region), each deploying to a separate environment with approval checks, provides region-by-region deployment with approval gates. Stage dependencies ensure sequential execution. A single stage can't have mid-job approvals. Deployment groups deploy to machines, not regions. Parallel strategy deploys simultaneously. See more: Design and Implement Release Pipelines

Upstream sources in Azure Artifacts proxy requests to public registries (npmjs.com, nuget.org, etc.) and cache packages as they are consumed. This provides a single feed URL for both internal and public packages. It doesn't mirror the entire registry, block access, or publish to public registries. See more: Deployments, Packages and Test Plans

The Capacity tab within a sprint view allows you to set each team member's capacity in hours per day, their days off, and activity types. This data powers the burndown chart and over/under allocation indicators. Backlogs show prioritized items. Team settings configure team membership. Velocity shows historical completed work. See more: Configure Processes and Communications

Self-hosted agents on VMs within your corporate network can resolve private DNS names because they use the network's DNS servers. Microsoft-hosted agents run in Microsoft's infrastructure without access to private DNS. Deployment groups deploy to servers, they don't run builds. Proxy configurations handle HTTP traffic, not DNS resolution. See more: Design and Implement Build Pipelines

Flux and Argo CD are GitOps operators that run inside the Kubernetes cluster, continuously synchronizing the cluster state with the desired state defined in a Git repository. Azure Pipelines is a CI/CD platform (push-based). Helm is a package manager for Kubernetes. Jenkins is a general CI/CD server. See more: Design and Implement Release Pipelines

Universal Packages in Azure Artifacts are a general-purpose package type that can contain any files or folders, regardless of language or framework. NuGet is specifically designed for .NET packages with dependency resolution. Universal Packages don't require Docker and have no framework restrictions. See more: Deployments, Packages and Test Plans

An action group can contain multiple action types. In this case, you need 2 actions: an SMS notification action and an ITSM connector action. Action groups support combining email, SMS, voice, push, webhook, Logic App, Azure Function, Automation runbook, and ITSM actions. Email is not required. See more: Implement an Instrumentation Strategy

GitHub Secret Scanning automatically detects tokens, API keys, and other secrets that have been committed to the repository. It alerts repository administrators and can block pushes containing secrets with push protection. Dependabot checks dependencies. Code scanning finds code vulnerabilities. Branch protection enforces PR rules. See more: Develop a Security and Compliance Plan

Creating a test directory with a minimal root configuration that calls the module with test inputs is the standard approach for testing Terraform modules in isolation. You can run plan/apply and verify outputs. Validate only checks syntax. Manual review is error-prone. Console tests individual expressions, not full modules. See more: Design and Implement Infrastructure as Code

Azure DevOps supports multiple teams within a single project, each with their own area path, backlog, board, and sprint views. This allows teams to work independently while sharing repos, pipelines, and other project resources. Separate projects or organizations create unnecessary isolation. Tags don't provide separate backlogs. See more: Configure Processes and Communications

The HelmDeploy task (Helm@0 or HelmDeploy@0) in Azure Pipelines installs, upgrades, or rolls back Helm charts on Kubernetes clusters. It handles chart repositories, values files, and release management. KubernetesManifest deploys raw manifests. Docker@2 builds images. AzureCLI runs Azure CLI commands. See more: Design and Implement Release Pipelines

Adaptive sampling in Application Insights automatically adjusts the sampling rate based on telemetry volume. During high traffic, it increases sampling (reduces data sent) to control costs while maintaining statistical accuracy. Fixed-rate uses a constant percentage. Ingestion sampling occurs at the server. Data collection rules configure Log Analytics ingestion. See more: Implement an Instrumentation Strategy