AZ-400: how to pass Microsoft's only DevOps Engineer Expert exam
An 8-week AZ-400 plan covering Azure DevOps, GitHub Actions, IaC, and the case-study format that throws off otherwise-prepared candidates.
AZ-400 is Microsoft's Designing and Implementing Microsoft DevOps Solutions exam. $165 USD, 40–60 questions, 150 minutes, two case studies plus standard items, scaled passing 700/1000. It's the only path to the DevOps Engineer Expert credential, and you can't sit it without first holding either AZ-104 (Administrator) or AZ-204 (Developer).
The "expert" tier is what makes AZ-400 different from the role-based associates. The case studies are real. The content spans CI/CD, infrastructure as code, source control strategy, security, and observability across both Azure DevOps and GitHub. Eight weeks at 8–10 hours a week is the realistic target if your AZ-104 or AZ-204 is fresh.
What's on the exam
The current exam guide breaks into five domains:
| Domain | Weight |
|---|---|
| Design and implement processes and communications | 10–15% |
| Design and implement a source control strategy | 10–15% |
| Design and implement build and release pipelines | 50–55% |
| Develop a security and compliance plan | 10–15% |
| Implement an instrumentation strategy | 5–10% |
Build and release pipelines is half the exam. That's where you have to be sharp. Everything else is supporting.
What "build and release pipelines" actually means in 2026:
- Azure DevOps Pipelines in YAML form (the classic visual editor still exists but is essentially deprecated for new work).
- GitHub Actions, which Microsoft now positions as roughly co-equal: the exam will give you scenarios where the right answer is "use GitHub Actions" and the wrong answers are Azure DevOps, and vice versa. Read the scenario carefully.
- Self-hosted vs. Microsoft-hosted runners / agents, including pool sizing, demand caching, and cost.
- Approvals, environments, deployment gates, and pre/post-deployment conditions.
- Multi-stage pipelines, blue-green and canary patterns, ring deployments.
- Artifact management: Azure Artifacts, GitHub Packages, generic feeds.
- Secrets handling: Key Vault tasks, GitHub Encrypted Secrets, OpenID Connect (OIDC) federation between GitHub and Azure (this has been heavily emphasized in 2025-2026 questions; service principals with secrets are increasingly the wrong answer).
Plus IaC. Bicep is the Microsoft-native answer, Terraform is the second-class but still-tested answer. ARM templates show up in older question pools but newer items lean on Bicep. Expect both `az deployment group create` and `terraform plan`/`apply` syntax in scenario questions.
Prerequisite: pick AZ-104 or AZ-204
Microsoft requires one of them as a co-requisite for the expert credential. Pick based on what you actually do:
- AZ-104 if your background is operations, infrastructure, sysadmin, or platform engineering. Your AZ-400 prep will be heavier on the developer-side topics (artifacts, branching, code-quality tooling).
- AZ-204 if your background is software development. Your AZ-400 prep will be heavier on the ops-side topics (Azure Monitor, App Insights, agent pools, IaC).
Don't take both before AZ-400. The extra cert doesn't help on the AZ-400 itself, and you can backfill whichever one matters for your job later if you actually need it.
Week-by-week plan
Week 1: source control and branching
The smallest domain by weight, but the entry point. Read up on Git workflow patterns: GitHub Flow, GitFlow (still asked despite being out of fashion), trunk-based development, release branches, hotfix branches. Learn the difference between a pull-request merge, squash merge, and rebase merge.
In Azure DevOps Repos and GitHub: branch policies, required reviewers, build validation, status checks. Practice setting these up by hand in both products. Microsoft loves the "configure a branch policy that requires X" question pattern, and the menu is in a slightly different place in each product.
Week 2: Azure DevOps Pipelines deep dive
Spend the week in YAML pipelines. Build at least three:
- A simple build-and-test pipeline for a sample app.
- A multi-stage pipeline with `dev`, `staging`, `prod` environments and approvals on staging and prod.
- A pipeline that consumes a self-hosted agent pool and another that uses a Microsoft-hosted pool.
Get fluent with templates and template parameters. Microsoft tests the template-extension and template-include patterns directly. Know `extends` vs `template` syntax.
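As a starting point for those exercises, here is an added example (not from the original article) of a multi-stage pipeline that reuses one stage template per environment through the template-include pattern. The file paths, the `make test` command, and the `SelfHostedLinux` pool name are assumptions; the `dev`, `staging`, and `prod` environments are assumed to exist already, with approvals configured on them as checks.

```yaml
# ---- azure-pipelines.yml (constructed example) ----
trigger:
  branches:
    include: [main]

stages:
  - stage: build
    jobs:
      - job: build_and_test
        pool:
          vmImage: ubuntu-latest          # Microsoft-hosted agent
        steps:
          - script: make test             # placeholder build/test command
            displayName: Build and test

  # Template include: the same stage file is reused once per environment.
  - template: templates/deploy-stage.yml
    parameters: { envName: dev, dependsOn: build }
  - template: templates/deploy-stage.yml
    parameters: { envName: staging, dependsOn: dev }
  - template: templates/deploy-stage.yml
    parameters:
      envName: prod
      dependsOn: staging
      pool: { name: SelfHostedLinux }     # hypothetical self-hosted pool name
---
# ---- templates/deploy-stage.yml (constructed example) ----
parameters:
  - name: envName
    type: string
  - name: dependsOn
    type: string
  - name: pool
    type: object
    default: { vmImage: ubuntu-latest }   # falls back to a Microsoft-hosted agent

stages:
  - stage: ${{ parameters.envName }}
    dependsOn: ${{ parameters.dependsOn }}
    jobs:
      - deployment: deploy
        environment: ${{ parameters.envName }}   # approvals and checks are set on the environment
        pool: ${{ parameters.pool }}
        strategy:
          runOnce:
            deploy:
              steps:
                - script: echo "Deploying to ${{ parameters.envName }}"
```

The `extends` pattern differs in direction: instead of the pipeline pulling in a template, the pipeline file declares `extends: template:` and the template owns the overall structure.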
Week 3: GitHub Actions
Mirror week 2 but in GitHub Actions. Build the same three pipelines. Pay close attention to:
- The `permissions` block on a job: least privilege matters here and it's an exam pattern.
- Reusable workflows (`workflow_call`) and composite actions; know which is which.
- Environments and required reviewers, which mirror the Azure DevOps concept but with their own UI.
- OIDC federation: configure a federated credential on a Microsoft Entra ID app registration and authenticate from a GitHub Actions workflow without any client secret. This single exercise teaches you what's likely to be on three exam questions.
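The `permissions` block and the OIDC exercise fit in one workflow. The following is an added example, not code from the original article; the repository variables, the `rg-example` resource group, and the `infra/main.bicep` path are assumptions, and the service-principal-with-secret form it replaces is shown commented out for comparison.

```yaml
# .github/workflows/deploy.yml (constructed example)
name: deploy
on:
  push:
    branches: [main]

permissions: {}             # start with no GITHUB_TOKEN scopes; grant per job

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: prod       # required reviewers are configured on this environment
    permissions:
      id-token: write       # lets the job request a GitHub OIDC token
      contents: read        # needed by actions/checkout
    steps:
      - uses: actions/checkout@v4

      # Secret-based form this replaces (long-lived client secret stored in GitHub):
      #   - uses: azure/login@v2
      #     with:
      #       creds: ${{ secrets.AZURE_CREDENTIALS }}

      # OIDC form: three identifiers, none of them a credential.
      - uses: azure/login@v2
        with:
          client-id: ${{ vars.AZURE_CLIENT_ID }}
          tenant-id: ${{ vars.AZURE_TENANT_ID }}
          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}

      - name: Preview infrastructure changes
        run: >
          az deployment group what-if
          --resource-group rg-example
          --template-file infra/main.bicep

# The federated credential on the Entra ID app registration must match the token:
#   issuer:   https://token.actions.githubusercontent.com
#   subject:  repo:<org>/<repo>:environment:prod
#   audience: api://AzureADTokenExchange
```

Because the job names an environment, the token's subject claim is environment-scoped; a federated credential written for a branch subject will not match it and the login step fails.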
Week 4: IaC
Bicep first. Author a Bicep file that deploys an App Service plan, an App Service, and an Application Insights resource. Deploy it with `az deployment group create`. Refactor it into modules. Add a what-if step. Add it to a pipeline.
Then Terraform. Deploy the same shape with the AzureRM provider. Configure a remote backend in Azure Storage. Note the differences in state management: this is where Bicep and ARM differ from Terraform fundamentally, and the exam expects you to know.
ARM templates: read enough of one to recognize syntax. You won't have to write one but you'll see them in case studies.
Week 5: security and compliance
Key Vault integration in pipelines: variable groups linked to Key Vault, the Azure Key Vault task, GitHub's `azure/get-keyvault-secrets` action.
Defender for DevOps and Microsoft Defender for Cloud's DevOps security recommendations. The 2024-2025 exam refresh added more of this; know what Defender for DevOps connects to (GitHub, Azure DevOps, GitLab, Bitbucket) and what it surfaces (secret scanning, IaC scanning, code scanning, dependency scanning).
GitHub Advanced Security: code scanning with CodeQL, secret scanning, dependency review. Know which features are GHAS (paid) and which are free.
Compliance scanning in pipelines: WhiteSource Bolt is gone; Mend Bolt is the renamed version, and Microsoft's first-party answer is now Defender for DevOps plus GHAS. Old study materials will get this wrong.
Week 6: monitoring and feedback
Application Insights wiring into a pipeline (release annotations, deployment markers). Azure Monitor alerts that gate deployments. The integration between alerts and Azure Boards / GitHub Issues for automatic ticket creation.
Feature flags via Azure App Configuration and the `Microsoft.FeatureManagement` library. Microsoft tests the design-pattern answer: know when a feature flag is the right call vs. a deployment ring vs. a canary.
Week 7: case-study practice
Take a full-length practice exam under timed conditions, with the case studies. Two case studies will eat 35–45 minutes of your 150; budget accordingly. The mistake most candidates make is trying to read the entire case study on first pass; instead, skim it once, jump to the questions, and re-read only the case-study sections relevant to each question.
After the practice exam, identify weak domains. For most candidates that's IaC syntax (Bicep modules vs. Terraform modules), security tooling (which Defender does what), or the OIDC federation flow.
Week 8: drill, gap-fill, exam
Practice exams every other day. Read every wrong answer's explanation. Microsoft Learn's official AZ-400 path is the source of truth for any disagreement between sources; vendor study guides have lagged on the 2024-2025 exam refresh.
Schedule the exam. Pearson VUE or online proctored. The case studies feel different online (you can't easily flip between sections), so if you're not confident with the format, take it at a testing center.
Style of the exam
Two things throw off otherwise-prepared candidates:
- The case studies. They're long, prose-heavy, and the questions inside them require you to hold a lot of context at once. Practice them.
- The "best answer" framing. Multiple options are technically correct; the exam wants the cleanest, most aligned-with-Microsoft-best-practices answer. When a question lists Azure DevOps Pipelines and GitHub Actions as alternatives and the scenario doesn't strongly favor one, the answer is usually whichever one the rest of the case study has already standardized on.
Career fit
AZ-400 is a useful credential if you're a working DevOps / platform engineer at a Microsoft shop and want the expert tier on your résumé. It's not the right cert for someone trying to break into DevOps from outside; get hands-on experience first, then come back. Total comp for senior DevOps engineers in the US in 2026 lands $150k–$220k base depending on metro, with FAANG-adjacent roles pushing higher; AZ-400 is a clean filter into that band but won't conjure the experience.
When you're ready to grind questions, the AZ-400 question bank on CertLabPro covers the case-study format. Treat the case studies as their own discipline: they're the part of AZ-400 that hands-on experience alone doesn't fully prepare you for.