Microsoft Azure DevOps Engineer Expert
225 practice questions
Last reviewed: April 2026
Personal notes and resource links for your study journey
Filter by Certification
AZ-400 is Microsoft's expert-level DevOps credential β paired with either AZ-104 or AZ-204 to confer the Microsoft Certified: DevOps Engineer Expert title. It validates the ability to design and implement DevOps practices at scale: build and release pipelines (Azure DevOps and GitHub Actions), source-control strategy, security and compliance integration (DevSecOps, Microsoft Defender for DevOps), instrumentation, and team / process design. The audience is senior platform engineers, SREs, and lead developers responsible for delivery pipelines across multiple teams. Expect 40β60 questions in 120 minutes including drag-and-drop, hot-area, multiple-response, and at least one case study with scenario-driven items.
Largest domain by far at 52%. Azure Pipelines and GitHub Actions (YAML, templates, agent pools, environments, approvals), package management, IaC (Bicep / Terraform / ARM), database deployments, secret management, and progressive-delivery patterns (blue-green, canary, feature flags).
About 12%. Agile / Scrum implementation in Azure Boards / GitHub Projects, work-item flow, value-stream mapping, and stakeholder communication patterns.
About 12%. Git branching strategies (trunk-based, GitHub flow, GitFlow), repo structure (monorepo vs. multi-repo), pull-request policies, code-owner requirements, and large-file / submodule handling.
About 12%. DevSecOps integration: Microsoft Defender for DevOps, GitHub Advanced Security (CodeQL, secret scanning, dependency review), SBOMs, supply-chain security, and policy-as-code.
About 12%. Application Insights, Azure Monitor, Log Analytics, distributed tracing, dashboards, alerts, and SRE-style SLO / error-budget design.
Services you'll encounter on the exam and why each one matters.
Hosted DevOps suite bundling Pipelines, Repos, Boards, Artifacts, and Test Plans into project-scoped collaboration with org-level identity.
Why it's on the exam: Domain 1 (Build and Release Pipelines) and Domain 2 (Processes and Communications) treat Azure DevOps as the integrated platform β service connections, agent pools, and project structure surface throughout.
Hosted CI/CD service running multi-stage YAML pipelines on Microsoft-hosted or self-hosted agents, with environments, approvals, and gates for promotion.
Why it's on the exam: Domain 1 (52% of the exam) is dominated by Pipelines β stage templates, parallel jobs, deployment strategies, manual approvals, and cross-org pipeline runs.
Hosted Git (and TFVC) repositories with branch policies, required reviewers, build validation, status checks, and PR-driven workflows.
Why it's on the exam: Domain 3 (Source Control Strategy) tests branch policies, trunk-based vs. GitFlow, and PR-driven gating as the source-control discipline AZ-400 expects.
Work-item tracking across Agile, Scrum, and CMMI templates with backlogs, sprints, queries, dashboards, and Git/Pipelines deep links.
Why it's on the exam: Domain 2 (Processes and Communications) names Boards as the planning and traceability surface β linking commits and builds back to work items.
Universal package feed for NuGet, npm, Maven, Python, and Cargo, plus upstream sources, retention policies, and views for promotion (e.g. @prerelease β @release).
Why it's on the exam: Domain 1 expects Artifacts as the AZ-400 answer for internal package distribution, versioned promotion across environments, and upstream-source caching.
YAML-based CI/CD running on GitHub-hosted or self-hosted runners with reusable workflows, environments, OIDC federation to Azure, and matrix builds.
Why it's on the exam: Domain 1 covers GitHub Actions alongside Azure Pipelines β exam questions test workflow choice, OIDC-to-Azure auth, and Actions-vs-Pipelines tradeoffs.
Manual and exploratory testing with test cases, suites, runs, and integration to Pipelines for automated-test result publishing and coverage.
Why it's on the exam: Domain 1 names Test Plans for the manual-test gates that complement automated suites in regulated release pipelines.
Code, secret, and dependency scanning (CodeQL, Dependabot, secret scanning, custom patterns) integrated into PR checks for both GitHub and Azure Repos.
Why it's on the exam: Domain 4 (Security and Compliance Plan) tests shift-left security β GHAS is the named Microsoft-stack answer for SAST/SCA gating in pipelines.
Declarative infrastructure-as-code over Azure Resource Manager β Bicep DSL transpiles to ARM JSON, with modules, what-if previews, and deployment stacks.
Why it's on the exam: Domain 1 + Domain 4 lean on Bicep/ARM for reproducible environment provisioning, what-if change preview, and IaC scanning in CI.
HashiCorp Terraform with the AzureRM and AzAPI providers, state in Azure Storage with blob locking, and Terraform tasks for Azure Pipelines.
Why it's on the exam: Domain 1 (IaC choice) tests Terraform vs. Bicep tradeoffs and the canonical remote-state pattern using Azure Storage with blob lease locks.
Control-plane API beneath every Azure deployment β resource groups, providers, role assignments, locks, tags, and deployment scope (subscription/management group).
Why it's on the exam: Domain 1 + Domain 4 expect ARM scope awareness for tenant/management-group/subscription deployments and the locks/tags that gate destructive automation.
PaaS web hosting with deployment slots for staging, swap-with-preview, traffic routing for canary releases, and slot-level app settings.
Why it's on the exam: Domain 1 (deployment strategy) names slot-swap and traffic routing as the PaaS-native blue/green and canary mechanism on App Service.
Managed Kubernetes with managed node pools, GitOps via Flux, AKS Automatic, workload identity, and Azure Monitor container insights.
Why it's on the exam: Domain 1 + Domain 5 (Instrumentation) test AKS deployment patterns β GitOps reconciliation, blue/green via Helm/Argo CD, and container observability.
Managed Docker/OCI registry with geo-replication, content trust, ACR Tasks for build automation, and Defender for Cloud image scanning.
Why it's on the exam: Domain 1 + Domain 4 expect ACR as the AZ-400 image registry, with Tasks-driven base-image-update rebuilds and signed-image promotion gates.
Cloud-hosted VS Code dev environments backed by a devcontainer.json spec, with pre-builds, secrets, and parity to local Docker-based dev containers.
Why it's on the exam: Domain 2 (Processes and Communications) tests Codespaces / Dev Containers for "works on my machine" parity and onboarding-time reduction.
APM service capturing request rates, dependencies, exceptions, distributed traces, and Live Metrics, with smart-detection anomaly alerts on releases.
Why it's on the exam: Domain 5 (Instrumentation Strategy) is built on App Insights β release-annotated dashboards, smart detection during canary, and OpenTelemetry ingestion.
Identity platform with service principals, managed identities, workload identity federation (OIDC), and Conditional Access for human and CI/CD actors.
Why it's on the exam: Domain 4 tests passwordless OIDC federation from GitHub Actions / Pipelines to Azure, plus managed-identity-only deployments β Entra is the named identity.
Managed store for secrets, certificates, and keys with RBAC/access-policy modes, versioning, soft-delete, purge protection, and HSM-backed Managed HSM.
Why it's on the exam: Domain 4 names Key Vault for CI/CD secret injection (Pipelines Key Vault task, Actions OIDC + Key Vault read) and as the canonical alternative to plaintext variables.
Unified metrics + logs platform with Kusto Query Language (KQL), action groups, alert rules, workbooks, and release annotations from Pipelines.
Why it's on the exam: Domain 5 (Instrumentation) expects Azure Monitor + Log Analytics for KQL-based release-health dashboards and Pipelines-driven alert-rule deployment.
Unified posture management across Azure DevOps and GitHub β exposing IaC misconfigurations, exposed secrets, and code-scanning findings in Defender for Cloud.
Why it's on the exam: Domain 4 (Security and Compliance Plan) names Defender for DevOps as the cross-repo posture surface for centralized DevSecOps governance.
$130kβ$175kβ$240k USD annual
AZ-400 is one of the highest-paying Microsoft certs in the market. Range covers US-based senior DevOps engineers; FAANG / fintech / Microsoft-partner principal SREs and platform engineers often clear $300k TC. Cert is a screening signal; demonstrated production DevOps and SRE leadership drive the high end.
Source: levels.fyi 2025 DevOps / SRE / platform-engineer roles, U.S. BLS OEWS May 2024 (15-1252 software developers, 15-1244 network and computer systems administrators), Glassdoor 2025. Figures are approximate; actual compensation depends on role, region, and experience.
AZ-400 is the canonical DevOps credential for Azure-aligned platform organizations and one of the most-requested expert-level Microsoft certs in senior engineering JDs. Recruiters at financial services, healthcare, government, and Microsoft-partner consultancies use it as evidence that a candidate can credibly design pipelines, source-control strategy, and security integration across multiple teams. It pairs naturally with AZ-104 (most common pairing) or AZ-204 (developer-track pairing) to confer the DevOps Engineer Expert title. Many candidates add AZ-500 for security-leaning DevSecOps roles or AZ-305 to broaden into architecture work.
AZ-400 is the only Microsoft expert-level cert that requires a co-cert: candidates must hold either AZ-104 (Administrator Associate) or AZ-204 (Developer Associate) to be awarded the Microsoft Certified: DevOps Engineer Expert title. The exam itself can be taken in any order, but the Expert title is only granted once both are held.
Microsoft recommends three to five years of professional development or operations experience, including significant time with Azure DevOps Services, GitHub Actions, and at least one IaC tool (Bicep, Terraform, ARM). The official Microsoft Learn path covers all five domains in roughly 40β50 hours. Hands-on lab time across both Azure DevOps Services and GitHub is essentially required β Microsoft has aggressively expanded GitHub Actions coverage in recent refreshes, so candidates whose only experience is Azure Pipelines should plan extra time on GitHub-specific scenarios.
AZ-400 sits in the Expert tier β Microsoft's top difficulty band, alongside AZ-305 and SC-100. Plan on 100β140 hours of study over 10β14 weeks with senior DevOps experience and prior Azure exposure; substantially longer without that background. The exam runs about 120 minutes with 40β60 questions in multiple-choice, multiple-response, drag-and-drop, hot-area, and case-study formats. Case studies are timed separately and cannot be revisited once you move past them.
The most common stumbling block is keeping Azure DevOps and GitHub Actions distinctions straight β Microsoft's recent refreshes have rebalanced toward GitHub Actions and the unified GitHub Advanced Security toolchain, so candidates with deep ADO experience but light GitHub exposure (or vice versa) often need to backfill. The build-and-release domain at 52% means pipeline-design fluency is the single highest-leverage area to study.
Most recent skills-measured update. Expanded GitHub Actions coverage, added Microsoft Defender for DevOps and GitHub Advanced Security, modernized supply-chain-security framing. Microsoft refreshes AZ-400 approximately every 12β18 months without changing the exam code.
Restructured into the current five-domain layout, rebalanced the build-and-release pipelines domain to 52% weight, and integrated GitHub-first content alongside Azure DevOps.
Initial GA, replacing the retired AZ-400 (legacy code) and the AZ-401 transition exam. Original outline focused on Azure DevOps Services and on-premises TFS / Azure DevOps Server.
AZ-400 (Microsoft Azure DevOps Engineer Expert) is a a challenging, scenario-heavy exam that requires deep hands-on experience and the ability to make architectural trade-off decisions Expert-level exam. Most candidates need 150β300 hours of study spread over 3β6 months for professional and expert-level exams. These exams typically expect prior associate-level proficiency. Most candidates who score consistently above the passing threshold on practice exams pass on their first attempt.
Most candidates need 150β300 hours of study spread over 3β6 months for professional and expert-level exams. These exams typically expect prior associate-level proficiency. Time-to-pass varies widely by prior experience. Engineers with hands-on production experience in the underlying technology typically need less; candidates new to the platform should plan toward the upper end of that range.
AZ-400 is a recognized credential in the Azure ecosystem and signals validated knowledge to employers, recruiters, and clients. Whether it is worth the time and fee for you depends on your role and goals β it tends to pay off most for cloud engineers, architects, and consultants who work with Azure day-to-day or want to move into roles that do.
The passing score for AZ-400 is 700 / 1000. The exam contains 50 questions and lasts 2 hr.
The AZ-400 exam fee is $165 USD. Fees are set by Azure and may vary by region; always confirm the current price on the official Azure certification page before booking.
Microsoft role-based certifications expire after 1 year but can be renewed for free via an unproctored online assessment on Microsoft Learn, starting 6 months before expiration.
Yes. You can take the exam online (proctored via the provider's secure browser, available 24/7 in most regions) or at an in-person Pearson VUE test center during business hours. Both formats use the same questions, time limit, and passing score.
CertLabPro provides 15 study modes across the practice question bank for AZ-400. The exam-simulation mode mirrors the real exam: 50 questions in 2 hr, with the same passing threshold of 700 / 1000. Browse mode lets you read every Q&A statically.