In 2023, a mid-level Azure developer spent three weeks preparing for AZ-400 by focusing exclusively on Azure Pipelines YAML. He'd built CI/CD pipelines daily for two years, could write multi-stage YAML from memory, and felt confident going in. He failed with a score of 660. The domains that sank him: GitHub Actions OIDC authentication, Azure Artifacts feed governance, and Azure Policy integration with pipelines — all content his developer background had never demanded. His story is the most common AZ-400 failure pattern. The exam is specifically designed to expose whichever half of the DevOps stack your background hasn't covered.
Microsoft requires you to hold either AZ-104 (Azure Administrator Associate) or AZ-204 (Azure Developer Associate) before you can earn AZ-400 (Azure DevOps Engineer Expert). This isn't arbitrary gatekeeping — it reflects that DevOps work genuinely sits at the intersection of infrastructure administration and application development. The prerequisite you hold shapes which domains will require heavy study and which you can work through quickly.
Most failing AZ-400 candidates share one profile: they treated it as an Azure Pipelines configuration exam and ignored the 15-20% of content that requires deep understanding of either cloud infrastructure (if they came from a developer background) or application deployment patterns (if they came from an operations background). The dual-path nature of the prerequisite is the exam's design telling you what knowledge gaps to fill.
The Two Paths and What Each Means
AZ-104 path — the administrator coming to DevOps: you understand Azure infrastructure, networking, identity, and governance deeply. You're comfortable with ARM templates and Azure Policy. Your gap is on the development side: you may not fully understand artifact management strategies, branching models in Git, or continuous testing integration patterns.
AZ-204 path — the developer coming to DevOps: you understand Azure application services, SDK patterns, and deployment from a developer perspective. Your gap is governance, security policy enforcement at scale, and infrastructure management patterns.
| Prerequisite | Strong Areas on AZ-400 | Study-Heavy Areas |
|---|---|---|
| AZ-104 (Admin) | IaC, governance, security compliance | Branching strategies, artifact management, test integration |
| AZ-204 (Developer) | Azure Pipelines YAML, app deployment | Azure Policy, governance integration, container registry security |
Both paths arrive at the same exam. The difference is where you spend your preparation time, not whether the exam is achievable. Most candidates with the right prerequisite and 8-12 weeks of structured study pass on their first attempt.
AZ-400 Exam Structure
Exam format: 40-60 questions, 120 minutes. Passing score: 700/1000. Cost: $165. Validity: 1 year with free annual renewal via Microsoft Learn.
The eight domains and approximate weights:
| Domain | Weight | Key Focus |
|---|---|---|
| Configure processes and communications | 10% | Azure Boards, process customization |
| Design and implement source control | 15% | Git branching strategies, GitHub vs Azure Repos |
| Design and implement build and release pipelines | 40% | Azure Pipelines YAML, GitHub Actions, release gates |
| Develop a security and compliance plan | 10% | OWASP integration, dependency scanning, secrets management |
| Implement an instrumentation strategy | 10% | Azure Monitor, Application Insights, dashboards |
| Design and implement a dependency management strategy | 15% | Azure Artifacts, feed governance, upstream sources |
Build and release pipelines at 40% is the dominant domain. This single domain determines whether you pass or fail. Within it: multi-stage YAML pipelines, environment approvals, variable groups with Azure Key Vault integration, deployment strategies (blue/green, canary, rolling), and agent pools.
Understanding the weighting correctly shapes your preparation ratio. Candidates who spend equal time on all domains misallocate their study hours. The Pipelines domain should receive roughly 40% of your active practice time — not just reading, but writing and running YAML pipelines in a real Azure DevOps project.
Azure Pipelines YAML: What the Exam Actually Tests
Azure Pipelines YAML — the declarative pipeline-as-code format where CI/CD workflows are defined in .yml files committed to source control alongside application code.
Most candidates understand basic pipeline stages. AZ-400 tests the complexity layers.
Variable Groups and Key Vault Integration
Variable groups — reusable sets of variables shared across multiple pipelines. When linked to Azure Key Vault — Microsoft's secrets management service — variable groups automatically pull secrets at pipeline run time without exposing them in YAML.
The exam specifically tests:
- How to link a variable group to an Azure Key Vault
- The permission model: the service principal running the pipeline needs
getandlistaccess on the Key Vault - The difference between regular variables (stored in Azure DevOps) and Key Vault-linked variables (fetched at runtime)
- What happens when a Key Vault secret rotates — does the pipeline pick up the new value automatically?
The answer is yes — because the variable group fetches the current secret at each pipeline run. This is a recurring exam scenario type. Candidates who haven't linked variable groups to Key Vault in practice often get this wrong because they assume the pipeline stores a cached copy of the secret.
Environment Protection Rules and Approvals
Environments — logical deployment targets (staging, production) where you can define protection rules: required approvals, branch filters, and business hour restrictions.
The exam tests configuring a production environment to require approval from a specific Azure DevOps group before deployment. It also tests gates — automated pre-deployment and post-deployment checks like Service Now ticket status, Azure Monitor alert health, or external REST API validation — and how they differ from manual approvals.
Gates evaluate a condition automatically on a schedule and block deployment until the condition is met. Approvals require a human to explicitly approve. The exam presents scenarios where one or the other is the correct tool, and the distinction turns on whether the check is automated or human-driven.
Multi-Stage Pipeline Structure
AZ-400 questions present YAML snippets and ask which change is needed to require approval before deploying to production. The answer: configure the production environment with a required approver. The YAML pipeline structure itself doesn't change — environment configuration controls the approval requirement, not the YAML file.
This distinction trips up many candidates who look for a pipeline-level syntax change when the solution is an environment-level UI configuration.
A numbered list of the YAML concepts the exam tests most frequently:
dependsOn— declaring stage and job dependencies to control execution ordercondition— conditional execution of stages, jobs, or steps based on prior resultsresources— referencing container images, repositories, pipelines, and feedstemplate— reusing YAML structure across pipelines with parameter passingenvironment— defining deployment targets with protection rulesstrategy— declaring rolling, canary, or blue/green deployment behavior
GitHub Actions on AZ-400
The 2023 AZ-400 update significantly expanded GitHub Actions content. Candidates who studied pre-2023 materials consistently report being unprepared for the GitHub-specific questions.
GitHub Actions — GitHub's native CI/CD automation system that uses YAML workflow files stored in .github/workflows/.
OIDC Authentication to Azure
OIDC — OpenID Connect, a protocol that allows GitHub Actions workflows to authenticate to Azure without storing long-lived credentials as GitHub Secrets.
Instead of storing a service principal's client secret in GitHub, OIDC creates a trust relationship where GitHub Actions presents a short-lived token that Azure validates. The exam tests:
- Why OIDC is preferred over client secrets: no credential rotation required, tokens expire automatically, reduced blast radius if the GitHub repository is compromised
- The Azure configuration required: a federated identity credential on the managed identity or service principal, specifying the GitHub organization, repository, and branch or environment
- The GitHub Actions workflow permissions block required:
permissions:
id-token: write
contents: read
Without id-token: write, the workflow cannot request the OIDC token. This missing permission is a common exam trap.
Reusable Workflows
Reusable workflows — GitHub Actions workflows callable from other workflows, enabling DRY (Don't Repeat Yourself) pipeline patterns across repositories.
The exam tests when to use reusable workflows (same deployment logic deployed across many services in different repositories) versus composite actions (shared step groups within a single workflow). The key distinction: reusable workflows operate at the workflow level and can contain jobs; composite actions operate at the step level.
A common exam question format presents a scenario where multiple teams need to use the same deployment logic across 15 different microservice repositories. The correct answer is reusable workflows, not composite actions and not duplicating the YAML in each repository.
Azure Artifacts: Dependency Management
Azure Artifacts — Azure DevOps's package management service, supporting NuGet, npm, Maven, Python, and Universal Packages.
Feed Governance
The exam tests several feed governance patterns:
Upstream sources — configuring a feed to proxy packages from public registries (npmjs.com, nuget.org, PyPI) through the organizational feed, enabling security scanning and caching. Teams using upstream sources ensure all packages flow through a controlled point where vulnerability scanning runs.
Feed views — @local, @prerelease, @release views that expose different maturity levels of packages to different consumers. A library team can publish a package to @prerelease for internal testing before promoting it to @release for broader consumption.
Exam scenario: "A team wants to ensure all npm packages come from the internal Azure Artifacts feed and not directly from npmjs.com. What must be configured?" Answer: upstream sources on the feed pointing to npmjs.com, plus .npmrc configuration in developer environments pointing to the organizational feed's npm endpoint.
Retention policies are also tested — configuring Azure Artifacts to automatically delete old package versions after a set number of days or when a newer version is published. This reduces storage costs and prevents stale packages from being consumed accidentally.
Preparation Strategy by Background
"The candidates who fail AZ-400 most often are Azure Pipelines experts who ignored GitHub Actions, and GitHub Actions experts who ignored Azure Artifacts and governance. The exam requires breadth across the DevOps toolchain, not depth in just the one tool you use daily at work." — John Savill, Microsoft Azure MVP and creator of the most-watched AZ-400 YouTube content
For AZ-104 Holders
John Savill's AZ-400 YouTube content — Savill specifically addresses the admin-to-DevOps transition, with emphasis on deployment pipeline patterns that infrastructure engineers haven't typically encountered in their work.
Build a complete multi-stage pipeline — create an Azure DevOps project, write a YAML pipeline with multiple stages, variable groups linked to Key Vault, and environment approval gates configured in the Azure DevOps UI. This hands-on work fills the practical gap that video-only study leaves.
Study GitHub Actions OIDC specifically — use Microsoft's documentation on federated identity credentials and the
azure/loginGitHub Action. The GitHub Actions content is non-optional since the 2023 exam update.Practice Git branching strategies — AZ-400 tests Gitflow, trunk-based development, and GitHub Flow at a decision-making level. Understand which strategy suits which project type and team size, and be able to identify which strategy a described workflow represents.
For AZ-204 Holders
Scott Duffy's AZ-400 course (Udemy) — strong on governance and policy integration, which developers typically haven't worked with deeply. The Azure Policy integration with DevOps pipelines section addresses the most common gap for this profile.
Study Azure Policy compliance gates — specifically how policy compliance results can block pipeline deployments when resources don't meet organizational standards. This requires understanding both Azure Policy configuration (usually an operations topic) and how pipelines query compliance status.
Practice ARM template and Bicep deployment in pipelines — developers from application code backgrounds often haven't written infrastructure-as-code definitions. AZ-400 tests IaC deployment in pipelines at a depth that requires writing, not just reading, templates.
Study container registry security — Azure Container Registry tasks, image scanning with Defender for Containers, and access control patterns are tested from a governance perspective that developers often encounter only at the application level.
Practice Exam Resources and Timing
MeasureUp AZ-400 practice exams: the CompTIA-endorsed provider also covers Microsoft certifications. MeasureUp questions are authorized by Microsoft and closely match real exam formatting.
Whizlabs AZ-400: cheaper than MeasureUp, good question volume, slightly lower accuracy but useful for breadth coverage across all domains.
Scott Duffy's Udemy practice tests: included with the course, scenario-based questions that mirror the exam's situational format.
Readiness threshold: score consistently at 75%+ on practice exams before scheduling. AZ-400 uses scenario-based questions where multiple answers are plausible and the correct choice requires understanding the specific constraint specified in the scenario. Candidates scoring 70-75% on practice exams fail at higher rates because the scenario nuance that distinguishes correct from plausible-but-wrong answers isn't yet intuitive.
Two named examples illustrate this threshold's importance. Rachel, a senior Azure DevOps engineer at a consulting firm, scheduled her exam after scoring 72% on her first practice test run, telling herself the real exam would be similar enough. She scored 685 — just below passing. She spent two more weeks on GitHub Actions and Artifacts, pushed her practice score to 80%, and passed with 735 on her second attempt. James, a DevOps architect who took 10 weeks of structured preparation including hands-on labs, passed with 790 on his first attempt having never scored below 78% in practice.
| Study Phase | Activity | Duration |
|---|---|---|
| Week 1-2 | Read exam skills outline, take baseline practice exam | Establish weaknesses |
| Week 3-6 | Video course + hands-on labs for each domain | Core content acquisition |
| Week 7-8 | Practice exams by domain, targeted review | Fill identified gaps |
| Week 9-10 | Full timed practice exams, review all wrong answers | Readiness validation |
See also: AWS DevOps Engineer Professional: the CI/CD and infrastructure domains, AZ-104 Azure Administrator: domains with highest question density
References
- Microsoft. AZ-400: Designing and Implementing Microsoft DevOps Solutions — Exam Skills Outline. Microsoft, 2024. https://learn.microsoft.com/en-us/credentials/certifications/devops-engineer/
- Microsoft. Azure Pipelines YAML Schema Reference. Microsoft Learn, 2024. https://learn.microsoft.com/en-us/azure/devops/pipelines/yaml-schema/
- Savill, John. AZ-400 Study Cram and Full Course. YouTube/NTFAQGuy, 2024. https://www.youtube.com/c/NTFAQGuy (Microsoft Azure MVP, most-viewed AZ-400 free content)
- Microsoft. GitHub Actions OIDC Authentication to Azure. Microsoft Learn, 2024. https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure
- Duffy, Scott. AZ-400 Designing and Implementing DevOps Solutions. Udemy, 2024. (Primary third-party paid course for AZ-400)
- Microsoft. Azure Artifacts — Feed Management and Upstream Sources. Microsoft Learn, 2024. https://learn.microsoft.com/en-us/azure/devops/artifacts/
Frequently Asked Questions
What prerequisites are required for AZ-400?
AZ-400 requires either AZ-104 (Azure Administrator Associate) or AZ-204 (Azure Developer Associate) as an active prerequisite. Both paths lead to the DevOps Engineer Expert designation but create different knowledge gaps. AZ-104 holders typically lack pipeline and developer tooling experience. AZ-204 holders typically lack Azure governance and monitoring depth.
What percentage of AZ-400 covers Azure Pipelines?
The Build and Release Pipelines domain represents 40-45% of the AZ-400 exam, making it by far the largest domain. This domain covers Azure Pipelines YAML syntax including stages, jobs, steps, conditions, templates, and variable groups, as well as deployment strategies, environment configuration, and pipeline security.
Does AZ-400 test GitHub Actions?
Yes, significantly. The 2022-2023 AZ-400 exam refresh substantially increased GitHub Actions coverage. The exam tests workflow syntax, OIDC-based authentication to Azure (federated credentials), GitHub Environments for deployment approvals, and integrating GitHub Actions with Azure services. Candidates must be familiar with both Azure Pipelines and GitHub Actions YAML.
Is AZ-400 harder than AZ-104?
Yes. AZ-400 is an Expert-level certification while AZ-104 is Associate-level. AZ-400 tests both administrative and development perspectives on Azure DevOps, requiring knowledge of CI/CD pipelines, IaC, monitoring, security, and testing strategies. The pipeline domain alone is deeper than most of AZ-104's content.
What is the best study resource for AZ-400?
John Savill's AZ-400 study guide on YouTube (free) is widely considered the most comprehensive free resource. Microsoft Learn's official AZ-400 learning paths are the authoritative content source. For practice exams, Whizlabs and Tutorials Dojo provide AZ-400 specific question banks. Building personal pipelines in a free Azure DevOps organization is essential hands-on practice.