DEV Community

ExamCert.App

The AZ-400 Exam Has a Secret 30% Domain Nobody Studies — And It's Why You'll Fail

Everyone studies Azure Pipelines for the AZ-400. Everyone drills YAML syntax. Everyone memorizes the difference between classic and multi-stage pipelines.

And then they fail.

Because there's a domain on the AZ-400 that accounts for roughly 30% of the exam weight, and almost nobody gives it the attention it deserves: Develop a Security and Compliance Plan.

The Domain Nobody Prepares For

Microsoft updated the AZ-400 exam skills outline in late 2025, and the security/compliance domain now covers:

  • Authentication and authorization strategies — Service connections, managed identities, workload identity federation. You need to know when to use each one, why, and which ones leave a long-lived secret sitting in Azure DevOps.
  • Sensitive information management — Azure Key Vault integration with pipelines, secret scanning, credential rotation patterns. Secrets are pulled at run time and masked in logs, not stored as plain pipeline variables.
  • Security scanning in pipelines — SAST, DAST, SCA tools. Microsoft Defender for DevOps (now DevOps security in Microsoft Defender for Cloud). GitHub Advanced Security for Azure DevOps.
  • Compliance frameworks — Azure Policy, Blueprints (being retired in favor of Template Specs and Deployment Stacks, but still on the outline), governance gates and approval checks in release pipelines.
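Here is what the first two bullets look like in practice, as an added example that is not from the original post: an Azure Pipelines deployment job that authenticates through a service connection and pulls a secret from Key Vault at run time. The service connection name `prod-arm-wif`, the vault `contoso-prod-kv`, the secret `db-password`, the migration script and the web app name are all assumed placeholders, and the connection is assumed to have been created with workload identity federation so that no client secret is stored in Azure DevOps.

```yaml
# Added example (not from the original post). Assumed placeholder names:
# service connection 'prod-arm-wif', vault 'contoso-prod-kv', secret
# 'db-password', web app 'contoso-api', resource group 'rg-prod'.
trigger:
  branches:
    include: [main]

pool:
  vmImage: ubuntu-latest

stages:
- stage: Deploy
  jobs:
  - deployment: DeployApi
    # Approvals, branch-control and other checks are attached to the
    # environment in Azure DevOps, not written into the YAML.
    environment: production
    strategy:
      runOnce:
        deploy:
          steps:

          # Weak pattern (kept commented out as the 'before'): a long-lived
          # secret stored as a plain pipeline variable and written to disk.
          # Exam answers shaped like this are the distractors.
          # - script: echo "$(DB_PASSWORD)" > creds.txt

          # Hardened pattern. 'prod-arm-wif' is an Azure Resource Manager
          # service connection using workload identity federation: the agent
          # exchanges a short-lived Azure DevOps token for an Entra token, so
          # there is no client secret to rotate or leak.
          - task: AzureKeyVault@2
            displayName: Fetch runtime secrets from Key Vault
            inputs:
              azureSubscription: prod-arm-wif
              KeyVaultName: contoso-prod-kv
              SecretsFilter: db-password   # only the secret this job needs
              RunAsPreJob: false

          # Key Vault secrets arrive as secret pipeline variables and are masked
          # in logs. Map them into the environment of the step that needs them
          # instead of interpolating them into the command line, so they never
          # appear in the process list or in the step's echoed command.
          - script: ./scripts/migrate.sh
            displayName: Run database migration
            env:
              DB_PASSWORD: $(db-password)

          # The deployment itself reuses the same federated connection; az
          # login happens inside the task with a token, not a stored secret.
          - task: AzureCLI@2
            displayName: Deploy API
            inputs:
              azureSubscription: prod-arm-wif
              scriptType: bash
              scriptLocation: inlineScript
              inlineScript: |
                az webapp deploy \
                  --name contoso-api \
                  --resource-group rg-prod \
                  --src-path "$(Pipeline.Workspace)/drop/api.zip"
```

The two things to notice for exam purposes are that the only secret the pipeline ever handles is fetched at run time with a narrow `SecretsFilter`, and that the identity doing the fetching has no stored credential at all, which is what makes the federated service connection the least-privilege answer when it is offered.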

This isn't theoretical stuff. The exam gives you scenarios like: "Your team needs to deploy to production, but the client secret behind the service principal has expired. The pipeline uses a classic service connection that stores that secret. What's the least-privilege fix?"

If you've only studied pipeline YAML, you're toast.

The Other Trap: GitHub Actions vs Azure Pipelines

The AZ-400 now tests BOTH. Since Microsoft owns GitHub, they want you fluent in both ecosystems. Expect questions like:

  • When to use GitHub Actions vs Azure Pipelines
  • GitHub-hosted runners vs Azure DevOps agents
  • Migrating workflows between the two
  • GitHub Advanced Security features (Dependabot, secret scanning, code scanning)
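The GitHub Actions counterpart, again as an added example rather than anything from the post: the same kind of deployment expressed as a workflow that authenticates to Azure through OIDC workload identity federation and grants the job only the `GITHUB_TOKEN` permissions it needs. The repository `contoso/api`, the web app `contoso-api`, the resource group `rg-prod` and the three secret names are assumed placeholders; the app registration is assumed to carry a federated credential whose subject is `repo:contoso/api:environment:production`.

```yaml
# Added example (not from the original post). Assumed placeholders: repo
# 'contoso/api', web app 'contoso-api', resource group 'rg-prod', and the
# AZURE_CLIENT_ID / AZURE_TENANT_ID / AZURE_SUBSCRIPTION_ID secrets.
name: deploy-api

on:
  push:
    branches: [main]

# Least privilege at the workflow level. The default GITHUB_TOKEN gets only
# read access to the repo plus the right to request an OIDC token, which
# Azure exchanges for a short-lived access token. No Azure secret is stored.
permissions:
  contents: read
  id-token: write

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Required reviewers and deployment protection rules live on the
    # environment, and the federated credential's subject claim pins the
    # trust to this exact repo + environment pair.
    environment: production
    steps:
      - uses: actions/checkout@v4

      # Weak pattern (commented out as the 'before'): a JSON blob containing a
      # client secret. It works, but it is a long-lived credential that has to
      # be rotated and is the distractor in exam questions.
      # - uses: azure/login@v2
      #   with:
      #     creds: ${{ secrets.AZURE_CREDENTIALS }}

      # Hardened pattern: only identifiers are supplied, none of which is a
      # credential. The action requests an OIDC token from GitHub and
      # federates it to the app registration (or a user-assigned managed
      # identity) in Entra ID.
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Deploy
        run: |
          az webapp deploy \
            --name contoso-api \
            --resource-group rg-prod \
            --src-path ./dist/api.zip
```

The migration question the exam likes to ask maps directly onto this: the Azure DevOps service connection becomes the `azure/login` step plus the `id-token: write` permission, environment checks become GitHub environment protection rules, and the secret-bearing `creds` input is the thing you leave behind.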

I'd estimate 15-20% of the questions touch GitHub Actions specifically. If you've only studied Azure Pipelines, you're leaving points on the table.

What Actually Gets Tested (By Weight)

Here's my experience after taking the exam:

  1. Configure processes and communications (10-15%) — Azure Boards, work item tracking, dashboards, team notifications. The easiest section.
  2. Design and implement source control (15-20%) — Git branching strategies, pull request workflows, mono-repo vs multi-repo patterns.
  3. Design and implement build and release pipelines (40-45%) — The biggest chunk. YAML pipelines, templates, environments, deployment strategies (blue-green, canary, rolling), artifact management.
  4. Develop a security and compliance plan (25-30%) — The killer. See above.

Most study guides spend 80% of their time on domain 3. Smart money says spend 40% of your time on domain 3 and 30% on domain 4.

How I Actually Passed

Here's what worked for me:

Week 1-2: Microsoft Learn paths (free, but surface-level). Good for foundational concepts.

Week 3-4: Hands-on labs. Set up an Azure DevOps org, create multi-stage YAML pipelines, integrate Key Vault, configure GitHub Advanced Security. You can't fake this stuff on the exam.

Week 5-6: Practice questions. This is where I found the security domain gaps in my knowledge. I used ExamCert's AZ-400 practice exam — the scenario questions there mirror the exam's style really well, especially for the security and compliance domain. $4.99 lifetime access with a pass-or-refund guarantee.

Week 7: Review weak areas. For me, that was workload identity federation and GitHub Advanced Security configuration.

The One Tip That Saved Me

When you see a question about pipeline security, always pick the least-privilege option. Microsoft's exam philosophy is zero-trust. If one answer uses a PAT and another uses a managed identity, pick the managed identity. Every time. (On Microsoft-hosted agents and GitHub-hosted runners the identity is reached through workload identity federation rather than attached to the agent VM, so a "workload identity federation" answer is the same choice in different words.)

This single heuristic probably got me 5-8 extra points.

Bottom Line

The AZ-400 isn't a pipeline exam. It's a DevOps culture exam that happens to test pipelines. Security, compliance, communication, and source control strategy are just as important as knowing YAML syntax.

Study accordingly. Don't be the person who can write a 200-line pipeline but can't explain workload identity federation.

Good luck. 🚀
