Introduction
The AZ-400 (Designing and Implementing Microsoft DevOps Solutions) earns the Microsoft Certified: DevOps Engineer Expert badge. It validates that you can design and implement processes for collaboration, source control, build, release, infrastructure-as-code, configuration management, monitoring, and security across the entire Azure DevOps and GitHub ecosystem.
If AZ-104 is about operating Azure and AZ-305 is about designing it, AZ-400 is about automating it — at scale, with quality, and with security baked in.
This guide breaks down the current AZ-400 objectives, the six domains and their weights, prerequisites, hands-on skills you must build, and a realistic 12–16 week study plan.
Prerequisites: AZ-400 Has Two
Unlike most Azure exams, AZ-400 has formal prerequisites for the DevOps Engineer Expert badge. You must already hold one of:
- AZ-104 (Azure Administrator Associate), or
- AZ-204 (Azure Developer Associate)
You can sit and pass AZ-400 without the prerequisite, but the Expert designation only activates when you hold one of those associate certifications.
Beyond the formal prerequisite, AZ-400 expects:
- 1+ year of Azure DevOps or GitHub Actions experience
- Strong CI/CD fundamentals (build, test, deploy pipelines)
- Working knowledge of YAML, Bash, PowerShell
- Experience with at least one IaC tool (Bicep, ARM, Terraform)
- Familiarity with at least one language ecosystem (Node.js, .NET, Python, Java)
AZ-400 Exam Specifications
| Attribute | Detail |
|---|---|
| Exam code | AZ-400 |
| Title | Designing and Implementing Microsoft DevOps Solutions |
| Format | Case studies, multi-choice, multi-select, drag-and-drop, hot-area |
| Questions | 40–60 |
| Duration | 120 minutes testing |
| Passing score | 700 / 1000 |
| Cost | $165 USD |
| Validity | 1 year (free Microsoft Learn renewal) |
| Prerequisite for Expert badge | Active AZ-104 or AZ-204 |
AZ-400 Domains (Current 2026 Objectives)
Microsoft refreshed AZ-400 to consolidate around six high-level domains:
| Domain | Weight |
|---|---|
| Design and implement processes and communications | 10–15% |
| Design and implement a source control strategy | 10–15% |
| Design and implement build and release pipelines | 50–55% |
| Develop a security and compliance plan | 10–15% |
| Implement an instrumentation strategy | 5–10% |
| (Cross-cutting) GitHub Advanced Security topics | embedded |
The 50–55% weight on pipelines is the signal: this is overwhelmingly a CI/CD exam.
Domain 1: Processes and Communications (10–15%)
- Work item tracking in Azure Boards and GitHub Issues
- Team dashboards, wikis, integration with Slack/Teams
- Stakeholder communication strategy
- Change management and release notes automation
Domain 2: Source Control Strategy (10–15%)
- Branching strategies: trunk-based, GitFlow, GitHub Flow, release flow
- Git workflows: rebase vs. merge, force-push policies, branch protection rules
- Monorepo vs. multi-repo trade-offs
- Repository hygiene: large files (Git LFS), submodules, hooks
- Code reviews, pull request templates, CODEOWNERS
Domain 3: Build and Release Pipelines (50–55%) — THE BIG ONE
This is half the exam. Topics include:
- Azure Pipelines (YAML and classic): stages, jobs, steps, templates, variables, conditions, dependencies
- GitHub Actions: workflows, reusable workflows, composite actions, GitHub-hosted vs. self-hosted runners
- Artifact management: Azure Artifacts feeds, npm/NuGet/Maven, retention policies, upstream sources
- Build optimization: caching, parallelization, container builds, multi-stage Dockerfiles
- Release strategies: blue/green, canary, ring-based, feature flags, dark launches
- Deployment targets: App Service, AKS, VM scale sets, Container Apps, Functions, ARM/Bicep deploys
- Approvals and gates: manual approvals, environment-based gates, quality gates with SonarQube
- Infrastructure as Code: Bicep, ARM, Terraform within pipelines; drift detection; rollback patterns
- Configuration management: Azure App Configuration, Key Vault references, environment-specific configs
Domain 4: Security and Compliance (10–15%)
- GitHub Advanced Security: secret scanning, code scanning (CodeQL), dependency review, Dependabot
- Microsoft Defender for DevOps
- Secrets management: Key Vault integration with pipelines, managed identities for pipeline auth
- Supply chain security: SBOM generation, signed commits, signed container images, attestations
- Compliance: policy-as-code (Azure Policy, OPA), audit logs, separation of duties
Domain 5: Instrumentation Strategy (5–10%)
- Application Insights: instrumenting code, custom metrics, availability tests
- Azure Monitor: alerting strategy, action groups, automated remediation with Logic Apps or Functions
- SLO/SLI/SLA design: error budgets, burn rates
- Log Analytics and KQL for incident investigation
What Makes AZ-400 Hard
- Tool breadth. You must be comfortable with both Azure DevOps and GitHub. Many candidates know one well and the other superficially.
- YAML pipeline literacy. Reading and modifying multi-stage YAML pipelines is non-negotiable. You’ll see them on the exam.
- Branching and release strategies. Theoretical knowledge isn’t enough — questions ask which strategy fits which team size, risk tolerance, and deployment cadence.
- Trade-off thinking. Like AZ-305, several answers are technically correct. The right one balances security, speed, and cost.
Recommended 12–16 Week Study Plan
Weeks 1–2: Source control and branching
- Trunk-based vs. GitFlow vs. GitHub Flow — when each wins
- Branch policies in Azure Repos and GitHub
- Code review and CODEOWNERS patterns
Weeks 3–6: Pipelines (the heaviest block)
- YAML pipelines from scratch in Azure DevOps
- Multi-stage pipelines with environments and approvals
- GitHub Actions workflows including reusable workflows
- Self-hosted vs. Microsoft-hosted runners
- Pipeline templates, parameters, conditional jobs
- Container builds and image promotion patterns
Weeks 7–8: Release strategies and IaC
- Blue/green, canary, ring deployment patterns
- Bicep and ARM in pipelines
- Terraform pipelines (state backend, drift, plan-as-PR)
- Feature flags with Azure App Configuration
Weeks 9–10: Security and supply chain
- GitHub Advanced Security (CodeQL, secret scanning, Dependabot)
- Secrets management with Key Vault and managed identities
- SBOM, signed commits, signed images
Weeks 11–12: Observability and SRE
- Application Insights end-to-end
- KQL queries for incident investigation
- Alerts, action groups, runbooks
Weeks 13–16: Mock exams and final review
- 4+ full-length mocks from Sailor.sh’s AZ-400 mock exam bundle
- Targeted re-study of weak domains
- Build at least one end-to-end pipeline you can demo in an interview
Must-Build Hands-On Skills
Before booking, build these in real Azure DevOps or GitHub accounts:
- End-to-end YAML pipeline that builds, tests, scans, and deploys a containerized app
- GitHub Actions reusable workflow consumed by 3 repos
- Multi-stage release with manual approval and Application Insights smoke test gate
- Bicep IaC pipeline with
what-ifpreview as a PR comment - Key Vault + managed identity authentication from a pipeline (zero secrets in YAML)
- CodeQL workflow that fails the build on a critical security finding
- Feature flag rollout using Azure App Configuration with progressive exposure
If you can build all seven without referring to docs, you’re exam-ready.
Salary Impact
AZ-400 is one of the highest-paid Azure credentials in the market:
- US average: $140K–$190K for “DevOps Engineer + AZ-400”
- UK average: £80K–£115K
- India average: ₹20L–₹45L
DevOps Engineer Expert is in particularly high demand at enterprises modernizing legacy CI/CD onto Azure DevOps or GitHub Actions.
AZ-400 vs. Other DevOps Certifications
| Certification | Provider | Focus | Difficulty |
|---|---|---|---|
| AZ-400 | Microsoft | Azure DevOps + GitHub | Hard |
| AWS DevOps Engineer Professional | AWS | AWS-native DevOps | Hard |
| GCP Professional Cloud DevOps Engineer | GCP + SRE | Medium-Hard | |
| HashiCorp Terraform Associate | HashiCorp | IaC fundamentals | Medium |
If you work in a multi-cloud environment, AZ-400 + Terraform Associate is a powerful combination.
Most Common Reasons People Fail AZ-400
- Surface-level YAML pipeline knowledge. You must comfortably read and modify YAML, including templates, parameters, and conditions.
- GitHub blind spot. Candidates who only know Azure DevOps lose 15+ points on GitHub Actions and GitHub Advanced Security questions.
- No real IaC experience. Theoretical knowledge of Bicep or Terraform isn’t enough.
- Skipping security domain. Supply chain security questions are heavily weighted relative to the 10–15% domain percentage.
- Booking after AZ-305 momentum. AZ-305 is design-heavy; AZ-400 is hands-on. They’re different muscles. Plan dedicated AZ-400 prep.
After You Pass
You’re now a Microsoft Certified: DevOps Engineer Expert. Natural next steps:
- AZ-500 (Security Engineer): for DevSecOps focus
- AZ-305 (Solutions Architect Expert): add the architect designation
- HashiCorp Terraform Associate: lock in cloud-agnostic IaC credibility
- CKA + CKAD: for AKS-heavy DevOps roles
Frequently Asked Questions
Q: Do I need AZ-104 or AZ-204 before AZ-400? A: To take the exam, no. To earn the DevOps Engineer Expert designation, yes — you need active AZ-104 or AZ-204.
Q: How hard is AZ-400? A: Hard, especially the pipelines domain. Even experienced DevOps engineers report struggling with the breadth across Azure DevOps and GitHub.
Q: Should I learn Azure DevOps or GitHub Actions for AZ-400? A: Both. The exam tests both platforms and the GitHub-Azure DevOps integration patterns.
Q: How long to prep for AZ-400? A: 12–16 weeks for working DevOps engineers. Up to 20+ weeks if you’re new to DevOps tooling.
Q: Is AZ-400 worth it without the prerequisite? A: Less so. You can pass AZ-400 alone, but the Expert designation drives most of the resume value.
Q: Are dumps useful for AZ-400? A: No. AZ-400 questions evolve quickly and dumps are often outdated or wrong. Stick to realistic, current practice exams like Sailor.sh’s AZ-400 mock exam bundle.
Ready to Start?
AZ-400 rewards practitioners. The candidates who pass first time spend 12–16 weeks building actual pipelines, integrating real security tooling, and drilling realistic mock exams.
Take a free AZ-400 practice test on Sailor.sh to identify your weakest domain. Then work through the 12–16 week plan with hands-on labs and exam-style practice until you consistently score 80%+.