The Microsoft Certified: DevOps Engineer Expert certification is Microsoft’s expert-level DevOps credential for engineers who design and implement collaboration, source control, pipelines, security, and observability practices across Azure and GitHub-based delivery systems. The certification is earned by passing AZ-400 and first holding either Azure Administrator Associate or Azure Developer Associate.
This is not a basic CI/CD exam. Microsoft is testing whether you can design an end-to-end DevOps operating model, including how teams work, how code moves, how releases are secured, how infrastructure is defined, and how telemetry and feedback loops shape delivery. That means your preparation should stay close to GitHub, Azure DevOps, Azure Pipelines, GitHub Actions, IaC, compliance automation, and platform-level delivery decisions.
As of May 28, 2026, Microsoft positions this certification for DevOps engineers who combine development and infrastructure experience and who can work across cross-functional teams that include developers, site reliability engineers, Azure administrators, and security engineers.
Exam At a Glance
| Attribute | Value |
|---|---|
| Certification | Microsoft Certified: DevOps Engineer Expert |
| Exam code | AZ-400 |
| Level | Expert |
| Duration | 100 minutes |
| Cost | $165 USD |
| Renewal | Every 12 months |
| Prerequisites | You must first earn Microsoft Certified: Azure Administrator Associate or Microsoft Certified: Azure Developer Associate, then pass AZ-400 |
| Target candidate | DevOps engineers designing and implementing collaboration, automation, deployment, security, and observability workflows on Azure and GitHub/Azure DevOps platforms |
| Primary focus | Processes and communications, source control, pipelines, deployments, security and compliance, and instrumentation |
- Official certification page: Microsoft Certified: DevOps Engineer Expert
- Official exam page: Exam AZ-400: Designing and Implementing Microsoft DevOps Solutions
- Official study guide: AZ-400 study guide
- Official course: Design and Implement Microsoft DevOps solutions
- Official learning paths: AZ-400: Development for Enterprise DevOps, AZ-400: Implement CI with Azure Pipelines and GitHub Actions, AZ-400: Design and implement a release strategy, AZ-400: Implement a secure continuous deployment using Azure Pipelines, AZ-400: Manage infrastructure as code using Azure and DSC
- Official practice assessment: AZ-400 practice assessment
Official Assessed Areas
- Design and implement processes and communications
- Design and implement a source control strategy
- Design and implement build and release pipelines
- Develop a security and compliance plan
- Implement an instrumentation strategy
AZ-400 is best treated as an operating-system-for-delivery exam. Microsoft is not just checking whether you can write one pipeline. It is checking whether you can design the collaboration, automation, governance, and feedback system around software delivery.
1. Design and Implement Processes and Communications
This domain covers flow-of-work design and the collaboration structure around delivery teams.
- Traceability and workflow design - Study GitHub Flow, work-item traceability, feedback cycles, GitHub Projects, Azure Boards, and how development work should connect to planning and quality outcomes. Official resources: AZ-400 study guide, Development for Enterprise DevOps.
- Metrics and dashboards - Microsoft explicitly includes cycle time, time to recovery, lead time, and delivery and security metrics. This is about making delivery visible and measurable. Official resources: Azure DevOps dashboards overview, AZ-400 study guide.
- Collaboration and communication integrations - Review wikis, release documentation, webhooks, GitHub-to-Azure Boards integration, and notifications into tools like Microsoft Teams. Official resources: Connect Azure Boards to GitHub, AZ-400 study guide.
- This domain is about team system design - The right answer usually improves flow, visibility, and coordination across the team rather than optimizing an isolated tool choice. Official resources: Certification overview, AZ-400 course.
Exam tip: If the prompt is about feedback loops, work-item tracking, dashboards, or tool integrations between teams, treat it as a processes-and-communications design question first.
2. Design and Implement a Source Control Strategy
This domain focuses on how repositories, branches, and pull-request controls support reliable delivery.
- Branching and PR workflows - Study trunk-based development, feature branches, release branches, branch protection, pull request policies, and merge restrictions. Official resources: AZ-400 study guide, Enterprise DevOps path.
- Repository management - Microsoft includes large-file strategy, repo scaling, permissions, tagging, data recovery, and data removal. This is where Git operations become an enterprise management concern. Official resources: Azure Repos branch policies, Manage large files in Git.
- This domain is about delivery safety - The best answer usually preserves control, auditability, and clean collaboration while still enabling fast iteration. Official resources: Certification overview, Azure Repos documentation.
Exam tip: If the scenario is about branch models, pull requests, repo scale, or permissions inside GitHub or Azure Repos, you are almost certainly in this source-control domain.
3. Design and Implement Build and Release Pipelines
This is the largest AZ-400 domain and the center of the certification.
- Package management, testing, and quality gates - Review Azure Artifacts, GitHub Packages, dependency versioning, pipeline artifacts, code coverage, test integration, and quality and release gates. Official resources: Implement CI with Azure Pipelines and GitHub Actions, AZ-400 study guide.
- Pipeline design - Study GitHub Actions, Azure Pipelines, runners and agents, trigger rules, YAML pipelines, reusable templates, variable groups, approvals, and complex multi-stage scenarios. Official resources: Azure Pipelines documentation, GitHub Actions documentation.
- Deployment strategies - Microsoft explicitly includes blue-green, canary, ring, feature flags, deployment slot usage, hotfix paths, and ordered dependency deployments. Official resources: Design and implement a release strategy, Secure continuous deployment path.
- Infrastructure as code and pipeline maintenance - Expect ARM, Bicep, Azure Deployment Environments, desired state configuration, retention, concurrency tuning, migration from classic to YAML, and operational pipeline optimization. Official resources: Manage infrastructure as code using Azure and DSC, Bicep overview.
- This domain is about delivery architecture - The right answer usually optimizes repeatability, security, and maintainability across the full release lifecycle rather than making one build pass today. Official resources: AZ-400 course, Certification overview.
Exam tip: If a question feels broad and touches CI/CD, approvals, releases, feature flags, YAML design, or IaC, start here. This domain carries the most exam weight.
4. Develop a Security and Compliance Plan
This domain focuses on securing pipelines, identities, secrets, and supply chain controls.
- Authentication and authorization - Study service principals, managed identities, GitHub Apps, GITHUB_TOKEN, Azure DevOps service connections, permissions, security groups, and access-level decisions. Official resources: AZ-400 study guide, Azure Key Vault overview.
- Secrets and sensitive information in automation - Review Key Vault, workload identity federation or OIDC, secretless auth, secure files, and controls to prevent secret leakage in pipelines. Official resources: OIDC for GitHub Actions, Use Azure Key Vault with pipelines.
- Security and compliance scanning - Microsoft includes dependency scanning, code scanning, secret scanning, licensing analysis, GitHub Advanced Security, Defender for Cloud DevOps Security, container scanning, and Dependabot. Official resources: Defender for Cloud DevOps Security, GitHub Advanced Security documentation.
- This domain is about secure-by-default delivery - The best answer usually reduces exposure while keeping automation sustainable, not by adding manual gates everywhere. Official resources: Secure deployment path, Certification overview.
Exam tip: If the problem mentions secrets, service connections, scanning, software supply chain, or identity in pipelines, classify it as a security-and-compliance question before anything else.
5. Implement an Instrumentation Strategy
This final domain is about what happens after deployment: observability and feedback.
- Monitoring integration - Study Azure Monitor, Azure Monitor Logs, Application Insights, VM Insights, Container Insights, storage and network monitoring, GitHub insights, and pipeline alerts. Official resources: Azure Monitor overview, Application Insights overview.
- Metrics and telemetry analysis - Microsoft expects you to inspect infrastructure indicators, application telemetry, traces, and basic KQL-based log analysis to support delivery feedback. Official resources: Kusto Query Language documentation, AZ-400 study guide.
- This domain is about closing the loop - The exam rewards engineers who connect deployment, runtime behavior, and operational learning rather than stopping at successful release automation. Official resources: AZ-400 course, Certification overview.
Exam tip: If the scenario is about alerts, logs, traces, dashboards, or using telemetry to tune delivery decisions, move into the instrumentation domain immediately.
Recommended 5-Week Study Plan
| Week | Focus | Primary resources |
|---|---|---|
| 1 | Flow of work, traceability, dashboards, Teams and Board integrations | AZ-400 study guide, Enterprise DevOps path, Azure DevOps docs |
| 2 | Branch strategies, pull requests, repo scale, permissions, recovery operations | Enterprise DevOps path, Azure Repos docs, GitHub docs |
| 3 | CI, package strategy, YAML pipelines, runners and agents, release design | AZ-400 course, CI and release learning paths, Azure Pipelines docs, GitHub Actions docs |
| 4 | IaC, deployment strategies, secrets, service connections, scanning, Defender and GitHub Advanced Security | Secure deployment path, IaC path, Key Vault docs, Defender for Cloud DevOps docs |
| 5 | Instrumentation, Azure Monitor, KQL, mixed review, practice assessment | Azure Monitor docs, Application Insights docs, AZ-400 practice assessment |
Last-Mile Exam Strategy
- Study AZ-400 as a systems-design exam for software delivery. The core skill is not one tool; it is choosing the right operating model across tools.
- Spend extra time on pipelines because Microsoft weights build and release design more heavily than the other areas.
- Do not split GitHub and Azure DevOps into separate worlds. AZ-400 repeatedly tests where they integrate and where tradeoffs exist between them.
- Use the public practice assessment late in prep to calibrate how Microsoft phrases scenario questions around pipelines, approvals, and security controls.
- When stuck, classify the problem as workflow, source control, delivery, security, or instrumentation. That five-part split usually narrows the right answer quickly.
If you want adjacent context from this repo, pair this guide with our Azure Administrator Associate study guide and Azure Developer Associate study guide because one of those certifications is required before the expert credential can be earned. For broader delivery context, our platform engineer vs DevOps engineer guide is also a useful comparison.
The fastest way to pass AZ-400 is to think like the engineer responsible for making delivery reliable across the whole organization: structure the work, protect the code, automate the pipelines, secure the supply chain, and instrument the runtime so delivery decisions keep improving over time.