nerdexam
Microsoft

AZ-400 · Question #375

You have an Azure subscription that contains an Azure pipeline named Pipeline1 and a GitHub repository named Repo1, Repo1 contains Bicep modules. Pipeline1 deploys Azure resources by using the Bicep m

The correct answer is A. Configure a deployment gate for Pipeline1 and include the Azure DevOps Security and. To ensure Azure Policy compliance before deploying Azure resources to production, configure an Azure Pipeline deployment gate that integrates with Azure Policy evaluations.

Submitted by miguelv· Mar 6, 2026Develop a security and compliance plan

Question

You have an Azure subscription that contains an Azure pipeline named Pipeline1 and a GitHub repository named Repo1, Repo1 contains Bicep modules. Pipeline1 deploys Azure resources by using the Bicep modules. You need to ensure that all releases comply With Azure Policy before they are deployed to production. What should you do?

Options

  • AConfigure a deployment gate for Pipeline1 and include the Azure DevOps Security and
  • BCreate an Azure DevOps build runs on the creation of a pull request assesses the code tor
  • CTo Pipeline1, add a step that runs a What If deployment before the deployment step.
  • DConfigure a deployment gate for Pipeline1 that uses Azure Automation to run a What If

How the community answered

(42 responses)
  • A
    48% (20)
  • B
    7% (3)
  • C
    29% (12)
  • D
    17% (7)

Why each option

To ensure Azure Policy compliance before deploying Azure resources to production, configure an Azure Pipeline deployment gate that integrates with Azure Policy evaluations.

AConfigure a deployment gate for Pipeline1 and include the Azure DevOps Security andCorrect

A deployment gate in Azure Pipelines can pause the release flow until specific conditions are met. The Azure DevOps Security and Compliance gate can integrate with Azure Policy evaluations, scanning the planned deployment against defined policies and failing the gate if non-compliant resources are detected, thereby preventing deployment to production.

BCreate an Azure DevOps build runs on the creation of a pull request assesses the code tor

Creating a build run on a pull request assesses code changes before they are merged, not before a release is deployed to production, and primarily focuses on code quality rather than live resource policy compliance.

CTo Pipeline1, add a step that runs a What If deployment before the deployment step.

Adding a 'What If' deployment step directly into the pipeline provides a preview of changes but does not inherently enforce Azure Policy compliance as a blocking gate without additional custom logic.

DConfigure a deployment gate for Pipeline1 that uses Azure Automation to run a What If

While a deployment gate can use Azure Automation to run a What If deployment, this approach requires custom scripting to interpret What If results against Azure Policies, which is less integrated than using a specialized compliance gate.

Concept tested: Azure Pipelines deployment gates for Azure Policy enforcement

Source: https://learn.microsoft.com/en-us/azure/devops/pipelines/release/deployment-gates

Community Discussion

No community discussion yet for this question.

Full AZ-400 Practice