
AZ-400 Domain 4: Develop a security and compliance plan (10-15%) - Complete Study Guide 2026

TL;DR
  • Domain 4 covers 10-15% of AZ-400, smaller than Domain 3's 50-55% but not skippable.
  • Expect scenario items on secret scanning, dependency vulnerability management, and Azure Policy.
  • Master Azure Key Vault integration with pipelines before touching practice questions.
  • Passing score is 700; weak Domain 4 answers can still sink an otherwise strong attempt.

Domain 4 Overview: Why Security and Compliance Matter on AZ-400

Domain 4, "Develop a security and compliance plan," makes up 10-15% of the AZ-400 exam according to Microsoft's published skills-measured outline. That places it in a tie with two other domains for second-tier weighting, well behind the dominant Domain 3 (Design and implement build and release pipelines) at 50-55%, but ahead of Domain 5 at only 5-10%. If you're mapping out study time across the full AZ-400 exam domains, Domain 4 deserves a focused block, not a rushed afternoon.

What makes this domain tricky isn't the volume of content; it's the way Microsoft blends security concepts across the entire DevOps toolchain: source control, pipelines, container registries, and Azure infrastructure all show up again inside Domain 4 questions, just viewed through a security-and-compliance lens. A candidate who only memorizes definitions of "DevSecOps" or "shift-left security" will struggle with the scenario-based items Microsoft favors. You need to know which Azure DevOps or GitHub feature solves which specific compliance requirement.

Scope Reality Check: Domain 4 isn't a standalone security certification. It tests whether you can bake security and compliance controls into existing DevOps workflows, not whether you can design a full enterprise security architecture from scratch.

Core Topics You Must Master

Based on Microsoft's skills outline for this domain, candidates should expect to demonstrate practical understanding of the following areas, not just textbook recall:

Security Scanning in the DevOps Lifecycle

Candidates must understand how to integrate static analysis, dependency scanning, and container image scanning into build and release pipelines.

  • Static Application Security Testing (SAST) tool placement in a YAML pipeline
  • Dynamic Application Security Testing (DAST) considerations for web workloads
  • Container and image scanning before deployment to Azure Kubernetes Service or App Service

Compliance and Governance Controls

Expect questions on enforcing organizational standards using native Azure governance tooling rather than manual processes.

  • Azure Policy assignment and remediation tasks
  • Compliance reporting and audit trail requirements
  • Branch policies and approval gates tied to compliance sign-off

Secrets, Identity, and Access Management

A recurring theme across the domain is removing hardcoded credentials from source and pipeline definitions.

  • Azure Key Vault integration with Azure Pipelines and GitHub Actions
  • Managed identities versus service principals for pipeline authentication
  • Least-privilege access design for pipeline service connections

Security Scanning and Dependency Management

Security scanning is the topic most likely to appear alongside Domain 3 pipeline concepts because scanning steps live directly inside the build definition. You should be comfortable explaining where in a pipeline each scan type belongs and why ordering matters, for example scanning dependencies before a build step consumes them, or blocking a release stage when a critical vulnerability is found.

Dependency and package vulnerability management deserves particular attention. Candidates are expected to understand how vulnerable open-source packages get flagged, how findings feed into work items or alerts, and how a team decides whether a vulnerability blocks a release or gets tracked for remediation later. This overlaps with package management topics covered more broadly in Domain 3, so reviewing the Domain 3 build and release pipelines guide alongside this section reinforces both areas at once.
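The ordering and gating described above, as an added Azure Pipelines example that is not part of this study guide: the dependency audit runs in its own stage before any build consumes the packages, the container image is scanned before it can be pushed, and the release stage is skipped if anything upstream failed. The scanner choices (npm audit, Trivy), the image name, and the environment name are assumptions for illustration; registry login is omitted.

```yaml
# Added example, not from the study guide. Scanner choices (npm audit, Trivy),
# the image name and the environment name are assumptions for illustration.
trigger:
  branches:
    include: [main]

variables:
  imageName: contoso/webapp   # assumed image name

stages:
- stage: Scan
  displayName: Dependency scan (runs before any build consumes the packages)
  jobs:
  - job: DependencyAudit
    pool: { vmImage: ubuntu-latest }
    steps:
    - script: npm ci --ignore-scripts
      displayName: Restore the lockfile exactly, without running package scripts
    - script: npm audit --audit-level=critical
      displayName: Fail on critical advisories (non-zero exit blocks every later stage)

- stage: Build
  dependsOn: Scan             # never builds on dependencies that failed the audit
  jobs:
  - job: BuildAndScanImage
    pool: { vmImage: ubuntu-latest }
    steps:
    - script: docker build -t $(imageName):$(Build.BuildId) .
      displayName: Build the container image
    - script: |
        # Image scan gates the push: exit code 1 on CRITICAL findings fails this job
        trivy image --exit-code 1 --severity CRITICAL $(imageName):$(Build.BuildId)
      displayName: Scan the image before it can reach a registry
    - script: docker push $(imageName):$(Build.BuildId)   # registry login omitted
      displayName: Push only an image that passed the scan

- stage: Release
  dependsOn: Build
  condition: succeeded()      # any failed scan upstream skips the release entirely
  jobs:
  - deployment: DeployProd
    environment: production   # assumed environment; approval checks are configured on it
    strategy:
      runOnce:
        deploy:
          steps:
          - script: echo "deploying $(imageName):$(Build.BuildId)"
```

The release gate here has two layers: `dependsOn` plus `condition: succeeded()` stops the stage from running at all when a scan fails, and the approvals attached to the `production` environment add the human sign-off the compliance scenarios ask about. Whether a finding blocks the release or is tracked for later is decided by the severity threshold passed to the scanner, which is the knob an exam scenario will usually be describing.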

Key Takeaway

Don't study security scanning in isolation. Every scanning scenario on the exam assumes you already understand pipeline stages, gates, and approvals from Domain 3.

Compliance, Policy, and Governance in Azure

Governance questions test your ability to enforce standards at scale rather than manually checking each deployment. Azure Policy is the centerpiece here: you should know how policies get assigned to management groups, subscriptions, or resource groups, how effects like "deny" or "audit" behave differently, and how remediation tasks bring non-compliant resources back into line.

Beyond Azure Policy, expect coverage of compliance reporting expectations, including how audit logs and pipeline history support regulatory or internal audit requirements. Branch policies in Azure Repos or GitHub also reappear here, this time framed as compliance enforcement mechanisms rather than pure source control hygiene, which connects back to concepts from Domain 2's source control strategy.

Governance Mechanism   | Primary Use Case                          | Where It's Tested
Azure Policy           | Enforce resource configuration standards | Compliance and governance scenarios
Branch policies        | Require reviews before merge             | Source control and compliance overlap
Pipeline approval gates| Require sign-off before release          | Security and pipeline overlap
Azure Key Vault        | Centralize secret storage                | Identity and secrets management

Secrets Management and Identity in Pipelines

Secrets management is one of the highest-yield subtopics in Domain 4 because it is concrete, testable, and directly tied to real Azure DevOps and GitHub Actions configuration. You should know how to reference Key Vault secrets as pipeline variables, how variable groups link to Key Vault, and the tradeoffs of doing so versus storing secrets directly in pipeline settings.

Identity questions typically contrast managed identities with service principals for authenticating pipelines to Azure resources. Microsoft expects candidates to recommend the option that minimizes credential management overhead while satisfying least-privilege requirements. Expect a scenario describing a pipeline that deploys to multiple environments and asks which identity approach reduces long-lived credential exposure.

Common Trap: Exam scenarios often describe a "quick fix" involving hardcoded credentials or overly broad service connection permissions. The correct answer almost always favors Key Vault integration or a scoped managed identity instead.
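The "quick fix" contrasted with the Key Vault pattern, as an added Azure Pipelines example that is not part of this study guide. It is shown as two YAML documents in one listing; in practice each would be its own azure-pipelines.yml. The variable group, vault, and service connection names are assumptions, and the service connection is assumed to use workload identity federation so that no long-lived client secret exists anywhere in the chain.

```yaml
# Added example, not from the study guide. Names below are assumptions.
---
# ANTI-PATTERN: the credential lives in source, in every branch, and in history
variables:
  dbPassword: 'P@ssw0rd-in-git'       # constructed placeholder; never do this
steps:
- script: ./deploy.sh --password "$(dbPassword)"
---
# HARDENED: secrets are pulled from Key Vault at run time and never stored in YAML
variables:
# Option A: a Library variable group linked to the vault (secrets selected in the UI)
- group: kv-prod-secrets              # assumed variable group name
# Option B: fetch explicitly in the job, filtered so only the needed secret is exposed
steps:
- task: AzureKeyVault@2
  inputs:
    azureSubscription: 'sc-prod-workload-identity'  # assumed service connection, scoped to this vault
    KeyVaultName: 'kv-contoso-prod'                 # assumed vault name
    SecretsFilter: 'DbPassword'                     # least privilege: do not pull '*'
    RunAsPreJob: false
- script: ./deploy.sh --password "$(DbPassword)"
  displayName: Secret is masked in logs and exists only for this job
```

In either option the identity behind the service connection needs only read access to secrets on that one vault (the built-in Key Vault Secrets User role, or Get and List on secrets under the access-policy model), which is the scoped, least-privilege answer the exam scenarios look for. Using a filtered `SecretsFilter` rather than `*` keeps the job from exposing secrets it does not use.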

How Domain 4 Questions Are Actually Asked

Microsoft's exam format for AZ-400, like other role-based exams, uses scenario-driven items rather than pure definition recall. Formats can include multiple choice, multiple response, drag and drop, build list, hot area, and case study sets. Microsoft does not publish a fixed question count or duration; both are shown to you during scheduling and at exam launch. Passing requires a scaled score of 700.

For Domain 4 specifically, expect prompts that describe an organization's current insecure practice (hardcoded secrets, no dependency scanning, manual compliance checks) and ask you to select the Azure DevOps or GitHub feature that resolves it with the least operational overhead. Some items may be framed as case studies where security requirements are buried in a longer scenario description alongside unrelated details, so careful reading matters as much as technical knowledge.

Key Takeaway

Practice reading long scenario stems and identifying only the sentences relevant to security and compliance. Domain 4 questions often hide the real requirement in a paragraph about team structure or release cadence.

Building Domain 4 Into Your Study Timeline

Because Domain 4 sits at 10-15%, it shouldn't consume equal time to Domain 3's 50-55% weighting, but it also shouldn't be an afterthought squeezed into your final review day. A practical approach is to schedule Domain 4 study after you've built a working knowledge of pipelines, since so many Domain 4 concepts (scanning, gates, secret injection) are implemented inside pipeline YAML you'll already be reviewing for Domain 3.

Week 3: Foundations After Pipelines

  • Review Azure Key Vault integration patterns with Azure Pipelines and GitHub Actions
  • Study managed identity versus service principal decision criteria

Week 4: Governance and Scanning Deep Dive

  • Work through Azure Policy assignment and remediation scenarios
  • Map SAST, DAST, and dependency scanning tools to pipeline stages

Week 5: Integration Practice

  • Combine Domain 4 concepts with Domain 2 branch policy scenarios
  • Run practice questions that mix security requirements into pipeline design problems

For a full week-by-week structure covering all five domains together, see the complete AZ-400 study guide for 2026, which sequences this domain against the others rather than treating it in isolation.

Domain 4 vs. the Other Four Domains

It helps to see Domain 4 in context against the full exam blueprint rather than studying it as an island:

Domain                                 | Weight | Relationship to Domain 4
Domain 1: Processes and communications | 10-15% | Defines the workflows security controls get layered onto
Domain 2: Source control strategy      | 10-15% | Branch policies double as compliance enforcement
Domain 3: Build and release pipelines  | 50-55% | Hosts the scanning steps and gates Domain 4 tests
Domain 4: Security and compliance plan | 10-15% | The focus of this guide
Domain 5: Instrumentation strategy     | 5-10%  | Monitoring can surface compliance drift or security incidents

If you're still deciding how much overall effort AZ-400 requires relative to other certifications, the AZ-400 difficulty guide breaks down where most candidates report the exam feeling hardest; Domain 3's density is usually a bigger factor than Domain 4's security content.

Who Actually Uses This Skill Set on the Job

Domain 4 content maps closely to responsibilities held by DevOps engineers, platform engineers, and release managers who are accountable for pipeline security, not just pipeline speed. Organizations hiring for roles that reference AZ-400 typically expect candidates to already administer or develop in Azure and to have implemented GitHub or Azure DevOps solutions in production, per Microsoft's stated prerequisites for this credential.

To actually earn the Microsoft Certified: DevOps Engineer Expert title, passing AZ-400 alone isn't sufficient; candidates must also hold either Microsoft Certified: Azure Administrator Associate or Microsoft Certified: Azure Developer Associate. That prerequisite structure reinforces why Domain 4 assumes baseline Azure identity and governance knowledge rather than teaching it from zero. If you're evaluating whether this career path fits your goals, the AZ-400 jobs overview and AZ-400 salary guide outline where this security-and-compliance skill set gets applied day to day.

Registration Note: AZ-400 is delivered through Pearson VUE with both test-center and online proctored options. U.S. pricing is commonly listed at $165 USD, though final pricing is confirmed during scheduling and can vary by region. Full cost breakdowns, including renewal, are covered in the AZ-400 certification cost guide.

Once you've reviewed the core Domain 4 material here, reinforce retention with timed practice questions so you experience the scenario format under realistic conditions before exam day. Repeated exposure to case-study-style security scenarios is one of the more efficient ways to close the gap between "I understand Key Vault" and "I can pick the right answer in twenty seconds."

Frequently Asked Questions

How much of the AZ-400 exam is Domain 4?

Domain 4, "Develop a security and compliance plan," accounts for 10-15% of the exam according to Microsoft's published skills-measured outline, the same weighting range as Domain 1 and Domain 2.

What Azure services should I know for Domain 4?

Azure Key Vault for secrets management, Azure Policy for governance and compliance enforcement, and managed identity or service principal configurations for pipeline authentication are the most exam-relevant services.

Does Domain 4 overlap with other AZ-400 domains?

Yes. Security scanning steps are implemented inside pipelines covered under Domain 3, and branch policies used for compliance enforcement are also part of Domain 2's source control strategy content.

Is Domain 4 harder than Domain 3?

Domain 3 carries far more exam weight at 50-55% and covers broader technical ground, but Domain 4 questions can feel harder individually because they require connecting security concepts across multiple tools rather than recalling isolated facts.

Do I need separate security certification knowledge to pass Domain 4?

No. Domain 4 tests applied DevOps security practices within Azure DevOps and GitHub workflows, not the depth of knowledge covered in dedicated Microsoft security certifications.
