πŸ”’ Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided AZ-400 Domain 2
Domain 2 β€” Module 2 of 3 67%
5 of 25 overall

AZ-400 Study Guide

Domain 1: Design and Implement Processes and Communications

  • Work Item Tracking: Boards, GitHub & Flow
  • DevOps Metrics: Dashboards That Drive Decisions
  • Collaboration: Wikis, Teams & Release Notes

Domain 2: Design and Implement a Source Control Strategy

  • Branching Strategies: Trunk-Based, Feature & Release
  • Pull Requests: Policies, Protections & Merge Rules
  • Repository Management: LFS, Permissions & Recovery

Domain 3: Design and Implement Build and Release Pipelines

  • Package Management: Feeds, Versioning & Upstream
  • Testing Strategy: Quality Gates & Release Gates
  • Test Implementation: Code Coverage & Pipeline Tests
  • Azure Pipelines: YAML from Scratch Free
  • GitHub Actions: Workflows from Scratch Free
  • Pipeline Agents: Self-Hosted, Hybrid & VM Templates
  • Multi-Stage Pipelines: Templates, Variables & Approvals
  • Deployment Strategies: Blue-Green, Canary & Ring Free
  • Safe Rollouts: Slots, Dependencies & Hotfix Paths
  • Deployment Implementations: Containers, Scripts & Databases
  • Infrastructure as Code: ARM vs Bicep vs Terraform
  • IaC in Practice: Desired State & Deployment Environments
  • Pipeline Maintenance: Health, Migration & Retention

Domain 4: Develop a Security and Compliance Plan

  • Pipeline Identity: Service Principals, Managed IDs & OIDC Free
  • Authorization & Access: GitHub Roles & Azure DevOps Security
  • Secrets & Secure Pipelines: Key Vault & Workload Federation
  • Security Scanning: GHAS, Defender & Dependabot

Domain 5: Implement an Instrumentation Strategy

  • Monitoring for DevOps: Azure Monitor & App Insights
  • Metrics & KQL: Analysing Telemetry & Traces

AZ-400 Study Guide

Domain 1: Design and Implement Processes and Communications

  • Work Item Tracking: Boards, GitHub & Flow
  • DevOps Metrics: Dashboards That Drive Decisions
  • Collaboration: Wikis, Teams & Release Notes

Domain 2: Design and Implement a Source Control Strategy

  • Branching Strategies: Trunk-Based, Feature & Release
  • Pull Requests: Policies, Protections & Merge Rules
  • Repository Management: LFS, Permissions & Recovery

Domain 3: Design and Implement Build and Release Pipelines

  • Package Management: Feeds, Versioning & Upstream
  • Testing Strategy: Quality Gates & Release Gates
  • Test Implementation: Code Coverage & Pipeline Tests
  • Azure Pipelines: YAML from Scratch Free
  • GitHub Actions: Workflows from Scratch Free
  • Pipeline Agents: Self-Hosted, Hybrid & VM Templates
  • Multi-Stage Pipelines: Templates, Variables & Approvals
  • Deployment Strategies: Blue-Green, Canary & Ring Free
  • Safe Rollouts: Slots, Dependencies & Hotfix Paths
  • Deployment Implementations: Containers, Scripts & Databases
  • Infrastructure as Code: ARM vs Bicep vs Terraform
  • IaC in Practice: Desired State & Deployment Environments
  • Pipeline Maintenance: Health, Migration & Retention

Domain 4: Develop a Security and Compliance Plan

  • Pipeline Identity: Service Principals, Managed IDs & OIDC Free
  • Authorization & Access: GitHub Roles & Azure DevOps Security
  • Secrets & Secure Pipelines: Key Vault & Workload Federation
  • Security Scanning: GHAS, Defender & Dependabot

Domain 5: Implement an Instrumentation Strategy

  • Monitoring for DevOps: Azure Monitor & App Insights
  • Metrics & KQL: Analysing Telemetry & Traces
Domain 2: Design and Implement a Source Control Strategy Premium ⏱ ~12 min read

Pull Requests: Policies, Protections & Merge Rules

Design pull request workflows with branch policies in Azure DevOps and branch protection rules in GitHub. Configure required reviewers, status checks, merge strategies, and automated enforcement.

Why Pull Request Policies Matter

β˜• Simple explanation

Think of airport security.

Before you board a plane, you go through a checkpoint. Your bag is scanned (automated check). Your ID is verified (reviewer approval). If anything looks suspicious, you’re pulled aside for a closer look (required status checks). You can’t skip the line β€” everyone goes through the same process.

Pull request policies are the security checkpoint for your code. Every change must pass automated tests (bag scan), get reviewed by a team member (ID check), and meet quality standards before it can merge into the main branch. No exceptions, no bypassing β€” the rules enforce themselves.

Pull request (PR) policies and branch protection rules are automated guardrails that enforce your team’s quality standards. Instead of trusting every developer to remember to run tests, request reviews, and follow conventions, the platform enforces these requirements before code can merge.

The AZ-400 exam expects you to design PR workflows using Azure DevOps branch policies and GitHub branch protection rules (including the newer GitHub rulesets). You need to know which settings exist, how they differ between platforms, and when to apply them.

You also need to understand merge strategies β€” squash, rebase, and merge commit β€” and when each is appropriate.

Azure DevOps Branch Policies

Branch policies in Azure DevOps are configured per branch (typically main and develop). They are found in Repos > Branches > Branch Policies.

PolicyWhat It EnforcesCommon Configuration
Require a minimum number of reviewersAt least N approvals before merge2 reviewers; requestor cannot approve their own; reset votes on new pushes
Check for linked work itemsPR must be linked to a work itemRequired β€” ensures traceability
Check for comment resolutionAll PR comments must be resolved before mergeRequired β€” prevents ignored feedback
Limit merge typesOnly allow specific merge strategiesAllow squash merge only (most common)
Build validationA specified build pipeline must succeedCI pipeline must pass; set to required (blocking)
Status checksExternal services must report successSonarQube quality gate, security scanner
Automatically included reviewersSpecific people or teams auto-added as reviewersSecurity team on infrastructure changes, DBA on schema changes
Reset code reviewer votesPrevious approvals are reset when new commits are pushedEnabled β€” forces re-review of new changes

Key Details for the Exam

  • Bypass permissions: Project Administrators can bypass branch policies (with audit logging). You can grant β€œExempt from policy enforcement” to specific users or groups β€” but this should be rare and audited.
  • Build validation timing: You can trigger the validation build β€œimmediately when updated” or β€œwhen the merge is attempted.” Immediate is more common.
  • Path-based policies: You can add automatically included reviewers based on file path (e.g., add the security team when *.bicep files change).
Question

In Azure DevOps, what happens when 'Reset code reviewer votes when there are new changes' is enabled?

Click or press Enter to reveal answer

Answer

When a developer pushes new commits to a PR that already has approvals, all existing votes are reset to 'No vote.' Reviewers must re-review and re-approve the updated code. This prevents the scenario where a developer gets approval, then pushes additional unreviewed changes and merges. It ensures every line of merged code has been reviewed.

Click to flip back

GitHub Branch Protection Rules

GitHub offers two mechanisms: legacy branch protection rules and the newer repository rulesets. The exam covers both.

Legacy Branch Protection Rules

Configured in Settings > Branches > Branch protection rules.

RuleWhat It Enforces
Require a pull request before mergingNo direct pushes to the branch
Required approving reviewsMinimum number of approvals (1-6)
Dismiss stale pull request approvalsReset approvals when new commits are pushed (equivalent to Azure DevOps reset votes)
Require review from code ownersCODEOWNERS file designates who must review which paths
Require status checks to passCI/CD checks must succeed before merge
Require branches to be up to dateBranch must be rebased on latest target before merge
Require signed commitsAll commits must be GPG-signed
Require linear historyPrevents merge commits (forces squash or rebase)
Include administratorsEven admins must follow the rules
Restrict who can pushOnly specific people/teams can push to the branch
Allow force pushesGenerally disabled β€” force push rewrites history
Allow deletionsPrevent branch deletion

GitHub Repository Rulesets (Newer)

Rulesets are the newer, more powerful replacement for branch protection rules. Key differences:

  • Apply to multiple branches using patterns (e.g., release/*, main)
  • Layered rules β€” multiple rulesets can apply to the same branch; most restrictive wins
  • Organisation-level β€” apply rulesets across all repositories in an organisation
  • Bypass actors β€” explicitly define who can bypass (deploy bots, release managers)
  • Evaluate mode β€” test a ruleset without enforcing it (see what would be blocked)
Question

What is the key advantage of GitHub repository rulesets over legacy branch protection rules?

Click or press Enter to reveal answer

Answer

Rulesets can be applied at the ORGANISATION level across multiple repositories and multiple branches using patterns. They support layered rules (multiple rulesets stack), explicit bypass actors, and an evaluate mode for testing rules before enforcement. Legacy branch protection rules are per-repository, per-branch only.

Click to flip back

Azure DevOps vs GitHub: Protection Comparison

Branch Protection: Azure DevOps vs GitHub
CapabilityAzure DevOps Branch PoliciesGitHub Branch Protection / Rulesets
Minimum reviewersConfigurable count; requestor self-approval optional1-6 required approvals; code owner reviews optional
Reset votes on new pushReset code reviewer votes settingDismiss stale pull request approvals
Build validationSpecify build pipeline that must succeedRequired status checks (any CI system)
Path-based reviewersAutomatically included reviewers by file pathCODEOWNERS file maps paths to reviewers
Comment resolutionRequire all comments resolved before mergeNo built-in equivalent (convention-based)
Work item linkingRequire linked work items for traceabilityNo built-in equivalent (use PR templates)
Merge type restrictionLimit to specific merge types per branchRequire linear history (forces squash or rebase)
Bypass mechanismExempt from policy enforcement permissionBypass actors in rulesets; include administrators option
Signed commitsNot supported nativelyRequire signed commits (GPG)
Organisation-wideProject-level onlyRulesets support organisation-level enforcement
Audit trailFull audit log of policy changes and bypassesAudit log for Enterprise; ruleset change history

The CODEOWNERS File

The CODEOWNERS file (placed in the root, docs/, or .github/ directory) maps file paths to required reviewers.

# Default owner for everything
*                       @org/platform-team

# Frontend code owned by frontend team
/src/components/**      @org/frontend-team

# Infrastructure as code requires security review
/infra/**               @org/security-team @jordan-rivera

# Database migrations require DBA approval
/db/migrations/**       @org/dba-team

# API contracts require architect review
/api/openapi.yaml       @kai-tanaka

When β€œRequire review from code owners” is enabled, PRs that modify matched paths must be approved by the designated owner β€” even if other reviewers have already approved.

πŸ›οΈ Amira’s CODEOWNERS Strategy

Dr. Amira sets up CODEOWNERS for her government client’s project:

  • * β€” Farah and Amira (default reviewers for everything)
  • /infra/** β€” Major Collins’ approved infrastructure team
  • /security/** β€” Amira herself (security configurations require DevSecOps review)
  • /docs/compliance/** β€” Marcus (audit) β€” all compliance documentation changes need his sign-off

This ensures the right eyes see the right code β€” automatically, without relying on developers to remember to tag reviewers.

Question

Where can the CODEOWNERS file be placed in a GitHub repository?

Click or press Enter to reveal answer

Answer

In three locations: the repository root (/CODEOWNERS), the docs/ directory (/docs/CODEOWNERS), or the .github/ directory (/.github/CODEOWNERS). GitHub checks these locations in order. The file uses glob pattern matching to map file paths to GitHub users or teams who must review changes to those paths.

Click to flip back

Merge Strategies

The exam expects you to know three merge strategies, when to use each, and how they affect Git history.

Merge Commit (No Fast-Forward)

Creates a merge commit that ties two branches together. Preserves full branch history.

main     ──A───B───────M──     (M is merge commit)
                      / 
feature  ──C───D───Eβ”€β”˜         (branch history preserved)

Use when: You want to see the complete history of a feature branch, including all individual commits.

Squash Merge

Combines all feature branch commits into a single new commit on main. The feature branch history is discarded.

main     ──A───B───S──         (S contains all changes from C+D+E)
                               
feature  ──C───D───E           (branch deleted after merge)

Use when: You want a clean, linear main branch history. Each merge is one commit with one purpose. Most teams prefer this for feature branches.

Rebase and Merge

Replays feature branch commits on top of main, creating new commits. Results in a linear history without merge commits.

main     ──A───B───C'───D'───E'──   (C', D', E' are replayed commits)
                                     
feature  ──C───D───E                 (original commits, branch deleted)

Use when: You want linear history but also want to preserve individual commits (not squash them).

Question

What is the difference between squash merge and rebase merge?

Click or press Enter to reveal answer

Answer

Squash merge combines all feature branch commits into ONE new commit on the target branch β€” you lose individual commit history but get a very clean log. Rebase merge replays each feature branch commit individually on top of the target β€” you get linear history while preserving each commit. Both produce linear history (no merge commits), but squash is one commit vs rebase is many.

Click to flip back
Exam Tip: Merge Strategy Selection

The exam often asks which merge strategy to recommend. The decision tree:

  • Need audit trail of individual commits? Use merge commit or rebase merge.
  • Need clean, linear history where each merge is one logical change? Use squash merge.
  • Need to preserve branch topology for debugging (see where branches diverged)? Use merge commit.
  • Team uses trunk-based development with tiny changes? Squash merge or rebase β€” both keep history clean.
  • Team has compliance requirements needing granular commit history? Merge commit preserves everything.

Most AZ-400 scenarios favour squash merge for feature branches because it keeps main history clean and each merged commit represents a complete, reviewed feature.

🏒 Nadia’s Merge Policy

Nadia configures Azure DevOps to only allow squash merge on the main branch. Every merged PR becomes one commit with the PR title as the commit message. The full branch history is preserved in the PR itself (auditors can drill into the PR to see every individual commit).

For the release/* branches, she allows merge commits β€” she wants to see exactly which bug fixes were backported from develop during stabilisation.

Putting It All Together: PR Workflow Design

πŸ›οΈ Amira’s High-Security PR Workflow

For Major Collins’ defence project, Amira designs this PR workflow:

  1. Developer creates a feature branch and opens a PR
  2. Automated checks run: CI build, unit tests, SAST scan, dependency vulnerability scan, licence compliance check
  3. CODEOWNERS auto-assigns reviewers based on changed files
  4. Two approvals required β€” one from the development team, one from the security team
  5. All comments must be resolved before merge
  6. PR must be linked to an approved work item (traceability)
  7. Reset votes on any new push β€” forces re-review
  8. Squash merge only β€” clean audit trail on main
  9. Post-merge: Work item auto-transitions to β€œDone”

Every step is enforced by branch policies β€” no human judgement required, no steps can be skipped.

Knowledge Check

Amira's client requires that security team members review any PR that modifies infrastructure code, even if other developers have already approved it. Which feature should Amira configure?
Knowledge Check

Kai's team wants a clean, linear Git history on main where each commit represents one complete feature. They also want to preserve the detailed commit history for audit purposes. Which merge strategy should Kai configure?
Knowledge Check

Nadia wants to apply consistent branch protection rules across all 47 repositories in her Azure DevOps organisation's GitHub Enterprise account. What should she use?

🎬 Video coming soon

Pull Request Policies Deep Dive

Next up: Repository Management: LFS, Permissions & Recovery

← Previous

Branching Strategies: Trunk-Based, Feature & Release

Next β†’

Repository Management: LFS, Permissions & Recovery

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.