🔒 Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided AZ-400 Domain 3
Domain 3 — Module 12 of 13 92%
18 of 25 overall

AZ-400 Study Guide

Domain 1: Design and Implement Processes and Communications

  • Work Item Tracking: Boards, GitHub & Flow
  • DevOps Metrics: Dashboards That Drive Decisions
  • Collaboration: Wikis, Teams & Release Notes

Domain 2: Design and Implement a Source Control Strategy

  • Branching Strategies: Trunk-Based, Feature & Release
  • Pull Requests: Policies, Protections & Merge Rules
  • Repository Management: LFS, Permissions & Recovery

Domain 3: Design and Implement Build and Release Pipelines

  • Package Management: Feeds, Versioning & Upstream
  • Testing Strategy: Quality Gates & Release Gates
  • Test Implementation: Code Coverage & Pipeline Tests
  • Azure Pipelines: YAML from Scratch Free
  • GitHub Actions: Workflows from Scratch Free
  • Pipeline Agents: Self-Hosted, Hybrid & VM Templates
  • Multi-Stage Pipelines: Templates, Variables & Approvals
  • Deployment Strategies: Blue-Green, Canary & Ring Free
  • Safe Rollouts: Slots, Dependencies & Hotfix Paths
  • Deployment Implementations: Containers, Scripts & Databases
  • Infrastructure as Code: ARM vs Bicep vs Terraform
  • IaC in Practice: Desired State & Deployment Environments
  • Pipeline Maintenance: Health, Migration & Retention

Domain 4: Develop a Security and Compliance Plan

  • Pipeline Identity: Service Principals, Managed IDs & OIDC Free
  • Authorization & Access: GitHub Roles & Azure DevOps Security
  • Secrets & Secure Pipelines: Key Vault & Workload Federation
  • Security Scanning: GHAS, Defender & Dependabot

Domain 5: Implement an Instrumentation Strategy

  • Monitoring for DevOps: Azure Monitor & App Insights
  • Metrics & KQL: Analysing Telemetry & Traces

AZ-400 Study Guide

Domain 1: Design and Implement Processes and Communications

  • Work Item Tracking: Boards, GitHub & Flow
  • DevOps Metrics: Dashboards That Drive Decisions
  • Collaboration: Wikis, Teams & Release Notes

Domain 2: Design and Implement a Source Control Strategy

  • Branching Strategies: Trunk-Based, Feature & Release
  • Pull Requests: Policies, Protections & Merge Rules
  • Repository Management: LFS, Permissions & Recovery

Domain 3: Design and Implement Build and Release Pipelines

  • Package Management: Feeds, Versioning & Upstream
  • Testing Strategy: Quality Gates & Release Gates
  • Test Implementation: Code Coverage & Pipeline Tests
  • Azure Pipelines: YAML from Scratch Free
  • GitHub Actions: Workflows from Scratch Free
  • Pipeline Agents: Self-Hosted, Hybrid & VM Templates
  • Multi-Stage Pipelines: Templates, Variables & Approvals
  • Deployment Strategies: Blue-Green, Canary & Ring Free
  • Safe Rollouts: Slots, Dependencies & Hotfix Paths
  • Deployment Implementations: Containers, Scripts & Databases
  • Infrastructure as Code: ARM vs Bicep vs Terraform
  • IaC in Practice: Desired State & Deployment Environments
  • Pipeline Maintenance: Health, Migration & Retention

Domain 4: Develop a Security and Compliance Plan

  • Pipeline Identity: Service Principals, Managed IDs & OIDC Free
  • Authorization & Access: GitHub Roles & Azure DevOps Security
  • Secrets & Secure Pipelines: Key Vault & Workload Federation
  • Security Scanning: GHAS, Defender & Dependabot

Domain 5: Implement an Instrumentation Strategy

  • Monitoring for DevOps: Azure Monitor & App Insights
  • Metrics & KQL: Analysing Telemetry & Traces
Domain 3: Design and Implement Build and Release Pipelines Premium ⏱ ~11 min read

IaC in Practice: Desired State & Deployment Environments

Implement desired state configuration with Azure Automation State Configuration and Azure Machine Configuration. Design on-demand self-deployment with Azure Deployment Environments.

From Templates to Continuous Compliance

☕ Simple explanation

Think of a thermostat.

You set the temperature to 22 degrees. If the room gets cold, the heater kicks in. If it gets hot, the heater turns off. You declared the DESIRED STATE (“22 degrees”) and the thermostat continuously enforces it.

Desired state configuration works the same way for servers. You declare “IIS must be installed, TLS 1.2 must be enabled, port 443 must be open.” The system checks every 15 minutes — if anything drifts from the desired state, it either reports the drift or automatically fixes it.

Module 17 covered IaC for provisioning resources (ARM, Bicep, Terraform). This module focuses on configuration management — ensuring the operating system and application settings INSIDE those resources remain correct over time. It also covers Azure Deployment Environments, which provide self-service, guardrailed infrastructure for developers.

The exam tests your ability to distinguish between resource provisioning (Bicep/Terraform) and configuration management (DSC/Machine Configuration), and to design Azure Deployment Environments for developer self-service.

Configuration Drift

Configuration drift occurs when the actual state of a server diverges from its intended configuration. Common causes:

  • Manual changes via RDP/SSH (“just a quick fix” that is never documented)
  • Failed or partial updates
  • Software installations outside the pipeline
  • Security patches that change settings

Drift is dangerous because environments that were once identical become unpredictably different. A bug that cannot be reproduced in staging might only exist because production has drifted.

Two approaches to prevent drift:

  1. Detect and report — monitor for drift, alert the team, require manual remediation
  2. Detect and auto-correct — automatically revert any drift to the desired state

Azure Automation State Configuration

Azure Automation State Configuration uses PowerShell Desired State Configuration (DSC) to define and enforce server configurations.

How It Works

  1. Write a DSC configuration (PowerShell script defining desired state)
  2. Compile it into a MOF (Managed Object Format) file
  3. Assign the MOF to target nodes (VMs)
  4. The Local Configuration Manager (LCM) on each node pulls and applies the configuration

Example DSC Configuration

configuration WebServerConfig {
    Node 'webserver01' {
        WindowsFeature IIS {
            Ensure = 'Present'
            Name   = 'Web-Server'
        }
        File WebContent {
            Ensure          = 'Present'
            Type            = 'Directory'
            DestinationPath = 'C:\inetpub\wwwroot\app'
        }
        Registry TLS12 {
            Ensure    = 'Present'
            Key       = 'HKLM:\SYSTEM\CurrentControlSet\...'
            ValueName = 'Enabled'
            ValueData = '1'
        }
    }
}

Configuration Modes

ModeBehaviourUse When
ApplyAndMonitorApply once, then only report drift (no auto-fix)Audit-first environments, initial rollout
ApplyAndAutoCorrectApply and continuously fix any drift automaticallyProduction servers requiring strict compliance
ApplyOnlyApply once, never check againOne-time setup, immutable infrastructure
Question

What are the three LCM configuration modes in Azure Automation DSC?

Click or press Enter to reveal answer

Answer

1) ApplyAndMonitor — applies the configuration once, then monitors for drift and reports it but does not auto-correct. 2) ApplyAndAutoCorrect — applies the configuration and automatically corrects any detected drift back to the desired state. 3) ApplyOnly — applies the configuration once and never checks again. Choose based on your compliance requirements.

Click to flip back

Azure Machine Configuration (formerly Guest Configuration)

Azure Machine Configuration is the modern replacement for Automation DSC when managing Azure VMs and Arc-enabled servers. It integrates with Azure Policy for compliance reporting.

Key Differences from Automation DSC

Machine Configuration is the strategic direction — Automation DSC is supported but not receiving new features
CapabilityAzure Automation DSCAzure Machine Configuration
PlatformAzure Automation account requiredBuilt into Azure Policy — no additional infrastructure
Supported OSWindows (PowerShell DSC)Windows and Linux
Configuration formatPowerShell DSC / MOF filesPowerShell DSC v3 or custom (machine configuration packages)
Compliance reportingAutomation DSC dashboardAzure Policy compliance dashboard (unified view)
Assignment modelPull from Automation accountAzure Policy assignment (inherited, scoped)
RemediationLCM auto-correct modesPolicy remediation tasks (audit-only or deploy-if-not-exists)
Arc supportLimitedFull support for Arc-enabled servers (on-premises and other clouds)
DirectionRetiring September 2027 (Linux retired Sept 2023) — migrate to Machine ConfigurationActively developed — the future of Azure config management
Best forExisting DSC investments, Windows-onlyNew projects, cross-platform, Azure Policy integration
Question

What is Azure Machine Configuration and how does it differ from Automation DSC?

Click or press Enter to reveal answer

Answer

Machine Configuration (formerly Guest Configuration) manages OS-level configuration through Azure Policy rather than a separate Automation account. It supports Windows AND Linux, integrates with Azure Policy compliance reporting, works with Arc-enabled servers (on-premises), and uses policy assignment for configuration delivery. Automation DSC requires a dedicated Automation account, is Windows-focused, and is in maintenance mode.

Click to flip back

Machine Configuration Workflow

  1. Author a machine configuration package (PowerShell DSC v3 or custom)
  2. Publish the package to Azure Blob Storage or a built-in package
  3. Assign via Azure Policy (audit mode or enforce mode)
  4. The Guest Configuration agent on each VM checks compliance every 15 minutes
  5. Results appear in the Azure Policy compliance dashboard

Two policy effects control behaviour:

  • AuditIfNotExists — report non-compliance but do not fix (audit mode)
  • DeployIfNotExists — automatically remediate drift (enforce mode)
💡 Exam tip: Provisioning vs configuration management

The exam draws a clear line between two layers:

Resource provisioning (WHAT to create):

  • ARM templates, Bicep, Terraform
  • Create VMs, databases, App Services, networking
  • Runs once per deployment

Configuration management (HOW to configure what is inside):

  • Automation DSC, Machine Configuration
  • Install software, set registry keys, configure OS settings
  • Runs continuously to prevent drift

When a question asks about “ensuring IIS is installed and TLS 1.2 is enabled on all VMs” — this is configuration management (DSC/Machine Config), NOT Bicep/Terraform.

When a question asks about “provisioning a VM with a specific SKU in East US” — this is resource provisioning (Bicep/Terraform), NOT DSC.

Azure Deployment Environments

Azure Deployment Environments (ADE) provide self-service, template-based infrastructure for developers. Instead of submitting a ticket and waiting days for an environment, developers spin up pre-approved infrastructure in minutes.

How It Works

  1. Platform engineers create a Dev Center with project definitions
  2. They define environment types (Dev, Test, Staging, Production)
  3. They build a catalogue of approved IaC templates (Bicep or Terraform) stored in a Git repository
  4. Developers self-serve: pick a template, provide parameters, click deploy
  5. Guardrails enforce policies — developers cannot exceed resource limits or create non-compliant resources
  6. Auto-delete policies destroy idle environments after a configurable period (cost control)

Key Components

ComponentPurpose
Dev CenterCentral management hub for projects and catalogues
ProjectLogical grouping — maps to a team or application
Environment TypeClassification (Dev, Test, Staging) with different policies
CatalogueGit repository containing approved IaC templates
Environment DefinitionA specific template in the catalogue (e.g., “3-tier web app”)
EnvironmentA running instance created by a developer from a definition
💡 Scenario: Jordan builds a self-service platform

☁️ Jordan at Cloudstream Media creates a Dev Center for the engineering team:

Catalogue templates:

  • “Microservice sandbox” — App Service + SQL Database + Redis Cache
  • “Full-stack dev” — AKS cluster + ACR + PostgreSQL + Storage Account
  • “Data pipeline” — Event Hub + Stream Analytics + Cosmos DB

Guardrails:

  • Dev environments limited to B-series VMs (cost control)
  • Auto-delete after 7 days of inactivity
  • All resources tagged with owner and project automatically

Developer experience: Avery (dev lead) needs a new environment for a feature branch. She opens the Azure Developer CLI, picks “Microservice sandbox,” names it feature-payments, and has a running environment in 8 minutes. When the feature merges, the environment auto-deletes after 7 idle days.

This eliminates the “wait 3 days for infra team to provision an environment” bottleneck while maintaining cost and compliance guardrails.

Question

What is Azure Deployment Environments and who is it designed for?

Click or press Enter to reveal answer

Answer

Azure Deployment Environments provides developer self-service infrastructure provisioning with guardrails. Platform engineers define approved templates in a catalogue (Bicep/Terraform stored in Git). Developers create environments from those templates on demand. Guardrails (policies, resource limits, auto-delete) keep costs and compliance in check. It bridges the gap between developer agility and platform governance.

Click to flip back

Comprehensive IaC Comparison

Use the right tool for the right layer — do not use Bicep for OS configuration or DSC for resource provisioning
ToolLayerScopeStateBest For
ARM TemplatesResource provisioningAzure onlyAzure manages stateLegacy templates, maximum compatibility
BicepResource provisioningAzure onlyAzure manages stateNew Azure-only projects, clean syntax
TerraformResource provisioningMulti-cloudExternal state fileMulti-cloud environments, existing Terraform teams
Automation DSCOS configurationWindows VMsAutomation accountExisting DSC investments, Windows-only shops
Machine ConfigurationOS configurationWindows + Linux (Azure and Arc)Azure PolicyModern config management, cross-platform, compliance
Deployment EnvironmentsSelf-service provisioningAzureDev CenterDeveloper self-service with governance guardrails
Knowledge Check

Dr. Amira's government client requires that all Windows VMs have TLS 1.2 enabled and that any drift is automatically corrected. The solution must report compliance through Azure Policy. Which tool should Amira recommend?
Knowledge Check

Jordan wants to enable developers to create their own test environments from approved templates without involving the platform team. Environments should auto-delete after 7 days of inactivity. What should Jordan implement?
Knowledge Check

Which configuration mode should you use for an initial rollout where you want to apply the desired state and monitor for drift WITHOUT automatically fixing it?

🎬 Video coming soon

Desired State Configuration and Deployment Environments

Next up: Pipeline Maintenance: Health, Migration and Retention

← Previous

Infrastructure as Code: ARM vs Bicep vs Terraform

Next →

Pipeline Maintenance: Health, Migration & Retention

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.