AZ-400 domain - 13% of the exam

Develop a Security and Compliance Plan

Develop a Security and Compliance Plan is 13% of the Designing and Implementing Microsoft DevOps Solutions (AZ-400) exam. These are the objectives it covers, each with practice questions and worked explanations.

Objectives in this domain

Sample question from this domain

Free sample | Develop a Security and Compliance Plan | Difficulty: hard

A pipeline in "Azure Pipelines" deploys to an Azure subscription through an Azure Resource Manager service connection. A security review requires that the pipeline hold no long-lived credential that could be exported or leaked, while still authenticating to Microsoft Entra to obtain Azure access tokens. Which way of configuring the service connection meets the requirement?

  • A. Create the service connection using a Microsoft Entra service principal with a client secret, then store that secret in "Azure Key Vault" and have the pipeline read it at run time so it is never committed to the repository.
  • B. Create the service connection using workload identity federation so Azure DevOps presents an OpenID Connect token to Microsoft Entra and exchanges it for an access token, with no secret or certificate held on the connection. (Correct)
  • C. Create the service connection using a Microsoft Entra service principal authenticated with a certificate, and rotate the certificate automatically every ninety days so a leaked credential has a short useful lifetime.
  • D. Create the service connection from a personal access token scoped only to release management, and grant that token rights on the subscription so the pipeline authenticates without storing an Entra service principal secret.

Use workload identity federation on an Azure Resource Manager service connection to authenticate to Microsoft Entra without storing any long-lived secret. Workload identity federation configures a federated credential in Microsoft Entra that trusts tokens issued by Azure DevOps. At run time the service connection presents a short-lived OpenID Connect token and exchanges it for an Azure access token, so authentication succeeds without any client secret or certificate being stored on the connection.

Why A is wrong: Keeping the secret in a vault improves storage hygiene and is tempting, but a client secret is still a long-lived credential that can be exported, so it does not satisfy the no-stored-credential requirement.

Why B is correct: Workload identity federation lets the service connection exchange a short-lived OpenID Connect token for an Azure access token through a federated credential, so no secret or certificate is ever stored, meeting the requirement exactly.

Why C is wrong: Certificate credentials with rotation reduce exposure and look secure, but the certificate is still a long-lived secret stored against the connection, which is exactly the artefact the review wants eliminated.

Why D is wrong: A personal access token authenticates to Azure DevOps itself rather than to an Azure subscription, and it is still a long-lived secret, so it can neither perform the deployment nor satisfy the requirement.
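The explanation above describes two things: the federated credential in Entra that trusts tokens issued by Azure DevOps, and the run-time exchange of a short-lived OpenID Connect token for an Azure access token. The following Python script is an added illustration, not part of the exam page or any Microsoft code. It models the claim-level trust checks a federated credential imposes (issuer, subject, audience, expiry) and builds the form body of the client-credentials request that carries a JWT assertion instead of a client secret. The issuer and subject strings follow the format Azure DevOps uses for workload identity federation, but the organisation GUID, project and connection names, the client id and the token claims are all constructed placeholders, and the sample token is unsigned (a real one is signed by Azure DevOps and Entra verifies that signature).

```python
import base64
import json
from urllib.parse import urlencode

# Trust parameters of the federated credential on the Entra app registration.
# Issuer/subject follow the Azure DevOps federation format; the organisation
# GUID and the names inside the subject are constructed placeholders.
FEDERATED_CREDENTIAL = {
    "issuer": "https://vstoken.dev.azure.com/11111111-2222-3333-4444-555555555555",
    "subject": "sc://contoso-org/payments/prod-arm-connection",
    "audiences": ["api://AzureADTokenExchange"],
}

# Claims of the short-lived OIDC token the pipeline presents (constructed).
SAMPLE_CLAIMS = {
    "iss": FEDERATED_CREDENTIAL["issuer"],
    "sub": FEDERATED_CREDENTIAL["subject"],
    "aud": "api://AzureADTokenExchange",
    "iat": 1_700_000_000,
    "exp": 1_700_000_600,  # ten minutes: nothing here is worth exporting
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped token for the demo. A real Azure DevOps token is
    signed; the empty signature segment here is a deliberate simplification."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return the claims segment of a JWT (no signature verification)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def federated_trust_check(claims: dict, cred: dict, now: int) -> tuple:
    """Claim-level checks a federated credential imposes before Entra will
    mint an Azure access token: exact issuer and subject match, an accepted
    audience, and an unexpired token. Verifying the signature against the
    issuer's published keys is Entra's job and is not modelled here."""
    if claims.get("iss") != cred["issuer"]:
        return False, "issuer mismatch"
    if claims.get("sub") != cred["subject"]:
        return False, "subject mismatch"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in cred["audiences"] for a in auds):
        return False, "audience mismatch"
    if int(claims.get("exp", 0)) <= now:
        return False, "token expired"
    return True, "ok"


def build_token_exchange_body(client_id: str, oidc_token: str,
                              scope: str = "https://management.azure.com/.default") -> dict:
    """Form fields for the client-credentials grant with a JWT bearer
    assertion (RFC 7523). Note what is absent: no client_secret and no
    certificate; the short-lived assertion is the only credential sent."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": oidc_token,
        "scope": scope,
    }


def assertion_lifetime_seconds(claims: dict) -> int:
    """How long the presented assertion is usable at all."""
    return int(claims["exp"]) - int(claims["iat"])


if __name__ == "__main__":
    token = make_unsigned_jwt(SAMPLE_CLAIMS)
    claims = decode_claims(token)
    print(federated_trust_check(claims, FEDERATED_CREDENTIAL, now=SAMPLE_CLAIMS["iat"] + 30))
    body = build_token_exchange_body("00000000-0000-0000-0000-00000000abcd", token)  # placeholder id
    print(urlencode(body)[:80] + "...")
    print("assertion lifetime (s):", assertion_lifetime_seconds(claims))
```

The point the example makes against options A and C: the request body contains only an assertion whose lifetime is minutes, and the trust decision is pinned to a specific issuer and subject (one organisation, one project, one service connection), so there is no durable artefact on the connection to export or rotate. A token issued for a different service connection fails the subject check even if everything else about it is valid.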

Other domains in this exam

See also the AZ-400 cert hub, the study guide, and the cheat sheet.

Examworthy is not affiliated with or endorsed by Microsoft. Original, blueprint-aligned practice material only.