Microsoft DevOps Engineer Expert AZ-400 Practice Question

Storing a personal access token (PAT) that is scoped only to Work Item (read and write) operations inside an Azure Key Vault-backed variable group meets all the stated requirements. A PAT is a non-interactive credential that the script can pass in the Authorization header when calling the Azure DevOps REST API. Because the PAT is stored as a secret variable, it is never embedded in the container image or source code. Revoking or rotating the PAT affects only this pipeline, leaving other pipelines unaffected.

The System.AccessToken is automatically generated for every job and provides the build identity permissions granted to the project. Although it avoids interactive sign-in, it cannot be individually revoked without disabling the pipeline or modifying project-level permissions for the build service account, so it fails the revocation requirement. While you can authenticate with a Microsoft Entra ID application using OAuth 2.0, this method adds more complexity than necessary for this scenario, requiring the setup of an App Registration and managing its permissions in Azure DevOps. The PAT approach is more direct. An Azure Resource Manager service connection authenticates against Azure resources and has no authority over Azure DevOps work item endpoints, so it is not relevant to the scenario.