Exam AZ-400 topic 4 question 16 discussion

Actual exam question from Microsoft's AZ-400
Question #: 16
Topic #: 4

DRAG DROP
Your company has an Azure subscription named Subscription1. Subscription1 is associated to an Azure Active Directory tenant named contoso.com.
You need to provision an Azure Kubernetes Services (AKS) cluster in Subscription1 and set the permissions for the cluster by using RBAC roles that reference the identities in contoso.com.
Which three objects should you create in sequence? To answer, move the appropriate objects from the list of objects to the answer area and arrange them in the correct order.
Select and Place:

Suggested Answer:
Step 1: Create an AKS cluster
Step 2: a system-assigned managed identity
To create an RBAC binding, you first need to get the Azure AD Object ID.
1. Sign in to the Azure portal.
2. In the search field at the top of the page, enter Azure Active Directory.
3. Click Enter.
4. In the Manage menu, select Users.
5. In the name field, search for your account.
6. In the Name column, select the link to your account.
7. In the Identity section, copy the Object ID.


Step 3: an RBAC binding
Reference:
https://docs.microsoft.com/en-us/azure/developer/ansible/aks-configure-rbac
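
The binding in step 3, written as a Kubernetes manifest whose subjects are the Object IDs copied in step 7. This is an added example, not part of the original question or of the referenced Microsoft documentation; it assumes the cluster has Azure AD integration enabled, and the namespace `dev`, the role name `dev-viewer` and the two `<...>` placeholders are hypothetical.

```yaml
# Added example. All names and IDs below are placeholders, not values from the page.
# Namespace-scoped role: read-only access to workloads in the "dev" namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-viewer              # hypothetical role name
  namespace: dev                # hypothetical namespace
rules:
  - apiGroups: ["", "apps"]
    resources: ["pods", "pods/log", "services", "deployments"]
    verbs: ["get", "list", "watch"]
---
# Binding that ties the role to identities in the Azure AD tenant.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-viewer-aad          # hypothetical binding name
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev-viewer
subjects:
  # A single Azure AD user, identified by the Object ID copied in step 7.
  - kind: User
    apiGroup: rbac.authorization.k8s.io
    name: "<AAD_USER_OBJECT_ID>"
  # An Azure AD group, identified by the group's Object ID, so that
  # membership is managed in the directory rather than in the cluster.
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: "<AAD_GROUP_OBJECT_ID>"
```

Scoping the binding to a namespaced Role with read-only verbs keeps the grant narrower than binding the same identity to a cluster-wide role.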

Comments

Sylph
Highly Voted 4 years, 1 month ago
1. an application registration in contoso.com
2. a cluster
3. an RBAC binding
https://docs.microsoft.com/en-us/azure/aks/azure-ad-integration-cli
The new, improved way: https://docs.microsoft.com/en-us/azure/aks/managed-aad
upvoted 63 times
Beast_Hollow
4 years ago
Why, when you are creating the AKS cluster in the subscription that is tied to contoso.com?
upvoted 3 times
...
LeeVee
4 years ago
This is correct.
upvoted 2 times
...
yaziciali
4 years ago
it makes more sense
upvoted 2 times
...
rdemontis
3 years, 1 month ago
I think you are correct. The requirement is to allow AAD users from the contoso.com tenant to access the cluster. But to do this what do you need a system assigned managed identity for? These identities are automatically generated by the azure service and are used to allow the service itself to access other azure resources or any other service that supports AAD authentication. https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview#how-can-i-use-managed-identities-for-azure-resources You can find the solution (even if now it is a legacy solution) to allow AAD users to access the cluster in the following document: https://docs.microsoft.com/en-us/azure/aks/azure-ad-integration-cli
upvoted 3 times
rdemontis
3 years, 1 month ago
As we can see we need to create two app registrations, one for the Server and one for the Client component, on AAD before creating the cluster. The same thing is stated in the link provided in the examtopics explanation. https://docs.microsoft.com/en-us/azure/developer/ansible/aks-configure-rbac Just look at the section "Configure Azure AD for AKS authentication" and the yaml file used to create the cluster (section "aad_profile"). Clearly, you need to create the app registrations first. I think the answers proposed in the question are not precise because they specify the need for only one app registration. But since system-assigned managed identity doesn't make any sense in this context the correct answer is: 1. an application registration in contoso.com 2. a cluster 3. an RBAC binding
upvoted 6 times
...
...
...
JohnWix
Highly Voted 4 years ago
I think the answer provided is correct. You don't need to register an application in Contoso.com
upvoted 40 times
noussa
4 years ago
That's my opinion too
upvoted 4 times
...
...
Mattt
Most Recent 7 months ago
The given answer is correct
upvoted 2 times
...
[Removed]
10 months, 3 weeks ago
This is correct.
upvoted 2 times
...
vsvaid
1 year, 4 months ago
Agree with suggested answer
-- Create Cluster
-- Create Managed identity
-- Assign required RBAC
upvoted 4 times
...
KumaTed
1 year, 10 months ago
When you use a system-assigned managed identity, there should be only two steps:
1. a cluster
2. an RBAC binding
Managed identities are the recommended way to authenticate with other resources in Azure, and are the default authentication method for your AKS cluster. https://learn.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli
A system-assigned managed identity is automatically created when you create an AKS cluster. https://learn.microsoft.com/en-us/azure/aks/use-managed-identity

When you use a service principal, there should be three steps:
1. a cluster
2. an application registration in contoso.com
3. an RBAC binding
https://learn.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli
upvoted 4 times
Takj81
1 year, 6 months ago
This is correct.
upvoted 2 times
...
...
Cervezerg
1 year, 10 months ago
ChatGPT answer:
1) an application registration in contoso.com: First, you need to create an application registration (also known as a service principal) in the Azure Active Directory tenant contoso.com. This application registration represents the identity that will be used to authenticate and authorize access to the AKS cluster.
2) a cluster: Once you have the application registration in place, you can provision the AKS cluster in Subscription1. During the creation process, you will associate the cluster with the contoso.com Azure Active Directory tenant.
3) an RBAC binding: After the AKS cluster is provisioned, you need to set the permissions and access controls for the cluster using RBAC (Role-Based Access Control). RBAC allows you to define roles and assign them to specific users, groups, or service principals. In this step, you will create an RBAC binding that references the identities in contoso.com and grant them the appropriate roles and permissions for the AKS cluster.
upvoted 4 times
...
randomaccount123
2 years, 1 month ago
It is now recommended to use Managed Identities over Service Principals for AKS Clusters. Therefore the answer is correct.
upvoted 2 times
...
mohiniu
2 years, 2 months ago
https://www.youtube.com/watch?v=mulBa_No4hw&t=1s Explain RBAC on AKS
upvoted 1 times
...
syu31svc
2 years, 8 months ago
Given answer is correct and supported by provided link
upvoted 3 times
...
Mcelona
2 years, 11 months ago
In my opinion the answer is correct.
upvoted 3 times
...
darsh19
3 years, 4 months ago
1- AKS cluster
2- System assigned managed identity
3- RBAC binding
upvoted 9 times
...
frutos46
3 years, 5 months ago
It's correct
upvoted 2 times
...
ukkuru
3 years, 9 months ago
Please look at the options in the AKS cluster creation page:

Basics | Node pools | Authentication | Networking | Integrations | Tags | Review + create

Cluster infrastructure
The cluster infrastructure authentication specified is used by Azure Kubernetes Service to manage cloud resources attached to the cluster. This can be either a service principal or a system-assigned managed identity.
Authentication method: Service principal / System-assigned managed identity

Kubernetes authentication and authorization
Authentication and authorization are used by the Kubernetes cluster to control user access to the cluster as well as what the user may do once authenticated. Learn more about Kubernetes authentication
Role-based access control (RBAC): Enabled / Disabled
AKS-managed Azure Active Directory

Node pool OS disk encryption
By default, all disks in AKS are encrypted at rest with Microsoft-managed keys. For additional control over encryption, you can supply your own keys using a disk encryption set backed by an Azure Key Vault. The disk encryption set will be used to encrypt the OS disks for all node pools in the cluster. Learn more
upvoted 1 times
...
MaTaO
3 years, 10 months ago
I think the provided answer is correct. When you create AKS in the portal, in the Authentication tab you select either System-assigned managed identity or Service principal (for this step you need to create an app in AAD first), then set up RBAC below.
upvoted 3 times
...
amanp
3 years, 10 months ago
App registration is not required when setting up AKS. The given answer is correct.
upvoted 4 times
...