Exam AZ-500 topic 1 question 20 discussion

correct answer

i think its B as it wold need an RBAC role instead AAD role

Hey everyone, just to clarify this question is correct as written. AKS does not get AcrPull permission by default when using a service principal, unless you explicitly grant it. This solution says: "You create an Azure Active Directory (Azure AD) role assignment." That means you manually assign the required role (like AcrPull) to the auto-generated service principal, so that AKS can pull images from the Azure Container Registry. So yes, this meets the goal. Correct answer: A. Yes Hope that helps!

The answer is B, but not because of that. The Microsoft Entra group will attach the AcrPull permission automatically, completing RBAC. The reason why the answer is No is because the authentication is done automatically, you don't have to create any roles. You just need to attach the service (AKS) to the container (ACR)

No, the solution does not meet the goal. To ensure that the Azure Kubernetes Service (AKS) cluster can authenticate to the Azure Container Registry using the auto-generated service principal, you need to assign the AcrPull role to the service principal associated with the AKS cluster. Creating an Azure Active Directory (Azure AD) role assignment alone does not automatically configure the necessary permissions for the AKS cluster to pull images from the Azure Container Registry.

Answer: B, No Reason: Creating an Azure AD role assignment alone does not enable AKS to authenticate to ACR using the auto-generated service principal. Instead, you need to grant the AKS-generated service principal the appropriate permissions on the ACR using the AcrPull role. This allows AKS to pull images from the ACR without additional configuration. Reference: https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli#create-a-new-aks-cluster-with-acr-integration

A service principal is recommended in several Kubernetes scenarios to pull images from an Azure container registry. With Azure Kubernetes Service (AKS), you can also use an automated mechanism to authenticate with a target registry by enabling the cluster's managed identity.

b is correct

In Azure Active Directory (Azure AD), if another administrator or non-administrator needs to manage Azure AD resources, you assign them an Azure AD role that provides the permissions they need. For example, you can assign roles to allow adding or changing users, resetting user passwords, managing user licenses, or managing domain names. This article lists the Azure AD built-in roles you can assign to allow management of Azure AD resources. For information about how to assign roles, see Assign Azure AD roles to users. If you are looking for roles to manage Azure resources, see Azure built-in roles.

The answer is No. When an AKS cluster is created, Azure automatically generates a service principal to facilitate interactions with other Azure resources, including ACR. This auto-generated service principal can be directly used for authenticating the AKS cluster to the ACR registry. Therefore, creating an additional Azure AD role assignment is unnecessary as the auto-generated service principal already fulfills the authentication requirements. The proposed solution of creating an Azure AD role assignment adds complexity without providing any additional benefit, making it unnecessary and not meeting the goal efficiently. https://learn.microsoft.com/bs-latn-ba/azure/aks/cluster-container-registry-integration?tabs=azure-cli

Unless there's a typo in the question, B because it refers specifically to an "Azure AD role" which is not required here.

This should be usually done with Azure RBAC: az aks update -n myAKSCluster -g myResourceGroup --attach-acr <acr-name>

Obviously answer is B, why would anyone select A as it is related to role assigment

In Topic 3, question 16. You have the same question but to choose answer, there "Azure Active Directory (Azure AD) role assignment" is correct so answer is def A

Requires ACR-Pull which is an Azure RBAC Built in Role: https://learn.microsoft.com/bs-latn-ba/azure/role-based-access-control/built-in-roles#acrpull Answer is B

The AKS to ACR integration assigns the AcrPull role to the Microsoft Entra ID managed identity associated with the agent pool in your AKS cluster.

it's just a confusion between Azure AD roles and Azure RBAC but i think that to goal of this question is to make sure that the SPN should have a permission this is the goal and not the role/permission it self i think the answer is yes