Exam AZ-104 topic 2 question 2 discussion

Actual exam question from Microsoft's AZ-104
Question #: 2
Topic #: 2

You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com and an Azure Kubernetes Service (AKS) cluster named AKS1.
An administrator reports that she is unable to grant access to AKS1 to the users in contoso.com.
You need to ensure that access to AKS1 can be granted to the contoso.com users.
What should you do first?

  • A. From contoso.com, modify the Organization relationships settings.
  • B. From contoso.com, create an OAuth 2.0 authorization endpoint.
  • C. Recreate AKS1.
  • D. From AKS1, create a namespace.
Suggested Answer: B

Comments

AlleyC
Highly Voted 2 years, 6 months ago
Selected Answer: B
Answer is correct: B. Cluster administrators can configure Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. https://docs.microsoft.com/en-us/azure/aks/managed-aad
upvoted 72 times
FredFrom
1 month, 2 weeks ago
It does not address the specific issue described in the question, which is that the administrator is unable to grant access to the AKS cluster to users in contoso.com. The issue here is not about configuring authentication mechanisms like OAuth 2.0; it’s about ensuring that Azure AD integration is in place to allow access control for AKS. Correct Answer: C. Recreate AKS1
upvoted 1 times
tweedo
2 years, 4 months ago
This seems to be a correct answer in scope of listed answers, but please mind that AKS now supports direct integration with AAD, the method using OAuth 2.0 is considered legacy: https://docs.microsoft.com/en-us/azure/aks/azure-ad-integration-cli
upvoted 34 times
jackdryan
1 year, 9 months ago
B is correct
upvoted 2 times
18c2076
Highly Voted 8 months, 3 weeks ago
As of late 2023 / early 2024, Azure Kubernetes Service is NO LONGER part of the exam. This question is defunct. Please review the MS provided documentation regarding the AZ104 exam: https://learn.microsoft.com/en-us/credentials/certifications/resources/study-guides/az-104
upvoted 18 times
GlixRox
6 months ago
Glad you said this because I had never heard of this during my course.
upvoted 3 times
FredFrom
Most Recent 1 month, 2 weeks ago
Selected Answer: C
When an administrator is unable to grant access to an AKS cluster for users in an Azure Active Directory (Azure AD) tenant, it typically indicates that the AKS cluster was not configured with Azure AD integration when it was initially created. Azure AD integration must be enabled when the AKS cluster is created in order to manage access and authentication through Azure AD. If this integration was not enabled during the cluster's creation, users in the Azure AD tenant (in this case, contoso.com) cannot be assigned access. The only way to enable Azure AD integration after creation is to recreate the AKS cluster with the proper configuration.
upvoted 2 times
FredFrom
1 month, 2 weeks ago
C. When an administrator is unable to grant access to an AKS cluster for users in an Azure Active Directory (Azure AD) tenant, it typically indicates that the AKS cluster was not configured with Azure AD integration when it was initially created. Azure AD integration must be enabled when the AKS cluster is created in order to manage access and authentication through Azure AD. If this integration was not enabled during the cluster's creation, users in the Azure AD tenant (in this case, contoso.com) cannot be assigned access. The only way to enable Azure AD integration after creation is to recreate the AKS cluster with the proper configuration.
upvoted 1 times
loganvm
1 month, 3 weeks ago
Correct Answer is C. To ensure that access to the Azure Kubernetes Service (AKS) cluster can be granted to the users in your Azure Active Directory (Azure AD) tenant (contoso.com), you should first: C. Recreate AKS1. This is because, when you create an AKS cluster, you can specify the Azure AD integration settings. If it was not configured correctly to allow access to users from the contoso.com tenant during the initial setup, recreating the cluster with the correct Azure AD integration settings is necessary to resolve the access issue. Other options do not directly address the need for Azure AD integration with AKS.
upvoted 1 times
Chuong0810
2 months ago
Selected Answer: A
You need to integrate Azure AD with AKS. This often requires modifying the organization relationships settings in Azure AD.
upvoted 1 times
Andre369
2 months, 1 week ago
Selected Answer: A
Option A is the correct choice. By modifying the Organization relationships settings in the Azure AD tenant (contoso.com), you can establish the required connection between the Azure AD tenant and the AKS cluster. This configuration allows users in contoso.com to access and manage AKS resources. Here's a high-level overview of the steps involved in this process:
  • Sign in to the Azure portal using an account with appropriate permissions in the contoso.com Azure AD tenant.
  • Navigate to the Azure AD tenant (contoso.com) settings.
  • Locate the Organization relationships settings and configure the necessary settings to establish the connection between Azure AD and AKS.
  • Follow any additional prompts or steps provided during the configuration process.
Once the Organization relationships settings are properly configured, the administrator should be able to grant access to AKS1 for the users in the contoso.com Azure AD tenant.
upvoted 4 times
JonHanes
2 months, 1 week ago
This one had me confused between B and C; asking the Bing AI resulted in the following: The question does leave out some important details that would help determine the most appropriate answer. For instance, it doesn’t specify whether Azure RBAC is enabled on the AKS cluster. If Azure RBAC is not enabled, then the cluster would need to be recreated with Azure RBAC enabled (Option C). However, if Azure RBAC is already enabled and the cluster is integrated with Azure AD, then creating an OAuth 2.0 authorization endpoint could be a valid first step (Option B). The question also doesn’t specify whether the users are part of the same Azure AD tenant as the AKS cluster or if they are external users. If they are external users, additional steps might be needed to grant them access to the AKS cluster.
upvoted 2 times
SeMo0o0o0o
3 months ago
Selected Answer: B
B is correct
upvoted 1 times
Witbaas13
3 months, 2 weeks ago
A. This is because Azure Active Directory needs to be properly configured to grant access to AKS1. Modifying the organization relationships settings can help resolve issues related to user access.
upvoted 2 times
Nico1973
4 months, 3 weeks ago
To ensure that access to AKS1 can be granted to the users in the contoso.com Azure AD tenant, you should first: A. From contoso.com, modify the Organization relationships settings. Explanation: By modifying the Organization relationships settings in the contoso.com Azure AD tenant, you can establish the necessary trust relationships and permissions required for users in the tenant to access and manage resources, such as the AKS1 cluster. This step is essential for enabling user access and control over AKS1 within the Azure environment. Once the Organization relationships settings are appropriately configured, users in the contoso.com Azure AD tenant will be able to grant access to AKS1 effectively.
upvoted 2 times
Nico1973
4 months, 3 weeks ago
To ensure that access to AKS1 can be granted to the users in contoso.com, you should first select option A: From contoso.com, modify the Organization relationships settings. This action will allow you to establish the necessary connections and permissions between the Azure AD tenant (contoso.com) and the AKS cluster (AKS1), enabling users in contoso.com to access and manage AKS1 effectively.
upvoted 1 times
Lazylinux
6 months ago
Selected Answer: B
B is correct as per https://learn.microsoft.com/en-us/azure/aks/concepts-identity
upvoted 2 times
3c5adce
6 months, 3 weeks ago
D. From AKS1, create a namespace. To manage access to Azure Kubernetes Service (AKS) clusters effectively, namespaces are used within Kubernetes to segment resources and provide a scope for access policies. By creating a namespace in AKS1, you can define Role-Based Access Control (RBAC) policies specifically for that namespace, which can then be used to grant appropriate permissions to users from the contoso.com Azure AD tenant. This is the first operational step in ensuring users can be granted access to specific parts of the AKS cluster without recreating the cluster or modifying authentication systems.
upvoted 2 times
trevax
3 months ago
However, by default, the default namespace is used in AKS. We can apply RBAC directly to this namespace, so creating a new one may not be necessary for access management.
upvoted 1 times
3c5adce
7 months, 1 week ago
ChatGPT says D: D. From AKS1, create a namespace. To grant access to the users in the contoso.com Azure AD tenant, you need to integrate AKS with Azure AD for authentication and authorization. One of the steps involved in this process is to create a Kubernetes namespace. Once the namespace is created, you can configure RBAC (Role-Based Access Control) to grant appropriate permissions to users and groups from the Azure AD tenant. Options A and B are not relevant to granting access to AKS. Option C, recreating AKS1, is not necessary as the existing AKS cluster can be configured to integrate with Azure AD for user access control. Therefore, option D is the correct first step to enable access for contoso.com users.
upvoted 3 times
trevax
3 months ago
True, but by default, the default namespace is used in AKS. We can apply RBAC directly to this namespace, so creating a new one may not be necessary for access management. Answer is still B, I think.
upvoted 1 times
Iron_Man_111
8 months, 2 weeks ago
Still confused between A and B. Can someone provide more reasons to go for A or B, whichever you feel is the correct answer?
upvoted 1 times
tashakori
8 months, 3 weeks ago
B is right
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other