Exam AZ-104 topic 2 question 2 discussion

Answer is correct B Cluster administrators can configure Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol https://docs.microsoft.com/en-us/azure/aks/managed-aad

as of late 2023 / early 2024 Azure Kubernetes Service is NO LONGER part of the exam. This question is defunct. Please review the MS provided documentation regarding the AZ104 exam: https://learn.microsoft.com/en-us/credentials/certifications/resources/study-guides/az-104

related to Azure Active Directory (Azure AD) integration and identity federation.

You can only enable Azure Active Directory integration when you create your AKS cluster. It can't be added to an existing AKS cluster later. When you want to manage access to AKS using Azure AD identities, AKS must be integrated with Azure AD at the time of creation. If it's not integrated, you can’t use Azure AD users/groups to assign roles (e.g., viewer, contributor) at the Kubernetes level.

Azure AD integration must be enabled during AKS cluster creation.

Correct Answer: C. Recreate AKS1 AKS must be created with Azure AD integration enabled. This setting cannot be modified after creation. Azure AD integration for AKS must be enabled during cluster creation and cannot be added later. If it was not enabled, the only solution is to delete and recreate the AKS cluster with Azure AD authentication. After that, we can assign roles to Azure AD users to control access. Why is B Incorrect? - OAuth 2.0 authorization endpoints are used for application authentication and API access control, not for granting users access to an AKS cluster. - AKS integrates directly with Azure AD for authentication and role-based access control (RBAC). - If Azure AD authentication was not enabled during the AKS cluster creation, the only way to fix it is to recreate the cluster with Azure AD integration enabled.

Answer is correct B

If Azure AD integration was not initially enabled during the creation of AKS1, and the administrator is unable to grant access to contoso.com users, the cluster might lack proper Azure AD integration. However, if the cluster already has Azure AD integration configured, the issue is likely related to proper setup of RBAC or permissions in Azure AD. In this question, there is no explicit mention of whether Azure AD integration is already configured for the AKS cluster (AKS1). Therefore, we cannot assume it is enabled by default. Given the ambiguity of the question, the safest assumption is that Azure AD integration is not configured, as it aligns with the reported issue ("unable to grant access"). This scenario is more common and consistent with real-world problems. Without explicit information stating that Azure AD integration is enabled, the correct action is to: C. Recreate AKS1.

according to the official Microsoft Learn page, the Azure Kubernetes Service (AKS) is no longer part of the AZ-104 Azure Administrator certification exam as of late 2023. The current exam objectives focus on managing Azure identities and governance, implementing and managing storage, deploying and managing Azure compute resources, implementing and managing virtual networking, and monitoring and maintaining Azure resources. For the most up-to-date information and exam preparation resources, you can refer to the official AZ-104 certification page on Microsoft Learn: [Microsoft Certified: Azure Administrator Associate](https://learn.microsoft.com/en-us/credentials/certifications/azure-administrator/).

Azure Kubernetes Service (AKS) does not allow enabling Azure Active Directory (Azure AD) integration on an existing cluster that was not originally configured with it. If the AKS cluster (AKS1) was created without Azure AD integration, you cannot simply enable it later. Instead, you must recreate the cluster with Azure AD integration enabled.

When an administrator is unable to grant access to an AKS cluster for users in an Azure Active Directory (Azure AD) tenant, it typically indicates that the AKS cluster was not configured with Azure AD integration when it was initially created. Azure AD integration must be enabled when the AKS cluster is created in order to manage access and authentication through Azure AD. If this integration was not enabled during the cluster's creation, users in the Azure AD tenant (in this case, contoso.com) cannot be assigned access. The only way to enable Azure AD integration after creation is to recreate the AKS cluster with the proper configuration.

C. When an administrator is unable to grant access to an AKS cluster for users in an Azure Active Directory (Azure AD) tenant, it typically indicates that the AKS cluster was not configured with Azure AD integration when it was initially created. Azure AD integration must be enabled when the AKS cluster is created in order to manage access and authentication through Azure AD. If this integration was not enabled during the cluster's creation, users in the Azure AD tenant (in this case, contoso.com) cannot be assigned access. The only way to enable Azure AD integration after creation is to recreate the AKS cluster with the proper configuration.

Correct Answer is C To ensure that access to the Azure Kubernetes Service (AKS) cluster can be granted to the users in your Azure Active Directory (Azure AD) tenant (contoso.com), you should first: C. Recreate AKS1. This is because, when you create an AKS cluster, you can specify the Azure AD integration settings. If it was not configured correctly to allow access to users from the contoso.com tenant during the initial setup, recreating the cluster with the correct Azure AD integration settings is necessary to resolve the access issue. Other options do not directly address the need for Azure AD integration with AKS.

You need to integrate Azure AD with AKS. This often requires modifying the organization relationships settings in Azure AD

Option A is the correct choice. By modifying the Organization relationships settings in the Azure AD tenant (contoso.com), you can establish the required connection between the Azure AD tenant and the AKS cluster. This configuration allows users in contoso.com to access and manage AKS resources. Here's a high-level overview of the steps involved in this process: Sign in to the Azure portal using an account with appropriate permissions in the contoso.com Azure AD tenant. Navigate to the Azure AD tenant (contoso.com) settings. Locate the Organization relationships settings and configure the necessary settings to establish the connection between Azure AD and AKS. Follow any additional prompts or steps provided during the configuration process. Once the Organization relationships settings are properly configured, the administrator should be able to grant access to AKS1 for the users in the contoso.com Azure AD tenant.

This one had me confused between B and C, asking the Bing AI resulted in the following: The question does leave out some important details that would help determine the most appropriate answer. For instance, it doesn’t specify whether Azure RBAC is enabled on the AKS cluster. If Azure RBAC is not enabled, then the cluster would need to be recreated with Azure RBAC enabled (Option C). However, if Azure RBAC is already enabled and the cluster is integrated with Azure AD, then creating an OAuth 2.0 authorization endpoint could be a valid first step (Option B). The question also doesn’t specify whether the users are part of the same Azure AD tenant as the AKS cluster or if they are external users. If they are external users, additional steps might be needed to grant them access to the AKS cluster.

A. This is because Azure Active Directory needs to be properly configured to grant access to AKS1. Modifying the organization relationships settings can help resolve issues related to user access.