AZ-500 Question #22: Real Exam Question with Answer & Explanation
The correct answer is B: an Azure Active Directory (Azure AD) role assignment.
Question
You are configuring an Azure Kubernetes Service (AKS) cluster that will connect to an Azure Container Registry. You need to use the auto-generated service principal to authenticate to the Azure Container Registry. What should you create?
Options
- A. an Azure Active Directory (Azure AD) group
- B. an Azure Active Directory (Azure AD) role assignment
- C. an Azure Active Directory (Azure AD) user
- D. a secret in Azure Key Vault
Explanation
Creating an Azure AD role assignment grants the AKS cluster's auto-generated service principal the necessary permissions (specifically the AcrPull role) to authenticate and pull images from the Azure Container Registry - this is the standard, built-in RBAC mechanism for authorizing one Azure resource to access another. An Azure AD group (A) is used to organize users or service principals together, but simply creating a group doesn't grant any access permissions to the registry. An Azure AD user (C) represents a human identity and is irrelevant here since AKS uses a service principal, not a user account, for automated authentication. Azure Key Vault (D) is used for storing secrets and credentials, but AKS-to-ACR authentication via a service principal relies on RBAC role assignments, not manually stored secrets.
🧠 Memory Tip: Think "Role = Permission." Whenever you need one Azure service to access another, you assign a role to its identity - just remember the phrase: "Grant the SP the AcrPull role." If it's about access control between Azure services, a role assignment is almost always the answer.