
AZ-500 Question #263: Real Exam Question with Answer & Explanation

The correct answer is C: groupMembershipClaims.

Submitted by suresh_in · Mar 6, 2026 · Secure identity and access

Question

You plan to create an Azure Kubernetes Service (AKS) cluster in an Azure subscription. The manifest of the registered server application is shown in the following exhibit. You need to ensure that the AKS cluster and Azure Active Directory (Azure AD) are integrated. Which property should you modify in the manifest?

Options

  • A. accessTokenAcceptedVersion
  • B. keyCredentials
  • C. groupMembershipClaims
  • D. acceptMappedClaims

Explanation

groupMembershipClaims must be modified (set to "All" or "SecurityGroup") in the server application manifest to enable AKS and Azure AD integration, because this property controls whether group membership information is included in the OAuth 2.0 access tokens - which AKS uses to authorize users based on their Azure AD group memberships.

Why the distractors are wrong:

  • accessTokenAcceptedVersion controls which version of the access token (v1 or v2) the application accepts, and does not affect group-based authorization in AKS.
  • keyCredentials relates to certificate-based credentials for the application, not to how group membership data flows into tokens.
  • acceptMappedClaims allows an application to use custom claims mapping without a custom signing key - it is unrelated to enabling group membership claims for AKS-AD integration.

Memory Tip: Think of groupMembershipClaims as the "guest list" - AKS needs to know which groups a user belongs to before granting access, and this property is what puts the group information on the token's "guest list." If it's not set, AKS can't see which AD groups the user is in, breaking the integration.
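A triage check for the failure the explanation describes, as an added example that is not part of the original question or any Microsoft code: it checks the manifest property first, then whether a token actually carries the `groups` claim. The manifests, tokens, object IDs and function names are constructed for illustration, tokens are decoded without signature verification (inspection only), and the overage branch (`_claim_names` replacing an inline list when a user has too many groups) goes beyond what the page covers.

```python
import base64
import json

# Values the explanation above names as enabling group claims.
ENABLING_VALUES = {"All", "SecurityGroup"}

def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for offline testing."""
    return f"{_b64url({'alg': 'none', 'typ': 'JWT'})}.{_b64url(claims)}."

def jwt_claims(token: str) -> dict:
    """Decode the payload segment for inspection only; no signature check."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(manifest: dict, token: str, required_group: str) -> str:
    """Return which stage blocks group-based authorization, or 'ok'."""
    if manifest.get("groupMembershipClaims") not in ENABLING_VALUES:
        return "manifest: groupMembershipClaims not enabled"
    claims = jwt_claims(token)
    if "groups" in claims.get("_claim_names", {}):
        # Overage: too many groups to inline, so the token points to a
        # directory lookup instead of listing the IDs.
        return "token: groups overage, resolve membership from the directory"
    groups = claims.get("groups")
    if not isinstance(groups, list):
        return "token: no groups claim"
    if required_group not in groups:
        return "authz: user is not in the required group"
    return "ok"

# Constructed sample data (hypothetical object IDs).
ADMINS = "11111111-1111-1111-1111-111111111111"
OTHER = "22222222-2222-2222-2222-222222222222"
DEFAULT_MANIFEST = {"groupMembershipClaims": None}
FIXED_MANIFEST = {"groupMembershipClaims": "SecurityGroup"}
TOKEN_NO_GROUPS = make_unsigned_token({"sub": "alice"})
TOKEN_WITH_GROUPS = make_unsigned_token({"sub": "alice", "groups": [ADMINS]})
TOKEN_OVERAGE = make_unsigned_token(
    {"sub": "alice", "_claim_names": {"groups": "src1"}})

if __name__ == "__main__":
    for m, t in [(DEFAULT_MANIFEST, TOKEN_NO_GROUPS), (FIXED_MANIFEST, TOKEN_NO_GROUPS),
                 (FIXED_MANIFEST, TOKEN_OVERAGE), (FIXED_MANIFEST, TOKEN_WITH_GROUPS)]:
        print(diagnose(m, t, ADMINS))
```

A token issued before the manifest was changed still lacks the claim, so the second stage can fail even when the first passes; the user has to obtain a fresh token.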

Topics

#AKS Integration · #Azure AD · #RBAC · #Application Manifest
