AZ-500 Question #64: Real Exam Question with Answer & Explanation
Question
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a hybrid configuration of Azure Active Directory (Azure AD). You have an Azure HDInsight cluster on a virtual network. You plan to allow users to authenticate to the cluster by using their on-premises Active Directory credentials. You need to configure the environment to support the planned authentication.
Solution: You deploy Azure Active Directory Domain Services (Azure AD DS) to the Azure subscription.
Does this meet the goal?
Options
- A. Yes
- B. No
Explanation
Why B (No) is Correct: Deploying Azure AD DS alone does not meet the goal because Azure AD DS is a managed domain service that creates a new, separate domain in Azure - it does not extend or integrate directly with your on-premises Active Directory identities in a way that enables seamless on-premises credential authentication to HDInsight. For HDInsight to authenticate users using on-premises AD credentials in a hybrid scenario, you need to configure Azure AD Connect to sync on-premises identities to Azure AD, and then use Azure AD DS with a trust relationship, or more correctly, deploy HDInsight with Enterprise Security Package (ESP) joined directly to the on-premises AD domain using a site-to-site VPN or ExpressRoute connection.
Why A (Yes) is Wrong: Simply deploying Azure AD DS is insufficient on its own - it doesn't bridge on-premises Active Directory credentials to HDInsight without additional configuration steps, such as ensuring proper network connectivity (VPN/ExpressRoute) and identity synchronization via Azure AD Connect.
Memory Tip: Think of Azure AD DS as a cloud copy of a domain, not a bridge to your on-premises domain. For true hybrid authentication to HDInsight, remember the full chain: on-premises AD → Azure AD Connect → Azure AD → Azure AD DS + ESP + network connectivity.