updated Deploy App section

Author: MGoedtel

articles/aks/workload-identity-deploy-cluster.md

@@ -140,13 +140,6 @@ az identity federated-credential create --name myfederatedIdentity --identity-na
 
 ## Deploy your application
 
-> [!IMPORTANT]
-> Ensure your application pods using workload identity have added the following label [azure.workload.identity/use: "true"] to your running pods/deployments, otherwise the pods will fail once restarted.
-
-```azurecli-interactive
-kubectl apply -f <your application>
-```
-
 When deploying your application pods, it should reference the service account created in the Create Kubernetes service account step. The following manifest demonstrates how to reference the account, specifically `metadata\namespace` and `spec\serviceAccountName` properties:
 
 ```yml
@@ -173,6 +166,25 @@ spec:
 EOF
 ```
 
+> [!IMPORTANT]
+> Ensure your application pods using workload identity have added the following label [azure.workload.identity/use: "true"] to your running pods/deployments, otherwise the pods will fail once restarted.
+
+```azurecli-interactive
+kubectl apply -f <your application>
+```
+
+To check whether all properties are injected properly by the webhook, use the [kubectl describe][kubectl-describe] command:
+
+```bash
+kubectl describe pod containerName
+```
+
+To verify that pod is able to get a token and access the resource, use the kubectl logs command:
+
+```bash
+kubectl logs containerName
+```
+
 ## Optional - Grant permissions to access Azure Key Vault
 
 This step is necessary if you need to access secrets, keys, and certificates that are mounted in Azure Key Vault from a pod. Perform the following steps to configure access with a managed identity. These steps assume you have an Azure Key Vault already created and configured in your subscription. If you don't have one, see [Create an Azure Key Vault using the Azure CLI][create-key-vault-azure-cli].