{
	"id": "12cb2b36-0a9c-4427-98ad-4ac7a21b8448",
	"created_at": "2026-04-06T00:09:31.117333Z",
	"updated_at": "2026-04-10T03:21:19.576764Z",
	"deleted_at": null,
	"sha1_hash": "ba388bc2e5955eea3194b1169be60274fb084161",
	"title": "Enable AKS-managed Microsoft Entra integration on an Azure Kubernetes Service cluster - Azure Kubernetes Service",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 89205,
	"plain_text": "Enable AKS-managed Microsoft Entra integration on an Azure\r\nKubernetes Service cluster - Azure Kubernetes Service\r\nBy davidsmatlak\r\nArchived: 2026-04-05 23:48:18 UTC\r\nEnable AKS-managed Microsoft Entra integration for Kubernetes clusters with\r\nkubelogin\r\nThe AKS-managed Microsoft Entra integration simplifies the Microsoft Entra integration process. Previously, you\r\nwere required to create a client and server app, and the Microsoft Entra tenant had to assign Directory Readers\r\nrole permissions. Now, the Azure Kubernetes Service (AKS) resource provider manages the client and server apps\r\nfor you.\r\nCluster administrators can configure Kubernetes role-based access control (Kubernetes RBAC) based on a user's\r\nidentity or directory group membership. Microsoft Entra authentication is provided to AKS clusters with OpenID\r\nConnect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. For more information on\r\nOpenID Connect, see the OpenID Connect documentation.\r\nLearn more about the Microsoft Entra integration flow in the Microsoft Entra documentation.\r\nThe following are constraints to integrate authentication on AKS:\r\nIntegration can't be disabled after being added.\r\nDowngrades from an integrated cluster to the legacy Microsoft Entra ID clusters aren't supported.\r\nClusters without Kubernetes RBAC support are unable to add the integration.\r\nTo install the AKS addon, verify you have the following items:\r\nYou have Azure CLI version 2.29.0 or later installed and configured. To find the version, run the az --version command. If you need to install or upgrade, see Install Azure CLI.\r\nYou need kubectl with a minimum version of 1.18.1 or kubelogin. With the Azure CLI and the Azure\r\nPowerShell module, these two commands are included and automatically managed. Meaning, they're\r\nupgraded by default and running az aks install-cli isn't required or recommended. 
If you're using an\r\nautomated pipeline, you need to manage upgrades for the correct or latest version. The difference between\r\nthe minor versions of Kubernetes and kubectl shouldn't be more than one version. Otherwise,\r\nauthentication issues occur on the wrong version.\r\nIf you're using helm, you need a minimum version of helm 3.3.\r\nThis configuration requires you have a Microsoft Entra group for your cluster. This group is registered as\r\nan admin group on the cluster to grant admin permissions. If you don't have an existing Microsoft Entra\r\ngroup, you can create one using the az ad group create command.\r\nhttps://learn.microsoft.com/en-us/azure/aks/managed-aad\r\nPage 1 of 5\n\nNote\r\nMicrosoft Entra integrated clusters using a Kubernetes version newer than version 1.24 automatically use the\r\nkubelogin format. Beginning with Kubernetes version 1.24, the default format of the clusterUser credential\r\nfor Microsoft Entra ID clusters is exec, which requires kubelogin binary in the execution PATH. There's no\r\nbehavior change for non-Microsoft Entra clusters, or Microsoft Entra ID clusters running a version older than\r\n1.24. Existing downloaded kubeconfig continues to work. An optional query parameter format is included\r\nwhen getting clusterUser credential to overwrite the default behavior change. You can explicitly specify format\r\nto azure if you need to maintain the old kubeconfig format.\r\n1. Create an Azure resource group using the az group create command.\r\naz group create --name myResourceGroup --location centralus\r\n2. 
Create an AKS cluster and enable administration access for your Microsoft Entra group using the az aks\r\ncreate command.\r\naz aks create \\\r\n --resource-group myResourceGroup \\\r\n --name myManagedCluster \\\r\n --enable-aad \\\r\n --aad-admin-group-object-ids \u003cid\u003e \\\r\n --aad-tenant-id \u003cid\u003e \\\r\n --generate-ssh-keys\r\nA successful creation of an AKS-managed Microsoft Entra ID cluster has the following section in the\r\nresponse body.\r\n\"AADProfile\": {\r\n \"adminGroupObjectIds\": [\r\n \"aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb\"\r\n ],\r\n \"clientAppId\": null,\r\n \"managed\": true,\r\n \"serverAppId\": null,\r\n \"serverAppSecret\": null,\r\n \"tenantId\": \"aaaabbbb-0000-cccc-1111-dddd2222eeee\"\r\n}\r\nEnable AKS-managed Microsoft Entra integration on your existing Kubernetes RBAC enabled cluster using the\r\naz aks update command. Make sure to set your admin group to keep access on your cluster.\r\naz aks update \\\r\n --resource-group MyResourceGroup \\\r\n --name myManagedCluster \\\r\n --enable-aad \\\r\n --aad-admin-group-object-ids \u003cid-1\u003e,\u003cid-2\u003e \\\r\n --aad-tenant-id \u003cid\u003e\r\nA successful activation of an AKS-managed Microsoft Entra ID cluster has the following section in the response\r\nbody:\r\n\"AADProfile\": {\r\n \"adminGroupObjectIds\": [\r\n \"aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb\"\r\n ],\r\n \"clientAppId\": null,\r\n \"managed\": true,\r\n \"serverAppId\": null,\r\n \"serverAppSecret\": null,\r\n \"tenantId\": \"aaaabbbb-0000-cccc-1111-dddd2222eeee\"\r\n}\r\nIf your cluster uses legacy Microsoft Entra integration, you can upgrade to AKS-managed Microsoft Entra\r\nintegration through the az aks update command.\r\nWarning\r\nFree tier clusters might experience API server downtime during the upgrade. We recommend upgrading during\r\nyour nonbusiness hours. After the upgrade, the kubeconfig content changes. 
You need to run az aks get-credentials --resource-group \u003cAKS resource group name\u003e --name \u003cAKS cluster name\u003e to merge the new\r\ncredentials into the kubeconfig file.\r\naz aks update \\\r\n --resource-group myResourceGroup \\\r\n --name myManagedCluster \\\r\n --enable-aad \\\r\n --aad-admin-group-object-ids \u003cid\u003e \\\r\n --aad-tenant-id \u003cid\u003e\r\nA successful migration of an AKS-managed Microsoft Entra ID cluster has the following section in the response\r\nbody:\r\n\"AADProfile\": {\r\n \"adminGroupObjectIds\": [\r\n \"aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb\"\r\n ],\r\n \"clientAppId\": null,\r\n \"managed\": true,\r\n \"serverAppId\": null,\r\n \"serverAppSecret\": null,\r\n \"tenantId\": \"aaaabbbb-0000-cccc-1111-dddd2222eeee\"\r\n}\r\n1. Get the user credentials to access your cluster using the az aks get-credentials command.\r\naz aks get-credentials --resource-group myResourceGroup --name myManagedCluster\r\n2. Follow your sign-in instructions.\r\n3. Set kubelogin to use the Azure CLI.\r\nkubelogin convert-kubeconfig -l azurecli\r\n4. View the nodes in the cluster with the kubectl get nodes command.\r\nkubectl get nodes\r\nThere are some non-interactive scenarios that don't support kubectl. In these cases, use kubelogin to connect\r\nto the cluster with a non-interactive service principal credential to perform continuous integration pipelines.\r\nNote\r\nMicrosoft Entra integrated clusters using a Kubernetes version newer than version 1.24 automatically use the\r\nkubelogin format. Beginning with Kubernetes version 1.24, the default format of the clusterUser credential\r\nfor Microsoft Entra ID clusters is exec, which requires kubelogin binary in the execution PATH. There's no\r\nbehavior change for non-Microsoft Entra clusters, or Microsoft Entra ID clusters running a version older than\r\n1.24. Existing downloaded kubeconfig continues to work. 
An optional query parameter format is included\r\nwhen getting clusterUser credential to overwrite the default behavior change. You can explicitly specify format\r\nto azure if you need to maintain the old kubeconfig format.\r\nWhen getting the clusterUser credential, you can use the format query parameter to overwrite the default\r\nbehavior. You can set the value to azure to use the original kubeconfig format:\r\naz aks get-credentials --format azure\r\nIf your Microsoft Entra integrated cluster uses Kubernetes version 1.24 or lower, you need to manually convert the\r\nkubeconfig format.\r\nexport KUBECONFIG=/path/to/kubeconfig\r\nkubelogin convert-kubeconfig\r\nIf you receive the message error: The Azure auth plugin has been removed., you need to run the command\r\nkubelogin convert-kubeconfig to convert the kubeconfig format manually. For more information, see Azure\r\nKubelogin Known Issues.\r\nImportant\r\nThe step described in this section suggests an alternative authentication method compared to the normal Microsoft\r\nEntra group authentication. Use this option only in an emergency.\r\nIf you lack administrative access to a valid Microsoft Entra group, you can follow this workaround. Sign in with\r\nan account that is a member of the Azure Kubernetes Service Cluster Admin role and grant your group or tenant\r\nadmin credentials to access your cluster.\r\nLearn about Microsoft Entra integration with Kubernetes RBAC.\r\nLearn more about AKS and Kubernetes identity concepts.\r\nLearn how to use kubelogin for all supported Microsoft Entra authentication methods in AKS.\r\nUse Azure Resource Manager templates to create AKS-managed Microsoft Entra ID enabled clusters.\r\nSource: https://learn.microsoft.com/en-us/azure/aks/managed-aad",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://learn.microsoft.com/en-us/azure/aks/managed-aad"
	],
	"report_names": [
		"managed-aad"
	],
	"threat_actors": [],
	"ts_created_at": 1775434171,
	"ts_updated_at": 1775791279,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba388bc2e5955eea3194b1169be60274fb084161.pdf",
		"text": "https://archive.orkl.eu/ba388bc2e5955eea3194b1169be60274fb084161.txt",
		"img": "https://archive.orkl.eu/ba388bc2e5955eea3194b1169be60274fb084161.jpg"
	}
}