MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

AAD Tenant-admin required or not when using AAD integration v2? #53378

Closed ezYakaEagle442 closed 4 years ago

ezYakaEagle442 commented 4 years ago

The doc states "Azure AD integration with AKS v2 is designed to simplify the Azure AD integration with AKS v1 experience, where users were required to create a client app, a server app, and required the Azure AD tenant to grant Directory Read permissions".

But could you please clarify explicitly whether it is still required to be an AAD tenant admin when using AAD integration v2?



mlearned commented 4 years ago

@TomGeske

TomGeske commented 4 years ago

@ezYakaEagle442: For AADv2 you don't need to be AAD tenant admin. What error message did you receive?

VikasPullagura-MSFT commented 4 years ago

@ezYakaEagle442 Thanks for your query. As Thomas mentioned, you don't need to be AAD tenant admin for AADv2. So, are you looking for more content in the document clarifying this, OR did you run into any issues trying this?

ezYakaEagle442 commented 4 years ago

I was looking for more content in the document clarifying this. I did not have any error message; it is just that the current config I have is obviously not supported:

I have created an AKS cluster in my MS internal subscription (private cluster with AAD v1 + MI enabled), while having SP + aad-server-app-id + client-app-id created in my VS subscription where I am tenant admin. Cluster creation went well, but I then hit the service deployment issue, not being able to provision a LB, due to a missing role assignment.

I plan to recreate my AKS cluster with AAD v2 as it does not require being a tenant admin.

TomGeske commented 4 years ago

AADv1 requires tenant admin privileges; AADv2 does not require tenant admin privileges.

The following section mentions that we cover the previously manual steps.

Azure AD integration with AKS v2 is designed to simplify the Azure AD integration with AKS v1 experience, where users were required to create a client app, a server app, and required the Azure AD tenant to grant Directory Read permissions. In the new version, the AKS resource provider manages the client and server apps for you.

The role assignments you call out are related to managed identity + CNI. There is a section talking about it: https://docs.microsoft.com/en-us/azure/aks/use-managed-identity

For creating and using your own VNet, static IP address, or attached Azure disk where the resources are outside of the MC_* resource group, use the PrincipalID of the cluster System Assigned Managed Identity to perform a role assignment. For more information on role assignment, see Delegate access to other Azure resources.

Permission grants to the cluster Managed Identity used by the Azure Cloud provider may take up to 60 minutes to populate.
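
The role assignment step TomGeske points to, written out as an added example (this is not code from the Azure docs, from AKS, or from anyone in this thread): it reads the PrincipalID of the cluster's system-assigned managed identity with the standard Azure CLI, then grants it Network Contributor scoped to a single VNet that lives outside the MC_* resource group. All resource names, the subscription ID, and the `APPLY_ROLE` switch are placeholders chosen for the example; the VNet-only scope is the assumed least-privilege choice rather than anything the docs prescribe.

```shell
#!/bin/sh
# Added example, not from the Azure docs or this thread: grant the AKS cluster's
# system-assigned managed identity the rights it needs on a VNet that lives
# outside the MC_* resource group, so the cloud provider can create the LB.
# Assumptions: Azure CLI installed and logged in; all names are placeholders.
set -eu

# PrincipalID of the cluster's system-assigned managed identity.
aks_identity_principal_id() {
  rg="$1"; cluster="$2"
  az aks show --resource-group "$rg" --name "$cluster" \
    --query identity.principalId -o tsv
}

# Resource ID of the VNet, used as the assignment scope (the VNet only, not the
# whole resource group or subscription).
vnet_scope() {
  sub="$1"; rg="$2"; vnet="$3"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s' \
    "$sub" "$rg" "$vnet"
}

# Assign Network Contributor to the identity at that scope. Per the Azure CLI
# help, passing the object ID together with the principal type avoids the
# propagation-latency errors seen for a newly created identity.
grant_network_contributor() {
  principal="$1"; scope="$2"
  az role assignment create \
    --assignee-object-id "$principal" \
    --assignee-principal-type ServicePrincipal \
    --role "Network Contributor" \
    --scope "$scope" -o none
}

# Count matching assignments at the scope; prints 1 once the grant is visible.
# The docs note that the cloud provider may take up to 60 minutes to see it.
check_assignment() {
  principal="$1"; scope="$2"
  az role assignment list --assignee "$principal" --scope "$scope" \
    --query "[?roleDefinitionName=='Network Contributor'] | length(@)" -o tsv
}

main() {
  # Placeholder values (constructed for this example).
  subscription="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
  cluster_rg="${AKS_RG:-rg-aks}"; cluster="${AKS_NAME:-aks-demo}"
  vnet_rg="${VNET_RG:-rg-network}"; vnet="${VNET_NAME:-vnet-hub}"

  principal=$(aks_identity_principal_id "$cluster_rg" "$cluster")
  scope=$(vnet_scope "$subscription" "$vnet_rg" "$vnet")
  grant_network_contributor "$principal" "$scope"
  echo "assignments visible now: $(check_assignment "$principal" "$scope")"
}

# Only act when explicitly asked, so sourcing this file is side-effect free.
if [ "${APPLY_ROLE:-0}" = 1 ]; then main; fi
```

Run it with `APPLY_ROLE=1 AKS_RG=... AKS_NAME=... VNET_RG=... VNET_NAME=... sh grant-vnet-role.sh`. If `check_assignment` prints 0 right after the grant, that is the propagation delay the docs mention, not a failed assignment; re-run the check later before retrying the service deployment.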

VikasPullagura-MSFT commented 4 years ago

@TomGeske, thanks for sharing more details.

@ezYakaEagle442 Hope the provided information is helpful.

We will now close this issue. If there are further questions regarding this, please tag me in a comment. I will reopen it and we will continue the discussion.