
So hopefully you have seen my previous blog (Create Azure AD Server and Client apps using Azure CLI for an AKS deployment) where I created two Azure AD applications that are needed to create an AKS cluster with Azure AD integration.

Below I will go through the steps you will need to perform to create the AKS cluster.


You will need to have:

  • aad-server-app-id
  • aad-server-app-secret
  • aad-client-app-id
  • aad-tenant-id

Hopefully, you will have this stored safely. If you do not have it follow the blog post mentioned above first.

You will need Azure CLI version 2.0.76 or later. You can check which version you have by running az --version. You can use the Azure Cloud Shell to perform the actions below; the Cloud Shell should always have the latest version of the Azure CLI.

The account you are using to set up the Azure AD components will also need to be an Azure Tenant administrator.

Enough talk, let's start!

Time to deploy the cluster

First, you will need to create a resource group. You can do that by using the az group create command.

Now you will use the az aks create command to actually start the creation of the AKS cluster. This will create the AKS cluster with 2 nodes in a node pool, using VM Scale Sets (VMSS) and the default VM size of Standard_DS2_v2. You can read more about the available switches at

If you are following on from the blog post linked above then you will only have to change the resource group name to match the one you used above and the number of nodes you would like to have. If you are using the information you have stored previously then you will need to edit the below command to add your information in.

This can take some time, but once finished you should have something like the image below.

Now it's time to get the cluster-admin credentials using the az aks get-credentials command. This will allow you to connect to the AKS cluster using the admin credentials. Do not do this every time you need to connect. Below I will show you how to create the RBAC bindings that allow you to use your Azure AD credentials to log in to the AKS cluster.

Create RBAC Bindings

So, before you can actually use your Azure AD credentials to log in to your AKS cluster you need to create a cluster role binding. I recommend creating this for the user who is going to look after the whole cluster, which is probably you, the person setting it up.

First, you will need to get your User Principal Name (UPN). To do that you can use the az ad command. The command below will get the UPN of the signed-in user.

Now you need to create a YAML file which you will then apply to the AKS cluster. I recommend using Visual Studio Code for this. You will need to edit the YAML file to add your UPN on the last line.

Note: The UPN (email address) appears to be case sensitive.

It’s now time to apply the RBAC to your cluster. To do that you are going to use the kubectl apply -f command.

In your terminal window navigate to the location you have saved the YAML file. I have saved it in the root to make life easy. I have also called it RBAC.yaml.

Time to connect to the cluster

Finally, it's time to test that you can log in to the cluster using Azure AD. For this we are going to use the az aks get-credentials command again, but this time without --admin at the end.

Now that you have the AKS context set as the current one you can use the kubectl command to interact with the cluster. You should be asked to log in to Azure as well. So, if you use the below command it will ask you to log in via the browser and then give you a list of the Kubernetes nodes.

This will cache the authentication token for your AKS cluster. You will be prompted to sign in again when the token has expired or when your Kubernetes config file is re-created.
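The whole procedure above, collected into one script as an added example (not the post's own commands): the AAD_* environment variable names, the resource group, cluster name, location and binding name are assumptions, and the helpers are separated from the Azure calls so the manifest generation and the pre-flight check can be exercised without a subscription.

```shell
# Added example, not the original post's commands. Assumes the four Azure AD values
# from the previous post are exported as AAD_* variables; other names are placeholders.
set -eu
RESOURCE_GROUP="${RESOURCE_GROUP:-aks-aad-rg}"   # placeholder
CLUSTER_NAME="${CLUSTER_NAME:-aks-aad-cluster}"  # placeholder

# ClusterRoleBinding granting cluster-admin to one Azure AD user; the UPN is written
# exactly as given because the binding matches it case-sensitively.
make_rbac_yaml() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aad-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: $1
EOF
}

# Fail before any Azure call if one of the four values is empty, so a cluster is
# never created with a half-configured Azure AD integration.
check_aad_vars() {
  missing=0
  for v in AAD_SERVER_APP_ID AAD_SERVER_APP_SECRET AAD_CLIENT_APP_ID AAD_TENANT_ID; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "missing $v" >&2; missing=1; }
  done
  [ "$missing" -eq 0 ]
}

deploy() {
  check_aad_vars
  az group create --name "$RESOURCE_GROUP" --location uksouth --output none   # location: placeholder
  az aks create --resource-group "$RESOURCE_GROUP" --name "$CLUSTER_NAME" \
    --node-count 2 --vm-set-type VirtualMachineScaleSets --generate-ssh-keys \
    --aad-server-app-id "$AAD_SERVER_APP_ID" --aad-server-app-secret "$AAD_SERVER_APP_SECRET" \
    --aad-client-app-id "$AAD_CLIENT_APP_ID" --aad-tenant-id "$AAD_TENANT_ID"
  # The admin kubeconfig is used once, only to bootstrap the RBAC binding.
  az aks get-credentials --resource-group "$RESOURCE_GROUP" --name "$CLUSTER_NAME" --admin
  make_rbac_yaml "$(az ad signed-in-user show --query userPrincipalName --output tsv)" > RBAC.yaml
  kubectl apply -f RBAC.yaml
  # Replace the admin context with the Azure AD one; kubectl then prompts for browser sign-in.
  az aks get-credentials --resource-group "$RESOURCE_GROUP" --name "$CLUSTER_NAME" --overwrite-existing
  kubectl get nodes
}
if [ "${AKS_DEPLOY:-0}" = "1" ]; then deploy; fi   # only touch Azure when explicitly asked
```

Run it with AKS_DEPLOY=1 once the four AAD_* variables are set; without that flag it only defines the helpers.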

Well, there you have it, you have created an AKS cluster using the Azure CLI. I hope you found this article helpful. If you have any comments or questions please feel free to reach out using the usual methods or by leaving a comment below.


Pixel Robots.

I’m Richard Hooper aka Pixel Robots. I started this blog in 2016 for a couple reasons. The first reason was basically just a place for me to store my step by step guides, troubleshooting guides and just plain ideas about being a sysadmin. The second reason was to share what I have learned and found out with other people like me. Hopefully, you can find something useful on the site.

