remove default flag --enable-managed-identity for az aks create calls

Author: tamram

articles/aks/configure-kubenet.md

@@ -254,14 +254,13 @@ You need to use the subnet ID for where you plan to deploy your AKS cluster. Thi
     az network vnet subnet list --resource-group myResourceGroup --vnet-name myAKSVnet [--subscription]
     ```
 
-2. Create an AKS cluster with a custom subnet pre-configured with a route table using the [`az aks create`][az-aks-create] command and providing your values for the `--vnet-subnet-id`, `--enable-managed-identity`, and `--assign-identity` parameters.
+2. Create an AKS cluster with a custom subnet pre-configured with a route table using the [`az aks create`][az-aks-create] command and providing your values for the `--vnet-subnet-id` and `--assign-identity` parameters.
 
     ```azurecli-interactive
     az aks create \
         --resource-group myResourceGroup \
         --name myManagedCluster \
         --vnet-subnet-id mySubnetIDResourceID \
-        --enable-managed-identity \
         --assign-identity controlPlaneIdentityResourceID \
         --generate-ssh-keys
     ```

articles/aks/cost-analysis.md

@@ -83,7 +83,13 @@ You can enable the cost analysis with the `--enable-cost-analysis` flag during o
 The following example creates a new AKS cluster in the `Standard` tier with cost analysis enabled:
 
 ```azurecli-interactive
-az aks create --resource-group <resource-group> --name <cluster-name> --location <location> --enable-managed-identity --generate-ssh-keys --tier standard --enable-cost-analysis
+az aks create \
+    --resource-group <resource-group> \
+    --name <cluster-name> \
+    --location <location> \
+    --tier standard \
+    --enable-cost-analysis \
+    --generate-ssh-keys
 ```
 
 The following example updates an existing AKS cluster in the `Standard` tier to enable cost analysis:

articles/aks/csi-secrets-store-driver.md

@@ -42,7 +42,7 @@ A container using *subPath volume mount* doesn't receive secret updates when it'
     az group create --name myResourceGroup --location eastus2
     ```
 
-2. Create an AKS cluster with Azure Key Vault provider for Secrets Store CSI Driver capability using the [`az aks create`][az-aks-create] command with the --enable-managed-identity parameter and the `--enable-addons azure-keyvault-secrets-provider` parameter. The add-on creates a user-assigned managed identity you can use to authenticate to your key vault. The following example creates an AKS cluster with the Azure Key Vault provider for Secrets Store CSI Driver enabled.
+2. Create an AKS cluster with Azure Key Vault provider for Secrets Store CSI Driver capability using the [`az aks create`][az-aks-create] command with the `--enable-addons azure-keyvault-secrets-provider` parameter. The add-on creates a user-assigned managed identity you can use to authenticate to your key vault. The following example creates an AKS cluster with the Azure Key Vault provider for Secrets Store CSI Driver enabled.
 
     > [!NOTE]
     > If you want to use Microsoft Entra Workload ID, you must also use the `--enable-oidc-issuer` and `--enable-workload-identity` parameters, such as in the following example:
@@ -52,7 +52,11 @@ A container using *subPath volume mount* doesn't receive secret updates when it'
     > ```
 
     ```azurecli-interactive
-    az aks create --name myAKSCluster --resource-group myResourceGroup --enable-managed-identity --enable-addons azure-keyvault-secrets-provider --generate-ssh-keys
+    az aks create \
+        --name myAKSCluster \
+        --resource-group myResourceGroup \
+        --enable-addons azure-keyvault-secrets-provider \
+        --generate-ssh-keys
     ```
 
 3. The previous command creates a user-assigned managed identity, `azureKeyvaultSecretsProvider`, to access Azure resources. The following example uses this identity to connect to the key vault that stores the secrets, but you can also use other [identity access methods][identity-access-methods]. Take note of the identity's `clientId` in the output.

articles/aks/howto-deploy-java-quarkus-app.md

@@ -273,8 +273,7 @@ az aks create \
     --name $CLUSTER_NAME \
     --attach-acr $REGISTRY_NAME \
     --node-count 1 \
-    --generate-ssh-keys \
-    --enable-managed-identity
+    --generate-ssh-keys
 ```
 
 After a few minutes, the command completes and returns JSON-formatted information about the cluster, including the following output:

articles/aks/limit-egress-traffic.md

@@ -309,16 +309,18 @@ If you don't have user-assigned identities, follow the steps in this section. If
 
 #### Create an AKS cluster with your existing identities
 
-Create an AKS cluster with your existing identities in the subnet using the [`az aks create`][az-aks-create] command, provide the resource ID of the managed identity for the control plane by including the `assign-kubelet-identity` argument.
+Create an AKS cluster with your existing user-assigned managed identities in the subnet using the [`az aks create`][az-aks-create] command. Provide the resource ID of the managed identity for the control plane and the resource ID of the kubelet identity.
 
 ```azurecli-interactive
-az aks create --resource-group $RG --name $AKSNAME --location $LOC \
+az aks create \
+    --resource-group $RG \
+    --name $AKSNAME \
+    --location $LOC \
     --node-count 3 \
     --network-plugin kubenet \
     --outbound-type userDefinedRouting \
     --vnet-subnet-id $SUBNETID \
     --api-server-authorized-ip-ranges $FWPUBLIC_IP
-    --enable-managed-identity \
     --assign-identity <identity-resource-id> \
     --assign-kubelet-identity <kubelet-identity-resource-id> \
     --generate-ssh-keys    

articles/aks/manage-node-pools.md

@@ -269,12 +269,16 @@ As your workload demands change, you can associate existing capacity reservation
 
 * You can also assign the user-managed identity on an existing managed cluster with update command.
 
-  ```azurecli-interactive
-    az aks update --resource-group $RG_NAME --name $CLUSTER_NAME --location $LOCATION \
-            --node-vm-size $VM_SKU --node-count $NODE_COUNT \
-            --assign-identity $IDENTITY_ID --enable-managed-identity         
-  ```
-
+    ```azurecli-interactive
+    az aks update \
+        --resource-group $RG_NAME \
+        --name $CLUSTER_NAME \
+        --location $LOCATION \
+        --node-vm-size $VM_SKU \
+        --node-count $NODE_COUNT \
+        --assign-identity $IDENTITY_ID         
+    ```
+    
 ### Associate an existing capacity reservation group with a node pool
 
 Associate an existing capacity reservation group with a node pool using the [`az aks nodepool add`][az-aks-nodepool-add] command and specify a capacity reservation group with the `--crg-id` flag. The following example assumes you have a CRG named "myCRG".

articles/aks/monitor-control-plane-metrics.md

@@ -63,15 +63,15 @@ az provider register --namespace "Microsoft.ContainerService"
 
 ## Enable control plane metrics on your AKS cluster
 
-You can enable control plane metrics with the Azure Monitor managed service for Prometheus add-on during cluster creation or for an existing cluster. To collect Prometheus metrics from your Kubernetes cluster, see [Enable Prometheus and Grafana for Kubernetes clusters][enable-monitoring-kubernetes-cluster] and follow the steps on the **CLI** tab for an AKS cluster. On the command-line, be sure to include the parameters `--generate-ssh-keys` and `--enable-managed-identity`.
+You can enable control plane metrics with the Azure Monitor managed service for Prometheus add-on during cluster creation or for an existing cluster. To collect Prometheus metrics from your Kubernetes cluster, see [Enable Prometheus and Grafana for Kubernetes clusters][enable-monitoring-kubernetes-cluster] and follow the steps on the **CLI** tab for an AKS cluster.
 
 If your cluster already has the Prometheus addon deployed, then you can simply run an `az aks update` to ensure the cluster updates to start collecting control plane metrics.
 
 ```azurecli
-az aks update -n <cluster-name> -g <resource-group>
+az aks update --name <cluster-name> --resource-group <resource-group>
 ```
 
->[!NOTE]
+> [!NOTE]
 > Unlike the metrics collected from cluster nodes, control plane metrics are collected by a component which isn't part of the **ama-metrics** add-on. Enabling the `AzureMonitorMetricsControlPlanePreview` feature flag and the managed prometheus add-on ensures control plane metrics are collected. After enabling metric collection, it can take several minutes for the data to appear in the workspace.
 
 ## Querying control plane metrics

articles/aks/operator-best-practices-cluster-security.md

@@ -55,7 +55,7 @@ For more information about Microsoft Entra integration, Kubernetes RBAC, and Azu
 
 > [!NOTE]
 > To implement Network Policy, include the attribute `--network-policy azure` when creating the AKS cluster. Use the following command to create the cluster:
-> `az aks create -g myResourceGroup -n myManagedCluster --enable-managed-identity --network-plugin azure --network-policy azure --generate-ssh-keys`
+> `az aks create -g myResourceGroup -n myManagedCluster --network-plugin azure --network-policy azure --generate-ssh-keys`
 
 ```yaml
 apiVersion: networking.k8s.io/v1

articles/aks/use-group-managed-service-accounts.md

@@ -91,7 +91,6 @@ You can either [grant access to your key vault for the identity after cluster cr
 
 2. Create an AKS cluster using the [`az aks create`][az-aks-create] command with the following parameters:
 
-    * `--enable-managed-identity`: Enables managed identity for the cluster.
     * `--enable-windows-gmsa`: Enables GMSA for the cluster.
     * `--gmsa-dns-server`: The IP address of the DNS server.
     * `--gmsa-root-domain-name`: The root domain name of the DNS server.