
Commit 2a5c017

Merge pull request #223943 from schaffererin/aad-cluster-rolebinding
Adding same messaging from legacy docs that explains how to assign permissions based on whether the user is in the same Azure AD tenant
2 parents 75be56b + e666f47 commit 2a5c017

File tree

1 file changed

+2
-0
lines changed


articles/aks/azure-ad-rbac.md

Lines changed: 2 additions & 0 deletions
@@ -184,6 +184,8 @@ kubectl create namespace dev
184184

185185
> [!NOTE]
186186
> In Kubernetes, *Roles* define the permissions to grant, and *RoleBindings* apply them to desired users or groups. These assignments can be applied to a given namespace, or across the entire cluster. For more information, see [Using Kubernetes RBAC authorization][rbac-authorization].
187+
>
188+
> If the user you grant the Kubernetes RBAC binding for is in the same Azure AD tenant, assign permissions based on the *userPrincipalName (UPN)*. If the user is in a different Azure AD tenant, query for and use the *objectId* property instead.
187189
188190
3. Create a Role for the *dev* namespace, which grants full permissions to the namespace. In production environments, you can specify more granular permissions for different users or groups. Create a file named `role-dev-namespace.yaml` and paste the following YAML manifest:
189191
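Review bot: The added note tells the reader to "query for and use the *objectId* property" for a user in a different Azure AD tenant, but it does not say how that query is done, and it is placed between the namespace-creation step and step 3, which only creates the Role; the RoleBinding itself comes later in the procedure. Suggest either moving the note next to the step that creates the RoleBinding, or adding a pointer to that step and a short example of how the objectId is retrieved (for instance with `az ad user show`), so the reader is not left to find the identifier on their own. The phrasing "the user you grant the Kubernetes RBAC binding for" is also awkward; "the user you are granting the Kubernetes RBAC binding to" reads more cleanly.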
