Merge pull request #235294 from schaffererin/managedaadrearchitecture

Rearchitect AKS-enabled Azure AD integration doc

Author: v-shils

.openpublishing.redirection.json

@@ -965,6 +965,11 @@
             "redirect_url": "/azure/aks/workload-identity-migrate-from-pod-identity",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/aks/managed-aad.md",
+            "redirect_url": "/azure/aks/managed-azure-ad",
+            "redirect_document_id": false
+        },
         {
             "source_path": "articles/germany/germany-developer-guide.md",
             "redirect_url": "/previous-versions/azure/germany/germany-developer-guide",

articles/aks/TOC.yml

@@ -325,7 +325,13 @@
             - name: Enable Azure Active Directory integration
               items:
                 - name: AKS-managed Azure AD
-                  href: managed-aad.md
+                  items: 
+                    - name: Enable AKS-managed Azure AD integration
+                      href: managed-azure-ad.md
+                    - name: Manage local accounts
+                      href: manage-local-accounts-managed-azure-ad.md
+                    - name: Cluster access control
+                      href: access-control-managed-azure-ad.md
                 - name: Azure AD integration (legacy)
                   href: azure-ad-integration-cli.md
                 - name: Enable GMSA integration

articles/aks/access-control-managed-azure-ad.md

@@ -0,0 +1,171 @@
+---
+title: Cluster access control with AKS-managed Azure Active Directory integration
+description: Learn how to access clusters when integrating Azure AD in your Azure Kubernetes Service (AKS) clusters.
+ms.topic: article
+ms.date: 04/20/2023
+ms.custom: devx-track-azurecli
+---
+
+# Cluster access control with AKS-managed Azure Active Directory integration
+
+When you integrate Azure AD with your AKS cluster, you can use [Conditional Access][aad-conditional-access] or Privileged Identity Management (PIM) for just-in-time requests to control access to your cluster. This article shows you how to enable Conditional Access and PIM on your AKS clusters.
+
+> [!NOTE]
+> Azure AD Conditional Access and Privileged Identity Management are Azure AD Premium capabilities requiring a Premium P2 SKU. For more on Azure AD SKUs, see the [pricing guide][aad-pricing].
+
+## Before you begin
+
+* See [AKS-managed Azure Active Directory integration](./managed-azure-ad.md) for an overview and setup instructions.
+
+## Use Conditional Access with Azure AD and AKS
+
+1. In the Azure portal, go to the **Azure Active Directory** page and select **Enterprise applications**.
+2. Select **Conditional Access** > **Policies** > **New policy**.
+
+    :::image type="content" source="./media/managed-aad/conditional-access-new-policy.png" alt-text="Screenshot of adding a Conditional Access policy." lightbox="./media/managed-aad/conditional-access-new-policy.png":::
+
+3. Enter a name for the policy, such as *aks-policy*.
+
+4. Under **Assignments**, select **Users and groups**. Choose the users and groups you want to apply the policy to. In this example, choose the same Azure AD group that has administrator access to your cluster.
+
+    :::image type="content" source="./media/managed-aad/conditional-access-users-groups.png" alt-text="Screenshot of selecting users or groups to apply the Conditional Access policy." lightbox="./media/managed-aad/conditional-access-users-groups.png":::
+
+5. Under **Cloud apps or actions** > **Include**, select **Select apps**. Search for **Azure Kubernetes Service** and select **Azure Kubernetes Service AAD Server**.
+
+    :::image type="content" source="./media/managed-aad/conditional-access-apps.png" alt-text="Screenshot of selecting Azure Kubernetes Service AD Server for applying the Conditional Access policy." lightbox="./media/managed-aad/conditional-access-apps.png":::
+
+6. Under **Access controls** > **Grant**, select **Grant access**, **Require device to be marked as compliant**, and **Require all the selected controls**.
+
+    :::image type="content" source="./media/managed-aad/conditional-access-grant-compliant.png" alt-text="Screenshot of selecting to only allow compliant devices for the Conditional Access policy." lightbox="./media/managed-aad/conditional-access-grant-compliant.png" :::
+
+7. Confirm your settings, set **Enable policy** to **On**, and then select **Create**.
+
+    :::image type="content" source="./media/managed-aad/conditional-access-enable-policy.png" alt-text="Screenshot of enabling the Conditional Access policy." lightbox="./media/managed-aad/conditional-access-enable-policy.png":::
+
+### Verify your Conditional Access policy has been successfully listed
+
+1. Get the user credentials to access the cluster using the [`az aks get-credentials`][az-aks-get-credentials] command.
+
+    ```azurecli-interactive
+     az aks get-credentials --resource-group myResourceGroup --name myManagedCluster
+    ```
+
+2. Follow the instructions to sign in.
+
+3. View the nodes in the cluster using the `kubectl get nodes` command.
+
+    ```azurecli-interactive
+    kubectl get nodes
+    ```
+
+4. In the Azure portal, navigate to **Azure Active Directory** and select **Enterprise applications** > **Activity** > **Sign-ins**.
+
+5. Under the **Conditional Access** column you should see a status of *Success*. Select the event and then select the **Conditional Access** tab. Your Conditional Access policy will be listed.
+
+    :::image type="content" source="./media/managed-aad/conditional-access-sign-in-activity.png" alt-text="Screenshot that shows failed sign-in entry due to Conditional Access policy." lightbox="./media/managed-aad/conditional-access-sign-in-activity.png":::
+
+## Configure just-in-time cluster access with Azure AD and AKS
+
+1. In the Azure portal, go to **Azure Active Directory** and select **Properties**.
+
+2. Note the value listed under **Tenant ID**. It will be referenced in a later step as `<tenant-id>`.
+
+    :::image type="content" source="./media/managed-aad/jit-get-tenant-id.png" alt-text="Screenshot of the Azure portal screen for Azure Active Directory with the tenant's ID highlighted." lightbox="./media/managed-aad/jit-get-tenant-id.png":::
+
+3. Select **Groups** > **New group**.
+
+    :::image type="content" source="./media/managed-aad/jit-create-new-group.png" alt-text="Screenshot of the Azure portal Active Directory groups screen with the New Group option highlighted." lightbox="./media/managed-aad/jit-create-new-group.png":::
+
+4. Verify the group type **Security** is selected and specify a group name, such as *myJITGroup*. Under the option **Azure AD roles can be assigned to this group (Preview)**, select **Yes** and then select **Create**.
+
+    :::image type="content" source="./media/managed-aad/jit-new-group-created.png" alt-text="Screenshot of the new group creation screen in the Azure portal." lightbox="./media/managed-aad/jit-new-group-created.png":::
+
+5. On the **Groups** page, select the group you just created and note the Object ID. It will be referenced in a later step as `<object-id>`.
+
+    :::image type="content" source="./media/managed-aad/jit-get-object-id.png" alt-text="Screenshot of the Azure portal screen for the just-created group with the Object ID highlighted." lightbox="./media/managed-aad/jit-get-object-id.png":::
+
+6. Create the AKS cluster with AKS-managed Azure AD integration using the [`az aks create`][az-aks-create] command with the `--aad-admin-group-objects-ids` and `--aad-tenant-id parameters` and include the values noted in the steps earlier.
+
+    ```azurecli-interactive
+    az aks create -g myResourceGroup -n myManagedCluster --enable-aad --aad-admin-group-object-ids <object-id> --aad-tenant-id <tenant-id>
+    ```
+
+7. In the Azure portal, select **Activity** > **Privileged Access (Preview)** > **Enable Privileged Access**.
+
+    :::image type="content" source="./media/managed-aad/jit-enabling-priv-access.png" alt-text="Screenshot of the Privileged access (Preview) page in the Azure portal with Enable privileged access highlighted." lightbox="./media/managed-aad/jit-enabling-priv-access.png":::
+
+8. To grant access, select **Add assignments**.
+
+    :::image type="content" source="./media/managed-aad/jit-add-active-assignment.png" alt-text="Screenshot of the Privileged access (Preview) screen in the Azure portal after enabling. The option to Add assignments is highlighted." lightbox="./media/managed-aad/jit-add-active-assignment.png":::
+
+9. From the **Select role** drop-down list, select the users and groups you want to grant cluster access. These assignments can be modified at any time by a group administrator. Then select **Next**.
+
+    :::image type="content" source="./media/managed-aad/jit-adding-assignment.png" alt-text="Screenshot of the Add assignments Membership screen in the Azure portal with a sample user selected to be added as a member. The Next option is highlighted." lightbox="./media/managed-aad/jit-adding-assignment.png":::
+
+10. Under **Assignment type**, select **Active** and then specify the desired duration. Provide a justification and then select **Assign**.
+
+    :::image type="content" source="./media/managed-aad/jit-set-active-assignment-details.png" alt-text="Screenshot of the Add assignments Setting screen in the Azure portal. An assignment type of Active is selected and a sample justification has been given. The Assign option is highlighted." lightbox="./media/managed-aad/jit-set-active-assignment-details.png":::
+
+For more information about assignment types, see [Assign eligibility for a privileged access group (preview) in Privileged Identity Management][aad-assignments].
+
+### Verify just-in-time access is working by accessing the cluster
+
+1. Get the user credentials to access the cluster using the [`az aks get-credentials`][az-aks-get-credentials] command.
+
+    ```azurecli-interactive
+    az aks get-credentials --resource-group myResourceGroup --name myManagedCluster
+    ```
+
+2. Follow the steps to sign in.
+
+3. Use the `kubectl get nodes` command to view the nodes in the cluster.
+
+    ```azurecli-interactive
+    kubectl get nodes
+    ```
+
+4. Note the authentication requirement and follow the steps to authenticate. If successful, you should see an output similar to the following  example output:
+
+    ```output
+    To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code AAAAAAAAA to authenticate.
+    NAME                                STATUS   ROLES   AGE     VERSION
+    aks-nodepool1-61156405-vmss000000   Ready    agent   6m36s   v1.18.14
+    aks-nodepool1-61156405-vmss000001   Ready    agent   6m42s   v1.18.14
+    aks-nodepool1-61156405-vmss000002   Ready    agent   6m33s   v1.18.14
+    ```
+
+### Apply just-in-time access at the namespace level
+
+1. Integrate your AKS cluster with [Azure RBAC](manage-azure-rbac.md).
+
+2. Associate the group you want to integrate with just-in-time access with a namespace in the cluster using the [`az role assignment create`][az-role-assignment-create] command.
+
+    ```azurecli-interactive
+    az role assignment create --role "Azure Kubernetes Service RBAC Reader" --assignee <AAD-ENTITY-ID> --scope $AKS_ID/namespaces/<namespace-name>
+    ```
+
+3. Associate the group you configured at the namespace level with PIM to complete the configuration.
+
+## Troubleshooting
+
+If `kubectl get nodes` returns an error similar to the following:
+
+```output
+Error from server (Forbidden): nodes is forbidden: User "aaaa11111-11aa-aa11-a1a1-111111aaaaa" cannot list resource "nodes" in API group "" at the cluster scope
+```
+
+Make sure the admin of the security group has given your account an *Active* assignment.
+
+## Next steps
+
+* Use [kubelogin](https://github.com/Azure/kubelogin) to access features for Azure authentication that aren't available in kubectl.
+
+<!-- LINKS - External -->
+[aad-pricing]: https://azure.microsoft.com/pricing/details/active-directory/
+
+<!-- LINKS - Internal -->
+[aad-conditional-access]: ../active-directory/conditional-access/overview.md
+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
+[az-role-assignment-create]: /cli/azure/role/assignment#az_role_assignment_create
+[aad-assignments]: ../active-directory/privileged-identity-management/groups-assign-member-owner.md#assign-an-owner-or-member-of-a-group
+[az-aks-create]: /cli/azure/aks#az_aks_create

articles/aks/azure-ad-integration-cli.md

@@ -13,7 +13,7 @@ ms.author: miwithro
 > [!WARNING]
 > **The feature described in this document, Azure AD Integration (legacy), will be deprecated on June 1st, 2023.
 >
-> AKS has a new improved [AKS-managed Azure AD][managed-aad] experience  that doesn't require you to manage server or client application. If you want to migrate follow the instructions [here][managed-aad-migrate].
+> AKS has a new improved [AKS-managed Azure AD][managed-aad] experience that doesn't require you to manage server or client applications. If you want to migrate follow the instructions [here][managed-aad-migrate].
 
 Azure Kubernetes Service (AKS) can be configured to use Azure Active Directory (AD) for user authentication. In this configuration, you can log into an AKS cluster using an Azure AD authentication token. Cluster operators can also configure Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership.
 
@@ -282,5 +282,5 @@ For best practices on identity and resource control, see [Best practices for aut
 [rbac-authorization]: concepts-identity.md#kubernetes-rbac
 [operator-best-practices-identity]: operator-best-practices-identity.md
 [azure-ad-rbac]: azure-ad-rbac.md
-[managed-aad]: managed-aad.md
-[managed-aad-migrate]: managed-aad.md#upgrade-to-aks-managed-azure-ad-integration
+[managed-aad]: managed-azure-ad.md
+[managed-aad-migrate]: managed-azure-ad.md#upgrade-a-legacy-azure-ad-cluster-to-aks-managed-azure-ad-integration

articles/aks/azure-ad-rbac.md

@@ -461,7 +461,7 @@ az ad group delete --group opssre
 <!-- LINKS - internal -->
 [az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
 [install-azure-cli]: /cli/azure/install-azure-cli
-[azure-ad-aks-cli]: managed-aad.md
+[azure-ad-aks-cli]: managed-azure-ad.md
 [az-aks-show]: /cli/azure/aks#az_aks_show
 [az-ad-group-create]: /cli/azure/ad/group#az_ad_group_create
 [az-role-assignment-create]: /cli/azure/role/assignment#az_role_assignment_create
@@ -471,4 +471,4 @@ az ad group delete --group opssre
 [rbac-authorization]: concepts-identity.md#kubernetes-rbac
 [operator-best-practices-identity]: operator-best-practices-identity.md
 [terraform-on-azure]: /azure/developer/terraform/overview
-[enable-azure-ad-integration-existing-cluster]: managed-aad.md#enable-aks-managed-azure-ad-integration-on-your-existing-cluster
+[enable-azure-ad-integration-existing-cluster]: managed-azure-ad.md#use-an-existing-cluster

articles/aks/concepts-identity.md

@@ -162,7 +162,7 @@ As shown in the graphic above, the API server calls the AKS webhook server and p
 10. Once authorized, the API server returns a response to `kubectl`.
 11. `kubectl` provides feedback to the user.
 
-Learn how to integrate AKS with Azure AD with our [AKS-managed Azure AD integration how-to guide](managed-aad.md).
+Learn how to integrate AKS with Azure AD with our [AKS-managed Azure AD integration how-to guide](managed-azure-ad.md).
 
 ## AKS service permissions
 
@@ -282,7 +282,7 @@ For more information on core Kubernetes and AKS concepts, see the following arti
 [openid-connect]: ../active-directory/develop/v2-protocols-oidc.md
 [az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
 [azure-rbac]: ../role-based-access-control/overview.md
-[aks-aad]: managed-aad.md
+[aks-aad]: managed-azure-ad.md
 [aks-concepts-clusters-workloads]: concepts-clusters-workloads.md
 [aks-concepts-security]: concepts-security.md
 [aks-concepts-scale]: concepts-scale.md

articles/aks/concepts-security.md

@@ -158,7 +158,7 @@ For more information on core Kubernetes and AKS concepts, see:
 [microsoft-defender-for-containers]: ../defender-for-cloud/defender-for-containers-introduction.md
 [aks-daemonsets]: concepts-clusters-workloads.md#daemonsets
 [aks-upgrade-cluster]: upgrade-cluster.md
-[aks-aad]: ./managed-aad.md
+[aks-aad]: ./managed-azure-ad.md
 [aks-add-np-containerd]: learn/quick-windows-container-deploy-cli.md#add-a-windows-server-node-pool-with-containerd
 [aks-concepts-clusters-workloads]: concepts-clusters-workloads.md
 [aks-concepts-identity]: concepts-identity.md

articles/aks/intro-kubernetes.md

@@ -170,7 +170,7 @@ Learn more about deploying and managing AKS.
 [concepts-identity]: concepts-identity.md
 [concepts-storage]: concepts-storage.md
 [conf-com-node]: ../confidential-computing/confidential-nodes-aks-overview.md
-[aad]: managed-aad.md
+[aad]: managed-azure-ad.md
 [aks-monitor]: monitor-aks.md
 [azure-monitor]: /previous-versions/azure/azure-monitor/containers/containers
 [azure-logs]: ../azure-monitor/logs/log-analytics-overview.md

articles/aks/kubernetes-portal.md

@@ -75,7 +75,7 @@ This section addresses common problems and troubleshooting steps.
 To access the Kubernetes resources, you must have access to the AKS cluster, the Kubernetes API, and the Kubernetes objects. Ensure that you're either a cluster administrator or a user with the appropriate permissions to access the AKS cluster. For more information on cluster security, see [Access and identity options for AKS][concepts-identity].
 
 >[!NOTE]
-> The Kubernetes resource view in the Azure portal is only supported by [managed-AAD enabled clusters](managed-aad.md) or non-AAD enabled clusters. If you're using a managed-AAD enabled cluster, your AAD user or identity needs to have the respective roles/role bindings to access the Kubernetes API and the permission to pull the [user `kubeconfig`](control-kubeconfig-access.md).
+> The Kubernetes resource view in the Azure portal is only supported by [managed-AAD enabled clusters](managed-azure-ad.md) or non-AAD enabled clusters. If you're using a managed-AAD enabled cluster, your AAD user or identity needs to have the respective roles/role bindings to access the Kubernetes API and the permission to pull the [user `kubeconfig`](control-kubeconfig-access.md).
 
 ### Enable resource view
 
@@ -119,6 +119,6 @@ This article showed you how to access Kubernetes resources from the Azure portal
 [concepts-identity]: concepts-identity.md
 [aks-quickstart-portal]: ./learn/quick-kubernetes-deploy-portal.md
 [deployments]: concepts-clusters-workloads.md#deployments-and-yaml-manifests
-[aks-managed-aad]: managed-aad.md
-[cli-aad-upgrade]: managed-aad.md#upgrade-to-aks-managed-azure-ad-integration
+[aks-managed-aad]: managed-azure-ad.md
+[cli-aad-upgrade]: managed-azure-ad.md#upgrade-a-legacy-azure-ad-cluster-to-aks-managed-azure-ad-integration
 [enable-monitor]: ../azure-monitor/containers/container-insights-enable-existing-clusters.md