Merge pull request #18546 from leslielin-5/patch-52

Update kubernetes-rbac-local.md

Author: prmerger-automator[bot]

AKS-Arc/kubernetes-rbac-local.md

@@ -3,12 +3,12 @@ title: Control access using Microsoft Entra ID and Kubernetes RBAC in AKS enable
 description: Learn how to use Microsoft Entra group membership to restrict access to cluster resources using Kubernetes role-based access control (Kubernetes RBAC) in AKS Arc.
 author: sethmanheim
 ms.author: sethm 
-ms.lastreviewed: 06/25/2025
-ms.reviewer: abha
+ms.lastreviewed: 07/25/2025
+ms.reviewer: leslielin
 ms.topic: how-to
 ms.custom:
   - devx-track-azurecli
-ms.date: 06/25/2025
+ms.date: 07/25/2025
 
 # Intent: As an IT Pro, I need to learn how to enable Kubernetes role-based access control so that I can manage access to resources.
 # Keyword: Kubernetes role-based access control 
@@ -20,16 +20,24 @@ ms.date: 06/25/2025
 
 You can configure Azure Kubernetes Service (AKS) to use Microsoft Entra ID for user authentication. In this configuration, you sign in to a Kubernetes cluster using a Microsoft Entra authentication token. Once authenticated, you can use the built-in Kubernetes role-based access control (Kubernetes RBAC) to manage access to namespaces and cluster resources based on a user's identity or group membership.
 
-This article describes how to control access using Kubernetes RBAC in a Kubernetes cluster based on Microsoft Entra group membership in AKS. You create a demo group and users in Microsoft Entra ID. Then, you create roles and role bindings in the cluster to grant the appropriate permissions to create and view resources.
+This article describes how to control access using Kubernetes RBAC in a Kubernetes cluster based on Microsoft Entra group membership in AKS. First, you create a demo group and users in Microsoft Entra ID. Then you create roles and role bindings in the cluster to grant the appropriate permissions to create and view resources.
 
 ## Prerequisites
 
 Before you set up Kubernetes RBAC using Microsoft Entra ID, you must have the following prerequisites:
 
-- An AKS enabled by Azure Arc cluster. If you need to set up your cluster, see the instructions for using the [Azure portal](aks-create-clusters-portal.md) or [Azure CLI](aks-create-clusters-cli.md).
+- An AKS Arc cluster. If you need to set up your cluster, see the instructions for using the [Azure portal](aks-create-clusters-portal.md) or [Azure CLI](aks-create-clusters-cli.md).
 - Azure CLI installed and configured. If you need to install CLI or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli).
-- **Azure CLI and the connectedk8s extension**. The Azure command-line interface (Azure CLI) is a set of commands used to create and manage Azure resources. To check whether you have the Azure CLI, open a command line tool, and type: `az -v`. Also, install the [connectedk8s extension](https://github.com/Azure/azure-cli-extensions/tree/main/src/connectedk8s) in order to open a channel to your Kubernetes cluster. For installation instructions, see [How to install the Azure CLI](/cli/azure/install-azure-cli).
-- **Kubectl**. The Kubernetes command-line tool, **kubectl**, enables you to run commands that target your Kubernetes clusters. To check whether you have installed kubectl, open a command line tool, and type: `kubectl version --client`. Make sure your kubectl client version is at least `v1.24.0`. For installation instructions, see [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl).
+- Azure CLI and the **connectedk8s** extension. The Azure command-line interface (Azure CLI) is a set of commands used to create and manage Azure resources. To check whether you have the Azure CLI, open a command prompt and type `az -v`. Also, install the [connectedk8s extension](https://github.com/Azure/azure-cli-extensions/tree/main/src/connectedk8s) in order to open a channel to your Kubernetes cluster. For installation instructions, see [How to install the Azure CLI](/cli/azure/install-azure-cli).
+- **Kubectl**. The Kubernetes command line tool, **kubectl**, enables you to run commands that target your Kubernetes clusters. To check whether you installed **kubectl**, open a command prompt and type `kubectl version --client`. Make sure your **kubectl** client version is at least **v1.24.0**. You can use the following Azure CLI or Azure PowerShell commands to install **kubectl**:
+
+   # [Azure CLI](#tab/cli)
+
+   Install kubectl locally using the [az aks install-cli](/cli/azure/aks?view=azure-cli-latest#az-aks-install-cli&preserve-view=true) command.
+
+   # [PowerShell](#tab/powershell)
+
+   Install kubectl locally using the [Install-AzAksCliTool](/powershell/module/az.aks/install-azaksclitool?view=azps-14.2.0&preserve-view=true) cmdlet.
 - You can access your Kubernetes cluster with the specified permissions either with direct mode or proxy mode.
   - To access the Kubernetes cluster directly using the `az aksarc get-credentials` command, you need the **Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action**, which is included in the **Azure Kubernetes Service Arc Cluster User** role permissions
   - To access the Kubernetes cluster from anywhere with a proxy mode using `az connectedk8s proxy` command, you need the **Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action**, which is included in **Azure Arc-enabled Kubernetes Cluster User** role permission. Meanwhile, you need to verify that the agents and the machine performing the onboarding process meet the network requirements in [Azure Arc-enabled Kubernetes network requirements](/azure/azure-arc/kubernetes/network-requirements?tabs=azure-cloud#details).