Update azure-rbac-23h2.md

leslielin-5 · web-flow · commit 8e0970c0f42a · 2025-02-19T18:33:20.000-08:00
diff --git a/AKS-Arc/azure-rbac-23h2.md b/AKS-Arc/azure-rbac-23h2.md
@@ -46,9 +46,13 @@ Before you begin, make sure you have the following prerequisites:
   ```
   
 - To interact with Kubernetes clusters, you must install [**kubectl**](https://kubernetes.io/docs/tasks/tools/) and [**kubelogin**](https://azure.github.io/kubelogin/install.html).
-- You need the following permissions to enable Azure RBAC while creating a Kubernetes cluster:
-  - To create a Kubernetes cluster, you need the **Azure Kubernetes Service Arc Contributor** role.
-  - To use the `--enable-azure-rbac` parameter, you need the **Role Based Access Control Administrator** role for access to the **Microsoft.Authorization/roleAssignments/write** permission. For more information, see [Azure built-in roles](/azure/role-based-access-control/built-in-roles/general).
+- The following permissions are required to enable Azure RBAC when creating a Kubernetes cluster:
+  - To create a Kubernetes cluster, the [**Azure Kubernetes Service Arc Contributor**](/azure/role-based-access-control/built-in-roles/containers#azure-kubernetes-service-arc-contributor-role) role is required.
+  - To use the `--enable-azure-rbac` parameter, the [**Role Based Access Control Administrator**](/azure/role-based-access-control/built-in-roles/privileged#role-based-access-control-administrator) role is required for access to the **Microsoft.Authorization/roleAssignments/write** permission.
+  - To assign these roles, use the [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) command or follow [**Assign Azure roles using Azure CLI**](/azure/role-based-access-control/role-assignments-cli) guide:
+  ```azurecli
+  az role assignment create --assignee <assignee-object-id> --role <role-name-or-id> --scope $ARM_ID
+  ```
   - New role assignments can take up to five minutes to propagate and be updated by the authorization server.
 - Once Azure RBAC is enabled, you can access your Kubernetes cluster with the given permissions using either direct mode or proxy mode.
   - To access the Kubernetes cluster directly using the `az aksarc get-credentials` command, you need the **Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action**, which is included in the **Azure Kubernetes Service Arc Cluster User** role permission.
