Support migrating a RBAC-enabled non-AAD cluster to a AKS-managed AAD cluster (Azure#14420)

Author: bingosummer

src/azure-cli/azure/cli/command_modules/acs/_help.py

@@ -468,8 +468,8 @@
     text: az aks update -g MyResourceGroup -n MyManagedCluster --api-server-authorized-ip-ranges 0.0.0.0/32
   - name: Update a AKS-managed AAD cluster with tenant ID or admin group object IDs.
     text: az aks update -g MyResourceGroup -n MyManagedCluster --aad-admin-group-object-ids <id-1,id-2> --aad-tenant-id <id>
-  - name: Update an existing AKS AAD-Integrated cluster to the new AKS-managed AAD experience.
-    text: az aks update -g MyResourceGroup -n MyManagedCluster --enable-aad
+  - name: Migrate a AKS AAD-Integrated cluster or a non-AAD cluster to a AKS-managed AAD cluster.
+    text: az aks update -g MyResourceGroup -n MyManagedCluster --enable-aad --aad-admin-group-object-ids <id-1,id-2> --aad-tenant-id <id>
 """
 
 helps['aks delete'] = """

src/azure-cli/azure/cli/command_modules/acs/custom.py

@@ -2257,9 +2257,7 @@ def aks_update(cmd, client, resource_group_name, name,
             _populate_api_server_access_profile(api_server_authorized_ip_ranges, instance=instance)
 
     if enable_aad:
-        if instance.aad_profile is None:
-            raise CLIError('Cannot specify "--enable-aad" for a non-AAD cluster')
-        if instance.aad_profile.managed:
+        if instance.aad_profile is not None and instance.aad_profile.managed:
             raise CLIError('Cannot specify "--enable-aad" if managed AAD is already enabled')
         instance.aad_profile = ManagedClusterAADProfile(
             managed=True