How can I provision an AKS cluster via Lighthouse?

Ben Burns 1 Reputation point
2021-02-12T03:28:17.793+00:00

I have a customer who has delegated access to me to one of their resource groups. The delegation grants me Contributor and User Access Admin roles. The User Access Admin role has a list of other roles that I can grant, but none of these roles are allowed to enable/restrict data actions.

This limits me to using an AKS cluster without Azure Active Directory integration, as otherwise I can't access it (compare actions on Azure Kubernetes Service Cluster Admin Role with Azure Kubernetes Service RBAC Cluster Admin).

This issue aside, provisioning the AKS cluster involves creating a separate node resource group as well as creating a service principal for use as the kubelet identity, and another for use as the OMS agent identity for Azure Monitoring. When I attempt to create a cluster through Lighthouse it seems that the kubelet identity gets created fine, but the OMS agent can't be created. I suspect this is because behind the scenes a data action is required to set this up. Without this identity, I don't believe it's possible to ship logs from K8S to Azure Monitor.

Azure Lighthouse
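A pre-flight check for the constraint described in the question, added here as an example (not code from the post or from Azure's own tooling): given role definitions in the shape of `az role definition list -o json` output and a proposed Lighthouse authorization, it reports which of the delegable roles carry data actions (the AKS RBAC roles) and which are control-plane only (the classic AKS Cluster Admin Role). All GUIDs and permission lists below are constructed samples, not the real built-in definitions.

```python
import json

# Constructed sample in the shape of `az role definition list -o json` output.
# GUIDs and permission lists are illustrative, not the real built-in definitions.
ROLE_DEFINITIONS = json.loads("""[
 {"name": "11111111-1111-1111-1111-111111111111",
  "roleName": "Contributor",
  "permissions": [{"actions": ["*"], "notActions": ["Microsoft.Authorization/*/Write"],
                   "dataActions": [], "notDataActions": []}]},
 {"name": "22222222-2222-2222-2222-222222222222",
  "roleName": "Azure Kubernetes Service Cluster Admin Role",
  "permissions": [{"actions": ["Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action"],
                   "notActions": [], "dataActions": [], "notDataActions": []}]},
 {"name": "33333333-3333-3333-3333-333333333333",
  "roleName": "Azure Kubernetes Service RBAC Cluster Admin",
  "permissions": [{"actions": ["Microsoft.ContainerService/managedClusters/read"],
                   "notActions": [], "dataActions": ["Microsoft.ContainerService/managedClusters/*"],
                   "notDataActions": []}]}
]""")

# Constructed Lighthouse authorization entry: a User Access Administrator
# assignment that may in turn delegate the listed role definition IDs (placeholder GUIDs).
PROPOSED_AUTHORIZATION = {
    "principalId": "00000000-0000-0000-0000-000000000000",
    "roleDefinitionId": "44444444-4444-4444-4444-444444444444",
    "delegatedRoleDefinitionIds": [
        "22222222-2222-2222-2222-222222222222",
        "33333333-3333-3333-3333-333333333333",
    ],
}

def uses_data_actions(role_def: dict) -> bool:
    """True if any permission block sets dataActions or notDataActions."""
    return any(p.get("dataActions") or p.get("notDataActions")
               for p in role_def.get("permissions", []))

def check_delegation(authorization: dict, role_defs: list[dict]) -> dict[str, list[str]]:
    """Split the delegable roles into control-plane-only ones and ones that
    carry data actions (the ones the question says the delegation cannot grant)."""
    by_id = {r["name"]: r for r in role_defs}
    result = {"control_plane_only": [], "data_action_roles": [], "unresolved": []}
    for role_id in authorization.get("delegatedRoleDefinitionIds", []):
        role = by_id.get(role_id)
        if role is None:
            result["unresolved"].append(role_id)  # id not in the supplied definitions
            continue
        key = "data_action_roles" if uses_data_actions(role) else "control_plane_only"
        result[key].append(role["roleName"])
    return result
```

Run it against the real output of `az role definition list -o json` and the authorization block of your registration definition template to see which AKS roles can actually be granted through the delegation.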