Control cluster access using Conditional Access with AKS-managed Microsoft Entra integration
When you integrate Microsoft Entra ID with your AKS cluster, every kubectl sign-in requests a token for the Azure Kubernetes Service Microsoft Entra Server application, so you can use Conditional Access to control access to your cluster: for example, require that the request comes from a compliant device, or grant access only on a just-in-time basis. This article shows you how to enable Conditional Access on your AKS clusters.
Use Conditional Access with Microsoft Entra ID and AKS
In the Azure portal, go to the Microsoft Entra ID page and select Enterprise applications.
Select Conditional Access > Policies > New policy.
Enter a name for the policy, such as aks-policy.
Under Assignments, select Users and groups. Choose the users and groups you want to apply the policy to. In this example, choose the same Microsoft Entra group that has administrator access to your cluster.
Under Cloud apps or actions > Include, select Select apps. Search for Azure Kubernetes Service and select Azure Kubernetes Service Microsoft Entra Server.
Under Access controls > Grant, select Grant access, Require device to be marked as compliant, and Require all the selected controls.
Confirm your settings, set Enable policy to On, and then select Create.
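The same policy can be created from the command line through Microsoft Graph instead of the portal, which is easier to review and to keep in source control. The script below is an added example, not code from the Microsoft article or from AKS; it assumes the Azure CLI is signed in as an account that can write Conditional Access policies, that GROUP_ID is the object ID of the Microsoft Entra group that administers the cluster, and that the well-known application ID shown is the Azure Kubernetes Service Microsoft Entra Server app in your tenant (confirm it with az ad sp show before relying on it).

```shell
#!/usr/bin/env bash
# Added example (not from the Microsoft page): create the "aks-policy" Conditional Access
# policy with Microsoft Graph via `az rest` instead of clicking through the portal.
# Assumptions: `az login` has already been done with an account that holds
# Policy.ReadWrite.ConditionalAccess, and GROUP_ID is the cluster-admin group's object ID.
set -eu

# Well-known application ID of "Azure Kubernetes Service Microsoft Entra Server", the app
# that kubectl/kubelogin request tokens for. Verify in your tenant with:
#   az ad sp show --id 6dae42f8-4368-4678-94ff-3960e28e3630 --query displayName
AKS_SERVER_APP_ID="6dae42f8-4368-4678-94ff-3960e28e3630"

# Build the JSON body for POST /identity/conditionalAccess/policies.
#   $1 = policy display name
#   $2 = object ID of the group the policy applies to
#   $3 = state: "enabled", "disabled" or "enabledForReportingButNotEnforced" (default: enabled)
# "builtInControls": ["compliantDevice"] with "operator": "AND" is the Graph form of
# "Require device to be marked as compliant" + "Require all the selected controls".
build_policy_json() {
  local name="$1" group_id="$2" state="${3:-enabled}"
  cat <<EOF
{
  "displayName": "${name}",
  "state": "${state}",
  "conditions": {
    "users": { "includeGroups": ["${group_id}"] },
    "applications": { "includeApplications": ["${AKS_SERVER_APP_ID}"] },
    "clientAppTypes": ["all"]
  },
  "grantControls": {
    "operator": "AND",
    "builtInControls": ["compliantDevice"]
  }
}
EOF
}

# Create the policy in the tenant. Start in report-only mode so you can inspect the
# sign-in log before the policy can lock an admin out of the cluster.
create_policy() {
  local name="$1" group_id="$2" state="${3:-enabledForReportingButNotEnforced}"
  local body_file
  body_file=$(mktemp)
  build_policy_json "$name" "$group_id" "$state" > "$body_file"
  az rest --method POST \
    --url "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" \
    --headers "Content-Type=application/json" \
    --body @"$body_file"
  rm -f "$body_file"
}

# Usage (GROUP_ID must be set in the environment):
#   create_policy aks-policy "$GROUP_ID"             # report-only first
#   create_policy aks-policy "$GROUP_ID" enabled     # enforce once the log looks right
```

Creating the policy in report-only mode first is deliberate: the policy targets the very group you use to administer the cluster, so if the device you work from is not marked compliant, an enabled policy will lock you out of kubectl the moment it is created. Switch the state to enabled only after the sign-in log shows the policy evaluating as expected for your own sign-ins.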
Verify that your Conditional Access policy is applied to cluster sign-ins
Get the user credentials to access the cluster using the az aks get-credentials command. Do not add the --admin option here: it returns the cluster's local admin credential, which never passes through Microsoft Entra ID and is therefore not covered by any Conditional Access policy. If Conditional Access is meant to be the only way into the cluster, disable local accounts on the cluster as well.
az aks get-credentials --resource-group myResourceGroup --name myManagedCluster
Follow the instructions to sign in.
View the nodes in the cluster using the kubectl get nodes command.
kubectl get nodes
In the Azure portal, navigate to Microsoft Entra ID and select Enterprise applications > Activity > Sign-ins.
Under the Conditional Access column you should see a status of Success. Select the event and then select the Conditional Access tab. Your Conditional Access policy will be listed. A status of Not applied means the sign-in was not matched by the policy's assignments (for example, the user is not in the group you selected), so the cluster was reached without the device check; a status of Failure means the policy matched and blocked the sign-in.
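Checking the sign-in log in the portal works for one sign-in; for a routine check that nobody reaches the cluster outside the policy you want the same data from the command line. The script below is an added example, not code from the Microsoft article or from AKS: it pulls recent sign-ins to the Azure Kubernetes Service Microsoft Entra Server app from the Microsoft Graph sign-in log and flags any that report conditionalAccessStatus notApplied. It assumes the Azure CLI is signed in as an account allowed to read the sign-in log, and the JSON used for the self-test is constructed sample data, not a real Graph response.

```shell
#!/usr/bin/env bash
# Added example (not from the Microsoft page): verify from the CLI that every recent
# sign-in to the AKS server app was evaluated by Conditional Access.
# Assumptions: `az login` done with an account that can read auditLogs/signIns
# (AuditLog.Read.All), and the well-known AKS server app ID below matches your tenant.
set -eu

AKS_SERVER_APP_ID="6dae42f8-4368-4678-94ff-3960e28e3630"

# Fetch the most recent sign-ins for the AKS server app from Microsoft Graph.
fetch_aks_signins() {
  az rest --method GET \
    --url "https://graph.microsoft.com/v1.0/auditLogs/signIns?\$filter=appId%20eq%20'${AKS_SERVER_APP_ID}'&\$top=50"
}

# Summarise the conditionalAccessStatus values in a Graph signIns response read from
# stdin. Prints one "<count> <status>" line per distinct status, e.g. "2 success".
ca_status_counts() {
  grep -o '"conditionalAccessStatus": *"[A-Za-z]*"' \
    | sed 's/.*"\([A-Za-z]*\)"$/\1/' \
    | sort | uniq -c | sed 's/^ *//'
}

# Read a signIns response from stdin, print the summary, and return 1 if any sign-in
# reports notApplied: that user, group or client was outside the policy's assignments
# and reached the cluster without the compliant-device check. success and failure both
# mean the policy was evaluated, which is what we want to see.
all_evaluated() {
  local counts
  counts=$(ca_status_counts)
  printf '%s\n' "$counts"
  if printf '%s' "$counts" | grep -q 'notApplied'; then
    return 1
  fi
  return 0
}

# Constructed sample response (not real tenant data) with the fields the checks rely on:
# two sign-ins covered by the policy and one that slipped past it.
sample_signins_json() {
  cat <<'EOF'
{ "value": [
  { "userPrincipalName": "alice@example.com", "appId": "6dae42f8-4368-4678-94ff-3960e28e3630",
    "conditionalAccessStatus": "success",
    "appliedConditionalAccessPolicies": [ { "displayName": "aks-policy", "result": "success" } ] },
  { "userPrincipalName": "bob@example.com", "appId": "6dae42f8-4368-4678-94ff-3960e28e3630",
    "conditionalAccessStatus": "notApplied",
    "appliedConditionalAccessPolicies": [ { "displayName": "aks-policy", "result": "notApplied" } ] },
  { "userPrincipalName": "alice@example.com", "appId": "6dae42f8-4368-4678-94ff-3960e28e3630",
    "conditionalAccessStatus": "success",
    "appliedConditionalAccessPolicies": [ { "displayName": "aks-policy", "result": "success" } ] }
] }
EOF
}

# Usage against the live tenant:
#   fetch_aks_signins | all_evaluated || echo "some AKS sign-ins bypassed Conditional Access"
```

Run the live check right after the kubectl get nodes step above: your own sign-in should appear with status success, and any notApplied line names a principal the policy's Users and groups assignment does not cover, which is the gap to close before you rely on the policy.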
Next steps
For more information, see the following articles:
Use kubelogin to access features for Azure authentication that aren't available in kubectl.