@GSIMON Apologies for the delay in response; I missed the notification on this response and was not able to reach out to you earlier.
I had a discussion internally and below is the response:
Firstly, "the documentation of the ARO v4.x, where explicitly described how to remove kubeadmin." is not an MS doc, it is an OpenShift doc: https://docs.openshift.com/container-platform/4.6/authentication/remove-kubeadmin.html#removing-kubeadmin_removing-kubeadmin
Secondly, a regular user being given cluster-admin permissions is simply how it happens to be on Kubernetes. There's no additional recommendation on that front. However, if you are removing the kubeadmin user, you:
- must have configured at least one identity provider.
- must have added the cluster-admin role to a user.
- must be logged in as an administrator.
You can review the OpenShift docs for OpenShift guidelines:
https://docs.openshift.com/aro/3/admin_guide/index.html
https://docs.openshift.com/container-platform/4.6/authentication/understanding-authentication.html#rbac-users_understanding-authentication
Here is what Microsoft recommends:
When an Azure Red Hat OpenShift 4 cluster is created, a temporary administrative user is created. Connect to your cluster, add users and groups and configure the appropriate permissions for both.
Reference: https://learn.microsoft.com/en-us/azure/openshift/migration#authentication
Now, if you want to use AAD, the SLA for AAD is: https://azure.microsoft.com/en-us/support/legal/sla/active-directory/v1_0/
Procedure for AAD integration with ARO:
https://learn.microsoft.com/en-us/azure/openshift/configure-azure-ad-cli
https://learn.microsoft.com/en-us/azure/openshift/configure-azure-ad-ui
Hope it helps!!!
Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.
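The three prerequisites listed in the answer above (an identity provider, a user holding cluster-admin, and being logged in as an administrator) are exactly the things that lock you out if you delete kubeadmin too early. The script below is an added example, not code from the answer or from the OpenShift/ARO docs: it turns those prerequisites into a pre-flight check and only then runs the documented removal command, `oc delete secrets kubeadmin -n kube-system`. It assumes the `oc` CLI is installed and logged in; the `--live` lookups use `oc ... -o jsonpath` queries against the `OAuth` and `ClusterRoleBinding` objects, while the sample values at the bottom are constructed so the check itself runs offline.

```shell
#!/bin/sh
# Added example (not from the answer or the docs it links): pre-flight check
# for the prerequisites before deleting the kubeadmin user on an
# OpenShift / ARO 4.x cluster, followed by the documented removal step.
# Assumes the `oc` CLI is installed and logged in for the --live path.

# Decide whether kubeadmin can be removed safely.
#   $1 = space-separated identity provider names from the cluster OAuth config
#   $2 = space-separated "Kind:name" subjects bound to the cluster-admin role
# Returns 0 when at least one identity provider exists AND at least one
# User subject other than kube:admin holds cluster-admin; returns 1 otherwise.
check_kubeadmin_removal() {
    idps="$1"
    admins="$2"

    idp_count=0
    for _idp in $idps; do idp_count=$((idp_count + 1)); done
    if [ "$idp_count" -eq 0 ]; then
        echo "refusing: no identity provider configured, you would lock yourself out" >&2
        return 1
    fi

    # kube:admin is the user name the kubeadmin secret logs in as; ignore it
    # and group bindings such as system:masters, and require a real User binding.
    other_admin=0
    for subj in $admins; do
        case "$subj" in
            User:kube:admin|User:system:admin) ;;
            User:*) other_admin=1 ;;
            *) ;;
        esac
    done
    if [ "$other_admin" -eq 0 ]; then
        echo "refusing: no user other than kube:admin holds cluster-admin" >&2
        return 1
    fi
    return 0
}

# Live lookups (only executed with --live, since they need a cluster).
live_idps() {
    oc get oauth cluster -o jsonpath='{.spec.identityProviders[*].name}'
}
live_admins() {
    oc get clusterrolebinding -o jsonpath='{range .items[?(@.roleRef.name=="cluster-admin")]}{range .subjects[*]}{.kind}:{.name}{" "}{end}{end}'
}

# Remove kubeadmin only after the check passes. Deleting the secret is the
# documented removal step; the kubeadmin password stops working immediately.
remove_kubeadmin() {
    if check_kubeadmin_removal "$1" "$2"; then
        oc delete secrets kubeadmin -n kube-system
    else
        return 1
    fi
}

if [ "${1:-}" = "--live" ]; then
    # Third prerequisite: the current identity must be an administrator.
    oc auth can-i delete secrets -n kube-system >/dev/null \
        || { echo "not logged in as an administrator" >&2; exit 1; }
    remove_kubeadmin "$(live_idps)" "$(live_admins)"
else
    # Constructed sample: one Azure AD provider, alice holds cluster-admin.
    check_kubeadmin_removal "AAD" "Group:system:masters User:kube:admin User:alice" \
        && echo "sample cluster: safe to remove kubeadmin"
fi
```

Run it with `--live` against a cluster you are logged into; without arguments it only evaluates the constructed sample. The check deliberately ignores the `system:masters` group binding, because that binding is what kubeadmin itself uses and does not prove you have another way in.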