Subscription prerequisites

Note

We will retire Azure HDInsight on AKS on January 31, 2025. Before January 31, 2025, you will need to migrate your workloads to Microsoft Fabric or an equivalent Azure product to avoid abrupt termination of your workloads. The remaining clusters on your subscription will be stopped and removed from the host.

Only basic support will be available until the retirement date.

Important

This feature is currently in preview. The Supplemental Terms of Use for Microsoft Azure Previews include more legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability. For information about this specific preview, see Azure HDInsight on AKS preview information. For questions or feature suggestions, please submit a request on AskHDInsight with the details and follow us for more updates on Azure HDInsight Community.

If you're using an Azure subscription for the first time with HDInsight on AKS, the following features might need to be enabled.

Tenant registration

If you're trying to onboard a new tenant to HDInsight on AKS, you need to provide consent for the HDInsight on AKS first-party app to access the API. This app tries to provision the application used to authenticate cluster users and groups.

Note

A tenant admin can run the command to provision the first-party service principal on the given tenant.

Commands:

    az ad sp create --id d3d1a4fe-edb2-4b09-bc39-e41d342323d6

    New-AzureADServicePrincipal -AppId d3d1a4fe-edb2-4b09-bc39-e41d342323d6

Enable features

  1. Sign in to Azure portal.

  2. Click the Cloud Shell icon at the top right, and select PowerShell or Bash as your environment depending on the command you use.

At the next command prompt, enter each of the following commands:

  1. Register your subscription for the 'AKS-AzureKeyVaultSecretsProvider' feature.

    az feature register --name AKS-AzureKeyVaultSecretsProvider --namespace "Microsoft.ContainerService" --subscription <Your Subscription>
    
    Register-AzProviderFeature -FeatureName AKS-AzureKeyVaultSecretsProvider -ProviderNamespace Microsoft.ContainerService
    

    Output: All requests for this feature should be automatically approved. The state in the response should show as Registered.
    If you receive a response that the registration is still ongoing (state in the response shows as "Registering"), wait for a few minutes.
    Run the command again in a few minutes; the state changes to "Registered" once feature registration is completed.

  2. Register your subscription for the 'EnablePodIdentityPreview' feature.

    az feature register --name EnablePodIdentityPreview --namespace "Microsoft.ContainerService" --subscription <Your Subscription>
    
    Register-AzProviderFeature -FeatureName EnablePodIdentityPreview -ProviderNamespace Microsoft.ContainerService
    

    Output: The response indicates the registration is in progress (state in the response shows as "Registering"). It might take a few minutes to register the feature.
    Run the command again in a few minutes; the state changes to "Registered" once feature registration is completed.

  3. Register your subscription for the 'KubeletDisk' feature.

    az feature register --name KubeletDisk --namespace "Microsoft.ContainerService" --subscription <Your Subscription>
    
    Register-AzProviderFeature -FeatureName KubeletDisk -ProviderNamespace Microsoft.ContainerService
    

    Output: The response indicates the registration is in progress (state in the response shows as "Registering"). It might take a few minutes to register the feature.
    Run the command again in a few minutes; the state changes to "Registered" once feature registration is completed.

  4. Register with the 'Microsoft.ContainerService' provider to propagate the features registered in the previous steps.

    az provider register -n Microsoft.ContainerService --subscription <Your Subscription>
    
    Register-AzResourceProvider -ProviderNamespace Microsoft.ContainerService
    

    Output: No response means the feature registration propagated and you can proceed. If you receive a response that the registration is still ongoing, wait for a few minutes, and run the command again until you receive no response.
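
The four steps above as one Azure CLI script, an added example that is not part of the original page: it registers each feature, polls `az feature show` until the state reads Registered, and only then re-registers the provider. The polling interval, the retry limit and the `SUBSCRIPTION_ID` variable are assumptions.

```bash
#!/usr/bin/env bash
# Added example: register the three preview features named on this page, wait
# for each to reach "Registered", then re-register the provider (step 4).
NAMESPACE="Microsoft.ContainerService"
FEATURES="AKS-AzureKeyVaultSecretsProvider EnablePodIdentityPreview KubeletDisk"
POLL_SECONDS="${POLL_SECONDS:-30}"   # assumed polling interval
MAX_POLLS="${MAX_POLLS:-40}"         # assumed retry limit (about 20 minutes)

# Print the current registration state of one feature.
feature_state() {
  az feature show --name "$1" --namespace "$NAMESPACE" \
    --subscription "$2" --query properties.state --output tsv
}

# Poll until the feature is Registered. Returns 1 on timeout or on any state
# other than Registering/Registered, so the caller never propagates early.
wait_registered() {
  polls=0
  while [ "$polls" -lt "$MAX_POLLS" ]; do
    state="$(feature_state "$1" "$2")" || return 1
    case "$state" in
      Registered)  return 0 ;;
      Registering) sleep "$POLL_SECONDS" ;;
      *) echo "unexpected state for $1: $state" >&2; return 1 ;;
    esac
    polls=$((polls + 1))
  done
  echo "timed out waiting for $1" >&2
  return 1
}

# Steps 1-4 of the procedure for one subscription ($1).
register_all() {
  for feature in $FEATURES; do
    az feature register --name "$feature" --namespace "$NAMESPACE" \
      --subscription "$1" --output none || return 1
    wait_registered "$feature" "$1" || return 1
  done
  az provider register -n "$NAMESPACE" --subscription "$1"
}

# Runs only when SUBSCRIPTION_ID is set in the environment.
if [ -n "${SUBSCRIPTION_ID:-}" ]; then
  register_all "$SUBSCRIPTION_ID"
fi
```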
