Hi,
Could the documentation please be updated with the correct az cli commands to create the server application and client application.
The steps I have figured out so far are
az ad sp create-for-rbac -n "server-application" --skip-assignment
Make note of appid and secret
az ad app update --id "server-application-appid" --set groupMembershipClaims=All allowPublicClient=false --reply-urls "http://server-application" --required-resource-accesses @server-manifest.json
server-manifest.json contains definitions for resourceAccess and resourceAppId
I'm not entirely sure how to create the native-app app registration, it keeps complaining about identifier-uris being incorrect when I include --available-to-other-tenants, which I'm not even sure is needed but creating it through the portal creates one with this property.
Thanks for the feedback! We are currently investigating and will update you shortly.
I am assigning the issue to the content author to investigate further and update the document as appropriate.
@iainfoulds Please take a look at this issue.
Here are the commands I used. There does seem to be a bug with the CLI though on version 2.0.54 and I'm unable to run either of the grant commands. It's easy enough to just go to the portal and grant manually in the meantime though.
serverApplicationSecret="$(openssl rand -base64 30)"
serverApplicationId="$(az ad app create --display-name AKSAADServer --identifier-uris "https://AKSAADServer" --end-date "2050-1-1" --password $serverApplicationSecret --query appId -o tsv)"
az ad app update --id $serverApplicationId --set groupMembershipClaims=All
az ad app permission add --id $serverApplicationId --api 00000003-0000-0000-c000-000000000000 --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope 06da0dbc-49e2-44d2-8312-53f166ab848a=Scope 7ab1d382-f21e-4acd-a863-ba3e13f7da61=Role
az ad app permission grant --id $serverApplicationId --api 00000003-0000-0000-c000-000000000000 --subscription $tenantId
oAuthPermissionId="$(az ad app show --id $serverApplicationId --query "oauth2Permissions[0].id" -o tsv)"
clientApplicationId="$(az ad app create --display-name AKSAADClient --native-app --reply-urls https://AKSAADClient --query appId -o tsv)"
az ad app permission add --id $clientApplicationId --api $serverApplicationId --api-permissions $oAuthPermissionId=Scope
I can submit a PR but I'd like to figure out why the grant fails first.
@cwoolum have you been able to figure out why the grant fails?
Sorry for the delay on this one. We actually published a doc a few weeks ago that outlines how to use the Azure CLI to create an Azure AD-enabled cluster - https://docs.microsoft.com/en-us/azure/aks/azure-ad-integration-cli
There was an issue in the Azure CLI in how it was granting permissions. That was resolved a few releases ago, so make sure you're running the latest Azure CLI.
@haodeon We will now proceed to close this thread. If there are further questions regarding this matter, please tag me in your reply. We will gladly continue the discussion and we will reopen the issue.
Hi Ian, I personally tested the procedure in https://docs.microsoft.com/en-us/azure/aks/azure-ad-integration-cli and it doesn't work. I was able to fix the problem just by setting the following values in the manifest of both the client and server applications:
I was able to fix this issue with Azure AD v2 application by setting the following in the client manifest:
"allowPublicClient": true,
"oauth2AllowIdTokenImplicitFlow": true,
"signInAudience": "AzureADMultipleOrgs",
I'm investigating how to set the allowPublicClient property as it looks like that the following command doesn't work:
az ad app update \
--id $aksServerApplicationAppId \
--set allowPublicClient=true
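The following is an added example and not code posted by anyone in this thread. It turns the settings the thread converges on (groupMembershipClaims=All on the server application from the commands earlier in the thread, and allowPublicClient, oauth2AllowIdTokenImplicitFlow and signInAudience on the client application from the manifest values just listed) into a check that can be run against the JSON of an app registration, for example saved from az ad app show --id <appId> -o json or downloaded as the manifest from the portal. It assumes the pretty-printed one-property-per-line JSON layout and the portal's manifest key names as quoted in the thread; if your CLI version names a property differently, adjust the expected_props table. The sample manifests and their appId values are constructed placeholders.

```shell
# Added example (not posted in this thread): verify that an Azure AD app
# registration's JSON carries the manifest values the thread converges on.
# Assumes the pretty-printed `"key": value` per line layout of
# `az ad app show -o json` / the portal manifest, and the portal key names.

set -u

# expected_props <server|client>: prints one "key value" pair per line.
# server: groups in the token (groupMembershipClaims=All), confidential client.
# client: the three manifest values reported in the thread as the working fix.
expected_props() {
  case "$1" in
    server)
      printf '%s\n' 'groupMembershipClaims "All"' 'allowPublicClient false' ;;
    client)
      printf '%s\n' 'allowPublicClient true' \
                    'oauth2AllowIdTokenImplicitFlow true' \
                    'signInAudience "AzureADMultipleOrgs"' ;;
    *) echo "unknown role: $1" >&2; return 2 ;;
  esac
}

# check_app_manifest <role> <json-file>
# 0 when every expected property is present with the expected value,
# 1 otherwise (each mismatch is reported on stderr), 2 for an unknown role.
check_app_manifest() {
  role="$1"; file="$2"; rc=0
  expected_props "$role" >/dev/null || return 2
  while read -r key value; do
    # match   "key": value   with the CLI's whitespace and optional trailing comma
    if ! grep -Eq "^[[:space:]]*\"$key\"[[:space:]]*:[[:space:]]*$value[[:space:]]*,?[[:space:]]*$" "$file"; then
      echo "$role ($file): expected \"$key\": $value" >&2
      rc=1
    fi
  done <<EOF
$(expected_props "$role")
EOF
  return $rc
}

# Constructed samples (placeholder appIds), abridged to the relevant keys.
sample_server_json="$(mktemp)"
cat >"$sample_server_json" <<'EOF'
{
  "allowPublicClient": false,
  "appId": "11111111-1111-1111-1111-111111111111",
  "displayName": "AKSAADServer",
  "groupMembershipClaims": "All",
  "identifierUris": [
    "https://AKSAADServer"
  ]
}
EOF

sample_client_json="$(mktemp)"
cat >"$sample_client_json" <<'EOF'
{
  "allowPublicClient": true,
  "appId": "22222222-2222-2222-2222-222222222222",
  "displayName": "AKSAADClient",
  "oauth2AllowIdTokenImplicitFlow": true,
  "signInAudience": "AzureADMultipleOrgs"
}
EOF

# A client registration left at the defaults: confidential, single tenant.
sample_bad_client_json="$(mktemp)"
cat >"$sample_bad_client_json" <<'EOF'
{
  "allowPublicClient": false,
  "appId": "33333333-3333-3333-3333-333333333333",
  "displayName": "AKSAADClient",
  "signInAudience": "AzureADMyOrg"
}
EOF

# Real use: az ad app show --id "$clientApplicationId" -o json > client.json
#           check_app_manifest client client.json
check_app_manifest server "$sample_server_json" && echo "server manifest OK"
check_app_manifest client "$sample_client_json" && echo "client manifest OK"
check_app_manifest client "$sample_bad_client_json" || echo "client manifest still needs the values above"
```

Running the check after each az ad app update (or after editing the manifest in the portal) shows immediately which of the three client values did not take, which is the quickest way to tell whether a failing --set call silently left the registration unchanged.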
@paolosalvatori You've already found my other issue, which I opened when I encountered problems with "allowPublicClient=true".
But for those who are new to this issue I am referencing it here to help. Azure/azure-cli#7955