Logging AAD username of AKS-AAD integrated Clusters

  1. Create an AAD Group in Azure Active Directory

We take the ObjectId of this Group as we’ll need to add it later at the cluster creation time

2. We create an AKS-AAD integrated cluster for testing purpose with the Azure CLI:

3. Create an AAD User and assign to the aksadmin Group

4. Assign permission for respective Group

6. Login with AAD User (aksdev@…onmicrosoft.com) and execute some operations on the cluster level, in our case we ran a test nginx Pod

7. We assume that we enabled the kube-audit and kube-audit-admin Settings in Log Analytics for this AKS Cluster.

Execute the following Kusto query:



| where TimeGenerated > ago(4h)

| where Category contains ‘kube-audit’

| project TimeGenerated, Category , pod=tostring(pod_s), log=tostring(log_s)

| where log contains “ResponseComplete”

| extend audit=parse_json(log)

| project TimeGenerated, pod, requestURI=tostring(audit.requestURI), verb=tostring(audit.verb), status=tostring(audit.responseStatus.code), userAgent=tostring(audit.userAgent), user=tostring(audit.user.username),latency=datetime_diff(‘millisecond’, todatetime(audit.stageTimestamp), todatetime(audit.requestReceivedTimestamp)), audit

| where user !in (“aksService”, “masterclient”, “nodeclient”)

| sort by TimeGenerated asc

| summarize count() by user, userAgent

In the log_s part of the result will find the user that executed that operation:



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store