Logging AAD username of AKS-AAD integrated Clusters

We take the ObjectId of this Group as we’ll need to add it later at the cluster creation time

2. We create an AKS-AAD integrated cluster for testing purpose with the Azure CLI:

az aks create -g aad -n aad — enable-aad — aad-admin-group-object-ids 7938ded3–6d6d-4116-b5d0–8ac7f734ec68 — aad-tenant-id 716e7f5b-8914–47f5–85f0–84db07e6xxxx — enable-azure-rbac — node-count 1 — generate-ssh-keys

3. Create an AAD User and assign to the aksadmin Group

4. Assign permission for respective Group

AKS_ID=$(az aks show — resource-group aad — name aad — query id -o tsv)

az role assignment create — assignee 7938ded3–6d6d-4116-b5d0–8ac7f734ec68 — role “Azure Kubernetes Service Cluster User Role” — scope $AKS_ID

5. Creating Role/RoleBinding for that cluster. For this step, we need to get credentials for admin user (az aks get-credentials -n aks -g aks –admin)

kind: Role

apiVersion: rbac.authorization.k8s.io/v1


name: dev-user-full-access


- apiGroups: [“”, “extensions”, “apps”]

resources: [“*”]

verbs: [“*”]

- apiGroups: [“batch”]


- jobs

- cronjobs

verbs: [“*”]

kind: RoleBinding

apiVersion: rbac.authorization.k8s.io/v1


name: dev-user-access


apiGroup: rbac.authorization.k8s.io

kind: Role

name: dev-user-full-access


- kind: Group

namespace: default

name: 7938ded3–6d6d-4116-b5d0–8ac7f734ec68

6. Login with AAD User (aksdev@…onmicrosoft.com) and execute some operations on the cluster level, in our case we ran a test nginx Pod

7. We assume that we enabled the kube-audit and kube-audit-admin Settings in Log Analytics for this AKS Cluster.

Execute the following Kusto query:


| where log_s contains “nginx”

| where log_s contains “aksdev”



| where TimeGenerated > ago(4h)

| where Category contains ‘kube-audit’

| project TimeGenerated, Category , pod=tostring(pod_s), log=tostring(log_s)

| where log contains “ResponseComplete”

| extend audit=parse_json(log)

| project TimeGenerated, pod, requestURI=tostring(audit.requestURI), verb=tostring(audit.verb), status=tostring(audit.responseStatus.code), userAgent=tostring(audit.userAgent), user=tostring(audit.user.username),latency=datetime_diff(‘millisecond’, todatetime(audit.stageTimestamp), todatetime(audit.requestReceivedTimestamp)), audit

| where user !in (“aksService”, “masterclient”, “nodeclient”)

| sort by TimeGenerated asc

| summarize count() by user, userAgent

In the log_s part of the result will find the user that executed that operation:



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store