Hi,

When deploying an AKS Cluster, local accounts are enabled by default. Even when enabling RBAC or Azure Active Directory integration, –admin access still exists, essentially as a non-auditable backdoor option. With this in mind, AKS offers users the ability to disable local accounts via a flag, disable-local. A field, properties.disableLocalAccounts, has also been added to the managed cluster API to indicate whether the feature has been enabled on the cluster.

Requirements:

az feature register --namespace "Microsoft.ContainerService" --name "DisableLocalAccountsPreview"

az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/DisableLocalAccountsPreview')].{Name:name,State:properties.state}"

Disable local account on an existing AKS cluster:

az aks update -g -n --enable-aad --aad-admin-group-object-ids --disable-local

Create a new AKS cluster without any local account:

az aks create -g -n --enable-aad --aad-admin-group-object-ids --disable-local

Maxime.