AKS Identity and Security: Entra ID, Workload Identity, and Policy

Calendar February 22, 2026
Kubernetes
Intermediate
Aks-Identity-Management, Workload-Identity-Configuration, Secret-Management, Policy-Enforcement
Aks, Azure, Security, Entra-Id, Workload-Identity, Key-Vault, Azure-Policy, Rbac
Az, Kubectl, Kubelogin

AKS Identity and Security#

AKS identity operates at three levels: who can access the cluster API (authentication), what they can do inside it (authorization), and how pods authenticate to Azure services (workload identity). Each level has Azure-specific mechanisms that replace or extend vanilla Kubernetes patterns.

Entra ID Integration (Azure AD)#

AKS supports two Entra ID integration modes.

AKS-managed Azure AD: Enable with --enable-aad at cluster creation. AKS handles the app registrations and token validation. This is the recommended approach.

Azure Fundamentals for Agents

Calendar February 22, 2026
Cloud-Services
Intermediate
Azure-Resource-Management, Azure-Networking, Azure-Identity-Management
Azure, Entra-Id, Vnet, Aks, Azure-Sql, Blob-Storage, Azure-Monitor, Nsg
Az-Cli, Azure-Portal, Azure-Aks, Azure-Monitor

Resource Groups and Subscriptions#

Azure organizes resources in a hierarchy: Management Groups > Subscriptions > Resource Groups > Resources. An agent interacts most frequently with resource groups and the resources inside them.

A resource group is a logical container. Every Azure resource belongs to exactly one resource group. Resource groups are regional, but can contain resources from any region. They serve as the deployment boundary, the access control boundary, and the lifecycle boundary – deleting a resource group deletes everything inside it.