[BUG] AKS - cannot use kubectl auth can-i on AAD users/groups

[amithkk]

Describe the bug

kubectl auth can-i can be used to check if a specific user/group/svcaccount can access a specific resource by using the --as parameter. However, trying to run this with an AAD OID for a group or user results in the following error:

$ kubectl auth can-i get pods -n dev --as 4d1f21fa-2a27-4822-9222-3fff48f6ac21
no - Azure does not have opinion for this non AAD user. If you are an AAD user, please set Extra:oid parameter for impersonated user in the kubeconfig

To Reproduce
Steps to reproduce the behavior:

1. Run command kubectl auth can-i get pods -n dev --as <valid-AAD-oid>
2. See error

Expected behavior

AAD RBAC states whether access is granted

Environment (please complete the following information):

• kubectl version: 1.30
• Kubernetes version 1.30

Additional Info

This has been reported before, but has been closed with no resolution as stale:

• Cannot impersonate AAD user #2848
• Should user impersonation work? #843

[microsoft-github-policy-service]

@miwithrow, @CocoWang-wql would you be able to assist?