Update:
A colleague who works for Microsoft said:

Changelog entry for this behaviour change is here: https://github.com/MicrosoftDocs/azure-docs-cli/blob/master/docs-ref-conceptual/release-notes-azure-cli.md#aks-3

I'm following the proper instructions and the documentation must be out of date.

https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal

Automatically create and use a service principal.
When you create an AKS cluster in the Azure portal or using the az aks create command, Azure can automatically generate a service principal. In the following Azure CLI example, a service principal is not specified. In this scenario, the Azure CLI creates a service principal for the AKS cluster. To successfully complete the operation, your Azure account must have the proper rights to create a service principal.

az aks create --name myAKSCluster --resource-group myResourceGroup

This is what happened a few months ago - see Finished service principal creation:

Now when I try I get Add role propagation:

The problem is querying the servicePrincipalProfile.clientId results in msi, I need the guid of the service principal not the Managed Service Identity.

$CLIENT_ID=$(az aks show --resource-group $AKS_RESOURCE_GROUP --name $AKS_CLUSTER_NAME --query "servicePrincipalProfile.clientId" --output tsv)
echo $CLIENT_ID

Used to work:

Now its changed:

How do I create the Kubernetes Cluster with a Service Principal as the documentation states and how it used to work?

Repro steps:

https://github.com/MeaningOfLights/AzureTraining/blob/master/Hands-On-Labs-That-Work/80-Kubernetes.md

https://github.com/MeaningOfLights/AzureTraining/blob/master/Hands-On-Labs-That-Work/85-Kubernetes-Deployment.md