Azure Kubernetes Service RBAC Cluster Admin doesn't provide my user the cluster admin privilege

12/7/2021

I have an AKS cluster running Kubernetes 1.21.2 with these options:

Kubernetes RBAC --> enabled
AKS-managed AAD --> enabled
Local accounts  --> disabled

When I run az aks get-credentials --resource-group <resource-group> --name <cluster-name> --admin, it fails as expected. So far it's looking good.

I still want someone to be admin, so I give a user the following privileges:

Azure Kubernetes Service Cluster User Role
Azure Kubernetes Service RBAC Cluster Admin

I followed these steps to test whether my user is a cluster admin:

  • az login and input my user's credentials to login
  • az aks get-credentials --resource-group <resource-group> --name <cluster-name> to download the clusterUser_kubeconfig
  • kubectl get pods -A to list pods in all namespaces
  • it prompts me with something like To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code DKXXXXX8T to authenticate.
  • I log in using my user's credentials again and allow the k8s application to connect to my user.
  • kubectl get pods -A fails : Error from server (Forbidden): pods is forbidden: User "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" cannot list resource "pods" in API group "" at the cluster scope

According to what I have read so far, it should be working, as my user is Azure Kubernetes Service RBAC Cluster Admin. Could someone enlighten me as to what I've missed or misunderstood?

-- Will
azure-active-directory
azure-aks
azure-rbac
kubernetes
rbac

0 Answers
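The check a practitioner would run before assigning "Azure Kubernetes Service RBAC ..." roles is whether the cluster actually has Azure RBAC for Kubernetes authorization turned on (the aadProfile.enableAzureRbac field of az aks show). Those built-in roles are only evaluated by the API server when that feature is enabled; with AKS-managed AAD alone, authorization is plain Kubernetes RBAC and the user must be bound inside the cluster, where the AAD user's Kubernetes username is the object ID GUID that appears in the Forbidden error. The script below is an added example, not code from the question or from Microsoft; it works offline on a constructed aadProfile JSON (a stand-in for az aks show output) and a placeholder object ID, and emits the ClusterRoleBinding that would be applied on the Kubernetes-RBAC path. The field name enableAzureRbac and the exact az output are assumed from the Azure CLI's documented shape.

```shell
#!/bin/sh
# Added example (not part of the original post). Decide which authorization
# path an AKS cluster is on and produce the matching admin grant.
set -eu

# Constructed stand-in for:
#   az aks show -g <resource-group> -n <cluster-name> --query aadProfile -o json
# describing a cluster like the one in the question: managed AAD on, Azure
# RBAC for Kubernetes authorization NOT enabled. Values are placeholders.
SAMPLE_AAD_PROFILE='{
  "managed": true,
  "enableAzureRbac": false,
  "adminGroupObjectIDs": null,
  "tenantId": "00000000-0000-0000-0000-000000000000"
}'

# Placeholder AAD user object ID (the GUID kubectl prints as User "...").
SAMPLE_OBJECT_ID="11111111-1111-1111-1111-111111111111"

# Returns 0 when the aadProfile JSON says Azure RBAC for Kubernetes
# authorization is on. Whitespace is stripped so formatting does not matter.
azure_rbac_enabled() {
  printf '%s' "$1" | tr -d ' \n\t' | grep -q '"enableAzureRbac":true'
}

# Which mechanism the API server consults for kubectl authorization.
#   azure-rbac      -> "Azure Kubernetes Service RBAC ..." role assignments apply
#   kubernetes-rbac -> only (Cluster)RoleBindings inside the cluster apply
authz_mode() {
  if azure_rbac_enabled "$1"; then
    echo "azure-rbac"
  else
    echo "kubernetes-rbac"
  fi
}

# ClusterRoleBinding granting cluster-admin to one AAD principal. On an
# AKS-managed AAD cluster the Kubernetes username is the AAD object ID, so
# the subject name is exactly the GUID from the Forbidden error.
cluster_admin_binding() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aad-cluster-admin-$1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: $1
EOF
}

# Demo run on the constructed input: prints the mode and, on the
# Kubernetes-RBAC path, the binding to apply.
main() {
  mode=$(authz_mode "$SAMPLE_AAD_PROFILE")
  echo "authorization mode: $mode"
  if [ "$mode" = "kubernetes-rbac" ]; then
    echo "--- apply with: kubectl apply -f - ---"
    cluster_admin_binding "$SAMPLE_OBJECT_ID"
  else
    echo "assign 'Azure Kubernetes Service RBAC Cluster Admin' at cluster scope"
  fi
}

main
```

Applying the binding requires an identity that can already create ClusterRoleBindings; with local accounts disabled and --admin refused, that is a member of the cluster's AKS-managed AAD admin group (adminGroupObjectIDs), which AKS binds to cluster-admin automatically. On a cluster where enableAzureRbac is true, the binding is unnecessary and the role assignment alone should suffice; re-download the kubeconfig with az aks get-credentials after changing either.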