Hi Hennadii Nikitin,
Thanks for posting your question in Microsoft Q&A.
Azure Cache for Redis supports only Azure AD–based role assignments through Azure RBAC at the resource level and does not allow creating Redis users tied directly to AAD identities.
Both the Redis and AKS errors occur because the chosen SKU/tier or configuration doesn’t support the attempted Entra ID user-management or RBAC mapping, leading to misconfigurations in role scope, tenant alignment, or RBAC enablement.
- The AD user or group you’re adding does not exist in the same tenant or has not properly accepted its invitation.
- Your Azure AD directory role does not include sufficient privileges (for example, you need at least the User Administrator or Privileged Role Administrator role to invite/assign guest users).
To add a user to Microsoft Entra Authentication in Azure Managed Redis:
- Enable Microsoft Entra Authentication: Go to Azure Portal → Redis Cache → Settings → Authentication → Enable Microsoft Entra Authentication. This may take ~15 minutes.
- Add Redis User with Data Owner Role: Navigate to Data Access Configuration → Add → New Redis User → Select “Data Owner” → Assign to Managed Identity.
- In Redis → Access Control (IAM) → add the user/group with the Cache Contributor role.
For Azure Cache for Redis, the required role depends on what level of access you need:
1. Cache Contributor → Grants full management access to the Redis resource (create, delete, configure, scale, enable Entra auth, etc.). This is the main role for administrators of the Redis instance.
2. Data Owner / Data Contributor → These roles are only relevant when Azure RBAC for the data plane is supported (e.g., Redis Enterprise with Entra ID). Azure Cache for Redis (standard/premium SKUs) does not support per-user data access control via AAD; it only supports resource-level RBAC. In the Azure Portal, go to your Redis resource > Overview to confirm tier and feature support.
3. So, for Azure Cache for Redis (non-Enterprise), you should use Cache Contributor at the resource scope.
- Use Correct Client Configuration: Ensure the Redis client uses Microsoft Entra token authentication. The token must be refreshed periodically using the Microsoft Authentication Library (MSAL).
Reference documentation: https://learn.microsoft.com/en-us/azure/redis/entra-for-authentication
To grant RBAC admin access to the group in AKS, follow the recommendations below:
- Use RoleBinding or ClusterRoleBinding: Create a Kubernetes Role or ClusterRole with the required permissions.
Refer: https://learn.microsoft.com/en-us/azure/aks/aksarc/kubernetes-rbac-local?tabs=cli
- Bind it to the group using a RoleBinding (for namespace-level access) or a ClusterRoleBinding (for cluster-wide access).
Refer: https://learn.microsoft.com/en-us/azure/aks/aksarc/kubernetes-rbac-entra-id
- Azure RBAC Integration: Ensure Azure RBAC is enabled in AKS.
Refer: https://learn.microsoft.com/en-us/azure/aks/enable-authentication-microsoft-entra-id
- Use az role assignment create to assign roles to the group at the correct scope (resource group, cluster, or namespace).
Refer: https://learn.microsoft.com/en-us/azure/aks/aksarc/azure-rbac-local?tabs=cli%2Cazurecli
I hope the provided response is helpful. If you have any further questions, please feel free to post them here.
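The answer above says the Redis client must use Entra token authentication and refresh the token periodically with MSAL. The following is an added example (not code from the question, the answer, or Microsoft's documentation) of a credential provider that caches a token and replaces it a configurable margin before it expires, so existing AUTH material never goes stale. Assumptions not stated on the page: the Redis username is the principal's Entra object ID, the token fetcher returns `(access_token, expires_on_unix_seconds)`, the `(username, password)` return shape matches redis-py's `CredentialProvider` contract, and the MSAL scope `https://redis.azure.com/.default` is the one used for Azure Cache for Redis. The demo uses a constructed fake fetcher and an injected clock so it runs offline.

```python
"""Proactive refresh of a Microsoft Entra access token for Azure Cache for Redis."""
import time
from typing import Callable, Dict, Optional, Tuple

# A fetcher returns (access_token, expires_on) with expires_on in Unix seconds (assumed contract).
TokenFetcher = Callable[[], Tuple[str, float]]


class EntraRedisCredentialProvider:
    """Caches an Entra access token and replaces it before it expires.

    get_credentials() returns (username, password) where the password is the bearer
    token: the pair redis-py's CredentialProvider expects (assumption; redis-py is not
    imported so this module runs offline).
    """

    def __init__(self, object_id: str, fetch_token: TokenFetcher,
                 refresh_margin_s: float = 300.0,
                 clock: Callable[[], float] = time.time) -> None:
        self.object_id = object_id        # Entra object ID used as the Redis username (assumption)
        self._fetch_token = fetch_token
        self._margin = refresh_margin_s   # refresh this many seconds before expiry
        self._clock = clock               # injectable so the refresh logic can be tested deterministically
        self._token: Optional[str] = None
        self._expires_on = 0.0
        self.fetch_count = 0              # how many tokens have been acquired so far

    def needs_refresh(self) -> bool:
        """True when no token is cached or the cached one is inside the refresh margin."""
        return self._token is None or self._clock() >= self._expires_on - self._margin

    def get_credentials(self) -> Tuple[str, str]:
        """Return (username, token), acquiring a fresh token only when needed."""
        if self.needs_refresh():
            token, expires_on = self._fetch_token()
            if expires_on <= self._clock():
                raise RuntimeError("token fetcher returned an already-expired token")
            self._token, self._expires_on = token, expires_on
            self.fetch_count += 1
        return self.object_id, self._token


def msal_client_credential_fetcher(tenant_id: str, client_id: str, client_secret: str) -> TokenFetcher:
    """Build a fetcher backed by MSAL's client-credential flow (service principal).

    Requires `pip install msal`; imported lazily so the rest of the module runs offline.
    The scope is the one assumed for Azure Cache for Redis (see lead-in).
    """
    import msal  # real library; only needed when this fetcher is actually used

    app = msal.ConfidentialClientApplication(
        client_id,
        authority=f"https://login.microsoftonline.com/{tenant_id}",
        client_credential=client_secret,
    )

    def fetch() -> Tuple[str, float]:
        result = app.acquire_token_for_client(scopes=["https://redis.azure.com/.default"])
        if "access_token" not in result:
            raise RuntimeError(result.get("error_description", "token acquisition failed"))
        return result["access_token"], time.time() + float(result["expires_in"])

    return fetch


def demo() -> Dict[str, object]:
    """Drive the provider with a constructed fetcher and a fake clock to show when refresh happens."""
    now = [1_000_000.0]                  # fake wall clock, advanced by hand
    issued = []                          # record of constructed tokens handed out

    def fake_fetch() -> Tuple[str, float]:
        issued.append(len(issued) + 1)
        return f"constructed-token-{len(issued)}", now[0] + 3600  # one-hour lifetime

    provider = EntraRedisCredentialProvider(
        "11111111-2222-3333-4444-555555555555",  # constructed object ID, not a real principal
        fake_fetch, refresh_margin_s=300, clock=lambda: now[0])

    _, first = provider.get_credentials()    # cold start: acquires token 1
    now[0] += 1800
    _, second = provider.get_credentials()   # 30 min in, still outside the margin: same token
    now[0] += 1600
    _, third = provider.get_credentials()    # 3400 s in, inside the 300 s margin: token 2 acquired
    return {"first": first, "second": second, "third": third, "fetches": provider.fetch_count}


if __name__ == "__main__":
    print(demo())
```

Wire it in by passing the provider wherever your client takes a credential provider; with a managed identity the fetcher would wrap the identity's token endpoint instead of the client-credential flow, but the refresh logic is unchanged.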
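For the AKS part of the answer, both routes are listed: a Kubernetes RoleBinding/ClusterRoleBinding to the Entra group, and an Azure RBAC assignment with `az role assignment create` at cluster or namespace scope. The following is an added example (not code from the answer or from the linked Microsoft articles) that builds both artefacts for a group and enforces the check that most often breaks group access: with Entra integration the binding subject and the assignee must be the group's object ID, not its display name. Assumptions: the Azure built-in role names `Azure Kubernetes Service RBAC Admin` / `Cluster Admin` / `Reader` / `Writer`, and the namespace scope format `<aks resource id>/namespaces/<name>`, are as used in the linked Azure RBAC documentation; the GUID and resource ID in the demo are constructed.

```python
"""Build AKS RBAC artefacts for a Microsoft Entra group and reject display names where an object ID is required."""
import json
import uuid
from typing import Dict, List, Optional

# Azure built-in roles for Kubernetes authorization (role names assumed per the linked docs).
AKS_RBAC_ROLES = {
    "admin": "Azure Kubernetes Service RBAC Admin",
    "cluster-admin": "Azure Kubernetes Service RBAC Cluster Admin",
    "reader": "Azure Kubernetes Service RBAC Reader",
    "writer": "Azure Kubernetes Service RBAC Writer",
}


def require_object_id(value: str) -> str:
    """Entra groups are referenced by object ID (a GUID); a display name is rejected early."""
    try:
        uuid.UUID(value)
    except ValueError:
        raise ValueError(
            f"{value!r} is not an Entra object ID; use the group's object ID, not its display name")
    return value.lower()


def entra_group_binding(binding_name: str, group_object_id: str, cluster_role: str,
                        namespace: Optional[str] = None) -> Dict:
    """Return a RoleBinding (namespace given) or ClusterRoleBinding (no namespace) manifest.

    The roleRef always points at a ClusterRole: binding a ClusterRole through a RoleBinding
    limits it to that namespace, which is how namespace-scoped admin access is usually granted.
    """
    subject = {
        "kind": "Group",
        "apiGroup": "rbac.authorization.k8s.io",
        "name": require_object_id(group_object_id),   # object ID, never the display name
    }
    manifest: Dict = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding" if namespace else "ClusterRoleBinding",
        "metadata": {"name": binding_name},
        "subjects": [subject],
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": cluster_role},
    }
    if namespace:
        manifest["metadata"]["namespace"] = namespace
    return manifest


def azure_rbac_assignment_cmd(group_object_id: str, aks_resource_id: str,
                              role_key: str = "admin", namespace: Optional[str] = None) -> List[str]:
    """Return the argv for the az CLI call that grants the Azure RBAC role at cluster or namespace scope."""
    scope = aks_resource_id if namespace is None else f"{aks_resource_id}/namespaces/{namespace}"
    return [
        "az", "role", "assignment", "create",
        "--assignee-object-id", require_object_id(group_object_id),
        "--assignee-principal-type", "Group",   # avoids a directory lookup and works for guest-less tenants
        "--role", AKS_RBAC_ROLES[role_key],
        "--scope", scope,
    ]


def to_manifest_json(manifest: Dict) -> str:
    """kubectl apply accepts JSON, so no YAML dependency is needed."""
    return json.dumps(manifest, indent=2)


if __name__ == "__main__":
    group = "11111111-2222-3333-4444-555555555555"   # constructed, not a real group
    aks = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
           "/providers/Microsoft.ContainerService/managedClusters/aks-demo")  # constructed
    print(to_manifest_json(entra_group_binding("payments-admins", group, "admin", namespace="payments")))
    print(" ".join(azure_rbac_assignment_cmd(group, aks, "admin", namespace="payments")))
    try:
        entra_group_binding("bad", "aks-admins", "admin")   # display name: rejected
    except ValueError as exc:
        print("rejected:", exc)
```

Pick one authorization model per cluster: the Kubernetes-native binding applies when the cluster uses Entra authentication with Kubernetes RBAC, while the `az role assignment create` path applies only when Azure RBAC for Kubernetes authorization is enabled, which is the "Ensure Azure RBAC is enabled in AKS" step above.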