Has anyone done any work around deploying resources to an AKS cluster that has local accounts disabled? How are you getting the credentials to connect to the cluster given you can't use the local admin?
If I remember correctly we use az cli to login with sp and the new kubelogin plugin to get kubectl access. If we run this before pulumi, pulumi can use the default kubecontext on the machine. It is a chicken and egg problem, since you can't login unless the cluster is created.
You might be able to run the az login steps from the pulumi script to be sure that the cluster is up