Need to define RBAC based on the audit log. This can be a regular process to onboard a team and provide access.
I find the audit2rbac tool simple and clear to use.
Need guidance w.r.t. Kubernetes Service on Azure.
Here is an example query for getting audit logs from Azure Log Analytics.
It removes some of the noise to try to give just the logs for when a user has modified a resource in Kubernetes. The requestURI and requestObject fields will give you the most info about what the user was doing.
AzureDiagnostics
| where Category == "kube-audit"
| extend log_j=parse_json(log_s)
| extend requestURI=log_j.requestURI
| extend verb=log_j.verb
| extend username=log_j.user.username
| extend requestObject = parse_json(log_j.requestObject)
| where verb !in ("get", "list", "watch", "")
| where username !in ("aksService", "masterclient", "nodeclient")
| where username !startswith "system:serviceaccount:kube-system"
| where requestURI startswith "/api/"
| where requestURI !startswith "/api/v1/nodes/"
| where requestURI !startswith "/api/v1/namespaces/kube-system/"
| where requestURI !startswith "/api/v1/namespaces/ingress-basic/"
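As an added example (not code from the thread or from the audit2rbac project), here is a Python sketch of the step that audit2rbac automates: it applies the same noise filters as the query above to constructed sample kube-audit events and collapses what survives into per-user, per-namespace verb/resource candidates for a least-privilege Role. It goes slightly beyond the query by also keeping named-API-group paths under /apis/ and by excluding the ignored namespaces via objectRef rather than a URI prefix.

```python
import json
from collections import defaultdict

# Constructed sample kube-audit events in the JSON shape the query parses out of
# log_s. They are made up for this example, not records from a real cluster.
SAMPLE_LOG_LINES = [
    json.dumps({"verb": "create", "user": {"username": "alice@example.com"},
                "requestURI": "/api/v1/namespaces/team-a/configmaps",
                "objectRef": {"resource": "configmaps", "namespace": "team-a", "apiGroup": ""}}),
    json.dumps({"verb": "patch", "user": {"username": "alice@example.com"},
                "requestURI": "/apis/apps/v1/namespaces/team-a/deployments/web",
                "objectRef": {"resource": "deployments", "namespace": "team-a", "apiGroup": "apps"}}),
    json.dumps({"verb": "list", "user": {"username": "alice@example.com"},
                "requestURI": "/api/v1/namespaces/team-a/pods",
                "objectRef": {"resource": "pods", "namespace": "team-a", "apiGroup": ""}}),
    json.dumps({"verb": "update", "user": {"username": "system:serviceaccount:kube-system:coredns"},
                "requestURI": "/api/v1/namespaces/kube-system/configmaps/coredns",
                "objectRef": {"resource": "configmaps", "namespace": "kube-system", "apiGroup": ""}}),
]

READ_VERBS = {"get", "list", "watch", ""}
SYSTEM_USERS = {"aksService", "masterclient", "nodeclient"}
IGNORED_NAMESPACES = {"kube-system", "ingress-basic"}

def is_user_mutation(event):
    """Apply the query's noise filters: reads, platform identities, kube-system SAs, nodes, ignored namespaces."""
    user = event.get("user", {}).get("username", "")
    uri = event.get("requestURI", "")
    ref = event.get("objectRef", {})
    if event.get("verb", "") in READ_VERBS or user in SYSTEM_USERS:
        return False
    if user.startswith("system:serviceaccount:kube-system"):
        return False
    # Core API lives under /api/, named groups (apps, rbac, ...) under /apis/.
    if not uri.startswith(("/api/", "/apis/")) or uri.startswith("/api/v1/nodes/"):
        return False
    return ref.get("namespace", "") not in IGNORED_NAMESPACES

def draft_rules(log_lines):
    """Collapse surviving events into {username: {namespace: {(apiGroup, resource): set(verbs)}}}."""
    rules = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for line in log_lines:
        event = json.loads(line)
        if not is_user_mutation(event):
            continue
        ref = event.get("objectRef", {})
        key = (ref.get("apiGroup", ""), ref.get("resource", ""))
        rules[event["user"]["username"]][ref.get("namespace", "")][key].add(event["verb"])
    return rules
```

Each resulting (namespace, apiGroup, resource, verbs) tuple maps directly onto one rule of a namespaced Role for that user; reviewing the list by hand before binding it is the part no tool should skip.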