Hello,
With Azure pushing for AKS to become more deeply integrated with Azure AD, they are encouraging admins to disable the --admin flag when getting credentials, which creates a local admin account on the cluster. This creates a problem with service principal login, since authentication passes but an OAuth device code flow is forced that cannot be disabled. For a while this was a blocker for user service principals.
Recently the Azure team released kubelogin to assist with the process: "Azure/kubelogin: A Kubernetes credential (exec) plugin implementing azure authentication" (github.com). Based on this, it appears that this could be leveraged to allow the flow without a local admin account.