GitOps Meets Azure Native
Microsoft announced the public preview of an integrated Argo CD extension for Azure Kubernetes Service this week, bringing the popular GitOps tool into the platform’s native management layer. This marks a significant shift in how Microsoft approaches Kubernetes tooling—moving from simply supporting third-party projects to deeply integrating them into the Azure experience.
The extension addresses a common enterprise concern: maintaining GitOps agility while meeting security and compliance requirements. Self-managed Argo CD installations require ongoing maintenance, security updates, and credential management. The new managed extension shifts these responsibilities to Microsoft while preserving the full functionality platform teams expect from Argo CD.
Enterprise Identity Integration
The managed extension connects to Microsoft Entra ID, replacing manual credential management with two key features that address the most common pain points in enterprise GitOps adoption.
Workload Identity Federation: Argo CD can authenticate to Azure Container Registry and Azure DevOps without storing long-lived secrets in Git repositories. Instead, it uses short-lived tokens exchanged via OIDC. This removes a common attack surface where service principal secrets historically leaked through configuration drift or compromised repositories. The implementation aligns with Microsoft’s broader push toward secretless authentication across Azure services.
Single Sign-On: Teams authenticate to the Argo CD web UI using existing Azure identities. No separate user databases. No extra passwords to manage. RBAC policies in Argo CD map directly to Azure AD groups, enabling centralized identity management with existing tooling and audit trails.
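The group-to-role mapping described above can be reviewed mechanically. This added example (not Microsoft's or the Argo CD project's code) parses policy text in upstream Argo CD's policy.csv format and lists bindings that deserve a second look. The sample policy, GUIDs and e-mail address are constructed, and it is an assumption that the managed extension exposes the same policy format.

```python
import csv
import io
import re

# Entra ID emits groups as object IDs (GUIDs) in the token's groups claim.
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def review_policy(policy_csv, policy_default=""):
    """Return (bindings, findings) for upstream Argo CD policy.csv text."""
    bindings, findings = [], []
    for row in csv.reader(io.StringIO(policy_csv), skipinitialspace=True):
        row = [cell.strip() for cell in row]
        if not row or row[0].startswith("#"):
            continue
        if row[0] == "g" and len(row) >= 3:      # g, <subject>, <role>
            subject, role = row[1], row[2]
            bindings.append((subject, role))
            if not GUID.match(subject):
                findings.append(f"{subject}: not an Entra group object ID")
            elif role == "role:admin":
                findings.append(f"{subject}: whole group is Argo CD admin")
        elif row[0] == "p" and len(row) >= 6:    # p, sub, res, act, obj, effect
            if row[2] == "*" and row[3] == "*" and row[5] == "allow":
                findings.append(f"{row[1]}: wildcard grant on every resource")
    if policy_default not in ("", "role:readonly"):
        findings.append(
            f"policy.default={policy_default}: granted to every authenticated user")
    return bindings, findings

# Constructed sample; the GUIDs and the e-mail address are made up.
SAMPLE_POLICY = """\
p, role:deployer, applications, sync, payments/*, allow
p, role:platform, *, *, */*, allow
g, 11111111-2222-3333-4444-555555555555, role:deployer
g, "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", role:admin
g, alice@example.com, role:platform
"""

if __name__ == "__main__":
    bindings, findings = review_policy(SAMPLE_POLICY, "role:readonly")
    for subject, role in bindings:
        print(f"binding  {subject} -> {role}")
    for finding in findings:
        print(f"review   {finding}")
```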
Security Hardening by Default
Microsoft built the extension on Azure Linux—its purpose-built container host engineered for reduced CVE exposure. This is not a generic Ubuntu or Debian image with Argo CD installed. It is a hardened, minimized environment that reflects Microsoft’s security-first approach to container infrastructure.
- Minimal attack surface with only required components
- Opt-in automatic patching for security fixes
- Compatibility with high-availability configurations for production workloads
- Reproducible builds with supply chain verification
The extension maintains parity with upstream Argo CD, supporting ApplicationSets for multi-cluster scenarios and hub-and-spoke architectures for large fleet management. Microsoft has committed to remaining current with upstream releases within a reasonable timeframe, avoiding the version lag that often plagues managed services.
Setting It Up
Enable the extension through the Azure CLI. Portal-based management arrives in a few weeks, but today all configuration happens via CLI or infrastructure-as-code templates:
az extension add --name k8s-extension
az k8s-extension create --cluster-type managedClusters --cluster-name my-aks --resource-group my-rg --name argocd --extension-type Microsoft.ArgoCD
The extension deploys Argo CD components into a managed namespace with appropriate network policies and resource quotas. You can monitor deployment status through standard Azure monitoring tools or kubectl.
Migration Considerations
For teams already running self-managed Argo CD on AKS, migration requires planning:
- The extension manages the Argo CD lifecycle—you cannot customize the Argo CD version independently
- Back up your existing Application resources before migration using argocd admin export
- The extension stores state in Azure-managed storage, eliminating manual backup strategies but also limiting customization
- Custom resource hooks and plugins require validation against the managed version—these run in a restricted environment
Microsoft recommends testing the extension in a non-production cluster before migrating production workloads. The public preview period is an opportunity to validate your specific use cases and report any gaps.
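Part of that planning is knowing which repository credentials in the existing install are still long-lived secrets of the kind Workload Identity Federation replaces. This added example (not Microsoft's or the Argo CD project's code) inventories them from `kubectl get secrets -o json` output. The sample Secrets are constructed, the field names are upstream Argo CD's, and treating `useAzureWorkloadIdentity` as the marker of a federated repository under the managed extension is an assumption.

```python
import base64

LABEL = "argocd.argoproj.io/secret-type"
REPO_TYPES = ("repository", "repo-creds")
# Fields of upstream Argo CD repository Secrets that hold long-lived credentials.
STATIC_KEYS = ("password", "sshPrivateKey", "githubAppPrivateKey",
               "tlsClientCertKey", "bearerToken")

def field(secret, key):
    """Read one field from stringData (plain) or data (base64)."""
    if key in secret.get("stringData", {}):
        return secret["stringData"][key]
    raw = secret.get("data", {}).get(key)
    return base64.b64decode(raw).decode("utf-8", "replace") if raw else ""

def audit(secret_list):
    """Map Secret name -> (repo URL, static credential keys, federated?)."""
    report = {}
    for s in secret_list.get("items", []):
        meta = s.get("metadata", {})
        if meta.get("labels", {}).get(LABEL) not in REPO_TYPES:
            continue  # cluster Secrets and unrelated Secrets are out of scope
        static = [k for k in STATIC_KEYS if field(s, k)]
        # Assumption: federated repos carry upstream's useAzureWorkloadIdentity.
        federated = field(s, "useAzureWorkloadIdentity").lower() == "true"
        report[meta.get("name", "?")] = (field(s, "url"), static, federated)
    return report

def b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample shaped like `kubectl get secrets -n argocd -o json`.
SAMPLE = {"items": [
    {"metadata": {"name": "acr-legacy", "labels": {LABEL: "repository"}},
     "data": {"url": b64("example.azurecr.io/charts"),
              "username": b64("constructed-app-id"),
              "password": b64("constructed-not-a-real-secret")}},
    {"metadata": {"name": "acr-federated", "labels": {LABEL: "repository"}},
     "data": {"url": b64("example.azurecr.io/charts"),
              "useAzureWorkloadIdentity": b64("true")}},
    {"metadata": {"name": "prod-cluster", "labels": {LABEL: "cluster"}},
     "data": {"config": b64("{}")}},
]}

if __name__ == "__main__":
    # Only key names are printed, never the credential values themselves.
    for name, (url, static, federated) in audit(SAMPLE).items():
        state = "static: " + ",".join(static) if static else f"federated={federated}"
        print(f"{name:14} {url:28} {state}")
```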
Why This Matters
Argo CD has become the de facto standard for Kubernetes GitOps. By offering it as a managed extension, Microsoft reduces operational burden while maintaining the flexibility that made Argo CD popular. This is not a fork or a wrapper—it is the real Argo CD, managed by Microsoft.
The integration pattern—Entra ID authentication, Azure Linux hardening, Workload Identity for secretless auth—reflects where enterprise Kubernetes is heading. Platform teams manage the tooling. Application teams focus on delivery. Security and compliance concerns are handled automatically.
Availability and Pricing
The Argo CD extension is in public preview for all AKS regions and Azure Arc-enabled Kubernetes clusters. General availability pricing and SLA details remain unannounced. During the preview, Microsoft encourages feedback through GitHub issues and Azure support channels.
For organizations already invested in GitOps, the Argo CD extension represents a compelling option. It combines the flexibility of open source with the reliability of a managed Azure service—an increasingly common pattern as Kubernetes matures from experimental technology to production infrastructure.
