diff --git a/src/azure-cli/azure/cli/command_modules/acs/_roleassignments.py b/src/azure-cli/azure/cli/command_modules/acs/_roleassignments.py
index 98d6e51a2a1..3e14d631907 100644
--- a/src/azure-cli/azure/cli/command_modules/acs/_roleassignments.py
+++ b/src/azure-cli/azure/cli/command_modules/acs/_roleassignments.py
@@ -100,6 +100,14 @@ def add_role_assignment_executor(cmd, role, assignee, resource_group_name=None,
 
 def add_role_assignment(cmd, role, service_principal_msi_id, is_service_principal=True,
                         delay=2, scope=None, assignee_principal_type=None):
+    # Every caller of add_role_assignment targets either a service principal or a managed
+    # identity, both of which are represented as a ServicePrincipal in Microsoft Entra ID.
+    # Explicitly setting the principal type lets the Authorization RP skip the Entra ID
+    # existence check, which avoids PrincipalNotFound failures caused by replication delay
+    # for freshly created identities.
+    if assignee_principal_type is None:
+        assignee_principal_type = "ServicePrincipal"
+
     # AAD can have delays in propagating data, so sleep and retry
     hook = cmd.cli_ctx.get_progress_controller(True)
     hook.add(message="Waiting for AAD role to propagate", value=0, total_val=1.0)
diff --git a/src/azure-cli/azure/cli/command_modules/acs/managed_cluster_decorator.py b/src/azure-cli/azure/cli/command_modules/acs/managed_cluster_decorator.py
index 518c735df8e..df48993aaac 100644
--- a/src/azure-cli/azure/cli/command_modules/acs/managed_cluster_decorator.py
+++ b/src/azure-cli/azure/cli/command_modules/acs/managed_cluster_decorator.py
@@ -8356,12 +8356,16 @@ def postprocessing_after_mc_created(self, cluster: ManagedCluster) -> None:
             except Exception as e:  # pylint: disable=broad-except
                 logger.warning("Could not get signed in user: %s", str(e))
             else:
+                # signed_in_user_get() calls Graph /me, which only succeeds for a delegated
+                # (interactive) user; service principal / managed identity logins raise GraphError
+                # and are handled by the except branch above. So the assignee here is always a User.
                 self.context.external_functions.add_role_assignment_executor(  # type: ignore # pylint: disable=protected-access
                     self.cmd,
                     "Azure Kubernetes Service RBAC Cluster Admin",
                     user["id"],
                     scope=cluster.id,
                     resolve_assignee=False,
+                    assignee_principal_type="User",
                 )
 
     def put_mc(self, mc: ManagedCluster) -> ManagedCluster: