In an Azure subscription with a tenant 'contoso.com' and an AKS cluster 'AKS1', how do you initially address the issue of an administrator being unable to grant AKS1 access to 'contoso.com' users?