Introduction
Managing access to Azure resources often means dealing with two separate permission models: one for management operations and another for data access. For Azure Cosmos DB customers, this split can increase complexity, slow down onboarding, and create confusion around governance and security boundaries.
Today, we’re excited to announce the private preview of Integrated Azure RBAC for Cosmos DB, a major step toward a unified, intuitive permissions experience across Azure. This new capability brings Cosmos DB data plane authorization directly into Azure RBAC, allowing customers to manage both management and data access using a single, familiar permissions model. With this integration, access management becomes simpler and clearer while remaining easy to operationalize across development, test, and production environments.
What’s New
Unified Role Management in the Azure Portal
Cosmos DB data plane roles now appear alongside existing Azure RBAC roles in the Azure portal. This unified view allows administrators to manage permissions from a single, consistent place using the same workflows they already know.
New Built‑in Roles
Two new built-in roles have been introduced for data plane operations:
- Cosmos DB Data Reader – Allows Cosmos DB data plane read access
- Cosmos DB Data Contributor – Allows Cosmos DB data plane read and write access
Consistent Entra ID Experience Across Azure
Applications and developers authenticating with Microsoft Entra ID can now use the same identity, role assignment, and governance patterns they already rely on across Azure services. There’s no separate permission model to learn or maintain; Cosmos DB data access follows established Azure RBAC conventions.
Why It Matters
- Faster time to production through a single authorization model
- Fewer security misconfigurations caused by split permission systems
- Stronger governance using consistent Entra ID identities and auditing
How It Works
When you opt in to the private preview, you’ll see the following experience:
- Create or open an existing Azure Cosmos DB account.
- Navigate to Access Control (IAM) in the Azure portal.
- Cosmos DB data plane RBAC roles appear directly within the existing role assignment UI.
- Assign Cosmos DB Data Reader or Cosmos DB Data Contributor just like any other Azure role.
- Applications and users authenticating with Microsoft Entra ID gain data access based on their assigned role.
There’s no new permission system to learn since everything follows established Azure RBAC patterns. Existing data plane authorization mechanisms will continue to work, allowing customers to adopt Integrated Azure RBAC incrementally without breaking existing applications.
Limitations in Private Preview
To ensure quality and safety during the preview:
- The access experience will be available only via a feature flag
- Role definition, scope support and UX may evolve as we gather customer feedback
- Not recommended for production workloads
- Custom roles are currently not supported
Join the Private Preview
We are looking to partner with early adopters to validate the experience and shape the final release. This private preview is ideal for customers who want to simplify Cosmos DB access governance and align data authorization with existing Azure RBAC practices.
If you’re interested in participating in the private preview, sign up using our request form, and our team will reach out with next steps.
- Sign up at https://aka.ms/CosmosDB-RbacPreview